theYinYeti, posted December 7, 2009

Hello,

First the theory. I've read over and over again that “TCP over TCP is bad”, and I even think I understand why. But most of those reads were about PPP over SSH, which means a TCP network through PPP over another TCP network, if I understand correctly.

1st question: As I understand it, an SSH tunnel is simply this: SSH listens on localhost:XXXX, encrypts the data, forwards it through the SSH connection to remote:22, decrypts it, and makes it all available on remote:YYYY. Even though SSH connects over TCP, and in my case the data is HTTP(S), I have the feeling that this setup is not “TCP over TCP”. Or is it?

Now in practice. I have this setup:

JBoss/machine A <---( local network X )--->[Firewall]<---( local network Y )---> machine B <---( internet )

Aim: view JBoss pages from the Internet.

Considering HTTPS is already encrypted, I suppose using SSH for the tunnel is a bit overkill. Is there a more efficient solution?

Yves.
ianw1974, posted December 7, 2009

Hi Yves,

I'm not sure what you're trying to achieve. Do you want access to JBoss over HTTPS from anywhere? Meaning that not just you, but anyone could view this using a standard HTTPS connection to your machine? Or are you trying to secure it further by the use of SSH, so that only you can gain access?

Is there any particular reason you chose an SSH tunnel, instead of say, a VPN tunnel?

If you let us know what exactly you're attempting to achieve, what the aim is or what the goal is, we could help suggest something.

Take this into consideration: If you want access from anywhere, without any special tools, such as SSH, or without using ports other than HTTPS (443), then JBoss with HTTPS would be enough. If you want access restricted just to you then I'd suggest a VPN connection. I don't see the point of tunnelling it over SSH.
theYinYeti (author), posted December 9, 2009

You're right, I need to explain better :-)

JBoss is on server A, completely shielded from any Internet access, or any access from local network Y for that matter. Visible from the Internet is server B. Server A can access server B, and server B is allowed to access server A, although it is an exception, with secure channels only (more generally, local network Y can't see local network X).

The aim is for JBoss to be browsable over HTTPS by anyone from anywhere.

Yves.
ianw1974, posted December 9, 2009

Sounds like you just need to proxy the request from server B to server A. If of course, server B is not already using HTTPS (443) for anything?!?
theYinYeti (author), posted December 11, 2009

I realize you're right Ian. And you actually help me precisely define the situation. Because… I'm in the Java developer position (sort of), with no direct link with the network security team. And I don't have the rules; I just know that I've made propositions and been given answers like « no, not possible » and very little more. So I'm kind of trying to find out the rules based on those short answers.

Well… One more piece of information on why I was thinking about a tunnel: probably by fear of someone breaking past server B and into local network Y, they don't want to have the HTTPS port open in the firewall. They'll probably prefer an exotic/binary protocol (AJP), or a secure authenticated one (like SSH). As a matter of fact, AJP was already tried but led to problems (sockets remaining in open state), and that's why I asked about SSH tunnels in the first place. I know it works in theory (and I tried for real to be sure, minus the firewall), but I don't know how well suited it is for production use.

Now to be honest, a few days after I started this topic, it was discovered that the problem with AJP was in the Apache front-end; an upgrade cured the problem. Still, I'd like to know about alternatives.

Yves
theYinYeti (author), posted December 11, 2009

Hot news… our “sockets problem” isn't quite over… So I'm all the more interested in facts that would prove the SSH solution to be a working one, or ideas for alternatives.

Now that they see that the AJP problem partially remains (or so it seems…), they ponder the possibility of letting HTTPS through the firewall, after all… So I'll propose your proxy idea, Ian.

Thank you for your help :)

Yves.
ianw1974, posted December 13, 2009

You can proxy in two ways: first with Apache on the first server, and redirect to the JBoss, or use a program called "pound" which is a proxy also. I've used it before, but proxying to a standard HTTP port and configuring pound to use HTTPS.
theYinYeti (author), posted December 14, 2009

I'll definitely look into Pound. If our current problem with sockets can be worked around by using pound instead of Apache (which serves no content by itself), it would be good news; well worth a try :-)

Now to be more precise on the question about the SSH tunnel, I've read this: http://sites.inka.de/~W1011/devel/tcp-tcp.html where they explain that using PPP/SSH as a poor-man's VPN is a bad idea because you end up having:

<top protocol>/TCP/IP/PPP/SSH/TCP/IP

and TCP/…/TCP is bad.

And I wonder: if I run a simple “ssh -L” or “ssh -R” on port 443 (https), will I have:

HTTPS/SSH/TCP/IP (would be good)

or

HTTPS/TCP/IP/SSH/TCP/IP (would be bad)

or something else entirely?

Yves.
ianw1974, posted December 14, 2009

I'm not sure you would be able to do it. Rsync you can do over SSH, but I'm unaware of any other progs allowing you to use a helper program like ssh to send it over the SSH tunnel.
theYinYeti (author), posted December 15, 2009

Actually, as mentioned before, it does work :)

I did this test on my machine (yves.Xdomain):

ssh -g -L 7890:serverA.Xdomain:443 yves@serverA.Xdomain

and then I was able to display in Firefox:

https://yves.Xdomain:7890/

instead of

https://serverA.Xdomain:443/

And anyone in the team could access the former instead of the latter, as well.

Now the question really is: is it TCP over TCP or not? If it is, then in case of network congestion, it may “self-destroy” any time; if not, all's well :unsure:

Yves.
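As an added illustration (my own model, not code from the thread or from OpenSSH), here is what `ssh -L` does with a connection: the browser's TCP connection terminates at the ssh client, only the application bytes cross the SSH channel as a stream, and the ssh server opens a fresh TCP connection to the target. That is the first of Yves's two stacks (HTTPS carried inside the SSH stream, not TCP inside TCP), which is why the PPP-over-SSH retransmission stacking does not apply. The "SSH channel" is modelled as a socketpair and a constructed echo listener stands in for JBoss on server A; the `gateway` flag mirrors `-g`, which is what let "anyone in the team" reach the forwarded port.

```python
import contextlib
import socket
import threading

def _pump(src, dst):
    """Copy one byte stream src -> dst until EOF, then pass the EOF on."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)

def _bridge(a, b):
    """Relay both directions between two stream endpoints, then close both."""
    back = threading.Thread(target=_pump, args=(b, a), daemon=True)
    back.start()
    _pump(a, b)
    back.join()
    a.close()
    b.close()

def _serve(host, on_accept):
    """Listen on an ephemeral port, hand each accepted socket to on_accept, return the port."""
    listener = socket.socket()
    listener.bind((host, 0))
    listener.listen(5)
    def loop():
        while True:
            on_accept(listener.accept()[0])
    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()[1]

def start_forwarder(target_host, target_port, gateway=False):
    """Model of `ssh -L port:target_host:target_port` (-g when gateway=True).
    The local TCP connection ends here; its bytes cross the 'SSH channel' (a plain
    stream) and the far end opens its own TCP connection to the target.
    -g binds 0.0.0.0, so every host that can reach this machine can use the tunnel."""
    def on_accept(local_conn):
        client_end, server_end = socket.socketpair()  # the SSH channel, modelled locally
        remote_conn = socket.create_connection((target_host, target_port))
        threading.Thread(target=_bridge, args=(local_conn, client_end), daemon=True).start()
        threading.Thread(target=_bridge, args=(server_end, remote_conn), daemon=True).start()
    return _serve("0.0.0.0" if gateway else "127.0.0.1", on_accept)

def start_echo_server():
    """Constructed stand-in for the JBoss listener on server A: echoes whatever it receives."""
    def echo(conn):
        with conn:
            _pump(conn, conn)
    return _serve("127.0.0.1", lambda c: threading.Thread(target=echo, args=(c,), daemon=True).start())

def relay_roundtrip(local_port, payload):
    """Send payload into the tunnel as the browser would; return everything sent back."""
    with socket.create_connection(("127.0.0.1", local_port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))
```

A real deployment differs only in that the two bridges run in different processes on different hosts, joined by the encrypted SSH transport; the TCP connections on each side are still separate and terminate at the ssh programs.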