LinuxQuestions.org
Old 06-12-2008, 04:25 AM   #1
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 52
Sharing https 443 port for apache ssl and ssh server


Hi everybody

Question for some apache/iptables/gurus..

I want to establish an ssh tunnel to my server.
The ssh port has to be 443 because it's the only one which is opened from the outside (more or less..)
There is already an apache ssl running, so, also on port 443. And this port should not change, again it's the only one allowed.

So I know how to do both of those separately. But I need both at the same time...

My first idea is to use iptables on the server to do port forwarding based on pattern matching:

For a normal https connection, the "Host" part of the HTTP(/S) protocol will contain the real servername (www.my.com).
For a tunneled connection, the local part of the tunnel would set the "Host" part of the HTTP(/S) protocol to tunnel.my.com.
In both cases, the IP address in the packets will be the same (I'm not maintaining my DNS).
On the server, when iptables detects HTTP protocol which contains the "Host:tunnel.my.com" it would forward it to 444 where my ssh tunnel would in fact be.

Does that make sense? Is there an easier way? After 5 min of searching, I didn't find interesting stuff on Google for this; I just came up with this idea. People basically say it's not possible. Impossible is not part of my language

I'm sure others have done this before

Thanks!

Last edited by nx5000; 06-12-2008 at 04:27 AM.
 
Old 06-12-2008, 04:19 PM   #2
penfoldTHIS
LQ Newbie
 
Registered: Mar 2006
Location: Arkansas,US
Distribution: Slackware 12.1
Posts: 7

Rep: Reputation: 0
Set up a virtual nic via ifconfig eth0:0 <ip_address> and assign it an ip address. Then have the ssh server listen on eth0's IP address and apache listen on eth0:0's IP address. Seems like that would be the easiest solution. Of course, you would want to script the alias so you can have it after you reboot.

Last edited by penfoldTHIS; 06-12-2008 at 04:20 PM.
 
Old 07-23-2008, 05:59 PM   #3
vansteen
LQ Newbie
 
Registered: Jul 2008
Posts: 7

Rep: Reputation: 0
Quote:
Originally Posted by penfoldTHIS View Post
Set up a virtual nic via ifconfig eth0:0 <ip_address> and assign it an ip address. Then have the ssh server listen on eth0's IP address and apache listen on eth0:0's IP address. Seems like that would be the easiest solution. Of course, you would want to script the alias so you can have it after you reboot.
I don't see how this would catch two different protocols at a single external port. nx5000's own suggestion sounds like the right way to me. I would be interested in such a solution as well. However, I lack the technical skills to manipulate iptables.
 
Old 07-23-2008, 06:03 PM   #4
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Quote:
Originally Posted by vansteen View Post
I don't see how this would catch two different protocols at a single external port. nx5000's own suggestion sounds like the right way to me. I would be interested in such a solution as well. However, I lack the technical skills to manipulate iptables.
Because you would have the DNS for https point to IP1 and ssh to IP2.
 
Old 07-23-2008, 07:19 PM   #5
vansteen
LQ Newbie
 
Registered: Jul 2008
Posts: 7

Rep: Reputation: 0
Quote:
Originally Posted by billymayday View Post
Because you would have the DNS for https point to IP1 and ssh to IP2.
Please excuse my ignorance, but do you mean by using different FQDNs?

Can you give me a pointer to an explanation? I have googled a bit, but I could not find anything.

Thanks!
 
Old 07-23-2008, 08:13 PM   #6
vansteen
LQ Newbie
 
Registered: Jul 2008
Posts: 7

Rep: Reputation: 0
A bit more googling brought me to this interesting link: http://openvpn.net/index.php/documen...penvpn-21.html

"--port-share host port
When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh."

I guess it is possible to use openvpn over port 443, and then have the openvpn server redirect all non-openvpn traffic, including any HTTPS traffic, to another port, e.g. 444. In that case you could "tunnel" SSH through the openvpn connection at port 443. Note that openvpn also enables SSH sessions directly over the tunnel interface, which openvpn creates anyway. The use of openvpn would obviously reduce performance.

Last edited by vansteen; 07-28-2008 at 07:22 AM.
 
Old 07-23-2008, 08:42 PM   #7
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Quote:
Originally Posted by vansteen View Post
Please excuse my ignorance, but do you mean by using different FQDNs?

Can you give me a pointer to an explanation? I have googled a bit, but I could not find anything.

Thanks!
Maybe, but a physical NIC can have more than one IP, say 1.2.3.4 and 1.2.3.5. Your nameserver could point all www requests to 1.2.3.4 (including https) and you could ssh to 1.2.3.5. Of course you could define ssh.yourdomain.com to point to 1.2.3.5 and ssh to that.

Google something like ifconfig alias

First hit on http://www.google.com/linux?hl=en&q=...as&btnG=Search is http://home.pacific.net.sg/~harish/linuxipalias.html for example
 
Old 07-23-2008, 09:59 PM   #8
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
Aliases won't work if the OP cannot create an additional port forward in the perimeter firewall. External clients don't get to choose which LAN address a router selects.
 
Old 09-02-2009, 06:19 AM   #9
nemo136
LQ Newbie
 
Registered: Mar 2008
Posts: 3

Rep: Reputation: 0
http://search.cpan.org/~book/Net-Proxy-0.08/script/sslh
seems to do the trick; has anybody tested it yet?

The same software in C:
http://www.rutschle.net/tech/sslh.shtml

Last edited by nemo136; 09-02-2009 at 09:23 AM.
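Added example (editor's note; this is not code from any poster, from sslh or from Net-Proxy). The iptables idea in post #1 cannot work as described, for two reasons a practitioner should know: the HTTP "Host" header travels inside the TLS session, so it is encrypted and invisible to netfilter, and a DNAT/REDIRECT decision is taken on the connection's first packet (the SYN), which carries no payload at all. What sslh (post #9) does instead is a user-space demultiplexer: it accepts the connection on 443, reads the client's first bytes, and hands the socket to sshd or to the web server depending on what those bytes look like. The script below demonstrates that technique with asyncio: most SSH clients open with an "SSH-" identification string, a TLS client opens with a ClientHello record (bytes 0x16 0x03 ..., handshake type 0x01), and a client that stays silent until the timeout is treated as an old SSH client waiting for the server banner, which is sslh's classic rule. It also reads the SNI from the ClientHello; SNI is sent in the clear and is the one equivalent of the "Host" header that a demux on 443 really can route on, so a TLS connection for tunnel.my.com can be sent to a different backend (the OP's port 444) than one for www.my.com. The backend addresses and ports, the tunnel.my.com hostname and the 8443 port for Apache are assumptions taken from the thread; build_client_hello constructs a minimal ClientHello purely as test input, not captured traffic.

```python
# sslh-style demultiplexer (added example, not sslh's code); backends and hostnames are assumptions.
import asyncio
from typing import Optional

BACKENDS = {                         # assumed local services, adjust to the real layout
    "ssh": ("127.0.0.1", 22),        # sshd stays on 22, reachable from outside only via the demux
    "https": ("127.0.0.1", 8443),    # Apache moved off 443 (Listen 127.0.0.1:8443)
    "tunnel": ("127.0.0.1", 444),    # the OP's "port 444" service, selected by SNI
}
TUNNEL_SNI = "tunnel.my.com"         # hostname from the thread, matched against the SNI
PEEK_TIMEOUT = 2.0                   # seconds to wait for the client's first bytes

def classify(head: bytes) -> str:
    """Return 'ssh', 'tls', 'http' or 'unknown' from the first bytes a client sent."""
    if head.startswith(b"SSH-"):                 # SSH identification string (RFC 4253)
        return "ssh"
    # TLS record: ContentType handshake (0x16), major version 0x03, 2-byte length, ClientHello (0x01)
    if len(head) >= 6 and head[0] == 0x16 and head[1] == 0x03 and head[5] == 0x01:
        return "tls"
    if head.split(b" ", 1)[0] in (b"GET", b"HEAD", b"POST", b"PUT", b"OPTIONS", b"CONNECT"):
        return "http"                            # plaintext HTTP sent to the TLS port
    return "unknown"

def parse_sni(head: bytes) -> Optional[str]:
    """Extract server_name from a TLS ClientHello; None if absent, malformed or truncated."""
    if classify(head) != "tls":
        return None
    try:
        p = 5 + 4 + 2 + 32                             # record hdr, handshake hdr, version, random
        p += 1 + head[p]                               # session_id
        p += 2 + int.from_bytes(head[p:p + 2], "big")  # cipher_suites
        p += 1 + head[p]                               # compression_methods
        ext_end = p + 2 + int.from_bytes(head[p:p + 2], "big")
        p += 2
        while p + 4 <= ext_end:
            etype = int.from_bytes(head[p:p + 2], "big")
            elen = int.from_bytes(head[p + 2:p + 4], "big")
            body = head[p + 4:p + 4 + elen]
            if len(body) < elen:
                return None                            # ClientHello cut short in our 4 KiB peek
            if etype == 0:                             # server_name: list len(2), type(1), len(2), name
                nlen = int.from_bytes(body[3:5], "big")
                name = body[5:5 + nlen]
                return name.decode("ascii") if nlen and len(name) == nlen else None
            p += 4 + elen
    except (IndexError, UnicodeDecodeError):
        pass
    return None

def route(head: bytes) -> str:
    """Pick a BACKENDS key; an empty head (silence until the timeout) is an SSH client waiting for our banner."""
    kind = classify(head)
    if kind == "ssh" or not head:
        return "ssh"
    if kind == "tls":
        return "tunnel" if parse_sni(head) == TUNNEL_SNI else "https"
    return "https"                                     # plain HTTP or junk: let Apache answer it

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with one SNI extension (test input, not captured)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name            # name_type host_name + name
    sni_list = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # extension type 0
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                     # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                      # one cipher suite, null compression
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

async def _pipe(reader, writer):
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle(client_r, client_w):
    try:
        head = await asyncio.wait_for(client_r.read(4096), PEEK_TIMEOUT)
    except asyncio.TimeoutError:
        head = b""
    host, port = BACKENDS[route(head)]
    try:
        backend_r, backend_w = await asyncio.open_connection(host, port)
    except OSError:
        client_w.close()
        return
    backend_w.write(head)                              # replay the bytes consumed while sniffing
    await backend_w.drain()
    await asyncio.gather(_pipe(client_r, backend_w), _pipe(backend_r, client_w))

async def main():
    server = await asyncio.start_server(handle, "0.0.0.0", 443)  # root or CAP_NET_BIND_SERVICE
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

To use it the way the thread wants, Apache's Listen directive moves to a localhost port and the demux takes 443; the perimeter firewall still only needs the one port forward that Mr. C. mentions in post #8. Two caveats carry over to real sslh as well: every backend now sees connections arriving from 127.0.0.1, so sshd's logs and anything like fail2ban lose the client's real address unless you use sslh's transparent mode (or proxy-protocol support in the backend), and the peek timeout is a trade-off, since a long one delays every old-style SSH client by that much while a short one risks misrouting a slow TLS client to sshd.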
 
All times are GMT -5. The time now is 07:01 PM.