Dynamic Port Forwarding
We are often asked, “How can I tunnel my web browsing over SSH?” The usual reasons are for privacy or for browsing across a firewall. The SSH port forwarding we’ve described so far doesn’t meet this need very well, but there is another flavor called dynamic port forwarding which does. We’ll call the previous technique “static forwarding” in contrast.
Suppose you’re at home, using your home machine H, and need to access a web server W1 at work, but your employer’s internal network is behind a firewall. You might attempt to do this through a bastion server at work (say, B) which you can log into via SSH; and then from B, you can reach whatever internal web servers you want. So you create a tunnel using the following port-forwarding command on home machine H:
$ ssh -L 8080:W1:80 B This runs into problems
and point your web browser on H at http://localhost:8080/. This is a reasonable try, based on forwarding as we’ve seen it so far, but there are lots of problems:
- Problem 1: virtual hosts
Web servers can make decisions based on the hostname portion of the URL you request. For example, if the names foo and bar are aliases for the same host, then the URLs http://foo/ and http://bar/ may return different pages. A practical example is an ISP’s web server, which could host content for dozens or hundreds of customers’ web sites under different hostnames, all of which point to that same machine. This web server configuration is often called virtual hosts.
In our home/work ...
Get SSH, The Secure Shell: The Definitive Guide, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.