Tunnel HTTP traffic through a reverse tunnel to a network behind a firewall.

Do you ever find yourself in need to browse the web from a network behind a firewall?

I’m curious if there’s a more direct route, but here’s what I did.

SSH Setup Reverse Tunnel

Borrowed from my post about setting this up for Remote Desktop.

On a LightSail instance on AWS (or your choice of linux servers)

sudo apt update
sudo apt install openssh-server

Edit the sshd_config

sudo vim /etc/ssh/sshd_config

At the bottom. Type “i” for insert then add the following lines

#Allow SSH Tunneling
GatewayPorts=clientspecified

To save: esc then “:wq” (command, wright, quit)

you can check that’s in there by running

cat /etc/ssh/sshd_config | Gate

response:

#GatewayPorts no
GatewayPorts=clientspecified

On your windows computer behind the firewall

Follow instructions from Microsoft to install OpenSSH:
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui

Add to file ~/.ssh/config
#aws server
Host 123.123.123.123
   User bitnami
   IdentityFile ~/.ssh/id_rsa
   IdentitiesOnly yes
   ServerAliveInterval 60
   ServerAliveCountMax 10

Adding ServerAliveInterval sets the number of seconds the client will wait before sending a keep connection alive

ServerAliveCountMax sets the number of times the client will try to keep connection alive.

you can also add this to the server as well.

vim etc/sshd/ssh_config

add

ClientAliveInterval 60
ClientAliveCountMax 10 #default is 3

Be sure to open up the correct port on your AWS firewall. I suggest restricting traffic on port 12345 only to the ip address of your client so you’re not opening up the port for nefarious actors.

In your terminal enter:

ssh 123.123.123.123 -2 -4 -T -N -C -R 0.0.0.0:12345:127.0.0.1:22

This creates an ssh tunnel, where a client can ssh into port 12345 on the AWS server which tunnels the traffic to your windows server behind the firewall.

Tunnel HTTP through SSH Tunnel with PuTTY

On your client computer, install PuTTY with the msi

https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Use the PuTTYgen tool that’s installed to convert the private key to PuTTY’s .ppk format

Open PuTTY,

Host Name (of IP Address): 123.123.123.123 (ip of your aws server)
port: 12345

In the category field go to Connection -> SSH -> Tunnels

in source port: 8080
destination port: localhost:80
Select Dynamic

Click Add

Navigate back to Session

name the configuration, and save, then press open.

Because all traffic coming into 12345 on the aws server is routed to port 22 on the windows server, log in with your username and password for the windows machine. Once logged in, you’ll see the command prompt on your windows server.

Configure Proxy

Firefox is the easiest to set up. From options menu (top right) select Settings

At the very bottom of GENERAL, in the Network Settings section, select Settings

From the radio buttons, select Manural proxy configuration

in SOCKS Host: localhost
Port: 8080

Select Socks v5

Check the box next to Proxy DNS when using SOCKS V5

Test you setup

open google and search for “What is my ip”, The search result includes your IP address, it should be the IP of the WAN (Wide Area Network) of your windows server.

Troubleshoot

OpenSSH has a verbose mode. Add -v to your command for standard amount of verboseness. -vv will add even more info, -vvv will provide even more

Recap

The first tunnel is to forward all traffic from port 12345 on the AWS server to port 22 on the Windows Server

The Second tunnel forwards all traffic on port 80 (http) from your client computer (through the first tunnel), then requests the http traffic from the windows server.

Use SSH (without PuTTY)

In a terminal:

ssh -D 8080 -C -N [email protected] -p 12345

-D ::: Enables dynamic port forwarding, also known as a SOCKS proxy.
8080 is the binding port
-C ::: Enables compression
-N ::: Enables quiet mode
user ::: your windows server username
123.123.123.123 ::: Your AWS server
-p ::: Set ssh port
12345 ::: the port we want to connect to the AWS server so traffic is forwarded to the windows server

Activate Proxy on Mac

Settings -> Network -> (your network connection wifi/ethernet)

Details

From the details screen, select Proxies menu item.

activate SOCKS proxy.
Server: localhost
port: 8080

Running old wordpress themes on Lightsail

I do not recommend continuing to use PHP 5.6. It’s full of vulnerabilities, but I needed to buy myself some time with some old WordPress themes that error out on higher version of php.

