* [gentoo-user] A networking question...
From: Steve @ 2009-05-05 20:32 UTC
To: gentoo-user

I've a gentoo box sat behind a firewall - it runs an apache and sshd with holes punched through NAT to allow remote access. It runs DHCP and DNS services for my LAN.

I would like to run a second instance of apache on a fresh IP address - to simulate a hosted environment supporting https. I need to be able to access my second apache locally by URL on my LAN (which I can map however I choose using my DNS config.) I also need to be able to access this second apache from a remote site (assume gentoo again, for simplicity) over an SSL tunnel - even if the remote server already runs apache doing something else again. It isn't acceptable for the second apache to be accessible publicly. It's also unacceptable

I think I probably want a VPN (or similar) - or maybe some sort of virtual network interface similar to those employed by VMWare for virtualisation... coupled with PPP over my ssh tunnel.

Can anyone give me any hints - or, ideally, a link to a how-to?

Thanks...

Steve
* Re: [gentoo-user] A networking question...
From: Sascha Hlusiak @ 2009-05-05 21:23 UTC
To: gentoo-user; +Cc: Steve

On Tuesday 05 May 2009 22:32:38, Steve wrote:
> I've a gentoo box sat behind a firewall - it runs an apache and sshd with
> holes punched through NAT to allow remote access. It runs DHCP and DNS
> services for my LAN.
>
> I would like to run a second instance of apache on a fresh IP address -
> to simulate a hosted environment supporting https. I need to be able to
> access my second apache locally by URL on my LAN (which I can map
> however I choose using my DNS config.) I also need to be able to access
> this second apache from a remote site (assume gentoo again, for
> simplicity) over an SSL tunnel - even if the remote server already runs
> apache doing something else again. It isn't acceptable for the second
> apache to be accessible publicly.

The easiest thing would probably be to just use ssh port forwarding because you already have all the pieces running anyway. Wouldn't a simple

    ssh -L 12345:secondapache:https user@remotessh

and then browsing to https://localhost:12345 do the trick? Or you could use a pppd over ssh vpn, yes, but that is a bit more complex.

- Sascha
* Re: [gentoo-user] A networking question...
From: Steve @ 2009-05-05 21:28 UTC
To: gentoo-user

Sascha Hlusiak wrote:
> The easiest thing would probably be to just use ssh port forwarding because
> you already have all the pieces running anyway. Wouldn't a simple
>
>     ssh -L 12345:secondapache:https user@remotessh
>
> and then browsing to https://localhost:12345 do the trick? Or you could use a
> pppd over ssh vpn, yes, but that is a bit more complex.
>
> - Sascha

I really want to avoid having to access a non-standard port from the URLs - I want to use the final URLs exactly as they will be once the in-development website is eventually deployed.

Can you recommend a 'how-to' for the pppd over ssh approach?
* Re: [gentoo-user] A networking question...
From: Sascha Hlusiak @ 2009-05-05 21:51 UTC
To: gentoo-user; +Cc: Steve

On Tuesday 05 May 2009 23:28:22, Steve wrote:
> Sascha Hlusiak wrote:
> > The easiest thing would probably be to just use ssh port forwarding
> > because you already have all the pieces running anyway. Wouldn't a simple
> >
> >     ssh -L 12345:secondapache:https user@remotessh
> >
> > and then browsing to https://localhost:12345 do the trick? Or you could
> > use a pppd over ssh vpn, yes, but that is a bit more complex.
> >
> > - Sascha
>
> I really want to avoid having to access a non-standard port from the
> URLs - I want to use the final URLs exactly as they will be once the
> in-development website is eventually deployed.
>
> Can you recommend a 'how-to' for the pppd over ssh approach?

# /usr/sbin/pppd pty "ssh root@remoteserver pppd notty local 10.0.0.1:10.0.0.2" noipdefault nodefaultroute noauth updetach

You can also just create a file in /etc/ppp/peers/ with the following lines and then call 'pon':

    pty "ssh root@remoteserver pppd notty local 10.0.0.1:10.0.0.2"
    noipdefault
    nodefaultroute
    noauth
    updetach

You'll get the IP 10.0.0.2 and on the server 10.0.0.1. You need to set up proper routing and maybe NAT for that separate subnet, but it will be a tunnel into your home network.

- Sascha
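The peers-file approach Sascha describes, as an added example that is my own and not his commands or any Gentoo project script: a small POSIX sh script that writes the /etc/ppp/peers entry (with each option explained), refuses malformed tunnel addresses before they can reach the ssh command line, and emits the route Sascha says you still need for the LAN behind the tunnel. The peer name "devtunnel", the home LAN 192.168.0.0/24 and the PPP_ROOT override (used so the script can be exercised in a scratch directory instead of /etc/ppp) are my assumptions; the 10.0.0.1/10.0.0.2 addresses and the pppd options are the ones from his message.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the /etc/ppp/peers file
# for the "pppd over ssh" tunnel and the route for the LAN behind it.
set -eu

# Accept only a dotted quad with four octets in 0..255, so a typo can never
# become part of the remote "pppd notty local A:B" command line.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# write_peer NAME USER@HOST SERVER_IP CLIENT_IP
# Writes $PPP_ROOT/peers/NAME (PPP_ROOT defaults to /etc/ppp; override it to
# test in a scratch directory) and prints the path. Afterwards 'pon NAME'
# brings the link up, exactly as in Sascha's message.
write_peer() {
    peer=$1 remote=$2 server_ip=$3 client_ip=$4
    valid_ipv4 "$server_ip" && valid_ipv4 "$client_ip" || return 1
    root="${PPP_ROOT:-/etc/ppp}"
    mkdir -p "$root/peers"
    cat > "$root/peers/$peer" <<EOF
# generated by write_peer (added example): pppd-over-ssh tunnel "$peer"
# pty:            run pppd on the far end over ssh and use that as the "modem"
# local A:B:      far end takes A, this end gets B (no negotiation)
pty "ssh $remote pppd notty local $server_ip:$client_ip"
# noipdefault:    do not guess our own address from the hostname
noipdefault
# nodefaultroute: keep the existing default route; only the LAN goes via ppp
nodefaultroute
# noauth:         do not demand PPP authentication from the peer (ssh did that)
noauth
# updetach:       return to the shell only once the link is actually up
updetach
EOF
    printf '%s\n' "$root/peers/$peer"
}

# route_cmd LAN_CIDR SERVER_IP
# The command that makes the home LAN reachable once the link is up: traffic
# for the LAN goes to the server end of the point-to-point link.
route_cmd() {
    printf 'ip route add %s via %s\n' "$1" "$2"
}

# Stand-alone use (constructed values): write the peer, then show the route.
if [ "${1:-}" = "run" ]; then
    write_peer devtunnel root@remoteserver 10.0.0.1 10.0.0.2
    route_cmd 192.168.0.0/24 10.0.0.1
fi
```

Because the far end runs pppd as root, the ssh login used in the `pty` option should have its own key rather than a general-purpose root key; OpenSSH's `command="..."` option in authorized_keys can pin that key to the single `pppd notty local ...` command so the key cannot be used for an interactive shell.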
* Re: [gentoo-user] A networking question...
From: Mick @ 2009-05-05 22:07 UTC
To: gentoo-user

On Tuesday 05 May 2009, Sascha Hlusiak wrote:
> On Tuesday 05 May 2009 23:28:22, Steve wrote:
> > Sascha Hlusiak wrote:
> > > The easiest thing would probably be to just use ssh port forwarding
> > > because you already have all the pieces running anyway. Wouldn't a
> > > simple
> > >
> > >     ssh -L 12345:secondapache:https user@remotessh
> > >
> > > and then browsing to https://localhost:12345 do the trick? Or you could
> > > use a pppd over ssh vpn, yes, but that is a bit more complex.
> > >
> > > - Sascha
> >
> > I really want to avoid having to access a non-standard port from the
> > URLs - I want to use the final URLs exactly as they will be once the
> > in-development website is eventually deployed.
> >
> > Can you recommend a 'how-to' for the pppd over ssh approach?
>
> # /usr/sbin/pppd pty "ssh root@remoteserver pppd notty local
> 10.0.0.1:10.0.0.2" noipdefault nodefaultroute noauth updetach
>
> You can also just create a file in /etc/ppp/peers/ with the following lines
> and then call 'pon':
>     pty "ssh root@remoteserver pppd notty local 10.0.0.1:10.0.0.2"
>     noipdefault
>     nodefaultroute
>     noauth
>     updetach
>
> You'll get the IP 10.0.0.2 and on the server 10.0.0.1. You need to set up
> proper routing and maybe NAT for that separate subnet, but it will be a
> tunnel into your home network.
>
> - Sascha

Or, an even simpler solution: can't you only allow access to https from your desired remote host IP address at your server's LAN firewall, or just use the accept/deny wrapper of the server itself after forwarding the https port at the firewall?

-- Regards, Mick
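Mick's "only allow https from the LAN and the one remote address" idea, as an added example of my own (not commands from the thread): a POSIX sh script that prints the iptables rules for that policy and, so the policy can be checked before anything is applied, evaluates the same allow/deny decision in pure shell over a few constructed connection-log lines. The LAN 192.168.0.0/24, the collaborator address 203.0.113.7, port 443 and the log lines are all constructed values; the script only prints the rules and never runs iptables itself.

```shell
#!/bin/sh
# Added example, not from the thread: source-restrict the https port at the
# server's firewall and check sample connection attempts against that policy.
set -eu

LAN_CIDR="${LAN_CIDR:-192.168.0.0/24}"   # constructed: hosts allowed locally
REMOTE_IP="${REMOTE_IP:-203.0.113.7}"    # constructed: the one collaborator
HTTPS_PORT="${HTTPS_PORT:-443}"

# Dotted quad -> 32-bit integer, using only POSIX sh arithmetic.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS: true if ADDR lies inside the block.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# The policy as iptables rules (printed, not applied): LAN and the named
# collaborator may reach the https port; everybody else is dropped. The rules
# are order-sensitive, so the ACCEPTs come before the final DROP.
https_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport $HTTPS_PORT -s $LAN_CIDR -j ACCEPT
iptables -A INPUT -p tcp --dport $HTTPS_PORT -s $REMOTE_IP -j ACCEPT
iptables -A INPUT -p tcp --dport $HTTPS_PORT -j DROP
EOF
}

# The same decision those three rules make, for one source address.
policy_allows() {
    in_cidr "$1" "$LAN_CIDR" || [ "$1" = "$REMOTE_IP" ]
}

# Read constructed log lines of the form "<src> <dport>" on stdin and report
# how many of the https attempts the policy would drop.
count_dropped() {
    dropped=0
    while read -r src port; do
        [ "$port" = "$HTTPS_PORT" ] || continue   # other ports: not this policy
        policy_allows "$src" || dropped=$((dropped + 1))
    done
    echo "$dropped"
}

# Constructed sample: two permitted sources, one stranger (twice), one from
# another private range that is not the LAN.
SAMPLE_LOG='192.168.0.23 443
203.0.113.7 443
198.51.100.9 443
198.51.100.9 80
10.9.9.9 443'

if [ "${1:-}" = "run" ]; then
    https_rules
    printf 'dropped https attempts in sample: %s\n' \
        "$(printf '%s\n' "$SAMPLE_LOG" | count_dropped)"
fi
```

The printed rules are meant to be reviewed and then fed to a root shell on the server; they express Mick's first option. His second option, the server's own accept/deny wrapper, is the same two sources written into the https vhost instead, which in Apache 2.2 is `Order deny,allow` / `Deny from all` / `Allow from 192.168.0.0/24 203.0.113.7`.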
* Re: [gentoo-user] A networking question...
From: Mike Kazantsev @ 2009-05-06 0:24 UTC
To: gentoo-user

On Tue, 05 May 2009 22:28:22 +0100 Steve <gentoo_sjh@shic.co.uk> wrote:
> Sascha Hlusiak wrote:
> > The easiest thing would probably be to just use ssh port forwarding because
> > you already have all the pieces running anyway. Wouldn't a simple
> >
> >     ssh -L 12345:secondapache:https user@remotessh
...
> I really want to avoid having to access a non-standard port from the
> URLs - I want to use the final URLs exactly as they will be once the
> in-development website is eventually deployed.

But you don't have to! Just set up the first apache to forward requests to the second one in any way you like using mod_rewrite:

    RewriteRule /remote/(.*) http://localhost:1235/$1 [P]

The rule might need some correction, but it's here just to illustrate the point. That way you can bind any number of "remote" servers to local urls, served (in the end) by the same apache.

http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html

Also I think it's worth mentioning that apache isn't well suited for such tasks if both local and remote targets get similar load - a lite frontend server or reverse proxy (like nginx, lighttpd, squid, haproxy etc) should save a lot of workload. Even more so if you make it serve static content as well, and optimally get apache out of the equation altogether ;)

Another point is that apache isn't any good at mangling http headers either, so you should make sure that remote scripts won't redirect the user to 'localhost:12345' or use the HTTP_HOST var from the CGI interface (since it'd be set to the same localhost), using the *_X_* vars instead. An alternative is, again, to install something that can mangle headers, and that's any of the daemons mentioned above.

-- Mike Kazantsev // fraggod.net
* Re: [gentoo-user] A networking question...
From: Neil Bothwick @ 2009-05-06 7:54 UTC
To: gentoo-user

On Wed, 6 May 2009 06:24:08 +0600, Mike Kazantsev wrote:
> But you don't have to!
> Just set up the first apache to forward requests to the second one in any
> way you like using mod_rewrite:

If the second server is only serving HTTPS, you don't even need that. Just have the router forward port 80 to the first server and port 443 to the second.

-- Neil Bothwick
Top Oxymorons Number 35: Legally drunk
* Re: [gentoo-user] A networking question...
From: Anthony Metcalf @ 2009-05-06 10:09 UTC
To: gentoo-user

Neil Bothwick wrote:
> If the second server is only serving HTTPS, you don't even need that.
> Just have the router forward port 80 to the first server and port 443 to
> the second.

That leaves the HTTPS server open to the public though, which is specifically not allowed to the OP.

I would say do the ssh port forwarding, but forward 443 instead of 1234. But that won't work if he's on a server that is doing HTTPS itself....

The PPPoSSH route is looking best...
* Re: [gentoo-user] A networking question...
From: Neil Bothwick @ 2009-05-06 10:42 UTC
To: gentoo-user

On Wed, 06 May 2009 11:09:50 +0100, Anthony Metcalf wrote:
> > If the second server is only serving HTTPS, you don't even need that.
> > Just have the router forward port 80 to the first server and port 443
> > to the second.
>
> That leaves the HTTPS server open to the public though, which is
> specifically not allowed to the OP.

He can use HTTP authentication to prevent that.

-- Neil Bothwick
If ignorance is bliss, why aren't more people happy?
* Re: [gentoo-user] A networking question...
From: Anthony Metcalf @ 2009-05-06 12:08 UTC
To: gentoo-user

Neil Bothwick wrote:
> On Wed, 06 May 2009 11:09:50 +0100, Anthony Metcalf wrote:
> > > If the second server is only serving HTTPS, you don't even need that.
> > > Just have the router forward port 80 to the first server and port 443
> > > to the second.
> >
> > That leaves the HTTPS server open to the public though, which is
> > specifically not allowed to the OP.
>
> He can use HTTP authentication to prevent that.

*That* depends on the exact specifics of what he is/isn't allowed to be showing..... "They" may not even want the service to show as existing at that address for whatever reason.
* Re: [gentoo-user] A networking question...
From: Steve @ 2009-05-07 18:38 UTC
To: gentoo-user

Anthony Metcalf wrote:
> *That* depends on the exact specifics of what he is/isn't allowed to
> be showing..... "They" may not even want the service to show as
> existing at that address for whatever reason.

Thanks for all your discussion... I'll try to clarify - the PPP over SSH approach does seem to offer the best compromise.

I've a development site which hosts https and http services for existing applications both remotely and locally. I'm developing an entirely new https service under Apache and want to be absolutely sure that I get no unexpected interactions between configurations for "live" services and the experimental in-development service - and I definitely don't want a random member of the public stumbling across the in-development site - which might expose unacceptable vulnerabilities as rough-cuts of code are trialled.

It is entirely acceptable for any host on my LAN to access the in-development service. I want to allow collaborators to access the in-development service remotely over a SSH tunnel from their LAN, too (where I'm also not concerned about abuse...)

The snag I'm finding at the moment I'm sure I'll overcome... and relates to access from my LAN. While I can sort-of see how to establish a new device with a new IP address on the remote LAN (with SSH and pppd) I'm not sure how to establish a second IP address for my single Ethernet adaptor to make this work on my LAN (though I'm sure it is do-able...)

I'm also curious to discover if there is a neat Gentooish way to establish my two instances of Apache. I'm broadly familiar with doing this a hackish way - but I'd prefer it plays nicely with any emerge updates.
* Re: [gentoo-user] A networking question...
From: Mick @ 2009-05-07 22:34 UTC
To: gentoo-user

On Thursday 07 May 2009, Steve wrote:
> Anthony Metcalf wrote:
> > *That* depends on the exact specifics of what he is/isn't allowed to
> > be showing..... "They" may not even want the service to show as
> > existing at that address for whatever reason.
>
> Thanks for all your discussion... I'll try to clarify - the PPP over
> SSH approach does seem to offer the best compromise.
>
> I've a development site which hosts https and http services for existing
> applications both remotely and locally. I'm developing an entirely new
> https service under Apache and want to be absolutely sure that I get no
> unexpected interactions between configurations for "live" services and
> the experimental in-development service - and I definitely don't want a
> random member of the public stumbling across the in-development site -
> which might expose unacceptable vulnerabilities as rough-cuts of code
> are trialled.

Have your development https service set up as a virtual host on a webroot of your choice, listening on a random port, and also set up user authentication for the webroot fs. In this way, whether accessed via the Internet or LAN, visitors will need to know the port to connect to and will also have to provide suitable credentials. You can even control access to parts of the development https fs using <location> tags to define them and setting different user-defined access to them. If you use AuthDigest you can also set separate realms if the fs is extensive and access requirements complex.

> It is entirely acceptable for any host on my LAN to access the
> in-development service. I want to allow collaborators to access the
> in-development service remotely over a SSH tunnel from their LAN, too
> (where I'm also not concerned about abuse...)

For collaboration, setting DAV on is probably a better option as it uses lockfiles and won't have one developer (un)wittingly overwriting changes made by others.

> The snag I'm finding at the moment I'm sure I'll overcome... and relates
> to access from my LAN. While I can sort-of see how to establish a new
> device with a new IP address on the remote LAN (with SSH and pppd) I'm
> not sure how to establish a second IP address for my single Ethernet
> adaptor to make this work on my LAN (though I'm sure it is do-able...)

An adaptor can have more than one public IP address (multi-homing) and you can use something like:

    ifconfig eth0:0 192.168.0.2 netmask 255.255.255.0 up

to set them up (increment eth0:1, eth0:2, etc. accordingly). However, if your SSL vhost is listening on a random port you don't need binding of many addresses to one NIC. You can use the same ip address.

> I'm also curious to discover if there is a neat Gentooish way to
> establish my two instances of Apache. I'm broadly familiar with doing
> this a hackish way - but I'd prefer it plays nicely with any emerge
> updates.

Other than vhost I guess you can run a second instance by reading section 5 here (but I'm not sure you need to do that anyway):

http://www.gentoo.org/proj/en/php/php4-php5-configuration.xml

-- Regards, Mick
* Re: [gentoo-user] A networking question...
From: Steve @ 2009-05-08 12:38 UTC
To: gentoo-user

Mick wrote:
> An adaptor can have more than one public IP address (multi-homing) and you can
> use something like: ifconfig eth0:0 192.168.0.2 netmask 255.255.255.0 up to
> set them up (increment eth0:1, eth0:2, etc. accordingly). However, if your
> SSL vhost is listening on a random port you don't need binding of many
> addresses to one NIC. You can use the same ip address.

This is the essential bit I was missing, I think. I knew it was possible to set up "multi-homing" (as I'd seen it on other systems) but I'd forgotten what it was called... and that made searching for documentation, erm, hard... though even knowing the term hasn't given me a slam-dunk search result through google. I presume I need to fiddle with /etc/conf.d/net - somehow - in order to convince /etc/init.d/net.eth0 to do what I need.

> Other than vhost I guess you can run a second instance by reading section 5
> here (but I'm not sure you need to do that anyway):
>
> http://www.gentoo.org/proj/en/php/php4-php5-configuration.xml

That's all helpful material - suggesting, at least, that there's no neat gentoo-specific one-liner to achieve the two instances I need... plus it highlights specific problems I might have with interactions between PHP in my two instances. Hmmm... I hadn't anticipated that... frustrating.

I guess the other route I could consider would be virtualisation - establishing a completely separate installation... at least that way I could be sure that no aspect of my 'alive' system could impact the configuration of my development system... allowing me maximum confidence that I know what's needed when I come to deploy.

Somewhat frustratingly, this seems to be morphing into a considerably more involved problem than I'd envisaged. ;)
* Re: [gentoo-user] A networking question...
From: Mick @ 2009-05-08 14:43 UTC
To: gentoo-user

2009/5/8 Steve <gentoo_sjh@shic.co.uk>:
> Mick wrote:
> >
> > An adaptor can have more than one public IP address (multi-homing) and you
> > can use something like: ifconfig eth0:0 192.168.0.2 netmask 255.255.255.0 up
> > to set them up (increment eth0:1, eth0:2, etc. accordingly). However, if
> > your SSL vhost is listening on a random port you don't need binding of many
> > addresses to one NIC. You can use the same ip address.
>
> This is the essential bit I was missing, I think. I knew it was possible to
> set up "multi-homing" (as I'd seen it on other systems) but I'd forgotten
> what it was called... and that made searching for documentation, erm,
> hard... though even knowing the term hasn't given me a slam-dunk search
> result through google. I presume I need to fiddle with /etc/conf.d/net -
> somehow - in order to convince /etc/init.d/net.eth0 to do what I need.

Well, how often do you reboot? You only need to run it once and therefore you won't need to modify your conf.d/net configuration. If you have to, I think that file is well commented anyway.

> > Other than vhost I guess you can run a second instance by reading section
> > 5 here (but I'm not sure you need to do that anyway):
> >
> > http://www.gentoo.org/proj/en/php/php4-php5-configuration.xml
>
> That's all helpful material - suggesting, at least, that there's no neat
> gentoo-specific one-liner to achieve the two instances I need... plus it
> highlights specific problems I might have with interactions between PHP in
> my two instances. Hmmm... I hadn't anticipated that... frustrating.

No, this would only be the case if you *need* to run two separate php slots. In your case (I assume) you will be using the same php version.

> I guess the other route I could consider would be virtualisation -
> establishing a completely separate installation... at least that way I could
> be sure that no aspect of my 'alive' system could impact the configuration of
> my development system... allowing me maximum confidence that I know what's
> needed when I come to deploy.

That's perhaps a more complicated solution than it needs to be.

> Somewhat frustratingly, this seems to be morphing into a considerably more
> involved problem than I'd envisaged. ;)

I don't know if your https dev't website uses different php, ruby, perl, etc. versions and what not. However, if all these are kept the same then, as long as you point your dev't SSL site to a different mysql user/database (assuming you're using one) and you keep its webroot fs in a different directory with separate user authentication, then you're good to go with just the virtual hosts solution that I suggested and webdav access for editing its content. No need for multi-homing, complete virtualisation or anything else. Ask if you need more detail on setting it up.

HTH.

-- Regards, Mick