You can call us on +44 20 3337 3012 today to discuss your current challenges and how we can best help, or email us at help@hanscombe.net.
This guide details how SSHD can be set up behind a websocket proxied by NGINX.
Because the websocket is served only at a randomly generated path, the path acts as a shared secret: anything scanning port 443 sees an ordinary website and has no way to discover that SSHD sits behind it.
The path travels inside the TLS-encrypted HTTP request, so it cannot be recovered by intercepting traffic on the wire; only a party able to terminate the TLS session with a certificate the client trusts would see it.
Generate the path with openssl (20 random bytes, printed as 40 hex characters):
openssl rand -hex 20
The resulting path can be added to the NGINX configuration as an exact-match (=) location; every other path is served as a normal website:
server {
    listen 443 ssl;
    server_name www.yourdomain.com;
    index index.html;
    root /var/www/html;
    ssl_certificate /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;

    # Only this exact path is upgraded to a websocket and handed to Websockify.
    location = /1bd98b4dd919f9f54fe2492dcbe9ba9d73922aab {
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_pass http://127.0.0.1:1443;
        proxy_read_timeout 120s;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Upgrade $http_upgrade;
    }
}
Run Websockify on port 1443, bound to the loopback address and forwarding to SSHD:
/usr/bin/websockify 127.0.0.1:1443 127.0.0.1:22
Run SSHD on port 22, bound to the loopback address so that it is reachable only through NGINX (-o passes an sshd_config option on the command line; setting ListenAddress 127.0.0.1 in /etc/ssh/sshd_config is equivalent):
/usr/sbin/sshd -D -e -o ListenAddress=127.0.0.1 &
Connect to SSHD via the websocket; %h expands to the host name given on the command line, and the SSH protocol itself (host key verification, user authentication) runs unchanged inside the tunnel:
/usr/bin/ssh -o "ProxyCommand /usr/local/bin/websocat -b wss://%h/1bd98b4dd919f9f54fe2492dcbe9ba9d73922aab" \
www.yourdomain.com
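The steps above gathered into a small POSIX shell script that generates a fresh path, renders the matching NGINX location block and the client ProxyCommand for it, and rotates both in one step. This is an added example, not part of the original page; the function names, the include file /etc/nginx/sshws.conf and the default upstream 127.0.0.1:1443 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): generate a fresh secret path,
# render the NGINX location block and the client ProxyCommand for it, and
# rotate both in one step. Function names and the include file path
# /etc/nginx/sshws.conf are assumptions.
set -eu

# 40 hex characters (160 bits), the same as `openssl rand -hex 20`;
# falls back to /dev/urandom when openssl is not installed.
gen_ws_path() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 20
    else
        head -c 20 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
    fi
}

# Accept only exactly 40 lowercase hex characters, so a broken generator
# (empty output, an error message) can never end up in the config.
valid_ws_path() {
    case "$1" in
        ""|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Exact-match location for the path; everything else stays an ordinary site.
# $1 = path, $2 = Websockify address (default 127.0.0.1:1443).
render_location() {
    cat <<EOF
    location = /$1 {
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_pass http://${2:-127.0.0.1:1443};
        proxy_read_timeout 120s;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Upgrade \$http_upgrade;
    }
EOF
}

# The ssh_config line the client needs for the same path (%h = host name).
render_proxy_command() {
    printf 'ProxyCommand /usr/local/bin/websocat -b wss://%%h/%s\n' "$1"
}

# Rotate: write a new location file and print the matching client line.
# Assumes the server block contains `include /etc/nginx/sshws.conf;`
# (assumption); `nginx -s reload` must follow in a real deployment.
rotate_ws_path() {
    out=${1:-/etc/nginx/sshws.conf}
    new=$(gen_ws_path)
    valid_ws_path "$new" || { echo "generated path is malformed" >&2; return 1; }
    render_location "$new" > "$out"
    render_proxy_command "$new"
}

# Stand-alone run: show the rendered block for a freshly generated path.
demo_path=$(gen_ws_path)
render_location "$demo_path"
render_proxy_command "$demo_path"
```

The validity check matters more than it looks: if the generator ever produced an empty string, the rendered line would become `location = / { ... }` and hand the site root to Websockify. The same pair of render functions is what a secrets-management step would feed to the server and to each client, so both sides always derive from one generated value.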
We do not endorse the pattern described for organisations where VPN access would be more appropriate. It is provided only as a fragment of configuration which improves upon other solutions that forward entire endpoints to a websocket and are therefore discoverable through SNI, the server name sent in cleartext in the TLS ClientHello.
Here the secret is the request path, which sits inside the TLS-encrypted HTTP request rather than in the cleartext handshake, so the endpoint remains secret; the server name is still visible via SNI, but it reveals only an ordinary website.
This pattern is dependent on a secrets management solution which securely distributes the URL to both the NGINX server and the device connecting in.
Only port 443 should be exposed to inbound connections. Websockify and SSHD should be bound to localhost only, so that they are reachable solely through NGINX.
Websockify is normally available from distribution package repositories. Websocat may need to be built from source; supply-chain risk for both, as well as for SSHD and NGINX, should be tracked and managed.
Further consideration should be given to regular rotation of the websocket path, and to monitoring of inbound traffic to detect attack (the NGINX access log records every probe of a non-existent path, so probing is visible there).
Best-practice SSHD configuration (for example key-only authentication and no root login) is also necessary to provide defence in depth.
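A check for the exposure rule above (only 443 reachable, Websockify and SSHD on loopback), written as an added example that is not part of the original page. It reads `ss -ltnH` output from stdin; the sample listener lines embedded below are constructed for the example, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit listening sockets so that
# Websockify (1443) and sshd (22) are bound only to the loopback address.
# Input is `ss -ltnH` output; the sample lines below are constructed.
set -eu

# $@ = ports that must be loopback-only; stdin = `ss -ltnH` lines.
# Prints each offending socket and returns 1 if any is bound elsewhere.
check_local_only() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NF >= 4 {
            addr = $4                               # local address:port column
            port = addr; sub(/.*:/, "", port)       # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)   # text before it ([::1] stays intact)
            if ((port in want) && host != "127.0.0.1" && host != "[::1]") {
                bad = 1
                print "exposed listener: " addr
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample: the intended layout, loopback only for 22 and 1443.
sample_good() {
    printf '%s\n' \
        'LISTEN 0 511 0.0.0.0:443 0.0.0.0:*' \
        'LISTEN 0 511 [::]:443 [::]:*' \
        'LISTEN 0 128 127.0.0.1:1443 0.0.0.0:*' \
        'LISTEN 0 128 127.0.0.1:22 0.0.0.0:*'
}

# Constructed sample: sshd left on the wildcard address, which defeats the pattern.
sample_bad() {
    printf '%s\n' \
        'LISTEN 0 511 0.0.0.0:443 0.0.0.0:*' \
        'LISTEN 0 128 127.0.0.1:1443 0.0.0.0:*' \
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' \
        'LISTEN 0 128 [::]:22 [::]:*'
}

# On a live host run:  ss -ltnH | check_local_only 22 1443
sample_good | check_local_only 22 1443 && echo "sample_good: loopback-only, ok"
sample_bad  | check_local_only 22 1443 || echo "sample_bad: rejected as expected"
```

The check deliberately looks at the bound address rather than at firewall rules: an sshd on 0.0.0.0:22 behind a firewall still exposes the secret-path design to a single firewall mistake, whereas an sshd on 127.0.0.1 cannot be reached from outside regardless of packet filtering.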