chiefbag Guru
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Wed Feb 23, 2011 4:53 pm
Not sure about this router but I imagine that setting up port 443 instead of 80 will do the trick.
titanofold Developer
Joined: 30 Dec 2003 Posts: 235 Location: Bryson City, NC USA
Posted: Wed Feb 23, 2011 7:42 pm
Yeah, not that simple. What you need is a page or a redirect rule to send people from HTTP to HTTPS.
So you'd have a virtual host listening on port 80 only to serve that redirect page or to issue that redirect command.
EDIT: Whoops! Now that I read your post again, I realize that's not what you were looking to have happen.
Would you post your SSL config for Apache?
_________________
The best things in life are free.
Guy-1: Surely, you will fold with me...
Guy-2: Alright, but don't call me Shirley
chiefbag Guru
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Wed Feb 23, 2011 8:02 pm
Ok, maybe I misread this post in the first place; let me try to clarify the problem.
1: Is this a question of your Apache setup on your server?
If so, I think what you are trying to do is to redirect an HTTP request and proxy it to an HTTPS one, either to your local server or to another server.
If you want to switch from HTTP to HTTPS on the local server you can simply add a redirect rule, assuming that your HTTPS is already set up:
Code: |
# mod_alias: send every request under / to the HTTPS site, keeping the path in $1.
# The target hard-codes "localhost", so this only works for a browser running
# on the server itself.
RedirectMatch ^/(.*)$ https://localhost/$1
|
If you want to proxy and use SSL as well then you also need to set up an SSL proxy directive:
Code: |
# Let mod_proxy talk TLS to the backend.
SSLProxyEngine On
# Reverse proxy only; never act as an open forward proxy.
ProxyRequests Off
# Send the backend its own name in the Host header rather than the client's.
ProxyPreserveHost Off
ProxyPass / https://other-server/
ProxyPassReverse / https://other-server/
|
Hope I have understood the question.
audiodef Watchman
Joined: 06 Jul 2005 Posts: 6656 Location: The soundosphere
Posted: Tue Mar 01, 2011 2:02 pm
Here's my /etc/apache2/httpd.conf:
Code: |
ServerRoot "/usr/lib64/apache2"
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
<IfDefine CACHE>
LoadModule cache_module modules/mod_cache.so
</IfDefine>
LoadModule cgi_module modules/mod_cgi.so
LoadModule cgid_module modules/mod_cgid.so
<IfDefine DAV>
LoadModule dav_module modules/mod_dav.so
</IfDefine>
<IfDefine DAV>
LoadModule dav_fs_module modules/mod_dav_fs.so
</IfDefine>
<IfDefine DAV>
LoadModule dav_lock_module modules/mod_dav_lock.so
</IfDefine>
LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
<IfDefine CACHE>
LoadModule disk_cache_module modules/mod_disk_cache.so
</IfDefine>
LoadModule env_module modules/mod_env.so
LoadModule expires_module modules/mod_expires.so
LoadModule ext_filter_module modules/mod_ext_filter.so
<IfDefine CACHE>
LoadModule file_cache_module modules/mod_file_cache.so
</IfDefine>
LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
<IfDefine INFO>
LoadModule info_module modules/mod_info.so
</IfDefine>
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
<IfDefine CACHE>
LoadModule mem_cache_module modules/mod_mem_cache.so
</IfDefine>
LoadModule mime_module modules/mod_mime.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule speling_module modules/mod_speling.so
<IfDefine SSL>
LoadModule ssl_module modules/mod_ssl.so
</IfDefine>
<IfDefine STATUS>
LoadModule status_module modules/mod_status.so
</IfDefine>
LoadModule unique_id_module modules/mod_unique_id.so
<IfDefine USERDIR>
LoadModule userdir_module modules/mod_userdir.so
</IfDefine>
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
User apache
Group apache
Include /etc/apache2/modules.d/*.conf
Include /etc/apache2/vhosts.d/*.conf
|
It's pretty much the default.
Currently, I host a chat server for a small number of people. I have port forwarding set up. I get the IP from my router and put it in my browser's address bar, along with the path to the chat server. So while I can get to the chat from http://localhost/chat, others can get to it from http://(ip_address)/chat.
I'd like to be able to do all this, except have users go through https://(ip_address)/chat. I can currently get to https://localhost/chat, but not https://(ip_address)/chat.
_________________
decibel Linux: https://decibellinux.org
Github: https://github.com/Gentoo-Music-and-Audio-Technology
Facebook: https://www.facebook.com/decibellinux
Discord: https://discord.gg/73XV24dNPN
chiefbag Guru
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Tue Mar 01, 2011 2:16 pm
In that case your Apache setup may be fine. To double-check this I would attempt to connect from another machine on your LAN to the actual IP of your server, just to prove that SSL is listening on the external interface and not just on localhost.
If you set up a redirect on the Apache side this may solve the issue you have; add the below. Now when you connect to http://localhost it should redirect you to https://localhost.
vi /etc/apache2/vhosts.d/default_vhost.include
Code: |
# mod_alias: redirect every path under / to the HTTPS site, keeping the path in $1.
RedirectMatch ^/(.*)$ https://localhost/$1
|
chiefbag Guru
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Tue Mar 01, 2011 2:28 pm
This is what I would put there unless you have good reason not to.
Code: |
Listen 443
<VirtualHost *:443>
|
chiefbag Guru
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Tue Mar 01, 2011 2:32 pm
That will bind Apache to all network cards that are up, if I'm not mistaken.
Which line of the config are you referring to?
titanofold Developer
Joined: 30 Dec 2003 Posts: 235 Location: Bryson City, NC USA
Posted: Tue Mar 01, 2011 2:37 pm
chiefbag wrote: | That will bind Apache to all network cards that are up, if I'm not mistaken.
Which line of the config are you referring to? |
Binding could be an issue, but we won't know until the OP posts his/her 00_default_ssl_vhost.conf.
By allowing, I mean just that:
Code: |
<Directory /path>
Order allow,deny
Allow from all
</Directory>
|
chiefbag Guru
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Tue Mar 01, 2011 2:42 pm
Quote: | By allowing, I mean just that:
Code:
<Directory /path>
Order allow,deny
Allow from all
</Directory> |
The setup would not need to be altered in the SSL file as https access is already allowed.
The redirect has no effect on the SSL setup, which is separate.
chiefbag Guru
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Tue Mar 01, 2011 2:55 pm
@titanofold
The point I was making was that if the config was as follows then it would not be listening on an external interface, and this, I think, would cause a problem:
Code: |
<VirtualHost 127.0.0.1:443>
|
Anyhow, I'm not convinced that the router will allow subsequent requests from an external client back in on https if the port forwarding is not set up.
titanofold Developer
Joined: 30 Dec 2003 Posts: 235 Location: Bryson City, NC USA
Posted: Tue Mar 01, 2011 2:56 pm
chiefbag wrote: | Quote: | By allowing, I mean just that:
Code:
<Directory /path>
Order allow,deny
Allow from all
</Directory> |
The setup would not need to be altered in the SSL file as https access is already allowed.
The redirect has no effect on the SSL setup, which is separate. |
Except that we don't actually know if HTTPS access is allowed to all until the OP posts his/her SSL host configuration.
The redirect rule isn't the issue:
Quote: | I'd like to be able to do all this, except have users go through https://(ip_address)/chat. I can currently get to https://localhost/chat, but not https://(ip_address)/chat. |
Emphasis mine.
Outside connections can't access the SSL host. So, not a redirect issue, but a permission or port forwarding issue.
chiefbag Guru
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Tue Mar 01, 2011 3:01 pm
Quote: |
In other words, if the router's IP is 12.345.67.89, I want to be able to put https://12.345.67.89 in my browser and have it forward to https://localhost, the same way it works with http. I have SSL set up on my localhost already.
I've done this before, just on a different router, and I've forgotten what needs to be done. |
The Apache setup is one issue, but the router seems to be the main one as the person is unable to forward port 443.
With this suggested Apache setup it may be possible to get Apache to poke a hole through the router firewall and then maintain an open route back in.
chiefbag Guru
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Tue Mar 01, 2011 3:23 pm
@audiodef
1 question to clarify . . .
1: Is port forwarding set up on port 443 on your router?
If yes, then stop Apache and do the following as root:
Code: |
emerge net-analyzer/netcat
|
Run the following command as the root user:
Code: |
nc -l -p 443
|
Now get someone to connect externally over https.
You should now see output in the terminal where you ran the command; this proves that your port forwarding is working correctly, so all you need to do is sort out your Apache config.
audiodef Watchman
Joined: 06 Jul 2005 Posts: 6656 Location: The soundosphere
Posted: Wed Mar 02, 2011 4:26 pm
Here's the latest:
I get no output with that command, whether apache is running or not. However, reading through this thread sparked a suspicion. I put my router's current IP address into the exceptions for my TOR setup, and HTTPS sailed right through. I'll have to come back to this later, when I've solved the following problem:
HTTPS requests land on the login page for the router, not on my apache's localhost (HTTP requests land on my apache's localhost as expected). In my port forwarding section, I have two forwards:
192.168.1.3:80, HTTP TCP Any -> 80
192.168.1.3:443, Application TCP 443 -> 443
There's nothing about forwarding 443 to 192.168.1.1, which is the router.
I wonder if the fact that the 443 forward rule is an "application" and not "http" has anything to do with it. I didn't see a way to have any control over this, though.
Maybe at this point, my apache config needs to be tweaked. Here's my SSL config:
Code: |
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
Listen 443
<VirtualHost _default_:443>
ServerName localhost
Include /etc/apache2/vhosts.d/default_vhost.include
ErrorLog /var/log/apache2/ssl_error_log
<IfModule log_config_module>
TransferLog /var/log/apache2/ssl_access_log
</IfModule>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/ssl/apache2/server.crt
SSLCertificateKeyFile /etc/ssl/apache2/server.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/localhost/">
SSLOptions +StdEnvVars
</Directory>
<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
<IfModule log_config_module>
CustomLog /var/log/apache2/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>
|
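Both chiefbag's redirect and proxy directives earlier in the thread and the SSL vhost just posted are easier to judge against one complete, working configuration. The script below is an added example written for this page; it is not code from the thread, from Gentoo's stock vhost files or from the Apache project. It assumes the Apache 2.2 directives used on the page, that mod_rewrite, mod_headers and mod_ssl are loaded (they are in the posted httpd.conf), the certificate and key paths from the posted vhost, and that Apache is started with -D SSL; 192.0.2.10 is a placeholder for the public address. Two points it makes that the thread does not: the posted SSLCipherSuite string literally enables +LOW, +SSLv2, +EXP and +eNULL (the last means "no encryption at all"), and the HTTP-to-HTTPS redirect has to live in the :80 vhost only, because the posted :443 vhost also includes default_vhost.include, so a redirect placed there would loop every HTTPS request.

```shell
#!/bin/sh
# Added example (not from the thread or from Gentoo's stock files). It does two
# things: flags dangerous tokens in an Apache 2.2 SSLCipherSuite string, and
# prints a redirect block for the :80 vhost plus a replacement :443 vhost.
# Assumptions: mod_rewrite, mod_headers and mod_ssl are loaded (they are in the
# OP's httpd.conf), cert/key paths are those in the OP's vhost, and Apache is
# started with -D SSL so the <IfDefine SSL> wrapper matches the stock file.

# Cipher string copied from the OP's posted 00_default_ssl_vhost.conf.
OP_CIPHERS='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
# Replacement: strong suites only, nothing unauthenticated or unencrypted.
SAFE_CIPHERS='HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4'

# Print each token that *enables* null, anonymous, export, low-grade, RC4, MD5
# or SSLv2 suites. A leading '!' removes suites, so such tokens are fine.
# Returns 1 when at least one offending token was found, else 0.
weak_cipher_tokens() {
    found=0
    for tok in $(printf '%s' "$1" | tr ':' ' '); do
        case $tok in
            '!'*) ;;
            *eNULL*|*aNULL*|*ADH*|*EXP*|*LOW*|*SSLv2*|*RC4*|*MD5*)
                echo "$tok"
                found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Block to paste INTO the existing <VirtualHost *:80> (00_default_vhost.conf),
# not into default_vhost.include: the OP's :443 vhost includes that file too,
# and a redirect there would send every HTTPS request back to itself.
print_http_redirect() {
    cat <<'EOF'
    RewriteEngine On
    # Keep whatever host and path the client used (an IP works too), unlike a
    # fixed https://localhost target, which only works in a browser on the server.
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
EOF
}

# Replacement for the page's 00_default_ssl_vhost.conf; $1 is the ServerName.
# Comments stay on their own lines: Apache rejects trailing comments.
print_ssl_vhost() {
    cat <<EOF
<IfDefine SSL>
<IfModule ssl_module>
Listen 443
<VirtualHost _default_:443>
    ServerName $1
    DocumentRoot /var/www/localhost/htdocs
    ErrorLog /var/log/apache2/ssl_error_log
    TransferLog /var/log/apache2/ssl_access_log
    SSLEngine on
    # No SSLv2/SSLv3; the server picks the suite from a list with no weak entries.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite $SAFE_CIPHERS
    SSLCertificateFile /etc/ssl/apache2/server.crt
    SSLCertificateKeyFile /etc/ssl/apache2/server.key
    # Browsers honour this only for a hostname, not for a bare IP address.
    Header always set Strict-Transport-Security "max-age=15552000"
    <Directory "/var/www/localhost/htdocs">
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
</IfModule>
</IfDefine>
EOF
}

# Usage as root, then check syntax before reloading:
#   print_ssl_vhost 192.0.2.10 > /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
#   apache2ctl configtest && /etc/init.d/apache2 reload
```

Run weak_cipher_tokens over any cipher string before committing it; against the posted string it lists RC4+RSA, +LOW, +SSLv2, +EXP and +eNULL and exits non-zero, and it is silent on the replacement. print_ssl_vhost replaces the whole 00_default_ssl_vhost.conf, so Listen 443 is not duplicated; print_http_redirect is pasted inside the existing *:80 vhost. Run apache2ctl configtest before reloading.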
audiodef Watchman
Joined: 06 Jul 2005 Posts: 6656 Location: The soundosphere
Posted: Thu Mar 03, 2011 1:45 am
titanofold wrote: | There should be a page that allows you to control the router's remote management. This may be what is actually interfering with the connections getting in on port 443. |
I found it, but the router is not set to allow remote management. So I shouldn't even be seeing the router from an external IP!
EDIT: I found a system settings page for the router, which had port 443 as the https management port. I changed it to 444 and the router no longer comes up when I try to access the router's IP address via https, but I'm still not getting to my localhost via https.
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Fri Mar 04, 2011 4:38 am
What sort of router, out of curiosity?
I had something like this with a Netgear WNR2000. Never had such an issue on any of my Linksys rigs.
I could access everything fine coming in from outside, but internally, it ended up connecting to the web management interface for the router.
Can't remember what I had to change. May have been one of the RIP settings, not sure.
Highly suggest you find an external host with nmap; easier to figure this sort of thing out. Maybe you have a friend with a spare shell!
Code: |
# -sT: full TCP connect scan; -P0 (now spelled -Pn): skip host discovery;
# -p: the port under test
nmap -sT -p389 -P0 x.x.x.x
|
(where x.x.x.x is your public IP of course)
filtered == firewall dropping packets
closed == it's being routed to a host *somewhere*, but nothing on said host is listening on that port
I'd check the router logs as well. It should show an access attempt from whichever IP you're coming from, if you're coming in from outside.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
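chiefbag's nc listener and cach0rr0's nmap scan tell you whether the forward delivers packets at all. The symptom in this thread, an HTTPS request landing on the router's login page, needs one more check: whose certificate comes back. The script below is an added example for this page, not code from the thread. It assumes openssl, nmap and awk on the machine you test from (which has to be outside the LAN, as cach0rr0 says) and the certificate path from the posted vhost; copy the .crt, or just its fingerprint, to the outside host first. A fingerprint match proves Apache is answering; any other certificate means another device, such as the router's management interface, owns the port.

```shell
#!/bin/sh
# Added example, not from the thread. Settles "who answers on TCP/443 at the
# public address" by comparing the SHA-256 fingerprint of the certificate
# presented there with that of the server's own /etc/ssl/apache2/server.crt.
# Assumptions: openssl, nmap and awk on the testing host, which is outside the
# LAN; the cert path is the one from the posted vhost.

# Fingerprint of a PEM certificate on disk, e.g. /etc/ssl/apache2/server.crt.
cert_fp_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of whatever certificate host:port presents. Empty output means
# no TLS handshake happened (nothing listening, or packets dropped).
cert_fp_remote() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Pull the STATE column for one port out of nmap's normal output (on stdin).
parse_nmap_state() {
    awk -v p="$1/tcp" '$1 == p { print $2 }'
}

# Port state for host port: open, closed or filtered.
# -Pn is the current spelling of the -P0 used in the post above.
nmap_state() {
    nmap -sT -Pn -p "$2" "$1" | parse_nmap_state "$2"
}

# What an nmap state means for a port you expect the router to forward.
explain_state() {
    case $1 in
        open)     echo "something behind the public address accepts TCP/$2" ;;
        closed)   echo "routed to a host, but nothing listens there on $2" ;;
        filtered) echo "SYN dropped: no forwarding rule, or blocked upstream" ;;
        *)        echo "unexpected nmap state '$1'"; return 1 ;;
    esac
}

# Verdict from the two fingerprints. Return codes: 0 Apache answers,
# 1 a different certificate (another device owns the port), 2 no TLS at all.
judge_fingerprints() {
    expected=$1
    seen=$2
    if [ -z "$seen" ]; then
        echo "no certificate received: port not reachable or not TLS"
        return 2
    elif [ "$expected" = "$seen" ]; then
        echo "apache's own certificate: the forward to the server works"
        return 0
    else
        echo "different certificate: another device (e.g. the router's admin UI) answers"
        return 1
    fi
}

# End-to-end run. Usage: check_forward <public-ip> <port> <path-to-server.crt>
# Run it for 443, and again for any port the router's management was moved to.
check_forward() {
    echo "nmap: $(explain_state "$(nmap_state "$1" "$2")" "$2")"
    judge_fingerprints "$(cert_fp_file "$3")" "$(cert_fp_remote "$1" "$2")"
}
```

Run check_forward against 443 and then against whatever port the router's management page was moved to, so that a relocated admin interface is not left reachable from outside; the return code of judge_fingerprints is what a monitoring script would key on.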