SSH Tunneling through web filters

At the end of the article, the author suggests to look at proxytunnel and <a href="http://dag.wieers.com/howto/ssh-http-tunneling" rel="nofollow">http://dag.wieers.com/howto/ssh-http-tunneling</a> if you want to do this under Linux.<p>I just want to point out that this last option does a lot more than what the article does: it actually encapsulates the ssh session in HTTPS requests, so it'll work even if your firewall does layer-7 filtering. The article just runs sshd on port 443 and connects to that.

&#62;Would anyone on HN work at a company that filters http?<p>I'm consulting for one now. For the most part, they filter porn and borderline porn. However, they also filter Facebook (but not LinkedIn!), YouTube, and a few other things mainstream sites.<p>Circumvention certainly isn't that hard, but it also likely violates some company policy. I connected my Droid to their Exchange servers and got a nastygram from IT security (albeit a few weeks later).<p>Ironically, the risk isn't just that I would get caught - the first time would be a hand slap unless they wanted a reason to get rid of me. The corporate culture is so focused on conformity and compliance that it would be absolutely shocking to others that I would have even considered such a thing. And, this affects perceptions of trustworthiness. [No, I do not like any of this!]

Given that Google App Engine gives away the first 5M requests/month for free and allows outgoing HTTP requests, would it be possible to build a proxy with it? Let's say I built a SOCKS client for Windows which delegated requests to a small AppEngine app via HTTPS. The server-side would simply make the request on the client's behalf and return the result. Would this work? I suspect latency would be much worse than the EC2/SSH option, but it would be more convenient. I could use something like FoxyProxy to only use the AppEngine hack for sites which required it.

The bank I have been working for the last 12 months was also blocking 443 traffic (except to few "safe" ssl sites). Tunnelling on 443 was impossible.

In China I found that using a UDP based OpenVPN to Slicehost was higher performing than the TCP on top of TCP issues that you get with SSH Tunneling when there's packet loss.<p>There's even some pretty decent desktop clients for OpenVPN, see Viscosity for OSX.<p>This is assuming you have the ports open (the Great Firewall of China does HTTP inspection but not port blocking).

A VPS (Slicehost anyone?) should do the same, and it's way less expensive than EC2. You just have to set up everything from a non-filtered connection (at home! ..hey, you can even build this in a home server!).<p>Anyway, if you can use a SOCKS proxy, it should work for almost every application supporting any kind of proxy (but not using the 443/SSL port).

Good writeup, ssh tunnels are something I can’t live without…<p>Step 9 can be skipped completely if no proxy is needed to be configured.<p>Also don’t forget, doing all of this still sends the DNS requests in the clear to the usual/old dns server and not through EC2. If the DNS server is also meant to filter and redirect, this can be an issue. To go around that, in firefox you can go to about:config and set network.proxy.socks_remote_dns = true<p>And for linux folks... you don't need any tools or any more special config... just run the ssh command with switch -D &#60;SOCKS_PORT_NUMBER&#62; and configure firefox or your browser to use that.

Has anyone on HN actually worked for a company that filters internet traffic? <i>Would</i> anyone on HN work at a company that filters http? I've always thought that if a company could effectively block internet traffic with a filter on a proxy then the problem wasn't that employees were wasting time surfing; the problem was that they were hiring employees incapable of getting around it.

For $60/mo you can get a Sprint MiFi, and have mobile broadband access anywhere there's coverage. I know, this doesn't work for everyone, but compared to a $57/mo EC2 instance, I think it's a win in many cases.

I use my slice for this stuff. On a mac, just add the localhost:&#60;someport&#62; to the 'network preferences &#62; SOCKS proxies' and then do:<p><pre><code> ssh -D &#60;someport&#62; user@slicehost.com</code></pre>

Wow! 8 cents an hour! Thats...um....$57 a month. Oh.<p>Can you schedule EC2 instances for certain times of the day, or is it an all on or nothing thing?

It works with anything but Google chrome.. I just learned that it doesn't support SOCKS proxy :/

it's pretty common for vpn providers like witopia or acevpn to provide access via tcp 443 to get through these same firewalls and it's a whole lot simpler, not to mention more cost effective.

You Can use Myentunnel