Bernstein, Noam CIV USN NRL (6393) Washington DC (USA)
2020-Nov-12 12:56 UTC
[CentOS] run firefox via an ssh tunnel
If the point is to access a specific web site only the remote machine can get to, you can also do it with port forwarding: ssh -L 8000:ip_of_web_site_to_access_from_remote:443 remote_machine and then locally run any browser, and access localhost:443 (assuming it's https. If it's plain http, use "http" and 80). Note that you'll be breaking some aspects of https security such as man-in-the-middle protection and perhaps others, and you'll need to accept some security exceptions. This will be useful if the point is to get to a web site only only the remote machine can connect to, but all the browser code/plugins will be the local ones.
Am 12.11.20 um 13:56 schrieb Bernstein, Noam CIV USN NRL (6393) Washington DC (USA) via CentOS:> If the point is to access a specific web site only the remote machine can get to, you can also do it with port forwarding: > ssh -L 8000:ip_of_web_site_to_access_from_remote:443 remote_machine > and then locally run any browser, and access > localhost:443 > (assuming it's https. If it's plain http, use "http" and 80). Note that you'll be breaking some aspects of https security such as man-in-the-middle protection and perhaps others, and you'll need to accept some security exceptions. > > This will be useful if the point is to get to a web site only only the remote machine can connect to, but all the browser code/plugins will be the local ones. > _______________________________________________ > CentOS mailing list > CentOS at centos.org > lists.centos.org/mailman/listinfo/centos >This would not allow having access to SNI hostings (without dns tricks). Anyway, the original question was to forward a _native_ OSX output via X11 to the linux workstation. That is not possible but you can enable remotedesktop service on the osx machine and passing this through a ssh tunnel like "-L 5900:localhost:5900 -N" and accessing the osx machine via VNC. A complete different option is: having a opensource port distribution installed (like macports.org) and installing firefox that runs under xquartz.org. Not quite centos related ... -- Leon
On Thu, Nov 12, 2020 at 12:56:15PM +0000, Bernstein, Noam CIV USN NRL (6393) Washington DC (USA) via CentOS wrote:> > If the point is to access a specific web site only the remote > machine can get to, you can also do it with port forwarding: > ssh -L 8000:ip_of_web_site_to_access_from_remote:443 remote_machine > and then locally run any browser, and access > localhost:443 > (assuming it's https. If it's plain http, use "http" and 80). Note > that you'll be breaking some aspects of https security such as > man-in-the-middle protection and perhaps others, and you'll need to > accept some security exceptions. > > This will be useful if the point is to get to a web site only only > the remote machine can connect to, but all the browser code/plugins > will be the local ones.If this is actually something you want to do with regularity, I suggest using the SSH SOCKS proxy (with the DynamicForward port), and configure Firefox to use the localhost:port as a SOCKS5 proxy. Then all traffic in firefox will be routed over the ssh connection. It won't break SNI and for the most part, everything will work in firefox as if you were connecting from the remote side of the connection. It works with yum and dnf too, where you can use RemoteForward to set up a proxy port on the remote side, set the 'proxy' settings in the configuration, and all yum/dnf traffic will go over the established SSH connection. Why would you do this? Well, if you've got a system that's sitting inside a private, not NAT'd network and your workstation/jumphost has a VPN enabled but you don't have it enabled on the remote side, you can update a system without doing a lot of complicated network magic. Now imagine using Ansible to do this, which is already setting up SSH sessions... -- Jonathan Billings <billings at negate.org>
On 11/12/20 7:50 AM, Jonathan Billings wrote:> On Thu, Nov 12, 2020 at 12:56:15PM +0000, Bernstein, Noam CIV USN NRL (6393) Washington DC (USA) via CentOS wrote: >> If the point is to access a specific web site only the remote >> machine can get to, you can also do it with port forwarding: >> ssh -L 8000:ip_of_web_site_to_access_from_remote:443 remote_machine >> and then locally run any browser, and access >> localhost:443 >> (assuming it's https. If it's plain http, use "http" and 80). Note >> that you'll be breaking some aspects of https security such as >> man-in-the-middle protection and perhaps others, and you'll need to >> accept some security exceptions. >> >> This will be useful if the point is to get to a web site only only >> the remote machine can connect to, but all the browser code/plugins >> will be the local ones. > If this is actually something you want to do with regularity, I > suggest using the SSH SOCKS proxy (with the DynamicForward port), and > configure Firefox to use the localhost:port as a SOCKS5 proxy. Then > all traffic in firefox will be routed over the ssh connection. It > won't break SNI and for the most part, everything will work in firefox > as if you were connecting from the remote side of the connection. > > It works with yum and dnf too, where you can use RemoteForward to set > up a proxy port on the remote side, set the 'proxy' settings in the > configuration, and all yum/dnf traffic will go over the established > SSH connection. Why would you do this? Well, if you've got a system > that's sitting inside a private, not NAT'd network and your > workstation/jumphost has a VPN enabled but you don't have it enabled > on the remote side, you can update a system without doing a lot of > complicated network magic. Now imagine using Ansible to do this, > which is already setting up SSH sessions... >Sounds interesting, can you point me to any examples / how to's to set this up? Thanks