Hi everybody

Question for some apache/iptables/gurus..

I want to establish an ssh tunnel to my server.
The ssh port has to be 443 because it's the only one which is opened from the outside (more or less..)
There is already an apache ssl running, so, also on port 443. And this port should not change, again it's the only one allowed.

So I know how to do both of that seperatly. But I need both at the same time...

My first idea is to use iptables on the server to do port forwarding based on pattern matching:

For a normal https connection, the "Host" part of the HTTP(/S) protocol will contain the real servername (www.my.com).
For a tunneled connection, the local part of the tunnel would set the "Host" part of the HTTP(/S) protocol to tunnel.my.com.
In both case, the IP adress in the packets will be the same (I'm not maintaining my DNS)
On the server, when iptables detects HTTP protocol which contain the "Host:tunnel.my.com" it would forward it to 444 where my ssh tunnel would in fact be.

Does that make sense? Is there an easier way? After 5mn of searching, I didn't find interesting stuffs on google for this, just came up with this idea. People basically say it's not possible. Impossible is not part of my language

I'm sure others have done this before

Thanks!

Set up a virtual nic via ifconfig eth0:0 <ip_address> and assign it an ip address. Then have the ssh server listen on eth0's IP address and apache listen on eth0:0's IP address. Seems like that would be the easiest solution. Of course, you would want to script the alias so you can have it after you reboot.

I don't see how this would catch two different protocols at a single external port. nx5000's own suggestion sounds like the right way to me. I would interested in such a solution as well. However, I lack the technical skills to manipulate iptables.

Because you would have the DNS for https point to IP1 and ssh to IP2.

Please excuse my ignorance, but do you mean by using different FQDNs?

Can you give me a pointer to an explanation? I have googled a bit, but I could not find anything.

Thanks!

A bit more googling brought me to this interesting link: http://openvpn.net/index.php/documen...penvpn-21.html

"--port-share host port
When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh."

I guess it is possible use openvpn over port 443, and then have the openvpn server redirect all non-openvpn traffic, including any HTTPS traffic, to another port, e.g 444. In that case you could "tunnel" SSH through the openvpn connection at port 443. Note that openvpn also enables SSH sessions directly over the tunnel interface, which openvpn creates anyway. The use of openvpn would obviously reduce performance.

Maybe, but a physical NIC can have more than one IP, say 1.2.3.4 and 1.2.3.5. Your nameserver could point all www requests to 1.2.3.4 (including https) and you could ssh to 1.2.3.5. Of course you could define ssh.yourdomain.com to point to 1.2.3.5 and ssh to that.

Google something like ifconfig alias

First hit on http://www.google.com/linux?hl=en&q=...as&btnG=Search is http://home.pacific.net.sg/~harish/linuxipalias.html for example

Aliases won't work if the OP cannot create an additional port forward in the perimeter firewall. External clients don't get to choose which LAN address a router selects.

http://search.cpan.org/~book/Net-Proxy-0.08/script/sslh
seems to do the trick, has anybody tested yet ?

identical soft in C :
http://www.rutschle.net/tech/sslh.shtml