LinuxQuestions.org

SSHvnc, tightVNC, SSH, and apache (https://www.linuxquestions.org/questions/linux-software-2/sshvnc-tightvnc-ssh-and-apache-120713/)

Apollo77 11-28-2003 08:53 AM

SSHvnc, tightVNC, SSH, and apache
 
I want to access a KDE desktop session on a server at my home office from an external location. Server runs RH 8.0, Apache 2.0.40, SSH, and TightVNC. My firewall at the home office only has one open port (port 443). Apache is configured with multiple virtual hosts which I can access via SSL (trust me, you can configure apache to run multiple SSL virtual hosts as long as you only allow SSL access. If you want to allow non-SSL access also, then I think you can only have one SSL virtual host ... but that's another thread).

I am at a client site behind a corporate firewall/proxy that only allows me
to get out on standard ports (80, 443, etc). I have a virtual host set up on
my home office server that serves me an SSHvnc applet. SSHvnc is an applet-based VNC and SSH client. Essentially, it's the same as tunnelling VNC through SSH, except the VNC and SSH clients are in an applet, so you don't need to install anything on the remote machine -- you just need a Java-enabled browser (very cool).

This whole setup works just great inside my home office LAN where no firewall blocks any of the ports on my server box.

My question: SSH at my home office runs on the standard SSH port (22). I only want to have one port (443) open on my home office LAN firewall. I'm already successfully running apache on port 443 with several SSL virtual hosts. If I set up another virtual host called "ssh.myhomeoffice.com" is there a way to have apache re-direct traffic to ssh.myhomeoffice.com:443 (my SSH traffic) to port 22 (my SSH port)? My goal is to have both https traffic AND my SSH traffic hitting my server on the same port (443) via two different virtual hosts. I want to avoid opening up a second port for SSH traffic, if possible. Can it be done?

Thanks!
Apollo

Apollo77 11-28-2003 09:17 AM

I guess that rather long-winded question boils down to this:

Can I configure apache to accept SSH traffic on the regular http port and redirect it to the SSH port ? If so, can this be done via a virtual host (ie. "ssh.myhomeoffice.com") with apache still accepting regular http traffic at other virtual hosts (ie. "www.myhomeoffice.com")? If so, how?

Thanks!
Apollo

yowi 11-28-2003 10:18 AM

Why are you so set on having only one port open? Why not just open port 22?

Apollo77 11-28-2003 10:30 AM

Corporate firewall blocks outbound port 22 traffic. Fine, so I could just change the SSH port on the home office server to 80 and use port 80 for SSH traffic. Yes, that would work. In fact, that is plan B.

Reasons why I'd prefer to use just one port:

1) Security -- the fewer ports you have open the better (particularly if they're going to be common ports like 80 and 443).

2) I want to keep as low a profile as possible. I'd rather all my traffic used just one port.

3) Learning and the challenge of doing it with one port.

Any other suggestions?

yowi 11-28-2003 11:07 AM

My bet is you will need two ports. Can't see how Apache is going to redirect to another port - you've reached the application layer by then.
Just configure your firewall to drop everything that hasn't come from the corporate firewall's IP (I presume they are NAT'ing), and only allow the relevant ports from there after that.
That way you'll be invisible to the rest of the 'net and still pretty damn tight as you appear to the corp side of things.

Apollo77 11-28-2003 11:27 AM

Thanks yowi.

As you suggest, I will use two ports and configure my home office firewall to drop everything not from the corporate IP address. Actually, I work at different locations so it will be a pain to keep several IP addresses open to the two ports. I'd prefer not to filter by IP address. On the other hand, it's more secure that way.

I guess I am holding onto hope that apache can do something that it cannot. However, if by chance someone knows if apache can do what I need -- redirect SSH traffic arriving at one virtual host (on the http port) to another port (SSH port), then please post a response.

Thanks,
Apollo

Apollo77 12-01-2003 11:48 AM

Ok, so I have configured everything with port 80 handling SSH. On the home office LAN everything works fine. Now I am bumping into some problem with the proxy when I try to establish an SSH connection on port 80 with my home office sshd server from behind the corporate firewall.

When I use Mindterm applet as my ssh client I get this message:
"Error connecting to ssh.myhomeoffice.com,
reason: -> cannot connect to "proxy.behind-corp-firewall.com".

When I use Putty (a wintendo SSH client) I get:
"Proxy error: 403 Proxy denies fulfilling the request".

I wondered if I need to provide proxy authentication details (username and password?), but I am not aware of these being sent when I browse with Netscape (http and https) using this proxy. Netscape works just fine.

I've got the proxy port correct (8080) so it's not that. Can the proxy somehow detect that the traffic is not http or https? Any ideas what is wrong?

Apollo

Apollo77 12-01-2003 11:54 AM

Oh, I should probably mention, I abandoned SSHvnc because some java problem was occurring -- sshvnc applet wasn't loading properly. Mindterm applet seems to work just fine as an ssh client and I'm keeping my fingers crossed that the standard TightVNC applet will work through an SSH tunnel once I get the SSH/proxy problem solved.

So, anyone have any suggestions what's causing my SSH/proxy problem?

yowi 12-01-2003 12:32 PM

Just had a thought.
Set up an ssh tunnel and run all your traffic through that...

Apollo77 12-01-2003 12:43 PM

Yes. That's exactly what I'm trying. Sorry, I should have explained better my shift in strategy.

I'm just having this proxy issue that I cannot figure out. I cannot establish the tunnel or even a regular SSH connection. For some reason the proxy is blocking my SSH traffic on port 80, but allows http traffic (SSL and non-SSL) on both 443 and 80. Why? I cannot figure it out.

stickman 12-01-2003 12:55 PM

Are you sure that the proxy and firewall are only doing port level blocking? It appears that they may also be doing content filtering. Some proxies/firewalls are smart enough to make a reasonable guess as to whether http packets are real http traffic.

Are you sure that your port 80 traffic is being passed to an ssh daemon and not an instance of Apache?
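An added example (not stickman's code, and not anything from the thread) of the kind of check a content-aware proxy can apply: it classifies the first bytes a client sends and only relays what looks like the protocol expected on that port, so an SSH identification string arriving on port 80 is refused even though port 80 itself is allowed. The hostnames and the sample segments are constructed for illustration.

```python
# Added example, not code from the thread: classify the first segment of a
# client stream the way a content-inspecting proxy can, so that SSH is told
# apart from real HTTP or a TLS handshake regardless of the destination port.
import re

# RFC 4253: the SSH client sends "SSH-protoversion-softwareversion" CR LF
# first, so the identification string is in the very first bytes a proxy sees.
SSH_BANNER = re.compile(rb"^SSH-(?:2\.0|1\.99|1\.5)-[^\r\n ]+")
HTTP_REQUEST_LINE = re.compile(
    rb"^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r?\n")


def classify_stream_start(data: bytes) -> str:
    """Label the first client segment as 'ssh', 'http', 'tls' or 'unknown'."""
    if SSH_BANNER.match(data):
        return "ssh"
    if HTTP_REQUEST_LINE.match(data):
        return "http"
    # TLS record header: content type 22 (handshake), version 3.x, 2-byte
    # length, then handshake type 1 (ClientHello) as the first body byte.
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == 0x01):
        return "tls"
    return "unknown"


def proxy_decision(dst_port: int, data: bytes) -> str:
    """Policy of a content-aware proxy: relay only the protocol expected on the port."""
    kind = classify_stream_start(data)
    if dst_port == 80 and kind == "http":
        return "200 relay"
    if dst_port == 443 and kind == "tls":
        return "200 relay"
    return "403 Forbidden"  # e.g. an SSH banner on port 80 is refused


# Constructed sample first segments (hostnames are the thread's placeholders).
SAMPLES = {
    ("ssh.myhomeoffice.com", 80): b"SSH-2.0-OpenSSH_3.5p1\r\n",
    ("www.myhomeoffice.com", 80): b"GET /index.html HTTP/1.1\r\nHost: www.myhomeoffice.com\r\n\r\n",
    ("www.myhomeoffice.com", 443): bytes.fromhex("160301002a010000260301"),  # ClientHello start
    ("ssh.myhomeoffice.com", 443): b"SSH-2.0-OpenSSH_3.5p1\r\n",
}

if __name__ == "__main__":
    for (host, port), first_bytes in SAMPLES.items():
        kind = classify_stream_start(first_bytes)
        print(f"{host}:{port:<4} {kind:8} -> {proxy_decision(port, first_bytes)}")
```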

Apollo77 12-01-2003 01:25 PM

Good suggestions.

I have apache listening only on port 443 and not on port 80. I have sshd listening on port 80 instead of 22. I know apache and sshd are configured fine because inside my home LAN this setup works. I can tunnel TightVNC via SSH successfully. (Incidentally, if anyone is trying to do this using TightVNC's applet, you need 2 SSH tunnels, not one. I pulled all my hair out before I figured this out. One tunnel on port 580x for regular traffic, and another tunnel on port 590x to handle login/connection data).

Your thought about smart proxies/firewalls is interesting. That could be it. I suppose an SSL tunnel would be the answer. I looked into this briefly, but I couldn't seem to find a good solution that would run on Linux. If you read back in this thread, I was originally hoping the solution would lie with apache, but that's probably not going to happen. Laplink has some product (maybe "LaplinkSSL??") that appeared to be close to what I needed, but it is commercial and non-linux (I think). I would be grateful for other suggestions if anyone has any.

Apollo

PS. It always amazes me that people with no stake in the problem I am trying to solve are willing to help. Your input is very very much appreciated.

Apollo77 12-01-2003 08:08 PM

Ok, so I've done a little more research. It seems that proxies typically will handle http (and maybe ftp) traffic, but often not anything else (like ssh). This may be the solution I need:

http://www.realvnc.com/pipermail/vnc...ch/037733.html

This solution uses stunnel and bouncer. I don't quite understand how this works yet, but I will.

Can anyone point me to bouncer? The common location that seems to be out there is dead (http://www.r00t3d.org.uk/).

yowi 12-02-2003 09:08 AM

Check out the Firewall piercing How-To at TLDP.org
I think you'll find a few other relevant pieces there as well.

stickman 12-02-2003 01:14 PM

If they are a client, why not just work with their tech folks to get the needed access? You may get more than you bargained for if they find out you are trying to circumvent their corporate security policy.

