
feat: HTTP/1.1 authentication before SSH tunnel #9

Open
coolaj86 wants to merge 1 commit into main from feat/http-auth-ssh

Conversation

coolaj86 (Contributor) commented May 1, 2026

Summary

  • Add --http-auth <url> flag to authenticate via HTTP/1.1 over TLS before establishing the SSH tunnel
  • Add --auth-token <token> flag to send a Bearer token in the Authorization header
  • Token can also be embedded in the auth URL as token=xxx (e.g., proxy.example.com/auth?token=mysecret)

How it works

  1. When --http-auth is set, each connection first establishes a TLS connection with http/1.1 ALPN
  2. An HTTP GET request is sent to the auth URL with a Bearer token (if provided)
  3. If authentication succeeds (HTTP 2xx), that connection is closed
  4. A second TLS connection is then established with ssh ALPN for the actual SSH tunnel

Usage examples

# Token via separate flag
sclient --http-auth proxy.example.com/auth --auth-token mysecret example.com:22 localhost:2222

# Token embedded in URL
sclient --http-auth proxy.example.com/auth?token=mysecret example.com:22 localhost:2222

# With custom ALPN protocols for the SSH connection
sclient --http-auth proxy.example.com/auth --auth-token mysecret --alpn ssh example.com:22 localhost:2222

Files changed

  • sclient.go - Added HttpAuthURL, AuthToken fields to Tunnel struct; added httpAuth() method; updated handleConnection() and test connection logic
  • cmd/sclient/main.go - Added --http-auth and --auth-token CLI flags

coolaj86 force-pushed the feat/http-auth-ssh branch from 2143eee to bbd0fee on May 1, 2026 05:53
Add --http-auth and --auth-token flags to perform HTTP authentication
over TLS (with http/1.1 ALPN) before establishing the SSH tunnel.

Add --http-upgrade flag to use HTTP Upgrade header mechanism, allowing
the proxy to hijack/switch the connection to SSH on the same TLS
connection (similar to WebSocket upgrade but without websockets).

Two modes:
- Without --http-upgrade: Auth connection is closed after auth, then a
  second TLS+SSH connection is established (two connections)
- With --http-upgrade <proto>: After auth, if proxy responds with 101
  Switching Protocols + Upgrade: <proto>, the same connection is used
  for SSH (single connection, protocol switch)

No changes to existing behavior when --http-auth is not used.
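The two-phase exchange described in the PR summary and in the commit message above (an HTTP/1.1 GET carrying a Bearer token, then either a fresh TLS connection with ssh ALPN after a 2xx, or continuing on the same connection after 101 Switching Protocols with a matching Upgrade header), as an added Go example. This is not sclient's code and does not reproduce its httpAuth() method. Assumptions: the exchange runs over an in-memory net.Pipe against a constructed fakeProxy that stands in for the proxy's auth endpoint (the real client would instead dial TLS with tls.Config{NextProtos: []string{"http/1.1"}} for the auth phase and {"ssh"} for the tunnel, as the PR describes); a token embedded as token= in the URL is also mirrored into the Authorization header; the SSH-2.0-fakeproxy banner and the helper names parseAuthTarget, httpAuth, fakeProxy and exchange are made up for this example.

```go
package main

import (
	"bufio"
	"crypto/subtle"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// parseAuthTarget turns "host/path?token=x" into an https URL; an explicit flag token wins, else token= from the query is used.
func parseAuthTarget(authURL, flagToken string) (*url.URL, string, error) {
	if strings.Contains(authURL, "://") && !strings.HasPrefix(authURL, "https://") {
		return nil, "", fmt.Errorf("auth URL must be https: %q", authURL) // the token must only ever travel inside TLS
	}
	u, err := url.Parse("https://" + strings.TrimPrefix(authURL, "https://"))
	if err != nil {
		return nil, "", err
	}
	if flagToken == "" {
		flagToken = u.Query().Get("token")
	}
	return u, flagToken, nil
}

// httpAuth sends GET with "Authorization: Bearer <token>" over conn and returns the status, whether the
// proxy switched to `upgrade` (101), and the reader to keep using: on a switch the first SSH bytes may already be buffered in it.
func httpAuth(conn io.ReadWriter, u *url.URL, token, upgrade string) (int, bool, *bufio.Reader, error) {
	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return 0, false, nil, err
	}
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	if upgrade != "" {
		req.Header.Set("Connection", "Upgrade")
		req.Header.Set("Upgrade", upgrade)
	}
	if err = req.Write(conn); err != nil {
		return 0, false, nil, err
	}
	br := bufio.NewReader(conn)
	resp, err := http.ReadResponse(br, req)
	if err != nil {
		return 0, false, nil, err
	}
	// A 101 counts as a switch only if the proxy names the protocol we asked for.
	upgraded := upgrade != "" && resp.StatusCode == http.StatusSwitchingProtocols &&
		strings.EqualFold(resp.Header.Get("Upgrade"), upgrade)
	if !upgraded { // two-connection mode: drain; the caller closes and redials with "ssh" ALPN
		io.Copy(io.Discard, resp.Body)
		resp.Body.Close()
	}
	return resp.StatusCode, upgraded, br, nil
}

// fakeProxy is a constructed stand-in for the proxy's auth endpoint: 401 on a bad token, 101 plus a made-up SSH banner on "Upgrade: ssh", else 200.
func fakeProxy(conn net.Conn, validToken string) {
	defer conn.Close()
	req, err := http.ReadRequest(bufio.NewReader(conn))
	if err != nil {
		return
	}
	switch {
	case subtle.ConstantTimeCompare([]byte(strings.TrimPrefix(req.Header.Get("Authorization"), "Bearer ")), []byte(validToken)) != 1:
		io.WriteString(conn, "HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n\r\n")
	case req.Header.Get("Upgrade") == "ssh":
		io.WriteString(conn, "HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\nUpgrade: ssh\r\n\r\nSSH-2.0-fakeproxy\r\n")
	default:
		io.WriteString(conn, "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
	}
}

// exchange runs one client/proxy round trip over an in-memory pipe and, on an upgrade, returns the first SSH line from that same connection.
func exchange(authURL, flagToken, validToken, upgrade string) (int, bool, string, error) {
	u, token, err := parseAuthTarget(authURL, flagToken)
	if err != nil {
		return 0, false, "", err
	}
	client, server := net.Pipe()
	defer client.Close()
	go fakeProxy(server, validToken)
	status, upgraded, br, err := httpAuth(client, u, token, upgrade)
	if err != nil || !upgraded {
		return status, false, "", err
	}
	line, err := br.ReadString('\n')
	return status, true, strings.TrimSpace(line), err
}

func main() {
	fmt.Println(exchange("proxy.example.com/auth", "mysecret", "mysecret", ""))
	fmt.Println(exchange("proxy.example.com/auth?token=mysecret", "", "mysecret", "ssh"))
}
```

Two details matter on the client side: a 101 is only honoured when the Upgrade header names the protocol that was requested, and after the switch the SSH layer must read from the returned bufio.Reader rather than the raw connection, or any SSH bytes the proxy sent right behind the headers are lost. On the proxy side the token comparison is constant-time. The token=... form in the URL is convenient but puts the secret into the request line, where proxy access logs and shell history tend to keep it; the --auth-token flag keeps it in the Authorization header only.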
coolaj86 force-pushed the feat/http-auth-ssh branch from bbd0fee to 01501f4 on May 1, 2026 05:56
