Diagnosis
Connection refused
means curl
was not able to connect to whatever it tried to connect to. In your case it tried to connect to your (local) SSH client, unless you did something wrong with /etc/hosts
and curl
actually tried to connect to the real (or fake-but-wrong) <firewalled-box>
.
I assume curl
tried to connect to your SSH client. It seems your ssh
was not listening or the communication was blocked.
How do I know the problem is between curl
and your ssh
, not (or at least not yet) between the SSH server and <firewalled-box>
?
It's about how port forwarding with SSH works. In case of local forwarding a connection to SSH client needs to be established before the SSH server tries to connect to the target machine. If the latter connection fails then the former will be terminated. But because the former connection has already been established in the first place, the connecting process (curl
in your case) will print something like Connection reset by peer
, certainly not Connection refused
.
In your case Connection refused
indicates the connection initiated by curl
couldn't be established.
Solution
The problem may be because non-privileged users cannot listen on ports lower than 1024
. If you run ssh -L …
and the port cannot be used, some ssh
implementations will refuse to connect to the SSH server at all, but some will only print a warning and connect anyway. The warning might pass unnoticed if <bastion>
cleared the console or printed a long welcome message.
Use -o ExitOnForwardFailure=yes
to be sure your ssh
listens upon connection.
If low port number is the culprit then running ssh
as root will help, although I don't recommend running ssh
as root.
Maybe all you need is to use a higher number locally, like -L 1443:<firewalled-box>:443
. Then curl
should connect to https://<firewalled-box>:1443/…
.
Note formally <firewalled-box>
in -L
should be a name/address understood by the <bastion>
machine, while <firewalled-box>
in curl
invocation should be understood by your local machine (thanks to the modified /etc/hosts
).
Alternative
I suggest dynamic port forwarding, SOCKS.
- Remove
127.0.0.1 <firewalled-box>
from your /etc/hosts
.
- Invoke
ssh -ND 7654 me@<bastion>
.
- Run
curl
with -x socks5://localhost:7654
. If you use <firewalled-box>
in the address passed to curl
, it will have to resolve locally to an IP address valid remotely; so possibly you will need to modify /etc/hosts
anyway.
More details about -D
in this answer of mine.
netstat -ntlup | grep <portnum>
to verify the tunnel is connected and your local port is in a listening state on the address you expect it to be. There is also a question about your httpd and TLS and firewall configuration on the remote target. lots of places this could go wrong. confirm that the site loads via 127.0.0.1 on the target box to confirm its working. also do you have a proxy server in play? good luck.ssh
as a normal user? Because you cannot bind to port 443 unless you are root.