Bernstein, Noam CIV USN NRL (6393) Washington DC (USA)
2020-Nov-12 12:56 UTC
[CentOS] run firefox via an ssh tunnel
If the point is to access a specific web site only the remote machine can get to, you can also do it with port forwarding:

    ssh -L 8000:ip_of_web_site_to_access_from_remote:443 remote_machine

and then locally run any browser, and access

    https://localhost:443

(assuming it's https. If it's plain http, use "http" and 80). Note that you'll be breaking some aspects of https security such as man-in-the-middle protection and perhaps others, and you'll need to accept some security exceptions.

This will be useful if the point is to get to a web site only the remote machine can connect to, but all the browser code/plugins will be the local ones.

On 12.11.20 at 13:56, Bernstein, Noam CIV USN NRL (6393) Washington DC (USA) via CentOS wrote:
> If the point is to access a specific web site only the remote machine can get to, you can also do it with port forwarding:
>     ssh -L 8000:ip_of_web_site_to_access_from_remote:443 remote_machine
> and then locally run any browser, and access
>     https://localhost:443
> (assuming it's https. If it's plain http, use "http" and 80). Note that you'll be breaking some aspects of https security such as man-in-the-middle protection and perhaps others, and you'll need to accept some security exceptions.
>
> This will be useful if the point is to get to a web site only the remote machine can connect to, but all the browser code/plugins will be the local ones.

This would not allow access to SNI hostings (without DNS tricks).

Anyway, the original question was to forward a _native_ OSX output via X11 to the Linux workstation. That is not possible, but you can enable the remote desktop service on the OSX machine, pass it through an ssh tunnel like "-L 5900:localhost:5900 -N" and access the OSX machine via VNC.

A completely different option is having an open-source port distribution installed (like macports.org) and installing Firefox that runs under https://www.xquartz.org/. Not quite CentOS related ...

--
Leon

On Thu, Nov 12, 2020 at 12:56:15PM +0000, Bernstein, Noam CIV USN NRL (6393) Washington DC (USA) via CentOS wrote:
>
> If the point is to access a specific web site only the remote
> machine can get to, you can also do it with port forwarding:
>     ssh -L 8000:ip_of_web_site_to_access_from_remote:443 remote_machine
> and then locally run any browser, and access
>     https://localhost:443
> (assuming it's https. If it's plain http, use "http" and 80). Note
> that you'll be breaking some aspects of https security such as
> man-in-the-middle protection and perhaps others, and you'll need to
> accept some security exceptions.
>
> This will be useful if the point is to get to a web site only
> the remote machine can connect to, but all the browser code/plugins
> will be the local ones.

If this is actually something you want to do with regularity, I suggest using the SSH SOCKS proxy (with the DynamicForward port), and configure Firefox to use the localhost:port as a SOCKS5 proxy. Then all traffic in firefox will be routed over the ssh connection. It won't break SNI and for the most part, everything will work in firefox as if you were connecting from the remote side of the connection.

It works with yum and dnf too, where you can use RemoteForward to set up a proxy port on the remote side, set the 'proxy' settings in the configuration, and all yum/dnf traffic will go over the established SSH connection. Why would you do this? Well, if you've got a system that's sitting inside a private, not NAT'd network and your workstation/jumphost has a VPN enabled but you don't have it enabled on the remote side, you can update a system without doing a lot of complicated network magic. Now imagine using Ansible to do this, which is already setting up SSH sessions...

--
Jonathan Billings <billings at negate.org>

On 11/12/20 7:50 AM, Jonathan Billings wrote:
> On Thu, Nov 12, 2020 at 12:56:15PM +0000, Bernstein, Noam CIV USN NRL (6393) Washington DC (USA) via CentOS wrote:
>> If the point is to access a specific web site only the remote
>> machine can get to, you can also do it with port forwarding:
>>     ssh -L 8000:ip_of_web_site_to_access_from_remote:443 remote_machine
>> and then locally run any browser, and access
>>     https://localhost:443
>> (assuming it's https. If it's plain http, use "http" and 80). Note
>> that you'll be breaking some aspects of https security such as
>> man-in-the-middle protection and perhaps others, and you'll need to
>> accept some security exceptions.
>>
>> This will be useful if the point is to get to a web site only
>> the remote machine can connect to, but all the browser code/plugins
>> will be the local ones.
> If this is actually something you want to do with regularity, I
> suggest using the SSH SOCKS proxy (with the DynamicForward port), and
> configure Firefox to use the localhost:port as a SOCKS5 proxy. Then
> all traffic in firefox will be routed over the ssh connection. It
> won't break SNI and for the most part, everything will work in firefox
> as if you were connecting from the remote side of the connection.
>
> It works with yum and dnf too, where you can use RemoteForward to set
> up a proxy port on the remote side, set the 'proxy' settings in the
> configuration, and all yum/dnf traffic will go over the established
> SSH connection. Why would you do this? Well, if you've got a system
> that's sitting inside a private, not NAT'd network and your
> workstation/jumphost has a VPN enabled but you don't have it enabled
> on the remote side, you can update a system without doing a lot of
> complicated network magic. Now imagine using Ansible to do this,
> which is already setting up SSH sessions...
>

Sounds interesting, can you point me to any examples / how-tos to set this up? Thanks
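
The SOCKS setup described in Jonathan Billings's reply, as an added example that is not part of the original thread: both forwards bound to loopback, plus a check that flags a forward listening on a non-loopback address. Assumptions: `internal_host` and port 1080 are placeholders, the client is OpenSSH 7.6 or later, and the remote dnf/yum accepts a `socks5h://` proxy URL.

```sh
#!/bin/sh
# Added example. remote_machine, internal_host and port 1080 are placeholders.
SOCKS_PORT=1080

# Browser case: SOCKS5 listener on the workstation, bound to loopback only.
# -N runs no remote command; -D is the command-line form of DynamicForward.
start_browser_proxy() {
    ssh -N -D "127.0.0.1:${SOCKS_PORT}" remote_machine
}
# Firefox > Settings > Network Settings > Manual proxy configuration:
#   SOCKS Host 127.0.0.1, Port 1080, SOCKS v5, and enable
#   "Proxy DNS when using SOCKS v5" so names resolve on the remote side.

# yum/dnf case: run on the workstation that has the network access.
# -R with only a port makes that port on internal_host a SOCKS proxy whose
# connections leave from the workstation (OpenSSH 7.6 or later). Then on
# internal_host, assuming its dnf/yum accepts SOCKS proxy URLs, set in
# /etc/dnf/dnf.conf:
#   proxy=socks5h://127.0.0.1:1080
start_update_proxy() {
    ssh -N -R "127.0.0.1:${SOCKS_PORT}" internal_host
}

# Check: read `ss -ltnH` output on stdin and print every listener on
# port $1 that is not bound to 127.0.0.1 or [::1].
exposed_listeners() {
    awk -v p="$1" '{
        addr = $4
        n = split(addr, parts, ":")
        if (parts[n] != p) next
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (host != "127.0.0.1" && host != "[::1]") print addr
    }'
}

# Constructed sample of `ss -ltnH` output: two loopback listeners on 1080,
# one exposed listener on 1080, and an unrelated sshd listener.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 127.0.0.1:1080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:1080 0.0.0.0:*
LISTEN 0 128 [::1]:1080 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
EOF
}
# Real use: ss -ltnH | exposed_listeners "$SOCKS_PORT"
```

An unauthenticated SOCKS port reachable from other hosts lets them route traffic through the tunnel, so any output from `exposed_listeners` means the bind address or the server's `GatewayPorts` setting needs correcting.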