There are some web sites that I can only access from a limited set of machines, but I can ssh into some of these machines (only as a regular user) and use ssh -D to set up a SOCKS proxy on my local machine, through which I can access the sites.

What I'd prefer, however, is to be able to go to http://server.that.i.control/some_path/ (secured in some fashion) and have it be a reverse-proxy through ssh -D or something similar on server.that.i.control.

Is this doable, preferably with apache or lighttpd on server.that.i.control?

Isaac
  • Not sure I understand. Why would the extra ssh step be necessary? Just set up a reverse proxy on one of the systems that's able to access the site. – Shane Madden May 12 '11 at 00:26
  • @Shane: I only have user-level access and very limited (if any) ability to put up web pages beyond static stuff on the systems that can actually access the web sites. – Isaac May 12 '11 at 00:28
  • What do you dislike about your current `ssh -D` solution? Might https://github.com/apenwarr/sshuttle be a better alternative to it than setting up a reverse proxy? – sciurus May 12 '11 at 03:39
  • @sciurus: I dislike having to set up and tear down the ssh connection and change the browser settings or computer networking settings to use the localhost SOCKS proxy just to do maybe 3 page loads. It's also inconvenient on other people's computers, especially Windows boxes that don't necessarily have ssh installed already. At a glance, I suspect that sshuttle would pose most of the same issues, though I'm thinking there might be a way to use it on the machine that I control to get Apache or lighttpd to do the reverse-proxy stuff. – Isaac May 12 '11 at 03:53
  • yeah, if you used sshuttle on your server you could configure mod_proxy to talk to the web server directly. – sciurus May 12 '11 at 13:08

1 Answer

I don't know of a way for apache or lighttpd to use a SOCKS proxy, but I think this is still doable with just ssh and a web server.

There are three servers.

  1. your.server
  2. gateway.server
  3. web.server

your.server cannot access websites on web.server or ssh to web.server. From your.server you can ssh to gateway.server. From gateway.server you can access websites on web.server.

First, set up ssh such that when a previously unused port (say, 3000) is accessed the traffic is sent via ssh to gateway.server and then via a normal connection to port 80 (or whatever the relevant port is) on web.server.

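```
# -N: forward the port only; ssh -f will not go to the background without a remote command or -N
[your.server]$ ssh -fnNL 3000:web.server:80 gateway.server
```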

Second, configure the proxy in apache.

```
<VirtualHost *:80>
    ServerName your.server
    ProxyPass /some_path http://localhost:3000
    ProxyPassReverse /some_path http://localhost:3000
    ProxyPassReverseCookieDomain web.server your.server
    ProxyPassReverseCookiePath / /some_path
</VirtualHost>
```

Now, you should be able to access http://your.server/some_path and get content from http://web.server. You may be done, or another step may be necessary.

The potential flaw in this setup is that the Host header will be set to localhost when apache on your.server connects to web.server. If web.server hosts multiple sites and uses the Host header to decide what site to return, this won't work. I don't know of a way to have apache's mod_proxy change the Host header to something that isn't either the host that the request was made to (your.server) or the host of the backend server (which thanks to our ssh tunnel is localhost). A hack to work around this would be to edit the hosts file on your.server so that the domain names for the sites on web.server actually point to your.server. Let's say there are two sites you want to access, site1.web.server and site2.web.server. In /etc/hosts you would put

```
127.0.0.1 site1.web.server site2.web.server
```

and your apache configuration would change to

```
<VirtualHost *:80>
    ServerName your.server

    ProxyPass /some_path http://site1.web.server:3000
    ProxyPassReverse /some_path http://site1.web.server:3000
    ProxyPassReverseCookieDomain site1.web.server your.server
    ProxyPassReverseCookiePath / /some_path

    ProxyPass /another_path http://site2.web.server:3000
    ProxyPassReverse /another_path http://site2.web.server:3000
    ProxyPassReverseCookieDomain site2.web.server your.server
    ProxyPassReverseCookiePath / /another_path
</VirtualHost>
```

To secure access to your reverse proxy, look at Apache's authentication howto.

sciurus
  • I run into two problems with this setup: (1) I'm unfortunately running Apache 2.0, so I don't have the Cookie commands available [though I don't know what effect, if any, this is having]; (2) the web site I'm most interested in accessing seems to have all its URL references rooted so that while I want everything to end up as `http://your.server/some_path/*`, I'm getting HTML that wants things at `http://your.server/*`, which leads to a very broken web site. – Isaac May 12 '11 at 04:07
  • @Isaac look at http://apache.webthing.com/mod_proxy_html/ to rewrite the links. I'll edit the answer with details if I get more time today. – sciurus May 12 '11 at 13:10
  • That looks like it'll do the trick; I just haven't had time to deal with installing additional Apache modules to actually try it out. – Isaac May 13 '11 at 16:51
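
One way to carry out the answer's last step (securing the reverse proxy), shown as an added example that is not part of the original answer. It assumes mod_ssl, mod_alias, mod_headers, mod_proxy and mod_proxy_http are loaded; the certificate, key and htpasswd paths are placeholders.

```apache
# Added example; all file paths below are placeholders.

# Only the explicit ProxyPass mappings are served; never act as an
# open forward proxy into the restricted network.
ProxyRequests Off

# Plain HTTP only redirects, so Basic credentials are never sent in clear.
<VirtualHost *:80>
    ServerName your.server
    Redirect permanent / https://your.server/
</VirtualHost>

<VirtualHost *:443>
    ServerName your.server

    SSLEngine on
    SSLCertificateFile    /path/to/your.server.crt
    SSLCertificateKeyFile /path/to/your.server.key

    # The ssh -L listener binds to loopback by default, so port 3000
    # is reachable only from your.server itself.
    ProxyPass        /some_path http://localhost:3000
    ProxyPassReverse /some_path http://localhost:3000
    ProxyPassReverseCookieDomain web.server your.server
    ProxyPassReverseCookiePath / /some_path

    # Require a login before anything is relayed through the tunnel.
    <Location /some_path>
        AuthType Basic
        AuthName "Restricted proxy"
        AuthUserFile /path/to/htpasswd
        Require valid-user

        # Do not forward the proxy's own credentials to web.server.
        # Remove this line if web.server itself expects Basic auth.
        RequestHeader unset Authorization
    </Location>
</VirtualHost>
```

Keep the htpasswd file outside the document root and readable only by the Apache user.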