by Pedro M. S. Oliveira | Feb 5, 2010 | Daily life, Linux, Solaris
It's been a while since I last wrote about ssh, one of my favorite applications.
SSH is extremely versatile, and although tunnels are a well-known feature of ssh, the reverse tunnel is not.
First, where can you use a reverse tunnel? Imagine that you need to service a server or desktop that sits behind a firewall, and the only connection allowed is one initiated by the host behind the firewall.
Look at the diagram below:
Now you are sitting on PC B and your mother-in-law is sitting on PC A (familiar story? And yes, my mother-in-law uses Linux). I don't have direct access to her laptop (PC A), but I still need to install Skype on it to talk to the family.
First, on PC B, I create a dummy user for the connection:
useradd -m motherinlaw
Then have someone on PC A run the following (or write your own script so it happens automatically; I'm also assuming that both PCs have sshd running):
ssh motherinlaw@PC-IP-B -R 2000:localhost:22
Let me explain: -R sets up a remote (reverse) forward. 2000 is the port that sshd opens on the remote computer (PC B; by default it is bound to PC B's loopback interface only), and localhost:22 is where PC B delivers those connections on the local computer (PC A), i.e. PC A's own sshd.
So after a successful ssh login from PC A to PC B (you can check it with who, for instance), you can log in to PC A from PC B by issuing:
ssh root@localhost -p2000
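The same reverse tunnel with the pieces a hardened, unattended setup needs, as an added example that is not code from the original post. The account name motherinlaw, the address PC-IP-B and port 2000 are the post's; the key-based login, the nologin shell, the sshd Match block, the client options and the reconnect loop are my additions, and PermitListen assumes OpenSSH 7.8 or newer on PC B. Note that the forwarded port on PC B is reachable by every local user of PC B, which is why it stays on loopback.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: account "motherinlaw",
# PC B reachable as PC-IP-B, tunnel port 2000 (all from the post); key-based login,
# nologin shell, sshd Match block and reconnect loop are additions. PermitListen
# needs OpenSSH 7.8 or newer on PC B.

TUNNEL_USER="${TUNNEL_USER:-motherinlaw}"
TUNNEL_HOST="${TUNNEL_HOST:-PC-IP-B}"
TUNNEL_PORT="${TUNNEL_PORT:-2000}"

# Client-side ssh options used on PC A:
#   -N                    no remote command, so the nologin shell on PC B is never run
#   ExitOnForwardFailure  exit (and let the loop retry) if port 2000 on PC B is still
#                         held by a stale session, instead of running without a tunnel
#   ServerAlive*          notice a dead connection within ~90 s and exit
#   BatchMode             never prompt; this runs unattended with a key
SSH_OPTS="-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes"

# The -R argument: <port opened on PC B>:<where PC B delivers it on PC A>.
forward_spec() {
    printf '%s:localhost:22' "$1"
}

# sshd_config fragment for PC B. The dummy account may open exactly one reverse
# forward and nothing else: no -L/-D forwards through PC B, no tty, no X11, no agent,
# and the forwarded port stays on PC B's loopback (GatewayPorts no).
sshd_match_block() {
    cat <<EOF
Match User $1
    AllowTcpForwarding remote
    PermitListen localhost:$2
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ClientAliveInterval 30
    ClientAliveCountMax 3
EOF
}

# PC B, as root: account without a login shell, PC A's public key ($1) installed,
# Match block appended, sshd reloaded only if the config still parses.
# (The pid file path is the Debian/Ubuntu one; it varies by distro.)
setup_server() {
    useradd -m -s /usr/sbin/nologin "$TUNNEL_USER"
    install -d -m 700 -o "$TUNNEL_USER" "/home/$TUNNEL_USER/.ssh"
    install -m 600 -o "$TUNNEL_USER" "$1" "/home/$TUNNEL_USER/.ssh/authorized_keys"
    sshd_match_block "$TUNNEL_USER" "$TUNNEL_PORT" >> /etc/ssh/sshd_config
    sshd -t && kill -HUP "$(cat /run/sshd.pid)"
}

# PC A: keep the tunnel up, reconnecting after a short pause whenever ssh exits.
keep_tunnel() {
    while :; do
        # SSH_OPTS is unquoted on purpose so it word-splits into separate options
        ssh $SSH_OPTS -R "$(forward_spec "$TUNNEL_PORT")" "$TUNNEL_USER@$TUNNEL_HOST"
        sleep 10
    done
}

# Afterwards, on PC B, as in the post:  ssh root@localhost -p "$TUNNEL_PORT"
case "${1:-}" in
    server) setup_server "$2" ;;
    client) keep_tunnel ;;
esac
```

Run `sh tunnel.sh server /path/to/pc-a.pub` once on PC B and `sh tunnel.sh client` on PC A (from a cron @reboot entry or a systemd unit); because the client never requests a shell, the nologin account on PC B can do nothing except hold the single forward that the Match block permits.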
Hope this helped someone out there.
by Pedro M. S. Oliveira | Jun 29, 2009 | Linux
This weekend I was updating and reconfiguring my apache2 installation. I run a server with multiple domains, both http and https, sitting behind a firewall. I also had some Tomcat installations running on port 8080 on the same server. In my previous configuration the firewall forwarded ports 80, 443 and 8080 to the apache server, and it worked perfectly. But, as you know, it's easy to teach users to use http (port 80) and https (port 443); it is not that easy to tell them to type https://yourserver:8080/blabla to reach the Tomcat server.
So I decided to change the way things work by using a reverse proxy: all users keep using only http and https, and apache forwards the traffic to the Tomcat behind the firewall.
How did I do it?
First you have to enable the proxy modules (mod_proxy and mod_proxy_http) on your apache2 server (I won't explain how to do it, as there are several ways and your distro's tools can help you).
I also recommend using virtual hosts for this, as you'll be able to serve multiple domains with ease,
and edit your virtual host to look like this (the original fragment only had the directives; the VirtualHost and Proxy containers around them are reconstructed here, and ServerName is an assumption):
<VirtualHost *:80>
    ServerName www.your_domain.local
    DirectoryIndex index.php index.html index.htm
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://your.internalserver.local:8080/
    ProxyPassReverse / http://your.internalserver.local:8080/
</VirtualHost>
or if you are using https your virtualhost config file might look like this (again the containers, SSLEngine and the certificate paths are reconstructed around the original directives; the paths are assumptions):
<VirtualHost *:443>
    ServerName www.your_domain.local
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/your_domain.pem
    SSLCertificateKeyFile /etc/ssl/private/your_domain.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/apache2/ssl_request_log ssl_combined
    # TLS is terminated here; the hop to Tomcat on 8080 is plain http
    ProxyPass / http://www.your_domain.local:8080/
    ProxyPassReverse / http://www.your_domain.local:8080/
</VirtualHost>
Well hope this is helpful to someone.
Pedro M. S. Oliveira
Found this article about Apache2 as an OWA proxy which I really liked 🙂. Below are some excerpts that I frequently use; I'm copying them here for my reference (the excerpt only had the directives, so the VirtualHost and Proxy containers, SSLEngine, the certificate paths and RewriteEngine On are reconstructed; SSLProxyEngine On is required because the backends are https://):
<VirtualHost *:443>
    SSLEngine on
    # assumed certificate locations
    SSLCertificateFile /etc/ssl/certs/owa.pem
    SSLCertificateKeyFile /etc/ssl/private/owa.key
    SSLProxyEngine On
    DirectoryIndex index.html index.php
    RewriteEngine On
    RewriteRule ^/$ /exchange [L,R]
    RequestHeader set Front-End-Https On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /exchange https://mxbsas.example.local/exchange
    ProxyPassReverse /exchange https://mxbsas.example.local/exchange
    ProxyPass /exchweb https://mxbsas.example.local/exchweb
    ProxyPassReverse /exchweb https://mxbsas.example.local/exchweb
    ProxyPass /public https://mxbsas.example.local/public
    ProxyPassReverse /public https://mxbsas.example.local/public
    ProxyPass /exchangerng https://mxrng.example.local/exchangerng
    ProxyPassReverse /exchangerng https://mxrng.example.local/exchangerng
    ProxyPass /Microsoft-Server-ActiveSync https://mxbsas.example.local/Microsoft-Server-ActiveSync
    ProxyPassReverse /Microsoft-Server-ActiveSync https://mxbsas.example.local/Microsoft-Server-ActiveSync
</VirtualHost>
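An added example serving both the Tomcat reverse proxy above and this OWA excerpt; it is not code from either post or from the article quoted. It generates a reverse-proxy vhost with the settings the two configurations leave implicit (ProxyRequests Off, ProxyPreserveHost, X-Forwarded-Proto, SSLProxyEngine for https backends), and audits an existing Apache config for the three mistakes that matter most here. Hostnames, certificate paths and backend URLs are assumptions constructed for the example; the audit's sample configs are constructed too.

```shell
#!/bin/sh
# Added example, not code from either post. Hostnames, certificate paths and backend
# URLs are assumptions. Needs mod_proxy, mod_proxy_http, mod_ssl and mod_headers
# (Debian: a2enmod proxy proxy_http ssl headers).

# Print a vhost that reverse-proxies one URL prefix to one backend.
#   $1 public ServerName   $2 prefix (e.g. / or /exchange)   $3 backend URL
reverse_proxy_vhost() {
    name="$1" prefix="$2" backend="$3"
    cat <<EOF
<VirtualHost *:443>
    ServerName $name
    SSLEngine on
    # assumed certificate locations
    SSLCertificateFile /etc/ssl/certs/$name.pem
    SSLCertificateKeyFile /etc/ssl/private/$name.key
    # Off is the default, but say it: ProxyRequests On would make this host a
    # forward proxy that anyone on the Internet could relay through.
    ProxyRequests Off
    # Pass the browser's Host header through so the backend builds correct links.
    ProxyPreserveHost On
    # TLS ends here; tell the backend the client used https (Tomcat reads this via
    # RemoteIpValve; Exchange 2003 wants Front-End-Https instead, as in the excerpt).
    RequestHeader set X-Forwarded-Proto https
EOF
    # Without SSLProxyEngine On, Apache refuses to open TLS to an https:// backend.
    case "$backend" in
        https://*) echo "    SSLProxyEngine On" ;;
    esac
    cat <<EOF
    ProxyPass $prefix $backend
    # Rewrites Location headers in backend redirects back to the public name,
    # so the internal hostname never reaches the browser.
    ProxyPassReverse $prefix $backend
</VirtualHost>
EOF
}

# Audit an Apache config file. Prints one "FINDING: ..." line per problem and
# returns 1 if any were found, 0 if clean.
audit_proxy_conf() {
    f="$1"; rc=0
    # 1. Forward proxying switched on: an open proxy.
    if grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On' "$f"; then
        echo "FINDING: ProxyRequests On turns the server into an open proxy"; rc=1
    fi
    # 2. An https:// backend without SSLProxyEngine On fails with 500s at runtime.
    if grep -Eiq '^[[:space:]]*ProxyPass[[:space:]]+[^[:space:]]+[[:space:]]+https://' "$f" \
       && ! grep -Eiq '^[[:space:]]*SSLProxyEngine[[:space:]]+On' "$f"; then
        echo "FINDING: https:// backend without SSLProxyEngine On"; rc=1
    fi
    # 3. A ProxyPass prefix with no matching ProxyPassReverse leaks the internal
    #    hostname to clients in every redirect the backend sends.
    for p in $(awk 'tolower($1) == "proxypass"        { pass[$2] = 1 }
                    tolower($1) == "proxypassreverse" { rev[$2] = 1 }
                    END { for (p in pass) if (!(p in rev)) print p }' "$f"); do
        echo "FINDING: ProxyPass $p has no ProxyPassReverse"; rc=1
    done
    return $rc
}

# Usage (paths assumed):
#   reverse_proxy_vhost www.example.test / http://tomcat.internal:8080/ \
#       > /etc/apache2/sites-available/tomcat.conf
#   audit_proxy_conf /etc/apache2/sites-available/tomcat.conf && apachectl configtest
```

Run the audit over the vhost files you already have before reloading; a `ProxyRequests On` left over from experimenting is the finding that turns a reverse proxy into an open relay, and the missing `SSLProxyEngine On` is the one that makes the OWA configuration above fail silently with 500 errors.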