Saturday, February 7, 2015

SSH Over HTTPS While Serving HTTPS WebSite

Hey, folks! I use this blog also as a placeholder for little tidbits of info I find out on the net. I stumbled across the following information for setting up an HTTPS proxy using Apache that allows a connection to a second port (e.g. for an SSH connection), while still allowing Apache to serve HTTPS requests on the same port:

http://blog.chmd.fr/ssh-over-ssl-a-quick-and-minimal-config.html

Since most who visit here are already familiar with Apache's HTTPD server, I won't go into all the gory details.  If there is an unanswered question, visit the above link.

First, make sure you have the proxy module loaded (mod_proxy, plus mod_proxy_connect, which handles CONNECT requests)! This is a must, or you will receive errors when starting. Next, open the SSL configuration that you want to allow the proxy on, and add the following:
    
    ProxyRequests On
    AllowConnect 139
    <Proxy *>
        Order deny,allow
        Deny from all
    </Proxy>
    <Proxy 127.0.0.1>
        Order deny,allow
        Allow from all
    </Proxy>
    
This essentially lets the client's CONNECT request tell Apache what you want to connect to, but limits it to only the localhost connection on port 139: AllowConnect restricts the port, and the two Proxy blocks deny every destination except 127.0.0.1. All other proxy requests (unless you've added more) will be denied. Make sure you test it. If it's failing to fire up for you, try doing it over an unencrypted (HTTP) connection instead (you will have to change the Apache configs for that), and watch what it is doing.
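One way to run that test from the client side, as an added example that is not part of the original post or of the linked article: it sends CONNECT requests for the permitted target and for a few constructed targets that must be refused, then reports any mismatch. The function names, the probe list and the use of example.com:443 as the proxy address are assumptions; pass tls=False to probe() when testing over plain HTTP.

```python
import socket
import ssl

# Policy the config above is meant to enforce: only 127.0.0.1:139 is reachable.
ALLOWED = ("127.0.0.1", 139)
# Constructed probe targets; everything except ALLOWED should be refused.
PROBES = [("127.0.0.1", 139), ("127.0.0.1", 22), ("127.0.0.1", 80), ("192.0.2.10", 139)]

def build_connect(host, port):
    """Return the raw CONNECT request a tunnel client sends to the proxy."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def parse_status(raw):
    """Extract the numeric status code from the proxy's first response line."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {line!r}")
    return int(parts[1])

def probe(proxy_host, proxy_port, host, port, tls=True, timeout=5):
    """Send one CONNECT through the proxy and return the status code."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        if tls:
            ctx = ssl.create_default_context()
            sock = ctx.wrap_socket(sock, server_hostname=proxy_host)
        sock.sendall(build_connect(host, port))
        return parse_status(sock.recv(4096))
    finally:
        sock.close()

def audit(results, allowed=ALLOWED):
    """Compare {(host, port): status} against the policy; return findings."""
    findings = []
    for (host, port), status in sorted(results.items()):
        accepted = 200 <= status < 300
        if accepted and (host, port) != allowed:
            findings.append(f"OPEN: {host}:{port} accepted ({status})")
        elif not accepted and (host, port) == allowed:
            findings.append(f"UNAVAILABLE: {host}:{port} answered {status}")
    return findings

if __name__ == "__main__":
    # example.com:443 is the placeholder proxy address used on this page.
    results = {t: probe("example.com", 443, *t) for t in PROBES}
    print("\n".join(audit(results)) or "proxy policy matches the config")
```

An OPEN finding means the proxy tunnels to a destination the config was supposed to deny; UNAVAILABLE means the one permitted target is refused or has nothing listening behind it.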

For the client side, you can connect to the proxy tunnel by installing the proxytunnel package, then using the command:

    proxytunnel -E -p example.com:443 -d 127.0.0.1:139 -q
    
If you are having problems connecting to the tunnel, change the -q to a -v (quiet to verbose), and try it again. If you are not doing Samba access, but sending it to SSH, add the following stanza to your $HOME/.ssh/config file so that ssh connects through the tunnel:

    Host example.com
        ProxyCommand proxytunnel -q -E -p example.com:443 -d 127.0.0.1:139
        DynamicForward 1080
        ServerAliveInterval 60
    
This should allow you to run the ssh command and have it set up the connection for you. Try it out! Again, I'm not the expert here; I simply pilfered this information from http://blog.chmd.fr/ssh-over-ssl-a-quick-and-minimal-config.html (and there is much, much more available from that link!).