HTTPS traffic doesn't work with VPN and Proxy - ssl

I have:
VPN server (SoftEther), to which I connected.
iptables rules to send all traffic from the VPN to the Proxy server.
Proxy server (Java). I use LittleProxy https://github.com/adamfisk/LittleProxy. It doesn't intercept HTTPS traffic.
All these items are connected like this:
VPN client ===> VPN server ===> Proxy server ===> Internet
HTTP traffic works fine, but HTTPS doesn't.
When I try to go to https://google.com, I see an error in Chrome:
This site can't provide a secure connection
When I connect the browser directly to the Proxy server, HTTPS works fine.
When I connect only to VPN server - HTTPS works fine.
The same problem appears, if I switch VPN to OpenVPN.
After sniffing the traffic I identified that HTTPS requests are trying to go via the HTTP protocol to an HTTPS address. It seems to be some issue with redirects, since when I just go to www.google.com, after 2 redirects (generated by Google) I am able to reach Google via HTTPS, but when I enter https://google.com I get the error.
In Wireshark I got a 400 error:
Expert Info (Warning/Security): Unencrypted HTTP protocol detected over encrypted port, could indicate a dangerous misconfiguration.
My IP Tables rules:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- ip-192-168-200-0.ec2.internal/24 anywhere tcp dpt:http to:172.31.64.145:9090
DNAT tcp -- ip-192-168-200-0.ec2.internal/24 anywhere tcp dpt:https to:172.31.64.145:9090
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- ip-192-168-200-0.ec2.internal/24 anywhere
MASQUERADE all -- ip-192-168-200-0.ec2.internal anywhere
Where 172.31.64.145:9090 is the IP of the Proxy server.
VPN server and Proxy servers run on the same AWS instance.

Related

Haproxy TLS terminating and passthrough based on sni

I have similar path for the requests:
client mydomain.com -> nlb:443 -> haproxy -> cloudfront
client a.mydomain.com -> nlb:443 -> haproxy -> target_group_a
The main idea is to do TLS passthrough for the main domain name and send it to CloudFront without TLS termination. Requests to a.mydomain.com should pass to target_group_a, and it should terminate TLS. So my config for this is:
frontend main
bind *:443
mode tcp
option tcplog
log global
tcp-request inspect-delay 5s
acl is_main req_ssl_sni -i "${pDomainName}"
acl is_a req_ssl_sni -m beg "a"
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend main if is_main
use_backend a if is_a
backend main
mode tcp
option ssl-hello-chk
server cloudfront "${pCloudFrontUrl}:443" check resolvers aws
backend a
mode tcp
server local 127.0.0.1:9666 send-proxy
frontend a
bind *:9666 ssl crt server.pem ca-file ca.pem verify required accept-proxy
mode http
default_backend proxy_a
backend proxy_a
mode http
server elb "${pServer}:80" check resolvers aws
The main record passes successfully and I get CloudFront SSL termination and everything is okay, but not for a.mydomain.com.
Also I tried to watch what SNI HAProxy captures, but I got only "capture0: -" in the logs. I did this (right after the tcp inspect line):
tcp-request content capture req_ssl_sni len 15
log-format "capture0: %[capture.req.hdr(0)]"
and it's strange because routing works.
I've tried a lot of possibilities. For now I get the "SSL peer handshake failed, the server most likely requires a client certificate to connect" error, but if I listen on frontend a on another port and in http mode, everything works fine.
Maybe I'm missing something basic, but I've been stuck on it for ages and maybe someone could help me.
For someone who is suffering or will suffer with that situation, just be sure that you are testing with the GNU version of curl (or build it with the proper libraries), because it doesn't work for me with the BSD curl. My curl version and libs:
curl 7.66.0 (x86_64-apple-darwin17.7.0) libcurl/7.66.0 SecureTransport zlib/1.2.11
Release-Date: 2019-09-11
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile libz NTLM NTLM_WB SSL UnixSockets

Virtualbox not port forwarding port 8080 but other ports are ok

I am running Ubuntu 18.04 in VirtualBox and my host machine is a Mac. There is a service active on port 8080 on the VM, and I have port forwarded that to my host the same way that I have done it for other ports via Settings -> Network -> Port Forwarding. I have confirmed that other ports are properly port forwarded, as I can actually see a different webpage hosted on port 5000. (And port 22 is working, as that's how I SSH to my VM.) I am not able to see a webpage when I visit http://127.0.0.1:8080 or http://localhost:8080
My problem is that I am not sure why I'm having trouble with port 8080, where my Vue app is running. After running the command "yarn serve", I get
App running at:
- Local: http://localhost:8080/ (copied to clipboard)
[19:11:02] Server listening on localhost:8080
Some of the things I've checked are:
Firewall:
sudo ufw status
Status: inactive
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Running nmap on VM shows:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5000/tcp open upnp
5432/tcp open postgresql
8080/tcp open http-proxy
Running nmap on host machine shows:
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp
5001/tcp open commplex-link
5050/tcp open mmcc
8000/tcp open http-alt
8080/tcp open http-proxy
If I do curl localhost:5000 from host I get what is expected but if I do curl localhost:8080 I get
curl: (56) Recv failure: Connection reset by peer
Note: doing curl on both ports 5000 and 8080 returns information as expected from the Ubuntu VM.
What's my problem?
If this is off topic please redirect me. I've tried posting on the Stack Exchange Network Engineering site, but it doesn't even have the virtualbox tag.
I ended up running the project on my host and it worked straight away. I also created a new Vue app on the VM and was able to view the webpage from the host's browser. My guess is that the project that couldn't be seen in the host browser is also using other services running on different ports which I have not port forwarded. Although this is just my guess.
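One thing worth verifying in a setup like the one above is the address the service is bound to: the "yarn serve" output says it is listening on localhost:8080, and a VirtualBox NAT port forward delivers the host's connection to the VM's network interface, not to the VM's loopback. The following is an added example, not code from the question or from VirtualBox or Vue. It starts a tiny TCP listener bound either to 127.0.0.1 only or to 0.0.0.0 and probes it from two client addresses; 127.0.0.2 stands in for "an address other than the one the service bound to" (assumption: Linux, where the whole 127/8 range is loopback, so a socket bound to exactly 127.0.0.1 does not answer on 127.0.0.2).

```python
"""Show why a listener bound to 127.0.0.1 only is unreachable from any other
address, which is where a NAT port forward into a VM arrives.

Added example (not from the question above). 127.0.0.2 is used as a stand-in
for the VM's NIC address; on Linux it is loopback, so no network is needed."""
import socket
import threading


def _serve_once(bind_addr: str) -> int:
    """Start a one-shot TCP server on bind_addr; return the port the OS chose."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    srv.settimeout(1.0)               # give up if nobody connects
    port = srv.getsockname()[1]

    def run():
        try:
            conn, _ = srv.accept()
            conn.sendall(b"hello\n")
            conn.close()
        except OSError:               # socket.timeout is an OSError subclass
            pass
        finally:
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def probe(bind_addr: str, connect_addr: str) -> bool:
    """True if a client connecting to connect_addr reaches a server bound to bind_addr."""
    port = _serve_once(bind_addr)
    try:
        with socket.create_connection((connect_addr, port), timeout=1.0) as c:
            return c.recv(16) == b"hello\n"
    except OSError:                   # ConnectionRefusedError, timeout, ...
        return False


def reachability(bind_addr: str) -> dict:
    """Map each client-side address to whether the listener answered there."""
    return {addr: probe(bind_addr, addr) for addr in ("127.0.0.1", "127.0.0.2")}


if __name__ == "__main__":
    for bind in ("127.0.0.1", "0.0.0.0"):
        print(f"bound to {bind:9s} -> {reachability(bind)}")
```

The listener bound to 127.0.0.1 answers only on 127.0.0.1 and the connection to 127.0.0.2 is refused, which from the host side looks like the "Connection reset by peer" in the question; the listener bound to 0.0.0.0 answers on both. Inside the VM, "ss -ltn" or "netstat -ntlp" shows the bound address in the Local Address column (127.0.0.1:8080 versus 0.0.0.0:8080), which is the quickest way to tell the two cases apart without writing any code.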

Getting timeout when access the 80 port

I'm using the new Azure cloud app and I have created a new VM with Ubuntu 14.04.
I installed apache2 and some common modules (like php5).
Well, after that, I configured my app, but when I tried to access it, the browser shows "Timeout" (using Chrome). The "ping" maps the hostname to the IP address but it doesn't get any response (I suppose that ping is disabled by default).
At first I thought it was my app, so I only set the default Apache settings in the "sites-enabled" folder (the one with the static HTML page that comes with Apache).
But the same thing happens, so I checked the usual things like the firewall, iptables rules, etc. But I always get the same result :/
This is not my first server, but I'm not able to think of another option, so I just want to check what you guys think about what the problem could be.
iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw status
Status: inactive
default settings in the sites-enabled folder (I erased the comment lines)
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1654/sshd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 34899/postgres
tcp 0 0 x2.x2.x2.x2:16001 (other ip diff from server's ip) 0.0.0.0:* LISTEN 937/python
tcp6 0 0 :::80 :::* LISTEN 48801/apache2
tcp6 0 0 :::22 :::* LISTEN 1654/sshd
telnet ip 80 (from my PC)
Connecting To x.x.x.x 80...Could not open connection to the host, on port 80
: Connect failed
telnet localhost 80
Connected to localhost.
Escape character is '^]'.
exit
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Not Implemented</title>
</head><body>
<h1>Not Implemented</h1>
<p>exit to / not supported.<br />
</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at x3.x3.x3.x3 Port 80</address>
</body></html>
Connection closed by foreign host.
The IPs x2.x2.x2.x2 and x3.x3.x3.x3 have the same value, but they aren't equal to the server IP. (At least it isn't the same IP value I use to connect to the VM by SSH.)
Sounds like it might be an endpoint. By default when you create a virtual machine in the Azure portal, endpoints for Remote Desktop, Windows PowerShell Remoting, and Secure Shell (SSH) are automatically created.
You will have to go into the Azure portal to configure additional endpoints.
Each endpoint has a public and a private port. The public port is used for outside requests/traffic coming into the VM through the load balancer. The private port is used by the VM for incoming traffic to route to the proper port/app.
Here is a link to Azure help that talks about setting up endpoints:
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/

TCP protocol instead of SSL/TLS in Wireshark

I am trying to use the .NET implementation of SslStream following this tutorial.
I did everything as in this article, but I have a question. I downloaded RawCap and captured packets from localhost; after that I opened the dump file (.pcap) using Wireshark, but instead of the SSL or TLS protocol type, I saw just TCP. Here is part of the TCP stream:
....l...h..T...........Y.2..1...t.4....8.J...../.5...
.......
.2.8.......'..............SslServer.
......................M..T...M.<.......e.E...M.%c...Kg.. .....iKku.^q(C.$..;..Mx......g&./..................0...0.............L.^..F.)...{.0...+......0.1
0...U....MyCA0..
150228143257Z.
391231235959Z0.1.0...U....SslServer0.."0
..*.H..
..........0..
......p9.cq...F.^....Bm...S... .....Bg.B.<]..f[...<...q'..Tc......R...Z.C.D.D...N...1..0.v..l.<...d[=C.7.8.+^..j(...X.........D'.!*5.^.^Ef..=.6y#.=..)|...Sp..Sv.|h.-..UT..&bG.......J{.7k.X...........:.[o....o.,r.......0..Wi.s..8.Jn9........4...WU....fkmw..........D0B0#..U...907..m.....#..
...f...0.1
0...U....MyCA..(J..j+..K......0...+...........h..X.+.M..{...n.....#.'.F........~....#9J.......A4,>.9.DE.R.V4t._bGY.,v.>G......J ....3....#..c,%[S._..u...$....!V.r....~...'.~..T*[.#[.?.B{..Z..m.p.9.7.U.u.}.e..c..H^n.:...-AJxs.. ...:...
..u.....YB....2n...y.g=...(.Fv...B.Is..GK.....;.F..Ln.....L...ao
......#...q0o1.0...U....SE1.0...U.
..AddTrust AB1&0$..U....AddTrust External TTP Network1"0 ..U....AddTrust External CA Root..0..1.0...U....US1.0...U.
.
GeoTrust Inc.1907..U...0(c) 2008 GeoTrust Inc. - For authorized use only1604..U...-GeoTrust Primary Certification Authority - G3.g0e1.0...U....US1.0...U.
Is this a correct SSL/TLS stream? And why did Wireshark mark it as TCP?
UPD:
By default Wireshark uses TCP port numbers to know if this is standard TCP or TLS/SSL.
If you want to make Wireshark permanently recognize any port as SSL/TLS, then go to Edit > Preferences > Protocols > HTTP > Under SSL/TLS Ports change it from 443 to 443,5555, ... <other TLS/SSL ports go here>.
Also note that SSL traffic is encrypted, and that is why you won't be able to see the actual data being transmitted. If you want Wireshark to decrypt SSL traffic, then you will have to give it your server's private key (reference SSL dissection in Wireshark)
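Three questions on this page come down to what the first bytes of a connection look like: the VPN/proxy question, where port 443 is DNATed to a plain HTTP proxy that then answers a TLS ClientHello with an HTTP 400 (the "unencrypted HTTP over encrypted port" warning); the HAProxy question, which routes on req_ssl_sni; and this one, where Wireshark classifies by port number and so shows a TLS session on a non-standard port as plain TCP. The following is an added example, not code from any of those posts nor from LittleProxy, HAProxy or Wireshark. It classifies the first bytes a server receives as a TLS ClientHello or a plaintext HTTP request and extracts the SNI from the ClientHello; the ClientHello it builds for the demonstration is constructed here and carries only an SNI extension.

```python
"""Classify the first bytes of a TCP connection by content, not by port:
TLS ClientHello (with SNI extraction) versus plaintext HTTP request.

Added example, not from the posts above. The ClientHello built by
build_client_hello() is constructed for the demonstration."""
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type "handshake"
CLIENT_HELLO = 0x01       # handshake message type
SNI_EXTENSION = 0x0000    # server_name extension id
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Record header: type(1) version(2) length(2); byte 5 is the handshake type."""
    return (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[2] in (0x00, 0x01, 0x02, 0x03, 0x04)
            and data[5] == CLIENT_HELLO)


def extract_sni(data: bytes):
    """Return the server_name from a ClientHello, or None if absent or malformed."""
    if not looks_like_tls_client_hello(data):
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    hs_len = int.from_bytes(body[1:4], "big")   # handshake header: type(1) length(3)
    hello = body[4:4 + hs_len]
    try:
        i = 2 + 32                                # skip client_version + random
        sid_len = hello[i]; i += 1 + sid_len      # session id
        cs_len = struct.unpack("!H", hello[i:i + 2])[0]; i += 2 + cs_len   # cipher suites
        cm_len = hello[i]; i += 1 + cm_len        # compression methods
        if i + 2 > len(hello):
            return None                           # no extensions block at all
        ext_len = struct.unpack("!H", hello[i:i + 2])[0]; i += 2
        end = i + ext_len
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[i:i + 4]); i += 4
            if etype == SNI_EXTENSION:
                j = i + 2                         # skip server_name_list length
                while j + 3 <= i + elen:          # entries: name_type(1) len(2) name
                    ntype = hello[j]
                    nlen = struct.unpack("!H", hello[j + 1:j + 3])[0]
                    if ntype == 0:                # 0 = host_name
                        return hello[j + 3:j + 3 + nlen].decode("ascii")
                    j += 3 + nlen
                return None
            i += elen
    except (IndexError, struct.error):
        return None                               # truncated or malformed hello
    return None


def classify(data: bytes):
    """('tls', sni) | ('http', request_line) | ('unknown', None)."""
    if looks_like_tls_client_hello(data):
        return ("tls", extract_sni(data))
    if data.startswith(HTTP_METHODS):
        return ("http", data.split(b"\r\n", 1)[0].decode("ascii", "replace"))
    return ("unknown", None)


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", SNI_EXTENSION, len(sni_list)) + sni_list
    exts = struct.pack("!H", len(ext)) + ext
    hello = (b"\x03\x03" + bytes(32)      # client_version + random (zeros here)
             + b"\x00"                     # session id length 0
             + b"\x00\x02\xc0\x2f"         # one cipher suite
             + b"\x01\x00"                 # compression: null only
             + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(classify(build_client_hello("a.mydomain.com")))
    print(classify(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))
```

A transparent proxy that does not make this distinction feeds the ClientHello to its HTTP parser and replies with a 400 in the clear, which is what the first question's capture showed; a browser only sends CONNECT when it is explicitly configured with a proxy, which is why connecting the browser straight to LittleProxy worked there. HAProxy's req_ssl_sni performs the same walk once tcp-request inspect-delay has buffered the bytes, and in Wireshark the "Decode As..." dialog (or the port preference given in the answer above) is what makes the TLS dissector run on a port other than 443.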

Unable to connect to cloud server via browser (iptables)

I am not sure if Stack Overflow allows server configuration questions as well, but as this might be related to Apache I hope someone can help. I am trying to set up my cloud server to allow incoming connections on port 80 so that I can see my server files when I enter http://domain.com in a browser. Apache is installed and I am currently busy setting up my iptables (which I suspect might be the problem).
My current iptables are as follows:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
As this is my first attempt at this (and my network experience goes with what the GUI on MS machines offers), I am not sure if I did it correctly.
Any ideas?
Managed to get it to work, Apache wasn't started :)
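Reading an iptables chain by hand is error-prone because the first matching rule wins and later rules never run. The following is an added example, not code from the question or from iptables: it walks the INPUT chain transcribed from the listing above with first-match semantics and reports which rule decides a new TCP connection to port 80. Plain "iptables -L" hides interface matches, so the third rule, printed as "ACCEPT all anywhere anywhere", may in reality be a loopback-only rule ("-i lo", as in the common default ruleset); the in_iface field and the INPUT_WITH_LO variant model that assumption so both readings can be compared.

```python
"""Walk an iptables INPUT chain with first-match semantics.

Added example, not from the question. INPUT_AS_LISTED is transcribed from
the 'iptables -L' output above; INPUT_WITH_LO assumes rule 3 is '-i lo'."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    target: str
    proto: str = "all"                        # "all", "tcp", "udp", "icmp"
    dport: Optional[int] = None               # None = any port
    states: Optional[FrozenSet[str]] = None   # conntrack states, None = any
    in_iface: Optional[str] = None            # "-i lo" etc., None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: Optional[int] = None
    state: str = "NEW"
    in_iface: str = "eth0"


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match field that the rule sets must agree with the packet."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    return True


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins (1-based index); otherwise the chain policy applies."""
    for idx, rule in enumerate(chain, 1):
        if matches(rule, pkt):
            return rule.target, idx
    return policy, None


# INPUT chain exactly as 'iptables -L' printed it in the question.
INPUT_AS_LISTED = [
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT"),                                        # "ACCEPT all anywhere anywhere"
    Rule("ACCEPT", proto="tcp", dport=22, states=frozenset({"NEW"})),
    Rule("REJECT"),                                        # reject-with icmp-host-prohibited
]

# Same chain if rule 3 is really "-i lo -j ACCEPT" (assumption, not shown by plain -L).
INPUT_WITH_LO = [Rule("ACCEPT", in_iface="lo") if i == 2 else r
                 for i, r in enumerate(INPUT_AS_LISTED)]


def allow_http(chain: List[Rule]) -> List[Rule]:
    """Insert the usual 'ACCEPT tcp dpt:80 state NEW' just before the final REJECT."""
    http = Rule("ACCEPT", proto="tcp", dport=80, states=frozenset({"NEW"}))
    return chain[:-1] + [http] + chain[-1:]


HTTP_SYN = Packet("tcp", 80, "NEW", "eth0")   # a new inbound connection to Apache

if __name__ == "__main__":
    print("as listed:       ", evaluate(INPUT_AS_LISTED, "ACCEPT", HTTP_SYN))
    print("rule 3 is -i lo: ", evaluate(INPUT_WITH_LO, "ACCEPT", HTTP_SYN))
    print("with http rule:  ", evaluate(allow_http(INPUT_WITH_LO), "ACCEPT", HTTP_SYN))
```

Taken literally, the listed chain accepts everything at rule 3 and the REJECT is dead code, so the firewall could not have been what blocked port 80, consistent with the follow-up that Apache simply was not running. If rule 3 is loopback-only, a new connection from the outside falls through to the REJECT at rule 5 and an explicit port-80 accept ahead of it is needed; "iptables -L -v -n" shows the interface column and settles which reading applies.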