On Thu, Nov 12, 2020 at 12:56:15PM +0000, Bernstein, Noam CIV USN NRL (6393) Washington DC (USA) via CentOS wrote:
>
> If the point is to access a specific web site only the remote
> machine can get to, you can also do it with port forwarding:
>     ssh -L 8000:ip_of_web_site_to_access_from_remote:443 remote_machine
> and then locally run any browser, and access
>     https://localhost:443
> (assuming it's https. If it's plain http, use "http" and 80). Note
> that you'll be breaking some aspects of https security such as
> man-in-the-middle protection and perhaps others, and you'll need to
> accept some security exceptions.
>
> This will be useful if the point is to get to a web site only
> the remote machine can connect to, but all the browser code/plugins
> will be the local ones.

If this is actually something you want to do with regularity, I
suggest using the SSH SOCKS proxy (with the DynamicForward port), and
configure Firefox to use the localhost:port as a SOCKS5 proxy. Then
all traffic in Firefox will be routed over the ssh connection. It
won't break SNI and for the most part, everything will work in Firefox
as if you were connecting from the remote side of the connection.

It works with yum and dnf too, where you can use RemoteForward to set
up a proxy port on the remote side, set the 'proxy' settings in the
configuration, and all yum/dnf traffic will go over the established
SSH connection.

Why would you do this? Well, if you've got a system that's sitting
inside a private, not NAT'd network and your workstation/jumphost has
a VPN enabled but you don't have it enabled on the remote side, you
can update a system without doing a lot of complicated network magic.

Now imagine using Ansible to do this, which is already setting up SSH
sessions...

-- 
Jonathan Billings <billings at negate.org>
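
The two setups described in the reply above, written out as an ssh_config example that is added here and is not part of the original message. The host aliases, `inner-host.example`, port 1080, and the use of a `socks5h://` proxy URL in dnf.conf are assumptions for illustration.

```sshconfig
# ~/.ssh/config on the workstation (added example; names and ports are assumed)

# Browser case: local SOCKS5 listener, traffic leaves from remote_machine.
Host web-via-remote
    HostName remote_machine
    # Bind to loopback only, so other hosts on the LAN cannot use the proxy.
    DynamicForward 127.0.0.1:1080
    # Abort instead of running without the forward if the port is taken.
    ExitOnForwardFailure yes

# Matching Firefox preferences (about:config):
#   network.proxy.type             = 1
#   network.proxy.socks            = 127.0.0.1
#   network.proxy.socks_port       = 1080
#   network.proxy.socks_version    = 5
#   network.proxy.socks_remote_dns = true
# socks_remote_dns sends host names through the tunnel, so names that
# only resolve on the remote side work and lookups do not leak locally.

# yum/dnf case: the listener is opened on the remote host and traffic
# leaves from the workstation (which has the VPN).
Host update-inner
    HostName inner-host.example
    # With no destination argument, the ssh client serves this remote
    # listener as a SOCKS proxy (needs an OpenSSH 7.6 or later client).
    RemoteForward 127.0.0.1:1080
    ExitOnForwardFailure yes

# On the remote host, for the duration of the session (assumed syntax,
# in /etc/dnf/dnf.conf or /etc/yum.conf under [main]):
#   proxy=socks5h://127.0.0.1:1080
#
# The remote listener is reachable by every local user on that host
# while the session is open, so close the session when the update is
# done and remove the proxy line afterwards.
```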