通过JSCH(SSH)和HTTPS反向隧道

Question

我必须实现从客户端到服务器的反向隧道.我使用以下命令使用JSCH

session.setPortForwardingR(rport, lhost, lport);

它的工作原理(另请参阅使用JSCH Java反向SSH隧道)!

接下来我必须通过双向身份验证的HTTPS流隧道我的ssh会话:

client -> firewall -> apache https -> ssh server 

----------------------> HTTPS
====================================> SSH
---------------------->

我在找

1. 一小段java代码,用于将SSH封装到HTTPS中
2. 2路HTTPS身份验证
3. APACHE配置

解决方案:

1)HTTPS隧道

1. JHTTPTunnel,但它基于J2ME并且它不支持SSL(另请参阅Java Http隧道,是否有用于通过HTTP发送二进制数据的Java库,HTTP隧道？)
2. JOD,但它不支持SSL

3)APACHE CONFIGURATION

1. 也许这个配置有效,但我必须尝试

## Load the required modules.
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

## Listen on port 8443 (in addition to other ports like 80 or 443)
Listen 8443

<VirtualHost *:8443>

  ServerName youwebserver:8443
  DocumentRoot /some/path/maybe/not/required
  ServerAdmin admin@example.com

  ## Only ever allow incoming HTTP CONNECT requests.
  ## Explicitly deny other request types like GET, POST, etc.
  ## This tells Apache to return a 403 Forbidden if this virtual
  ## host receives anything other than an HTTP CONNECT.
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} !^CONNECT [NC]
  RewriteRule ^/(.*)$ - [F,L]

  ## Setup proxying between youwebserver:8443 and yoursshserver:22

  ProxyRequests On
  ProxyBadHeader Ignore
  ProxyVia Full

  ## IMPORTANT: The AllowCONNECT directive specifies a list
  ## of port numbers to which the proxy CONNECT method may
  ## connect.  For security, only allow CONNECT requests
  ## bound for port 22.
  AllowCONNECT 22

  ## IMPORTANT: By default, deny everyone.  If you don't do this
  ## others will be able to connect to port 22 on any host.
  <Proxy *>
    Order deny,allow
    Deny from all
  </Proxy>

  ## Now, only allow CONNECT requests bound for kolich.com
  ## Should be replaced with yoursshserver.com or the hostname
  ## of whatever SSH server you're trying to connect to.  Note
  ## that ProxyMatch takes a regular expression, so you can do
  ## things like (kolich\.com|anothersshserver\.com) if you want
  ## to allow connections to multiple destinations.
  <ProxyMatch (kolich\.com)>
    Order allow,deny
    Allow from all
  </ProxyMatch>

  ## Logging, always a good idea.
  LogLevel warn
  ErrorLog logs/yourwebserver-proxy_error_log
  CustomLog logs/yourwebserver-proxy_request_log combined

</VirtualHost>

Answer 1

我认为您自己提出的解决方案是基于Implement HTTPStunneling with JSSE的。

基本步骤是：

1. 为 JSCH 定义连接工厂
2. 打开 SSL 套接字并调用 "CONNECT " + host + ":" + port

在服务器端捕获所有调用“CONNECT”的请求并启用 22 SSH 端口。

但你还必须考虑以下问题：

1. 调整超时，因为 SSL 握手相当长
2. 启用 2 向身份验证或所有人都可以连接到您的 22 个服务器： 在 Android 上使用客户端/服务器证书进行双向身份验证 SSL 套接字