SSH Tunneling; encrypted surfing with Virtual Hosts

Whether you’re the Secretary of Defense or just an average Joe trying to get by with some peace of mind and security, encryption is a good thing. Have many virtual hosts on your unencrypted Apache server, but want encryption for whichever virtual host you specify? Here is the solution: tunnel your browser’s traffic to that virtual host through an SSH session to the server. Note, this is written for Linux clients, not Windows. You can tweak the instructions to work with Windows by using PuTTY and creating a tunnel that way.

First of all, here is the command to tunnel for Linux:

ssh -f -L 10000:your_virtual_host.com:80 user@myserver.com -N

Explanation of the above command:

  • ssh starts the ssh client
  • -f forks the ssh client into the background once you have authenticated, so it keeps running after you close the terminal; kill that ssh process to take the tunnel down
  • -L local_port:host:host_port (here 10000:your_virtual_host.com:80) makes ssh listen on local_port on your machine, bound to 127.0.0.1 only by default, and forward every connection it receives through the encrypted SSH session; the SSH server then connects to host:host_port on your behalf, so host is resolved from the server’s point of view, not from your client’s /etc/hosts
  • -N tells ssh not to execute a command on the remote server once you are logged in to it

After you have started the tunnel using the command above, ssh keeps the session open in the background. The tunnel stays up until you kill that ssh process or the connection drops, even if you close the terminal you started it from.

Next, open your web browser and go to the following address (use the virtual host’s name rather than localhost, because Apache picks a name-based virtual host from the Host header the browser sends):

http://your_virtual_host.com:10000

Going to that address fails? What? Ohhhhh, that’s right: the browser still resolves your_virtual_host.com to the real server, not to the tunnel on your own machine, so you need to add an entry for that site to your hosts file:

Open the file:

vi /etc/hosts

(If you were doing this in Windows, the file is at C:\Windows\System32\drivers\etc\hosts)

Add this line to it:

127.0.0.1 your_virtual_host.com

Now go to the address again and it should work:

http://your_virtual_host.com:10000

If you were to run a packet sniffing program such as Wireshark, you could monitor your network adapter (wlan0 or eth0, whichever one you are using) and see that everything going to myserver.com (which is where you are tunneled into via ssh, using it to access your_virtual_host.com) is encrypted! Whoo hoo, now you can log into your unencrypted website without worrying that people on the network can see your plain text password. One caveat: only the hop between your machine and the sshd on myserver.com is encrypted. The sshd then connects to your_virtual_host.com on port 80 in plain HTTP, which is fine while Apache lives on that same server (the request never leaves the box), but if the virtual host were hosted on a different machine that last leg would cross the network in the clear.

If you were to monitor your loopback interface (lo) then you would see all the clear text data – except it never leaves your computer unencrypted.

NOTE: Once you have added your_virtual_host.com to your /etc/hosts file, that name always resolves to the local machine, which means you need to open the tunnel to access it. As a side effect, if you try to ssh into your_virtual_host.com you will be connecting to port 22 on your own machine, so you will see the connection refused (or, if you run a local sshd, a login to your own box). The way around this is to ssh into a different name for the same server (notice that I ssh’d into myserver.com instead of your_virtual_host.com).

Every host you add to the 127.0.0.1 line in the /etc/hosts file that is on your server will work on the same port (10000 or whatever port you specify; you can use any port that isn’t taken by another program, and ports below 1024 need root). The tunnel always connects to your_virtual_host.com:80 on the server side, but Apache chooses the virtual host by the Host header, and the browser sends whatever name you typed. So, if you have my_other_domain.com on the same server and, in your web browser, you go to http://my_other_domain.com:10000 then it will work as well with the existing tunnel. Leave the listener bound to 127.0.0.1 (the default); binding it to all interfaces would let anyone on your network ride your tunnel into the server.
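As an added example (not code from the original post), here is a small wrapper around the procedure above and the multi-host point just made. It assumes OpenSSH and curl on the Linux client, uses the post’s placeholder names (user@myserver.com, your_virtual_host.com, port 10000), and keeps a control socket at an assumed path so the background tunnel can be checked and torn down by name instead of hunting for the process. It uses curl’s --resolve instead of the /etc/hosts edit, which gives the request the right Host header without breaking ssh to your_virtual_host.com; a browser still needs the hosts entry.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH (ssh) and curl
# on the client and that user@myserver.com can reach your_virtual_host.com:80.
# All names are the post's placeholders; override them via the environment.
set -u

LOCAL_PORT=${LOCAL_PORT:-10000}
VHOST=${VHOST:-your_virtual_host.com}
SSH_TARGET=${SSH_TARGET:-user@myserver.com}
CTL_SOCK=${CTL_SOCK:-"${HOME:-/tmp}/.ssh/vhost-tunnel.sock"}   # assumed path

# -L argument: [bind_address:]local_port:host:host_port. Binding explicitly
# to 127.0.0.1 keeps the listener off eth0/wlan0, so nobody else on the LAN
# can ride your tunnel into the server. host_port defaults to 80.
forward_spec() {
  printf '127.0.0.1:%s:%s:%s' "$1" "$2" "${3:-80}"
}

# curl --resolve pins host:port to an address for one request only, so the
# request carries the Host header Apache needs for its name-based virtual
# host without touching /etc/hosts. $1 = host name, $2 = local tunnel port.
resolve_spec() {
  printf '%s:%s:127.0.0.1' "$1" "$2"
}

# Open the tunnel in the background (-f -N) as a control master (-M -S) so
# later invocations can talk to the same session through the socket.
tunnel_up() {
  ssh -f -N -M -S "$CTL_SOCK" -L "$(forward_spec "$LOCAL_PORT" "$VHOST")" "$SSH_TARGET"
}

# Ask the running master whether it is still alive.
tunnel_status() {
  ssh -S "$CTL_SOCK" -O check "$SSH_TARGET"
}

# Tell the master to exit, which closes the tunnel and the listener.
tunnel_down() {
  ssh -S "$CTL_SOCK" -O exit "$SSH_TARGET"
}

# Fetch a path from any virtual host on the same Apache through the one
# tunnel. $1 = virtual host name, $2 = path (default /). The request leaves
# this machine inside the SSH session; only the Host header changes per host.
fetch() {
  host=$1
  path=${2:-/}
  curl -sS --resolve "$(resolve_spec "$host" "$LOCAL_PORT")" \
       "http://$host:$LOCAL_PORT$path"
}

case "${1:-}" in
  up)     tunnel_up ;;
  status) tunnel_status ;;
  down)   tunnel_down ;;
  get)    fetch "$2" "${3:-/}" ;;
esac
```

Usage: `sh tunnel.sh up`, then `sh tunnel.sh get your_virtual_host.com /` or `sh tunnel.sh get my_other_domain.com /login` for any other virtual host on the same server, `sh tunnel.sh status` to confirm the master is alive, and `sh tunnel.sh down` when finished. Sniffing eth0 or wlan0 while a `get` runs shows only SSH traffic to myserver.com, as described above.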

View the next article for setting your computer to automatically start the tunnel when you log in.

If this works for you or not, please comment below and let me know.

6 Replies to “SSH Tunneling; encrypted surfing with Virtual Hosts”

  1. I have tried this and even though I get to the other end server, it loses the domain info or something else happens, but I can just see the Apache “It Works!”. So I assume it’s seeing only the IP and not the hostname.

    1. Sorry, my bad. The issue was due to a reverse proxy translating the domain name to a different one: mydomain.com -> mydomain.intranet.net,
      so putting 127.0.0.1 mydomain.intranet.net in /etc/hosts solved it.

    2. Hi Juan. If you add the FQDN to your /etc/hosts file, but using 127.0.0.1, you can then access the remote site via its URL. This means you want to ensure the port is not previously in use on your local machine. Then use 80:$yoursite.com:80 or whatever port is required.
