Sharing https 443 port for apache ssl and ssh server
Hi everybody
Question for some apache/iptables gurus...
I want to establish an ssh tunnel to my server.
The ssh port has to be 443 because it's the only one which is opened from the outside (more or less..)
There is already an apache ssl running, so, also on port 443. And this port should not change, again it's the only one allowed.
So I know how to do both of these separately. But I need both at the same time...
My first idea is to use iptables on the server to do port forwarding based on pattern matching:
For a normal https connection, the "Host" part of the HTTP(/S) protocol will contain the real servername (www.my.com).
For a tunneled connection, the local part of the tunnel would set the "Host" part of the HTTP(/S) protocol to tunnel.my.com.
In both cases, the IP address in the packets will be the same (I'm not maintaining my DNS).
On the server, when iptables detects HTTP protocol which contains "Host: tunnel.my.com" it would forward it to 444 where my ssh tunnel would in fact be.
Does that make sense? Is there an easier way? After 5 minutes of searching, I didn't find interesting stuff on google for this, just came up with this idea. People basically say it's not possible. Impossible is not part of my language.
Set up a virtual nic via ifconfig eth0:0 <ip_address> and assign it an ip address. Then have the ssh server listen on eth0's IP address and apache listen on eth0:0's IP address. Seems like that would be the easiest solution. Of course, you would want to script the alias so you can have it after you reboot.
Last edited by penfoldTHIS; 06-12-2008 at 04:20 PM.
Quote: Originally Posted by penfoldTHIS
Set up a virtual nic via ifconfig eth0:0 <ip_address> and assign it an ip address. Then have the ssh server listen on eth0's IP address and apache listen on eth0:0's IP address. Seems like that would be the easiest solution. Of course, you would want to script the alias so you can have it after you reboot.
I don't see how this would catch two different protocols at a single external port. nx5000's own suggestion sounds like the right way to me. I would be interested in such a solution as well. However, I lack the technical skills to manipulate iptables.
Quote:
I don't see how this would catch two different protocols at a single external port. nx5000's own suggestion sounds like the right way to me. I would be interested in such a solution as well. However, I lack the technical skills to manipulate iptables.
Because you would have the DNS for https point to IP1 and ssh to IP2.
"--port-share host port
When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh."
I guess it is possible to use openvpn over port 443, and then have the openvpn server redirect all non-openvpn traffic, including any HTTPS traffic, to another port, e.g. 444. In that case you could "tunnel" SSH through the openvpn connection at port 443. Note that openvpn also enables SSH sessions directly over the tunnel interface, which openvpn creates anyway. The use of openvpn would obviously reduce performance.
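Both the original idea (route on what the client sends) and the OpenVPN --port-share quote above describe the same mechanism: a small front-end on 443 that looks at the first bytes of each connection and proxies it to the right daemon. The bytes that are actually visible on the wire are not the HTTP Host header, which sits inside the TLS stream, but the SSH identification string ("SSH-2.0-...") or the TLS record header of a ClientHello (0x16 0x03 0x0N). The script below, an added example and not code from the thread or from OpenVPN or sslh, implements that demultiplexer with asyncio. It assumes sshd stays on 127.0.0.1:22, Apache's SSL vhost is moved to 127.0.0.1:444 (both assumptions, not from the thread), and the front-end itself takes 0.0.0.0:443. A client that sends nothing within the probe timeout is treated as SSH, since some SSH clients wait for the server banner first; bytes that look like neither protocol are dropped rather than guessed at.

```python
"""Protocol demultiplexer for one TCP port (added example, not from the thread).

Accepts on 443, peeks at the first bytes the client sends, and hands the
connection to sshd or to Apache, which are assumed to listen on loopback
ports 22 and 444.  The same idea is what sslh and OpenVPN --port-share do.
"""
import asyncio

# Assumed layout: sshd on 127.0.0.1:22, Apache SSL moved to 127.0.0.1:444.
LISTEN = ("0.0.0.0", 443)
SSH_BACKEND = ("127.0.0.1", 22)
HTTPS_BACKEND = ("127.0.0.1", 444)
PROBE_TIMEOUT = 2.0   # seconds to wait for the client's first bytes
PROBE_BYTES = 16      # enough to recognise either protocol


def classify(first: bytes) -> str:
    """Classify a connection from the first bytes the client sent.

    An SSH client announces itself with an identification string such as
    b"SSH-2.0-OpenSSH_9.6\\r\\n".  A TLS client starts with a record header:
    content type 0x16 (handshake) followed by a 0x03 0x0N version.  Nothing
    inside the TLS stream (the HTTP Host header included) is visible here.
    """
    if first.startswith(b"SSH-"):
        return "ssh"
    if (len(first) >= 3 and first[0] == 0x16
            and first[1] == 0x03 and first[2] <= 0x04):
        return "tls"
    return "unknown"


def route(first: bytes, timed_out: bool):
    """Pick a backend (host, port), or None to drop the connection."""
    if timed_out and not first:
        return SSH_BACKEND            # silent client: SSH waiting for our banner
    kind = classify(first)
    if kind == "ssh":
        return SSH_BACKEND
    if kind == "tls":
        return HTTPS_BACKEND
    return None                       # garbage or plain HTTP on 443: drop it


async def pump(reader, writer):
    """Copy bytes one way until EOF, then close the writing side."""
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def handle(client_reader, client_writer):
    first, timed_out = b"", False
    try:
        first = await asyncio.wait_for(client_reader.read(PROBE_BYTES), PROBE_TIMEOUT)
    except asyncio.TimeoutError:
        timed_out = True
    backend = route(first, timed_out)
    if backend is None:
        client_writer.close()
        return
    try:
        backend_reader, backend_writer = await asyncio.open_connection(*backend)
    except OSError:
        client_writer.close()         # backend down: fail closed
        return
    backend_writer.write(first)       # replay the bytes consumed while probing
    await backend_writer.drain()
    await asyncio.gather(pump(client_reader, backend_writer),
                         pump(backend_reader, client_writer))


async def main():
    server = await asyncio.start_server(handle, *LISTEN)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())   # needs root or CAP_NET_BIND_SERVICE for port 443
```

With this in front, the client side is just `ssh -p 443 user@www.my.com` (add `-D` or `-L` for the tunnel). Two caveats: Apache and sshd now see 127.0.0.1 as the peer address, so access controls and logs keyed on the client IP need the PROXY protocol or mod_remoteip style support, which this example does not provide; and the front-end is reachable by anyone, so sshd should keep its own hardening (key-only auth, no root login) rather than relying on the port being "hidden".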
Please excuse my ignorance, but do you mean by using different FQDNs?
Can you give me a pointer to an explanation? I have googled a bit, but I could not find anything.
Thanks!
Maybe, but a physical NIC can have more than one IP, say 1.2.3.4 and 1.2.3.5. Your nameserver could point all www requests to 1.2.3.4 (including https) and you could ssh to 1.2.3.5. Of course you could define ssh.yourdomain.com to point to 1.2.3.5 and ssh to that.
Aliases won't work if the OP cannot create an additional port forward in the perimeter firewall. External clients don't get to choose which LAN address a router selects.