SSH tunnel for redirecting HTTPS…


theYinYeti

Hello,

 

First the theory. I've read over and over again that "TCP over TCP is bad", and I even think I understand why. But most of those reads were about PPP over SSH, which means a TCP network through PPP over another TCP network, if I understand correctly.

 

1st question: As I understand it, an SSH tunnel is simply this: SSH listens on localhost:XXXX, encrypts the data, forwards it through the SSH connection to remote:22, decrypts it, and makes it all available on remote:YYYY. Even though SSH connects over TCP, and in my case the data is HTTP(S), I have the feeling that this setup is not "TCP over TCP". Or is it?

 

Now in practice. I have this setup:

 

JBoss/machine A <---( local network X )--->[Firewall]<---( local network Y )---> machine B <---( internet )

 

Aim: view JBoss pages from Internet.

Considering HTTPS is already encrypted, I suppose using SSH for the tunnel is a bit overkill. Is there a more efficient solution?

 

Yves.


Hi Yves,

 

I'm not sure what you're trying to achieve. Do you want access to JBOSS over https from anywhere? Meaning that not just you, but anyone could view this using standard https connection to your machine? Or are you trying to secure it further by the use of SSH, so that only you can gain access? Is there any particular reason you chose an SSH tunnel, instead of say, a VPN tunnel?

 

If you let us know what exactly you're attempting to achieve, what the aim is or what the goal is, we could help suggest something.

 

Take this into consideration:

 

If you want access from anywhere, without any special tools, such as SSH, or without using ports other than https (443), then JBOSS with https would be enough.

If you want access restricted just to you then I'd suggest a VPN connection. I don't see the point of tunnelling it over SSH.


You're right, I need to explain better :-)

 

JBoss is on server A, completely shielded from any Internet access, or any access from local network Y for that matter.

Visible from Internet is server B.

Server A can access server B, and server B is allowed to access server A, although it is an exception, with secure channels only (more generally, local network Y can't see local network X).

 

The aim is for JBoss to be browsable on HTTPS by anyone from anywhere.

 

Yves.


I realize you're right Ian. And you actually help me precisely define the situation.

 

Because… I'm in the Java developer position (sort of), with no direct link with the network security team. And I don't have the rules; I just know that I've made propositions and been given answers like "no, not possible" and very little more. So I'm kind of trying to find out the rules based on those short answers.

 

Well… One more piece of information on why I was thinking about a tunnel: probably by fear of someone breaking past server B and into local network Y, they don't want to have the HTTPS port open in the firewall. They'll probably prefer an exotic/binary protocol (AJP), or a secure authenticated one (like SSH).

As a matter of fact, AJP was already tried but led to problems (sockets remaining in open state), and that's why I asked about SSH tunnels in the first place. I know it works in theory (and I tried for real to be sure, minus the firewall), but I don't know how well suited it is for production use.

 

Now to be honest, a few days after I started this topic, it was discovered the problem with AJP was in the Apache front-end; an upgrade cured the problem. Still, I'd like to know about alternatives.

 

Yves


Hot news… our "sockets problem" isn't quite over… So I'm all the more interested in facts that would prove the SSH solution to be a working one, or ideas for alternatives.

 

Now that they see that the AJP problem partially remains (or so it seems…), they ponder the possibility of letting HTTPS through the firewall, after all… So I'll propose your proxy idea, Ian. Thank you for your help :)

 

Yves.


You can proxy in two ways, first with apache on the first server, and redirect to the jboss, or use a program called "pound" which is a proxy also. I've used it before, but proxying to a standard http port and configuring pound to use https.


I'll definitely look into Pound. If our current problem with sockets can be worked around by using pound instead of Apache (which serves no content by itself), it would be good news; well worth a try :-)

 

Now to be more precise on the question about the SSH tunnel, I've read this:

http://sites.inka.de/~W1011/devel/tcp-tcp.html

where they explain that using PPP/SSH as a poor man's VPN is a bad idea because you end up having:

<top protocol>/TCP/IP/PPP/SSH/TCP/IP

and TCP/…/TCP is bad.

 

And I wonder: if I run a simple "ssh -L" or "ssh -R" on port 443 (https), will I have:

HTTPS/SSH/TCP/IP (would be good)

or

HTTPS/TCP/IP/SSH/TCP/IP (would be bad)

or

something else entirely?

 

Yves.


I'm not sure you would be able to do it. Rsync you can do over SSH, but I'm unaware of any other progs allowing you to use a helper program like ssh to send it over the SSH tunnel.


Actually, as mentioned before, it does work :)

I did this test on my machine (yves.Xdomain):

ssh -g -L 7890:serverA.Xdomain:443 yves@serverA.Xdomain

and then I was able to display in Firefox:

https://yves.Xdomain:7890/

instead of

https://serverA.Xdomain:443/

 

And anyone in the team could access the former instead of the latter, as well.

 

Now the question really is: is it TCP over TCP or not? If it is, then in case of network congestion, it may "self-destroy" any time; if not, all's well :unsure:

 

Yves.

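The thread's open question (whether an `ssh -L` forward is "HTTPS/TCP/IP/SSH/TCP/IP" or not) comes down to what a port forwarder does with the bytes. The script below is an added example, not code from the thread or from OpenSSH: a minimal TCP stream relay that does on one host, in the clear, what `ssh -L LPORT:HOST:PORT` does at the transport level. The listener accepts a client connection, opens a separate TCP connection of its own to the backend, and copies application bytes between the two; no TCP segment is ever wrapped inside another stream. That is how SSH port forwarding works too (a "direct-tcpip" channel carries the connection's payload, and the inner TCP connections terminate at the ssh client and at sshd), so the forward Yves tested carries the HTTPS byte stream inside an SSH channel rather than TCP inside TCP. The backend here is a constructed stand-in for the JBoss listener, and the `bind_host` parameter mirrors the `-g` flag in his command, which is the security-relevant choice: `127.0.0.1` keeps the forwarded port private to the machine, `0.0.0.0` exposes it to every host that can reach it.

```python
# Added example (not from the thread): a minimal TCP stream relay showing what
# `ssh -L` does with a connection. The backend is a constructed stand-in for the
# real HTTPS service; all addresses are loopback and all ports are ephemeral.
import socket
import threading

BACKEND_SEEN = []  # (ip, port) of every peer that actually connected to the backend


def _pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _splice(client, upstream):
    """Run both directions of the relay, then close both sockets."""
    t = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    t.start()
    _pump(client, upstream)
    t.join()
    client.close()
    upstream.close()


def start_backend():
    """Constructed stand-in for the service behind the firewall: records who
    connected, reads one request, answers with a fixed reply. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return
            BACKEND_SEEN.append(peer)  # this is the relay's socket, not the browser's
            with conn:
                req = conn.recv(4096)
                conn.sendall(b"REPLY:" + req)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_relay(backend_port, bind_host="127.0.0.1"):
    """Listen on bind_host:<ephemeral> and splice each client to the backend.
    bind_host="127.0.0.1" is the `ssh -L` default; "0.0.0.0" corresponds to
    `ssh -g -L`, which makes the forwarded port reachable from other hosts.
    Returns the listening port."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind((bind_host, 0))
    lst.listen(5)

    def loop():
        while True:
            try:
                client, _ = lst.accept()
            except OSError:
                return
            # A *new* TCP connection, owned by the relay, to the backend: the
            # client's TCP connection ends here, only its payload goes onward.
            upstream = socket.create_connection(("127.0.0.1", backend_port))
            threading.Thread(target=_splice, args=(client, upstream), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return lst.getsockname()[1]


def fetch_through_relay(relay_port, payload):
    """Client side (the browser's role): send payload via the relay and return
    (reply bytes, our own local address) so the two TCP legs can be compared."""
    with socket.create_connection(("127.0.0.1", relay_port)) as c:
        local = c.getsockname()
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply, local


if __name__ == "__main__":
    bp = start_backend()
    rp = start_relay(bp)
    reply, client_addr = fetch_through_relay(rp, b"GET / HTTP/1.0\r\n")
    print("reply:", reply)
    print("client leg:", client_addr, "| backend leg:", BACKEND_SEEN[-1])
```

The two printed addresses differ because the backend only ever sees the relay's own socket, which is the same reason the JBoss access log behind a real `ssh -L` forward shows the SSH endpoint rather than the browser. Note what the relay does not do: TLS still terminates at server A, so the tunnel gives no place on server B to inspect or filter requests; a reverse proxy (the Apache or Pound setup Ian described) terminates TLS on B and is the option that gives the security team a chokepoint.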
