Vieri l33t
Joined: 18 Dec 2005 Posts: 888
Posted: Mon Dec 02, 2019 4:27 pm Post subject: http within https tunnel
Hi,
I'd like to set up a "user-friendly" way to connect to an internal HTTP server through an HTTPS gateway from an Internet client (using browsers only).
E.g. an Internet browser client connects to https://mygateway.org, thus allowing him/her to access (maybe among other options) "internal server http://mylanserver:8080".
I've tried it with a reverse proxy (Squid HTTPS cache_peer to internal server), but there are redirect issues, and I do not have admin access to the internal server. Also, it would be preferable to first authenticate the user before letting him/her access the internal server.
The idea would be something like Apache Guacamole, but it doesn't seem to support the HTTP protocol (it's focused on RDP, VNC, telnet, ssh).
Does anyone know of any other guacamole-like portal that can tunnel HTTP over HTTPS?
Thanks
e3k Guru
Joined: 01 Oct 2007 Posts: 515 Location: Quantum Flux
Posted: Mon Dec 02, 2019 6:21 pm Post subject: Re: http within https tunnel
Vieri wrote:
> Hi,
> I'd like to set up a "user-friendly" way to connect to an internal HTTP server through an HTTPS gateway from an Internet client (using browsers only).
> E.g. an Internet browser client connects to https://mygateway.org, thus allowing him/her to access (maybe among other options) "internal server http://mylanserver:8080".
> I've tried it with a reverse proxy (Squid HTTPS cache_peer to internal server), but there are redirect issues, and I do not have admin access to the internal server. Also, it would be preferable to first authenticate the user before letting him/her access the internal server.
> The idea would be something like Apache Guacamole, but it doesn't seem to support the HTTP protocol (it's focused on RDP, VNC, telnet, ssh).
> Does anyone know of any other guacamole-like portal that can tunnel HTTP over HTTPS?
> Thanks

I did this with Apache and it was trivial, but when it comes to rewrites it will be more difficult. But you do not need to admin the internal HTTP server; the rewrites are all done on the gateway.
szatox Advocate
Joined: 27 Aug 2013 Posts: 3171
Posted: Mon Dec 02, 2019 7:47 pm
Can you just configure the client's browser to use a proxy server?
In this case there is nothing to rewrite, because it's the browser that sends requests to a proxy server and not you pointing it in a different direction.
Doing a full rewrite is tricky. I think Apache is able to do that with mod_proxy, but then again: maybe it just rewrites headers and not the response body.
Banana Veteran
Joined: 21 May 2004 Posts: 1415 Location: Germany
Vieri l33t
Joined: 18 Dec 2005 Posts: 888
Posted: Mon Dec 02, 2019 9:07 pm
Thanks, everyone.
Unfortunately, the ssh/stunnel-type tunnel solutions as well as VPN connections (such as OpenVPN) require the user/client to run extra/custom software (and sometimes as admin/root). I want external users to use their browsers only.
The explicit proxy solution is a no go because it requires tinkering with the settings.
Even if I could solve the "redirection issues" found when using a reverse proxy, I would still have an undesired situation for the following reasons (actually, the same reasons why one uses a VPN tunnel to connect to sensitive services).
Suppose I have 5 HTTP servers in a corporate network, and that none of them have been audited yet, or should not be exposed to the internet for whatever reason.
However, specific users require connecting to these platforms (e.g. off-site workers). Reverse proxies cannot be used in this scenario. It is preferable to use a single/secure entry point, and from there connect to these 5 services.
This entry point can be an ssh server, stunnel, VPN, etc. However, ideally I'd rather have the clients connect to an HTTPS "gateway" with a standard browser (like Apache Guacamole) and, once logged in, have them connect to any of these 5 services via HTTP over HTTPS.
Except Apache Guacamole is designed to render graphics to a display...
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Tue Dec 03, 2019 5:36 am
Vanilla Apache has no trouble reverse-proxying HTTP services behind HTTPS with authn/authz. I have 4 of those myself; they don't even need to be on separate subdomains.
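
The gateway-side setup discussed in this thread (Apache reverse proxy behind HTTPS, authentication first, all rewrites done on the gateway), as an added example that is not from any poster. Host names are the ones from the first post; the /app1/ prefix, certificate paths and htpasswd file are assumptions. It needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers, mod_auth_basic and mod_proxy_html: ProxyPassReverse handles response headers, mod_proxy_html handles links in the HTML body.

```apache
<VirtualHost *:443>
    ServerName mygateway.org
    SSLEngine on
    # Placeholder certificate paths.
    SSLCertificateFile    /etc/ssl/apache2/mygateway.crt
    SSLCertificateKeyFile /etc/ssl/apache2/mygateway.key

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off

    # Authenticate every request on this vhost before anything is proxied.
    <Location "/">
        AuthType Basic
        AuthName "Gateway"
        # Placeholder file, created with htpasswd.
        AuthUserFile /etc/apache2/gateway.htpasswd
        Require valid-user
    </Location>

    # /app1/ is a hypothetical prefix for the internal server from the thread.
    # Each further internal server would get its own prefix and Location block.
    <Location "/app1/">
        ProxyPass        "http://mylanserver:8080/"
        # Header rewrite: fixes Location, Content-Location and URI headers,
        # which is where redirects to the internal name otherwise leak out.
        ProxyPassReverse "http://mylanserver:8080/"
        # Cookie scope rewrite so backend cookies stay under the prefix.
        ProxyPassReverseCookiePath   "/" "/app1/"
        ProxyPassReverseCookieDomain "mylanserver" "mygateway.org"

        # Do not forward the gateway credentials to the internal server.
        RequestHeader unset Authorization

        # Body rewrite (mod_proxy_html): fix links inside returned HTML.
        ProxyHTMLEnable On
        ProxyHTMLURLMap "http://mylanserver:8080/" "/app1/"
        ProxyHTMLURLMap "/" "/app1/"
        # mod_proxy_html can only parse uncompressed responses.
        RequestHeader unset Accept-Encoding
    </Location>
</VirtualHost>
```

URLs that the internal application builds in JavaScript are not covered by either rewrite and still have to be checked per application.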