Gentoo Forums
http within https tunnel
Vieri
l33t
l33t


Joined: 18 Dec 2005
Posts: 888

Posted: Mon Dec 02, 2019 4:27 pm    Post subject: http within https tunnel

Hi,

I'd like to set up a "user-friendly" way to connect to an internal HTTP server through an HTTPS gateway from an Internet client (using browsers only).

eg. Internet browser client connects to https://mygateway.org, thus allowing him/her to access (maybe among other options) to "internal server http://mylanserver:8080".

I've tried it with a reverse proxy (Squid HTTPS cache_peer to internal server), but there are redirect issues, and I do not have admin access to the internal server. Also, it would be preferable to first authenticate the user before letting him/her access the internal server.
The idea would be something like Apache Guacamole, but it doesn't seem to support the HTTP protocol (it's focused on RDP, VNC, telnet, ssh).

Does anyone know of any other guacamole-like portal that can tunnel HTTP over HTTPS?

Thanks
e3k
Guru
Guru


Joined: 01 Oct 2007
Posts: 515
Location: Quantum Flux

Posted: Mon Dec 02, 2019 6:21 pm    Post subject: Re: http within https tunnel

Vieri wrote:
Hi,

I'd like to set up a "user-friendly" way to connect to an internal HTTP server through an HTTPS gateway from an Internet client (using browsers only).

eg. Internet browser client connects to https://mygateway.org, thus allowing him/her to access (maybe among other options) to "internal server http://mylanserver:8080".

I've tried it with a reverse proxy (Squid HTTPS cache_peer to internal server), but there are redirect issues, and I do not have admin access to the internal server. Also, it would be preferable to first authenticate the user before letting him/her access the internal server.
The idea would be something like Apache Guacamole, but it doesn't seem to support the HTTP protocol (it's focused on RDP, VNC, telnet, ssh).

Does anyone know of any other guacamole-like portal that can tunnel HTTP over HTTPS?

Thanks
I did this with Apache and it was trivial, but when it comes to rewrites it will be more difficult. But you do not need to admin the internal HTTP server; the rewrites are all done on the gateway.
_________________

Flux & Contemplation - Portrait of an Artist in Isolation

szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3171

Posted: Mon Dec 02, 2019 7:47 pm

Can you just configure the client's browser to use a proxy server?
In this case there is nothing to rewrite, because it's the browser that sends requests to a proxy server and not you pointing it in a different direction.
Doing full rewrite is tricky, I think apache is able to do that with mod proxy, but then again: maybe it just rewrites headers and not the response body.
Banana
Veteran
Veteran


Joined: 21 May 2004
Posts: 1415
Location: Germany

Posted: Mon Dec 02, 2019 8:20 pm

Have a look into ssh tunnel / socks proxy. Maybe this will help. Like creating the ssh tunnel on mygateway.org and configuring this as a socks proxy in the client software.
_________________
My personal space
My delta-labs.org snippets do expire

PFL - Portage file list - find which package a file or command belongs to.
Vieri
l33t
l33t


Joined: 18 Dec 2005
Posts: 888

Posted: Mon Dec 02, 2019 9:07 pm

Thanks, everyone.

Unfortunately, the ssh/stunnel-type tunnel solutions as well as vpn connections (such as openvpn) require the user/client to run extra/custom software (and sometimes as admin/root). I want external users to use their browsers only.

The explicit proxy solution is a no go because it requires tinkering with the settings.

Even if I could solve the "redirection issues" found when using a reverse proxy, I would still have an undesired situation for the following reasons (actually, the same reasons why one uses a VPN tunnel to connect to sensitive services).
Suppose I have 5 HTTP servers in a corporate network, and that none of them have been audited yet, or should not be exposed to the internet for whatever reason.
However, specific users require connecting to these platforms (eg. off-site workers). Reverse proxies cannot be used in this scenario. It is preferable to use a single/secure entry point, and from there connect to these 5 services.
This entry point can be a ssh server, stunnel, vpn, etc. However, ideally I'd rather have the clients connect to an HTTPS "gateway" with a standard browser (like Apache Guacamole) and, once logged in, have them connect to any of these 5 services via HTTP over HTTPS.
Except Apache Guacamole is designed to render graphics to a display....
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6920

Posted: Tue Dec 03, 2019 5:36 am

Vanilla Apache has no trouble reverse-proxying HTTP services behind HTTPS with authn/authz. I have 4 of those myself, they don't even need to be on separate subdomains.
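
Added example (not part of the post above and not anyone's actual configuration from this thread): a sketch of the kind of Apache 2.4 gateway described in the thread, with login required before anything is proxied and services published under paths rather than subdomains. The path prefixes, file paths and the second backend name are placeholders; ProxyPassReverse only fixes redirect headers, so mod_proxy_html is used for links in the response body.

```apache
# Constructed example for Apache 2.4; not a configuration from this thread.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers, mod_auth_basic,
# mod_authn_file, mod_authz_user and (for body rewriting) mod_proxy_html.
<VirtualHost *:443>
    ServerName mygateway.org

    SSLEngine on
    # Placeholder certificate paths.
    SSLCertificateFile    "/etc/ssl/example/mygateway.crt"
    SSLCertificateKeyFile "/etc/ssl/example/mygateway.key"

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off

    # Every URL on the gateway requires a login before anything is proxied.
    <Location "/">
        AuthType Basic
        AuthName "Gateway"
        AuthUserFile "/etc/apache2/example.htpasswd"
        Require valid-user
    </Location>

    # First internal service, published under a path instead of a subdomain.
    <Location "/lan1/">
        ProxyPass        "http://mylanserver:8080/"
        # Rewrites Location/Content-Location/URI headers in backend redirects.
        ProxyPassReverse "http://mylanserver:8080/"
        ProxyPassReverseCookiePath "/" "/lan1/"
        # Do not hand the gateway password to the backend over plain HTTP.
        RequestHeader unset Authorization
        # Ask for uncompressed responses so links in HTML can be rewritten.
        RequestHeader unset Accept-Encoding
        # Body rewriting; the ProxyHTMLLinks table (typically shipped as
        # proxy-html.conf) must also be loaded for this to find links.
        ProxyHTMLEnable On
        ProxyHTMLURLMap "http://mylanserver:8080/" "/lan1/"
        ProxyHTMLURLMap "/" "/lan1/"
    </Location>

    # Second internal service (hypothetical host name), same pattern.
    <Location "/lan2/">
        ProxyPass        "http://otherlanserver:8080/"
        ProxyPassReverse "http://otherlanserver:8080/"
        ProxyPassReverseCookiePath "/" "/lan2/"
        RequestHeader unset Authorization
    </Location>
</VirtualHost>
```

URLs that the backend builds in JavaScript are not caught by these rewrite rules, which is where path-based publishing tends to break; the internal servers should also accept connections only from the gateway.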