Stop bitnami services and save the instance as a backup

sudo /opt/bitnami/ctlscript.sh stop
sudo mv /opt/bitnami /opt/bitnami.back

Download and install archived instance (check the Bitnami changelog to find if you need a different version, then just update the numbers accordingly)

cd /tmp
curl -LO https://downloads.bitnami.com/files/stacks/wordpress/4.8.2.php56-0/bitnami-wordpress-4.8.2.php56-0-linux-x64-installer.run

chmod +x bitnami-wordpress-4.8.2.php56-0-linux-x64-installer.run
sudo ./bitnami-wordpress-4.8.2.php56-0-linux-x64-installer.run

for PHP 7 useupl

 curl -LO https://downloads.bitnami.com/files/stacks/wordpress/5.9.1-0/bitnami-wordpress-5.9.1-0-linux-x64-installer.run

The newest version (at writing) using PHP8 is 6.1.1-0 and can be downloaded:

curl -LO https://downloads.bitnami.com/files/stacks/wordpress/6.1.1-0/bitnami-wordpress-6.1.1-0-linux-x64-installer.run

install to /opt/bitnami/

sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami.conf

update document root

DocumentRoot "/opt/bitnami/apache2/htdocs"
  <Directory "/opt/bitnami/apache2/htdocs">

to

 DocumentRoot "/opt/bitnami/apps/wordpress/htdocs"
  <Directory "/opt/bitnami/apps/wordpress/htdocs">

then lower under ssl

<VirtualHost _default_:443>
  DocumentRoot "/opt/bitnami/apps/wordpress/htdocs"  #Edit
  SSLEngine on
SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

  <Directory "/opt/bitnami/apps/wordpress/htdocs"> #Edit

...

at the end add the following to allow for larger PHP uploads. Adjust so your All-in-One WordPress Backup file will upload.

php_value upload_max_filesize 128M
php_value post_max_size 128M
php_value memory_limit 256M
php_value max_execution_time 300
php_value max_input_time 300

sudo nano /opt/bitnami/apps/wordpress/htdocs/wp-config.php

define('WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] . '/wordpress');
define('WP_HOME', 'http://' . $_SERVER['HTTP_HOST'] . '/wordpress');

to

define('WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST]);
define('WP_HOME', 'http://' . $_SERVER['HTTP_HOST']);

sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf

#Include "/opt/bitnami/apps/wordpress/conf/httpd-prefix.conf"  

sudo /opt/bitnami/ctlscript.sh restart apache

go ahead and enter ip address in browser

Update WordPress and plugins

Before using all-in-one wp migration change the a record to the new ip address and set up encryption.

https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/

Install Let’s Encrypt

For bitnami v5.9.1 just run

sudo /opt/bitnami/bncert-tool

For older versions, you’ll have to install the tool first

wget -O bncert-linux-x64.run https://downloads.bitnami.com/files/bncert/latest/bncert-linux-x64.run
sudo mkdir /opt/bitnami/bncert
sudo mv bncert-linux-x64.run /opt/bitnami/bncert/
sudo chmod +x /opt/bitnami/bncert/bncert-linux-x64.run
sudo ln -s /opt/bitnami/bncert/bncert-linux-x64.run /opt/bitnami/bncert-tool

now you can run the Bitnami HTTPS Configuration Tool

sudo /opt/bitnami/bncert-tool

Remove Bitnami Banner

sudo /opt/bitnami/apache2/bnconfig --disable_banner 1