SSL support with Apache and Proxytunnel

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by whuppy on Super User See other posts from Super User or by whuppy
Published on 2010-05-25T14:12:05Z Indexed on 2010/05/25 14:21 UTC
Read the original article Hit count: 344

Filed under:
|
|

I'm inside a strict corporate environment. https traffic goes out via an internal proxy (for this example it's 10.10.04.33:8443) that's smart enough to block ssh'ing directly to ssh.glakspod.org:443.

I can get out via proxytunnel. I set up an apache2 VirtualHost at ssh.glakspod.org:443 thus:

ServerAdmin [email protected] ServerName ssh.glakspod.org

    <!-- Proxy Section -->
    <!-- Used in conjunction with ProxyTunnel -->
    <!-- proxytunnel -q -p 10.10.04.33:8443 -r ssh.glakspod.org:443 -d %host:%port -->
    ProxyRequests on
    ProxyVia on
    AllowCONNECT 22
    <Proxy *>
            Order deny,allow
            Deny from all
            Allow from 74.101
    </Proxy>

So far so good: I hit the Apache proxy with a CONNECT and then PuTTY and my ssh server shake hands and I'm off to the races.

There are, however, two problems with this setup:

  1. The internal proxy server can sniff my CONNECT request and also see that an SSH handshake is taking place. I want the entire connection between my desktop and ssh.glakspod.org:443 to look like HTTPS traffic no matter how closely the internal proxy inspects it.

  2. I can't get the VirtualHost to be a regular https site while proxying. I'd like the proxy to coexist with something like this: SSLEngine on SSLProxyEngine on SSLCertificateFile /path/to/ca/samapache.crt SSLCertificateKeyFile /path/to/ca/samapache.key SSLCACertificateFile /path/to/ca/ca.crt

    DocumentRoot /mnt/wallabee/www/html
<Directory /mnt/wallabee/www/html/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
</Directory>


<!-- Need a valid client cert to get into the sanctum -->
<Directory /mnt/wallabee/www/html/sanctum>
        SSLVerifyClient require
        SSLOptions +FakeBasicAuth +ExportCertData
        SSLVerifyDepth 1
</Directory>

So my question is: How to I enable SSL support on the ssh.glakspod.org:443 VirtualHost that will work with ProxyTunnel?

I've tried various combinations of proxytunnel's -e, -E, and -X flags without any luck.

The only lead I've found is Apache Bug No. 29744, but I haven't been able to find a patch that will install cleanly on Ubuntu Jaunty's Apache version 2.2.11-2ubuntu2.6.

Thanks in advance.

© Super User or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about proxy

Related posts about apache

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle