Author Topic: SSHD and Https both on Port 443  (Read 936 times)
yumbaman (Newbie, Posts: 6)
« on: June 29, 2009, 11:10:55 am »

I would like to set up my firewall/NAT on my network to allow incoming connections on port 443 to sshd and HTTPS.  I am running sshd on pfSense xxx.xxx.xxx.65 and my CentOS 5 server is running HTTPS Apache on xxx.xxx.xxx.69.  Can IPtables detect the different protocols and redirect the request?  Do I have to use subdomains and Apache mod_proxy?  I have seen something like sslh, but I don't think it runs on pfSense.  I would prefer pfSense to handle the requests, but if required I will install a proxy like Squid or whatever.  Thanks.
Bern (Full Member, Posts: 135)
« Reply #1 on: June 29, 2009, 01:57:31 pm »

Since they're on different IP addresses, you should be able to NAT the HTTPS to your CentOS box and let pfSense handle the SSH.
ktims (Sr. Member, Posts: 296)
« Reply #2 on: June 29, 2009, 02:29:49 pm »

You can't run HTTPS and SSH on the same IP/port, it will never work. Choose different ports for each service or get a second IP.
yumbaman (Newbie, Posts: 6)
« Reply #3 on: June 29, 2009, 04:39:31 pm »

Why can't I use the information in the packet with like a sniffer or grab a connect or user agent out of the packets?  It seems like a proxy solution or a semi-simple script written in C.
yumbaman (Newbie, Posts: 6)
« Reply #4 on: June 29, 2009, 04:41:28 pm »

http://www.rutschle.net/tech/sslh.shtml
Someone has already done this.  But it is written for the Linux kernel instead of the Unix kernel.  Can we port this to pfSense/FreeBSD?
jahonix (Hero Member, Posts: 792)
« Reply #5 on: June 29, 2009, 06:30:20 pm »

Quote
I am running sshd on pfsense xxx.xxx.xxx.65 and my CentOS 5 server is running HTTPS apache on xxx.xxx.xxx.69.

You already have separate IPs. Presumably public IPs. Why would you want to do that?
Chris

Theoretically, theory and practice should be the same.
Practically they aren't.

ktims (Sr. Member, Posts: 296)
« Reply #6 on: June 29, 2009, 07:26:22 pm »

Interesting hack. From a quick glance, it doesn't look like this uses any Linux-specific system calls, so it will likely build on FreeBSD, or at least should be easy to port. You could try compiling it on a FreeBSD 7.1 installation and if it builds, the binary should run on pfSense. That's a start, then you can work on getting a package created for better integration if you like.
yumbaman (Newbie, Posts: 6)
« Reply #7 on: June 30, 2009, 09:10:52 am »

I only have one dynamic IP address.  The other listed IPs are internal.
yumbaman (Newbie, Posts: 6)
« Reply #8 on: June 30, 2009, 09:12:13 am »

Can Apache or Squid read packets and forward them to the correct destination when rules are set?

Bern (Full Member, Posts: 135)
« Reply #9 on: June 30, 2009, 03:20:16 pm »

Quote
I only have one dynamic IP address.  The other listed IPs are internal

Right, that makes all the difference! You didn't say that in the original post, nor in two of your follow-ups and it's details like that which make a difference.

Are there any other seemingly-minor details we need to know about? Since the sslh daemon will introduce an up-to-two-seconds delay, can you tolerate that?

What restrictions are being put on you that force you to use 443 for both services? Are you trying to bypass a workplace policy of some kind?

Are the HTTPS and SSH servers for your own use or for general public use?

Can you use 465 (SMTPS) or 993 (IMAPS) for SSH, for example?

If it's largely for your own use, use SSH tunnels, stunnel or OpenVPN and multiplex the connections over a single secure channel.

Details!
yumbaman (Newbie, Posts: 6)
« Reply #10 on: June 30, 2009, 03:28:55 pm »
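To make concrete what sslh does (the "read the packet and forward" idea from Reply #3, the portability question from Replies #4 and #6, and the wait-for-the-client delay Bern mentions in Reply #9), here is a small sslh-style demultiplexer written for this thread as an added example. It is not sslh's code and not a pfSense package. It listens on one port, looks at the first bytes the client sends, and hands the connection to an SSH or TLS backend: an SSH client opens with the identification string "SSH-...", and a TLS ClientHello is a record whose first two bytes are 0x16 (handshake) and 0x03 (protocol version 3.x). A client that says nothing within the peek window is treated as SSH, because older SSH clients wait for the server's banner before speaking; that wait is where the delay Bern describes comes from. Anything that matches neither is refused rather than guessed. The backend addresses, the stand-in sshd/Apache servers and the probe bytes are all constructed for the demo and run on loopback.

```python
"""Added example for this thread (not sslh's code, not a pfSense package):
an sslh-style demultiplexer that listens on one port and hands each
connection to an SSH or HTTPS backend based on the first bytes the client
sends. Backend addresses and probe bytes below are constructed for the demo."""
import asyncio

PEEK_TIMEOUT = 2.0  # sslh-style wait for a client that does not speak first

# Constructed client probes used by demo(); they are not captured traffic.
SSH_PROBE = b"SSH-2.0-Test\r\n"                    # SSH client identification string
TLS_PROBE = bytes([0x16, 0x03, 0x01, 0x00, 0x05,   # TLS record: handshake, v3.x, length 5
                   0x01, 0x00, 0x00, 0x01, 0x00])  # ClientHello header fragment
HTTP_PROBE = b"GET / HTTP/1.1\r\n\r\n"             # plaintext HTTP: neither service


def classify(first_bytes: bytes) -> str:
    """Return 'ssh', 'tls' or 'unknown' for the first bytes a client sent.
    Empty input means the client stayed silent for the peek window; older SSH
    clients wait for the server banner, so silence is treated as SSH."""
    if not first_bytes or first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "unknown"


async def _pipe(reader, writer):
    """Copy one direction until EOF, then half-close so the reply still flows back."""
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
        writer.write_eof()
    except OSError:
        pass


async def _handle(client_r, client_w, backends, timeout):
    try:
        first = await asyncio.wait_for(client_r.read(64), timeout)
    except asyncio.TimeoutError:
        first = b""                      # silent client: classify() treats it as SSH
    target = backends.get(classify(first))
    if target is None:                   # unknown protocol: refuse rather than guess
        client_w.close()
        return
    back_r, back_w = await asyncio.open_connection(*target)
    back_w.write(first)                  # replay the bytes already consumed from the client
    await back_w.drain()
    await asyncio.gather(_pipe(client_r, back_w), _pipe(back_r, client_w))
    back_w.close()
    client_w.close()


async def _tagged_backend(tag):
    """Stand-in for sshd / Apache: echo what arrived, prefixed with the backend's name."""
    async def handle(r, w):
        data = await r.read(4096)
        w.write(tag.encode() + b":" + data)
        await w.drain()
        w.close()
    srv = await asyncio.start_server(handle, "127.0.0.1", 0)
    return srv, srv.sockets[0].getsockname()[:2]


async def demo(timeout=0.2):
    """Run the mux plus two fake backends on loopback and probe it with four clients."""
    ssh_srv, ssh_addr = await _tagged_backend("sshd")
    web_srv, web_addr = await _tagged_backend("apache")
    backends = {"ssh": ssh_addr, "tls": web_addr}
    mux = await asyncio.start_server(
        lambda r, w: _handle(r, w, backends, timeout), "127.0.0.1", 0)
    host, port = mux.sockets[0].getsockname()[:2]
    results = {}
    for name, probe in [("ssh_client", SSH_PROBE), ("tls_client", TLS_PROBE),
                        ("http_client", HTTP_PROBE), ("silent_client", None)]:
        r, w = await asyncio.open_connection(host, port)
        if probe is None:
            await asyncio.sleep(timeout * 2)  # say nothing until the peek window expires
        else:
            w.write(probe)
            await w.drain()
        w.write_eof()
        try:
            results[name] = await r.read()    # backend's tagged reply, or b"" if refused
        except ConnectionError:
            results[name] = b""
        w.close()
    for srv in (mux, ssh_srv, web_srv):
        srv.close()
        await srv.wait_closed()
    return results


def run_demo(timeout=0.2):
    return asyncio.run(demo(timeout))


if __name__ == "__main__":
    for client, reply in run_demo().items():
        print(f"{client:13s} -> {reply!r}")
```

In the setup discussed here, pfSense would port-forward 443 to whatever host runs the demultiplexer, and the demultiplexer's two backends would be the real sshd and Apache. Two things worth noting from a defensive standpoint: the decision is made on the first bytes only, so the backends still do all authentication and TLS work themselves, and a connection that matches neither signature is closed instead of being handed to a default service.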

I need HTTPS for Apache on my CentOS box for my websites.  At work and at my college we are restricted to 80 and 443.  I have HTTPS set to port 8080, but then I have to rewrite each web service where to forward HTTPS requests.  I have not yet done this; instead I just tell users to type it in their web browser, https://taco.mexico.com:8080/ as an example.  But I need 443 for SSH to punch a tunnel into my network for VNC, RDP, WinSCP, SFTP, and other services that I require.  A 1 or 2 second delay does not sound that bad.  It is for a home office network.  Most likely, I will have very few concurrent connections.