How to set up a mobile webserver with reverse SSH and a reverse proxy? - ssh

I'm trying to host an Apache webserver on a phone with Termux, and the final goal is to make this server mobile by using 4G. To achieve this I thought it was possible to use a reverse SSH connection (to set up a connection from the phone, wherever it is on the internet) to a proxy in my home. The DNS of my website will redirect to this (reverse) proxy, which will redirect to my phone webserver by using the reverse SSH connection.
For now, the phone server is on the same wifi network as the proxy, not on 4G.
So this phone connects to a computer which acts as a proxy, by connecting with reverse SSH on port 8082. From this computer, when I open http://localhost:8082 in a browser on the computer, it works, I have access to the website.
However I can't access the website from another device on the local network or from the internet (I tried http://IPproxyComputer:8082, and I tried from a device on the internet http://MyPublicIP with a port redirection from 80 to IPproxyComputer:8082 on my router). I don't have any firewall on.
Here is a diagram to clarify:
I didn't find anyone trying to host a webserver with this config, but someone explains how to give access to a device with reverse SSH and a Squid proxy here.
So I thought this is what I must do, but with a different configuration for Squid because in my case the request comes from someone on the internet or the local network to the webserver, so Squid must listen on a port, let's say 8081, and redirect to 8082 where the SSH connection is, but I failed to set this up.
I need help to understand two things:
- Why is the page accessible from the proxy with http://localhost:8082, but not from a device on the local network with http://IpproxyComputer:8082? Is it because of an authorization (and is it possible to change it?), or is it just impossible to do this kind of connection?
- Is it a solution to use Squid? How do I set this up?
Here is the reverse SSH command I used from the phone webserver:
ssh -R 8080:localhost:8081 UsrProxyComputer@IPproxyComputer
Here is the config I tried for Squid (it is the first time I use it and I am really a beginner in networks):
# Define the listening port and default site
# Declare that virtual hosts will be used for allowing the reverse proxy
http_port 8081 accel vhost
# First we will configure the servers in our system
# originserver: the peer behind the SSH tunnel is the web server itself, not another proxy
cache_peer 127.0.0.1 parent 8082 0 proxy-only originserver name=InterRedir
# Create an additional ACL for local network access
acl localip src 192.168.0.0/24
http_access allow localip
cache_peer_access InterRedir allow localip
# Next we will map domains to the specific systems
# 1) This is done by creating an ACL for the domain
# 2) Then granting http access to it to allow the connection
# to get through.
# 3) Then mapping an acl to the specific server
# MyWebSite.com
acl MyWebSite_acl dstdomain MyWebSite.Com
http_access allow MyWebSite_acl
cache_peer_access InterRedir allow MyWebSite_acl
# Additional ACL definitions
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl purge method PURGE
acl CONNECT method CONNECT
# Restrictions
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny all
# Disable caching
cache deny all
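The symptom in the question (works on http://localhost:8082, fails from the LAN) is decided by the address the tunnel listener is bound to on the proxy computer. By default `ssh -R PORT:host:hostport` makes sshd listen on 127.0.0.1 only; binding all interfaces needs `-R 0.0.0.0:PORT:host:hostport` (or `*:PORT`) on the client and `GatewayPorts yes` or `GatewayPorts clientspecified` in the proxy's sshd_config. The following is an added diagnostic, not code from the poster: it parses `ss -tln` output (a constructed sample is embedded) and reports whether a port is reachable beyond loopback.

```python
from ipaddress import ip_address

# Constructed sample in the style of `ss -tln` on the proxy computer
# (not captured from the poster's machine): the tunnel endpoint on 8082
# sits on loopback only, while sshd and Squid listen on every interface.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:8082       0.0.0.0:*
LISTEN  0       128     [::1]:8082           [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     *:8081               *:*
"""

def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN line of `ss -tln` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                                  # header or non-listening socket
        addr, port = fields[3].rsplit(":", 1)         # rsplit keeps IPv6 colons intact
        listeners.append((addr.strip("[]"), int(port)))
    return listeners

def scope(addr):
    """Classify a bind address: 'loopback', 'wildcard' (all interfaces) or 'specific'."""
    if addr in ("*", "0.0.0.0", "::"):
        return "wildcard"
    return "loopback" if ip_address(addr).is_loopback else "specific"

def lan_reachable(ss_output, port):
    """True when some socket on `port` is bound beyond loopback, so a LAN client can reach it.

    For a reverse tunnel that only happens when the client asked for a
    non-loopback bind address and sshd permits it via GatewayPorts; the
    plain `-R PORT:host:hostport` form binds 127.0.0.1 only.
    """
    return any(scope(a) != "loopback" for a, p in parse_listeners(ss_output) if p == port)

def diagnose(ss_output, port):
    """Human-readable verdict for one port."""
    binds = ", ".join(f"{a}:{p}" for a, p in parse_listeners(ss_output) if p == port)
    verdict = "reachable from the LAN" if lan_reachable(ss_output, port) else "loopback only"
    return f"port {port} bound on [{binds}]: {verdict}"

if __name__ == "__main__":
    for port in (8082, 8081, 22):
        print(diagnose(SAMPLE_SS, port))
```

Run it against real `ss -tln` output on the proxy computer to confirm which case applies before changing Squid; a loopback-only 8082 is also why Squid's cache_peer above must point at 127.0.0.1.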

Related

Apache Virtual Host not accessible from local network

I have set up a Virtual Host with Apache2 with the following configuration:
<VirtualHost *:8080>
ServerName example.com
DocumentRoot /var/www/example.com
</VirtualHost>
It is possible to access the website from the outside (example.com).
But if I enter example.com from another system in my local network, it opens my router's configuration page.
I forwarded my router's port 80 to my server's port 8080 in my network.
But I would like to access the website as well from my other systems in the local network. Is this possible?
Your router probably does not support "NAT loopback", where you access a service on the local network via the WAN IP of the router. Most consumer grade routers do not support NAT loopback.
You only have 2 options:
Change your router to one that does support "NAT loopback".
e.g. Which NETGEAR routers support NAT loopback
Access your service via the internal IP address instead. You can override the public DNS using your local HOSTS file.
The way I generally "work around" this and have the site accessible to all machines/devices on the LAN, is to define a local subdomain (A record) in the public DNS that points to the local IP address. So when on the LAN I access the site by the subdomain local.example.com instead.
Related question on Security SE, which goes into more detail about what actually goes on with the network traffic:
Is NAT Loopback on my router a security problem?

NTLM authentication on Squid proxy

I am new to Squid proxy and need help in setting up NTLM authentication.
I checked so many resources on the web but did not find exact steps to get my work done.
Since I have no background in proxy/networking configurations, I am not able to figure out what I am missing. I need this for some testing purposes.
Scenario:
I have two machines.
Machine 1:
Windows Server 2012 R2 on which Squid proxy server 2.6 is deployed. This machine has an Active Directory domain configured (domain1.com).
domain1.com has the users user-1 and user-2.
Machine 2: is a part of domain1.com. Machine 1 acts as a proxy for Machine 2 (manual proxy set in Machine 2's Internet Explorer).
Windows Integrated Authentication is turned ON in the Internet Explorer menu.
I am trying to access google.com from Machine 2, and IE prompts for authentication. I am providing user-1 credentials here. However, the request does not succeed. The authentication prompt appears again and again.
squid.conf:
# NTLM helper (Squid 2.6 for Windows)
auth_param ntlm program C:/squid/libexec/mswin_ntlm_auth.exe --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
# ACL definitions
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl KnownUsers proxy_auth REQUIRED
# http_access rules are evaluated top to bottom; the first matching line decides
http_access allow KnownUsers
http_access allow manager localhost
http_access deny manager # was "allow manager", which exposed the cache manager to every client
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
access.log:
1528144397.050 24 XX.XX.XXX.XXX TCP_DENIED/407 2151 CONNECT www.google.co.in:443 - NONE/- text/html
1528144397.056 5 XX.XX.XXX.XXX TCP_DENIED/407 1817 CONNECT www.google.co.in:443 - NONE/- text/html
Can someone please let me know what I am missing?
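Both Squid configurations on this page (the reverse-proxy one in the first question and the NTLM one here) depend on how `http_access` is evaluated: top to bottom, first matching line wins, every ACL on a line must match, `!` negates, and a `proxy_auth` ACL evaluated on a request without credentials makes Squid answer with a 407 challenge instead of continuing. The following is an added emulation of that evaluation, not the poster's code or Squid itself; the embedded configuration is a constructed, shortened excerpt of the squid.conf above.

```python
import ipaddress

# Constructed excerpt of the squid.conf above (not the poster's file verbatim); localnet kept to one range.
SQUID_CONF = """\
acl localnet src 192.168.0.0/16
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl KnownUsers proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
http_access allow KnownUsers
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
"""

def parse_config(text):
    """acl definitions as name -> (type, values); http_access rules in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()                 # drop comments / blank lines
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_match(acls, name, req):
    kind, values = acls[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":                                        # single ports and lo-hi ranges
        return any(int(lo) <= req["port"] <= int(hi or lo) for lo, _, hi in (v.partition("-") for v in values))
    if kind == "proxy_auth":
        if not req.get("user"):                               # no credentials: Squid stops and challenges (407)
            raise PermissionError("407")
        return True
    raise ValueError("unsupported acl type: " + kind)

def http_access(conf, req):
    """Emulate Squid's first-match http_access evaluation: 'allow', 'deny' or '407'."""
    acls, rules = parse_config(conf)
    for action, terms in rules:                               # top to bottom, first match wins
        try:                                                  # every term on a line must match (AND); '!' negates
            if all(acl_match(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
                return action
        except PermissionError:
            return "407"
    return "deny" if rules[-1][0] == "allow" else "allow"     # no match: opposite of the last rule
```

Swapping the first two `http_access` lines shows why the stock squid.conf puts the `Safe_ports` denials before any allow: in the posted order an authenticated user is allowed through to any port, including ones the `Safe_ports` list was meant to block.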

xampp blocking remote external connections

I have read several questions here and still nothing is working.
I am trying to access my test site from a remote computer (either network or WAN, but I need WAN eventually).
I just re-downloaded the newest XAMPP for Windows 10.
I can go to localhost (also the other 3 names I set up in the hosts file to redirect to localhost) and of course 127.0.0.1 (localhost).
If I try to use the IP address of the computer, or someone else tries my IP address on their computer, we get "page can't be found" (from Chrome).
If I check the Apache access logs I see nothing about an access attempt.
Netstat -a shows these two records
TCP 0.0.0.0:80
TCP 0.0.0.0:443
TCP [::]:80
TCP [::]:443
I have gone to Windows Firewall -> Advanced Settings -> Inbound rules. Here it shows that Apache has 2 rules, one for UDP and one for TCP, allowing all ports.
I have gone to my router and port forwarded 80 & 443 (which is what XAMPP is running on) and still nothing.
I even put my computer in a DMZ. I also turned off the Windows firewall (all back on after testing of course, this is dangerous).
XAMPP has no LocationMatch in xampp-http.conf like other questions.
My vhost file has the directory set up like this:
<Directory "C:/Users/username/Desktop/git repos/stats-website">
AllowOverride All
Order Allow,Deny
Allow from all
Require all granted
</Directory>
This is my testing rig and I am now testing an API that is being accessed externally before I send it to the production server. I have been at this for 2 days and out of all possibilities
UPDATE
I have solved the issue somewhat. I can now get to it from everything except localhost or 127.0.0.1.
In httpd.conf I changed it from just Listen 80 to Listen pcipaddress:80. I thought Listen 80 defaulted to binding on more than just localhost.
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
Listen 192.168.1.241:80
#Listen 80
How do I do it so it works for both localhost and remote connections?

configuring reverse proxy https with multiple certificates with Apache

I have the following setup:
one public IP
2 different domain names pointing to the same IP above: domain1.com and domain2.com
2 different ssl certificates: one for domain1.com and one for domain2.com
2 physical machines on the same LAN (192.168.1.10 and 192.168.1.20) running Apache2 and debian 8.5
I tested both servers independently, forwarding the port 443 traffic to either of the machines. They work nicely.
Now I am forwarding all port 443 requests arriving at the public IP to the first server at 192.168.1.10, and I would like this server to act as an HTTPS server for https://domain1.com and redirect the requests for https://domain2.com to the address 192.168.1.20.
I have tried to configure a reverse proxy in the first machine. It does redirect the requests for domain2 to the machine at 192.168.1.20 BUT it serves the certificate for domain1.
How can I configure reverse proxy as to present the right certificate for each one of my servers?
thank you in advance.
julia
Easiest "solution" (well, workaround) would be to use a single certificate that contains both hostnames. If you cannot do that, then you need to configure Apache SNI, like so: SSL with Virtual Hosts Using SNI
As some suggested I tried to use the Apache2 reverse proxy.
This somehow works, but you have to install all the certificates on the machine running Apache2. Thus the traffic on the LAN is no longer HTTPS, which does not satisfy my requirement.
The solution is to use haproxy. This package can be set up as a pass-through for HTTPS. There are many examples of such applications on the internet. It does exactly what I am asking for: I can host many HTTPS servers on a LAN behind a NAT router with one single public IP. The traffic is sent by haproxy as HTTPS to the indicated server on the LAN. If anyone is interested, I will be glad to share my config file solving precisely the problem I set out in my question.
To Robert M:
here is my configuration to be added at the end of the default haproxy.cfg file:
frontend ft_https
    mode tcp
    option tcplog
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl domain1_com req.ssl_sni -m end domain1.com     # all names ending with domain1.com
    acl domain2_com req.ssl_sni -i www.domain2.com     # exactly www.domain2.com
    use_backend b_domain1_com if domain1_com
    use_backend b_domain2_com if domain2_com
    default_backend b_default
backend b_default
    mode tcp
    option tcplog
    server srv_default 127.0.0.1:1443
backend b_domain1_com
    mode tcp
    option tcplog
    server srv_domain1 192.168.1.10:1443
backend b_domain2_com
    mode tcp
    option tcplog
    server srv_domain2 192.168.1.20:443
I had to change the https port for apache on the first server to 1443 because both haproxy and apache cannot bind to the same 443 port as they reside on the same machine, but it is transparent to the user.
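The haproxy frontend above never decrypts anything: `req.ssl_sni` reads the host name out of the server_name extension of the client's TLS ClientHello, which is sent in clear before any key exchange, and the `acl` lines match on that string. As an added illustration (not part of the answer and not haproxy's code), the following parses that field the same way and mirrors the two acls; `build_client_hello` only constructs a minimal ClientHello as test input.

```python
import struct

def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello record with a single SNI extension (test input only)."""
    host = server_name.encode()
    sni_list = struct.pack("!BH", 0, len(host)) + host                    # name_type 0 = host_name
    ext_data = struct.pack("!H", len(sni_list)) + sni_list
    extensions = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data     # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                        # client_version, random
            + b"\x00"                                                      # session_id length
            + b"\x00\x02\xc0\x2f"                                          # one cipher suite
            + b"\x01\x00"                                                  # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake # TLS record header

def extract_sni(record):
    """Host name from a ClientHello record, or None. This is what haproxy's req.ssl_sni reads."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None                                            # not a handshake record / not a ClientHello
    pos = 43                                                   # record(5) + handshake(4) + version(2) + random(32)
    pos += 1 + record[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + record[pos]                                     # compression_methods
    if pos + 2 > len(record):
        return None                                            # no extensions at all: the acl cannot match
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:                                      # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None

def pick_backend(record):
    """Mirror the two acls above: '-m end domain1.com' (suffix) and '-i www.domain2.com' (exact, case-insensitive)."""
    try:
        sni = extract_sni(record) or ""
    except (IndexError, struct.error):                         # truncated or garbage bytes: treat as no SNI
        sni = ""
    if sni.endswith("domain1.com"):
        return "b_domain1_com"
    if sni.lower() == "www.domain2.com":
        return "b_domain2_com"
    return "b_default"
```

Because routing happens on this plaintext field, a client that sends no SNI (or a non-TLS client on port 443) lands in `b_default`, which is why the frontend keeps a default backend.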

Apache Server Port Configuration

When I run Apache and have it configured to listen at ports 80 and 443, is it only listening for local traffic on my network? How can I tell if my server is visible to the web? (I want to keep it private for local development purposes) I think that for others to have access to my server, I would have to actually open up ports 80 and 443 on my router, but I have to say I'm pretty confused. Any help would be appreciated!
The ports have nothing to do with whether it's visible on the web. It's the IP address that the server is listening on and whether that IP address is allowed to accept inbound connections if there is a firewall in front of it. So if you are using localhost or an RFC 1918 IP address, then there is nothing to worry about. It has to use a publicly accessible IP address or hostname.
When Apache starts, it binds to some port and address on the local machine and waits for incoming requests. By default, it listens to all addresses on the machine. However, it may need to be told to listen on specific ports, or only on selected addresses, or a combination of both. This is often combined with the Virtual Host feature, which determines how Apache responds to different IP addresses, hostnames and ports.
(https://httpd.apache.org/docs/2.2/bind.html)
Also if you are behind a router, until you port forward your router on 80 or 443, nothing is going to get through from the outside.
You did not specify the OS/distribution you are using, so it's a little hard to guess where your apache.conf or httpd.conf is located; you need to find it (including the ssl.conf file).
Somewhere right at the top you will find a few lines talking about "Listen: allows you to bind apache". You can limit this to your local network including localhost; now assuming your IP address is 192.168.10.1:
Listen 127.0.0.1:80
Listen 192.168.10.1:80
A little further down you will find a section talking about "DocumentRoot", right after that it will talk about "Directory", make it look like:
<Directory />
    # Deny,Allow: deny first, then let the listed addresses through
    # (with Order Allow,Deny a "Deny from all" would reject everyone)
    Order Deny,Allow
    Deny from all
    # /16 so the whole 192.168.x.x range matches, not only the single address 192.168.0.0
    Allow from 192.168.0.0/16
    Allow from 127.0.0.1
</Directory>
and depending where your document root is:
<Directory /var/www>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.0.0/16
    Allow from 127.0.0.1
</Directory>
This will only allow local traffic to get to your server. You need to make sure that your IP address is within the 192.168.0.0/16 range.
Note that you need to do the same in the file called "ssl.conf".