theYinYeti

SSH tunnel for redirecting HTTPS…

Hello,

 

First the theory. I've read over and over again that “TCP over TCP is bad”, and I even think I understand why. But most of those reads were about PPP over SSH, which means a TCP network through PPP over another TCP network, if I understand correctly.

 

1st question: As I understand it, an SSH tunnel is simply this: SSH listens on localhost:XXXX, encrypts the data, forwards it through the SSH connection to remote:22, decrypts it, and makes it all available on remote:YYYY. Even though SSH connects over TCP, and in my case the data is HTTP(S), I have the feeling that this setup is not “TCP over TCP”. Or is it?

 

Now in practice. I have this setup:

 

JBoss/machine A <---( local network X )--->[Firewall]<---( local network Y )---> machine B <---( internet )

 

Aim: view JBoss pages from Internet.

Considering HTTPS is already encrypted, I suppose using SSH for the tunnel is a bit overkill. Is there a more efficient solution?

 

Yves.

Hi Yves,

 

I'm not sure what you're trying to achieve. Do you want access to JBOSS over https from anywhere? Meaning that not just you, but anyone could view this using standard https connection to your machine? Or are you trying to secure it further by the use of SSH, so that only you can gain access? Is there any particular reason you chose an SSH tunnel, instead of say, a VPN tunnel?

 

If you let us know what exactly you're attempting to achieve, what the aim is or what the goal is, we could help suggest something.

 

Take this into consideration:

 

If you want access from anywhere, without any special tools, such as SSH, or without using ports other than https (443), then JBOSS with https would be enough.

If you want access restricted just to you then I'd suggest a VPN connection. I don't see the point of tunnelling it over SSH.

You're right, I need to explain better :-)

 

JBoss is on server A, completely shielded from any Internet access, or any access from local network Y for that matter.

Visible from Internet is server B.

Server A can access server B, and server B is allowed to access server A, although it is an exception, with secure channels only (more generally, local network Y can't see local network X).

 

The aim is for JBoss to be browsable on HTTPS by anyone from anywhere.

 

Yves.

Sounds like you just need to proxy the request from server B to server A. If of course, server B is not already using HTTPS (443) for anything?!?

I realize you're right Ian. And you actually help me precisely define the situation.

 

Because… I'm in the Java developer position (sort of), with no direct link with the network security team. And I don't have the rules; I just know that I've made propositions and been given answers like “no, not possible” and very little more. So I'm kind of trying to find out the rules based on those short answers.

 

Well… One more information on why I was thinking about a tunnel: probably by fear of someone breaking past server B and into local network Y, they don't want to have the HTTPS port open in the firewall. They'll probably prefer an exotic/binary protocol (AJP), or a secure authenticated one (like SSH).

As a matter of fact, AJP was already tried but led to problems (sockets remaining in open state), and that's why I asked about SSH tunnels in the first place. I know it works in theory (and I tried for real to be sure, minus the firewall), but I don't know how well suited it is for production use.

 

Now to be honest, a few days after I started this topic, it was discovered the problem with AJP was in the Apache front-end; an upgrade cured the problem. Still, I'd like to know about alternatives.

 

Yves

Hot news… our “sockets problem” isn't quite over… So I'm all the more interested in facts that would prove the SSH solution to be a working one, or ideas for alternatives.

 

Now that they see that the AJP problem partially remains (or so it seems…), they ponder the possibility of letting HTTPS through the firewall, after all… So I'll propose your proxy idea, Ian. Thank you for your help :)

 

Yves.

You can proxy in two ways: first with Apache on the first server, and redirect to JBoss, or use a program called "pound", which is a proxy also. I've used it before, but proxying to a standard HTTP port and configuring pound to use HTTPS.

I'll definitely look into Pound. If our current problem with sockets can be worked around by using pound instead of Apache (which serves no content by itself), it would be good news; well worth a try :-)

 

Now to be more precise on the question about the SSH tunnel, I've read this:

http://sites.inka.de/~W1011/devel/tcp-tcp.html

where they explain that using PPP/SSH as a poor-man-VPN is a bad idea because you end up having:

<top protocol>/TCP/IP/PPP/SSH/TCP/IP

and TCP/…/TCP is bad.

 

And I wonder: if I run a simple “ssh -L” or “ssh -R” on port 443 (https), will I have:

HTTPS/SSH/TCP/IP (would be good)

or

HTTPS/TCP/IP/SSH/TCP/IP (would be bad)

or

something else entirely?

 

Yves.

I'm not sure you would be able to do it. Rsync you can do over SSH, but I'm unaware of any other progs allowing you to use a helper program like ssh to send it over the SSH tunnel.

Actually, as mentioned before, it does work :)

I did this test on my machine (yves.Xdomain):

ssh -g -L 7890:serverA.Xdomain:443 yves@serverA.Xdomain

and then I was able to display in Firefox:

https://yves.Xdomain:7890/

instead of

https://serverA.Xdomain:443/

 

And anyone in the team could access the former instead of the latter, as well.

 

Now the question really is: is it TCP over TCP or not? If it is, then in case of network congestion, it may “self-destroy” any time; if not, all's well :unsure:

 

Yves.
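The client side of the local forward tested above (ssh -g -L 7890:serverA.Xdomain:443 ...), as an added example that is not part of this thread or of OpenSSH: a small Python relay that terminates the incoming TCP connection on the local port and copies only the byte stream to a second, independent connection to the destination, which is also what ssh does before handing those bytes to its encrypted channel. The echo server and the 127.0.0.1 addresses are constructed test stand-ins for serverA:443, and the relay binds to loopback only, unlike -g, which makes the forwarded port reachable by everyone on the network.

```python
import socket
import threading

# Constructed stand-in for the client side of "ssh -L": a relay that accepts a
# local TCP connection and copies only its byte stream to a second connection.

def _pump(src, dst):
    """Copy bytes one way until src hits EOF, then half-close dst."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # let the far end see EOF, too
        except OSError:
            pass

def _serve(host, port, handler):
    """Bind, then hand every accepted connection to handler in its own thread."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen()
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]  # bound port (useful when port is 0)

def start_forwarder(listen_port, dest_host, dest_port, bind_addr="127.0.0.1"):
    """Like ssh -L without -g: listen on loopback only, return the bound port."""
    def relay(client):
        # Each hop is its own TCP connection; no TCP segment crosses the relay,
        # which is why this is not the TCP-inside-TCP stacking of PPP over SSH.
        upstream = socket.create_connection((dest_host, dest_port))
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        _pump(client, upstream)
    return _serve(bind_addr, listen_port, relay)

def start_echo_server():
    """Constructed stand-in for serverA:443: echoes whatever it receives."""
    return _serve("127.0.0.1", 0, lambda conn: _pump(conn, conn))

def roundtrip(port, payload):
    """Client side: send payload through the forwarder and read back until EOF."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))
```

Replacing the echo server with a real TLS endpoint needs no change to the relay, because TLS is just more payload bytes to it.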
