Sunday, April 22, 2012

Bypassing (layer 7) firewalls with proxytunnel and ssh over https/ssl

The whole thing is written out all over the internet.
The site I used was HERE.
It worked after I made a few adjustments, assuming you have patched apache2 to accept a CONNECT through SSL.

To patch Apache, you will need to download the source and apply this patch.

1. su to root, since it's easier than sudoing everything and less likely to run into issues.
cd /usr/src
2. Get the build dependencies and download the source.
apt-get build-dep apache2; apt-get source apache2
3. Extract the source package.
dpkg-source -x apache2_2.2.16-6+squeeze7.dsc
4. Apply the patch (e.g. patch -p0 < patch)
5. cd into the apache directory if you're not in there already.
cd apache2-2.2.16
6. Build the packages and install them.
dpkg-buildpackage -b && dpkg -i *.deb

Then you need to set up apache.
I have several virtual hosts set up on apache so I decided that I wanted to make this on a vhost also. What I did was make an entry to add a vhost just for ssh over ssl.

This is what my addition looks like; ssh.server.org is an example, change it to yours. First I forced SSL usage:

/etc/apache2/sites-available/vhost1-sslproxy80

<VirtualHost *:80>
ServerName ssh.server.org
ErrorLog /var/log/apache2/ssh-on-ssl-error.log
Loglevel warn
Redirect 301 / https://ssh.server.org
</VirtualHost>


Then /etc/apache2/sites-available/vhost1-sslproxy443:

<IfModule mod_proxy.c>
<VirtualHost *:443>
ServerAdmin http@localhost
ServerName ssh.server.org
DocumentRoot /var/www/ssh-ssl
ServerSignature off
CustomLog /var/log/apache2/ssh-on-ssl.log combined
Errorlog /var/log/apache2/ssh-on-ssl-error.log
<Directory /var/www/ssh-ssl>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
# THIS IS THE CONFIG NEEDED FOR OUR TUNNELLING
# Allow proxy connect (forward-proxy) on port 22 (SSH)
ProxyRequests on
AllowCONNECT 22
ProxyVia on
# Deny all proxying by default, then allow only the listed sources
<Proxy *>
Order deny,allow
Deny from all
Allow from localhost
Allow from any.local.ip
Allow from any.local.ip.hostname.belonging.to.the.server
Allow from anyother.ip.hostname.you.want.to.allow.connect.from
</Proxy>
# END OF TUNNELLING CONFIG
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLEngine On
SSLproxyengine on
</VirtualHost>
</IfModule>


Then enable the 2 sites using a2ensite:
a2ensite vhost1-sslproxy80 vhost1-sslproxy443

This next part made me lose a few hairs, since it kept saying "405 Method Not Allowed"; the fix is that you MUST put your vhost name in the /etc/hosts file!!!

Add a line to /etc/hosts:
127.0.0.1 ssh.server.org
This assumes that you have a public FQDN or dynamic hostname. (FYI, I use no-ip.org.)

Then check that Apache is started.
If all is good, try her out.
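As an added example (not code from the post), here is a small Python audit over the combined-format access log the vhost above writes. It picks out CONNECT requests and checks each one against the `<Proxy *>` allow list and the AllowCONNECT port list: a 200 for a source or port outside the allow list means the ACL is not doing its job, and a 405 for an allowed source is the symptom described above before the /etc/hosts fix. The log lines, the allowed networks and the addresses are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache "combined" format (assumption, not real logs).
# Line 1 shows the 405 seen before the /etc/hosts fix; the last line shows a
# CONNECT that succeeded from an address the <Proxy *> block should have denied.
SAMPLE_LOG = """\
127.0.0.1 - - [22/Apr/2012:10:01:02 +0000] "CONNECT ssh.server.org:22 HTTP/1.1" 405 - "-" "proxytunnel"
127.0.0.1 - - [22/Apr/2012:10:02:10 +0000] "CONNECT ssh.server.org:22 HTTP/1.1" 200 - "-" "proxytunnel"
192.168.1.20 - - [22/Apr/2012:10:03:15 +0000] "CONNECT ssh.server.org:22 HTTP/1.1" 200 - "-" "proxytunnel"
203.0.113.9 - - [22/Apr/2012:10:05:44 +0000] "CONNECT ssh.server.org:22 HTTP/1.1" 403 - "-" "curl/7.21.0"
203.0.113.9 - - [22/Apr/2012:10:06:01 +0000] "CONNECT mail.example.net:25 HTTP/1.1" 403 - "-" "curl/7.21.0"
198.51.100.7 - - [22/Apr/2012:10:07:30 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Apr/2012:10:09:12 +0000] "CONNECT ssh.server.org:22 HTTP/1.1" 200 - "-" "curl/7.21.0"
"""

# Assumed mirror of the "Allow from" entries and the "AllowCONNECT 22" line.
ALLOWED_SOURCES = [ip_network("127.0.0.1/32"), ip_network("192.168.1.0/24")]
ALLOWED_PORTS = {22}

# %h %l %u %t "%r" %>s ... (only the fields we need are captured)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})(?:\s|$)'
)


def parse_line(line):
    """Return a dict for a CONNECT request line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    target, _, port = parts[1].rpartition(":")
    if not port.isdigit():
        return None
    return {
        "source": m.group("host"),
        "target": target,
        "port": int(port),
        "status": int(m.group("status")),
    }


def source_allowed(source, allowed_sources):
    """True if the client address falls inside one of the allowed networks."""
    try:
        addr = ip_address(source)
    except ValueError:
        return False  # HostnameLookups on, or garbage: treat as not allowed
    return any(addr in net for net in allowed_sources)


def audit_connect(log_text, allowed_sources=ALLOWED_SOURCES, allowed_ports=ALLOWED_PORTS):
    """Classify every CONNECT request: ok, denied, or unexpected_success."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        permitted = source_allowed(rec["source"], allowed_sources) and rec["port"] in allowed_ports
        if rec["status"] == 200:
            rec["verdict"] = "ok" if permitted else "unexpected_success"
        else:
            rec["verdict"] = "denied"
        findings.append(rec)
    return findings


def unexpected_sources(findings):
    """Addresses that got a CONNECT through despite not being on the allow list."""
    return sorted({f["source"] for f in findings if f["verdict"] == "unexpected_success"})


def denied_from_allowed_sources(findings, allowed_sources=ALLOWED_SOURCES):
    """(source, status) pairs where an allowed client was refused: usually a server misconfig,
    e.g. the 405 the vhost returns when its name is missing from /etc/hosts."""
    return [
        (f["source"], f["status"])
        for f in findings
        if f["verdict"] == "denied" and source_allowed(f["source"], allowed_sources)
    ]


if __name__ == "__main__":
    results = audit_connect(SAMPLE_LOG)
    for r in results:
        print(f'{r["source"]:>14} -> {r["target"]}:{r["port"]} {r["status"]} {r["verdict"]}')
    print("unexpected successes:", unexpected_sources(results))
    print("denied allowed sources:", denied_from_allowed_sources(results))
```

Run it against the real log with `audit_connect(open("/var/log/apache2/ssh-on-ssl.log").read())`; any entry in `unexpected_sources` means the `<Proxy *>` block or the AllowCONNECT port list is wider than intended, and entries in `denied_from_allowed_sources` point back at the 405 problem rather than at the ACL.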
