I was interested in whether there's a simple way to have stunnel redirect traffic from a public Web browser/port to my home Web browser behind my DSL firewall (no ports opened/forwarded for incoming connections on the router, only outgoing-initiated)
I scanned old posts but didn't find anything that quite fit - references are usually for people who want to get out from behind a firewall, not publish sites publicly from behind (i.e. externally initiated clicks)

On Friday 23 January 2009, Bill Eldridge wrote:
> I was interested in whether there's a simple way to have stunnel redirect traffic from a public Web browser/port to my home Web browser behind my DSL firewall (no ports opened/forwarded for incoming connections on the router, only outgoing-initiated)

Moin,
it is not clear what you want to do. From a public web browser to your home web browser?
Can you clarify your setup?
CU

Michael Renner wrote:
> On Friday 23 January 2009, Bill Eldridge wrote:
>> I was interested in whether there's a simple way to have stunnel redirect traffic from a public Web browser/port to my home Web browser behind my DSL firewall (no ports opened/forwarded for incoming connections on the router, only outgoing-initiated)
> Moin,
> it is not clear what you want to do. From a public web browser to your home web browser?
> Can you clarify your setup?

As an example if I run Apache on my home machine, I'd like it to start the tunnel when I turn it on, have it automatically set up stunnel to a Linux box I have on the public net, and have anything to port 8090 on the Linux box get passed to my home machine 8080.

On Friday 23 January 2009, Bill Eldridge wrote:
> Michael Renner wrote:
>> On Friday 23 January 2009, Bill Eldridge wrote:
>>> I was interested in whether there's a simple way to have stunnel redirect traffic from a public Web browser/port to my home Web browser behind my DSL firewall (no ports opened/forwarded for incoming connections on the router, only outgoing-initiated)
>> Moin,
>> it is not clear what you want to do. From a public web browser to your home web browser?
>> Can you clarify your setup?
> As an example if I run Apache on my home machine, I'd like it to start the tunnel when I turn it on, have it automatically set up stunnel to a Linux box I have on the public net, and have anything to port 8090 on the Linux box get passed to my home machine 8080.

Even though this is the stunnel list, I recommend using a reverse ssh tunnel together with netcat to do this.
Set up netcat as an inetd application listening on port 8090 and redirect anything to localhost:8080 at the remote host.
At your local machine (with the Apache) start a reverse ssh tunnel, redirecting anything from localhost:8080 (in this case your remote machine) to your local machine:8080:

    home # ssh -R 8080:localhost:8080 user@remote

You should use a key to get rid of the password question!
Add a line like this to the remote /etc/inetd.conf:

    8090 stream tcp nowait nobody /usr/bin/nc /usr/bin/nc localhost 8080

CU
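
Added example, not part of the original thread or of any poster's setup: the reverse tunnel from the message above with the tunnel key confined to that single forward. sshd binds a `-R` listener to the remote loopback unless GatewayPorts allows otherwise, so the inetd/netcat relay on 8090 stays the only public listener. Assumed names: the `tunnel` account, the `webrelay` alias, the key file `~/.ssh/id_tunnel` and the key placeholder; `remote` and the ports are the thread's.

```conf
# ---- remote host: /etc/ssh/sshd_config ------------------------------
# Confine the (assumed) 'tunnel' account to remote forwards only.
# GatewayPorts no keeps every -R listener on the loopback interface.
Match User tunnel
    AllowTcpForwarding remote
    GatewayPorts no
    PermitTTY no
    X11Forwarding no

# ---- remote host: ~tunnel/.ssh/authorized_keys (one line) -----------
# 'restrict' disables pty, agent, X11 and all forwarding for this key;
# 'port-forwarding' re-enables forwarding and 'permitlisten' limits
# remote listeners to port 8080. Key material below is a placeholder.
restrict,port-forwarding,permitlisten="8080" ssh-ed25519 <PUBLIC-KEY-PLACEHOLDER> home-apache-tunnel

# ---- home machine: ~/.ssh/config ------------------------------------
# Start with:  ssh -N webrelay
# -N opens no remote shell; the session carries only the forward.
Host webrelay
    HostName remote
    User tunnel
    IdentityFile ~/.ssh/id_tunnel
    IdentitiesOnly yes
    # remote loopback:8080 -> home Apache on localhost:8080
    RemoteForward 8080 localhost:8080
    # fail instead of running a session without the forward
    ExitOnForwardFailure yes
    # notice a dead DSL link and exit so a supervisor can restart ssh
    ServerAliveInterval 30
    ServerAliveCountMax 3

# ---- remote host: /etc/inetd.conf (line from the message above) -----
# This is the only publicly reachable listener; anything that connects
# to port 8090 reaches the home Apache, so Apache's own access control
# still applies to every request.
8090 stream tcp nowait nobody /usr/bin/nc /usr/bin/nc localhost 8080
```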

Michael Renner wrote:
> On Friday 23 January 2009, Bill Eldridge wrote:
>> Michael Renner wrote:
>>> On Friday 23 January 2009, Bill Eldridge wrote:
>>>> I was interested in whether there's a simple way to have stunnel redirect traffic from a public Web browser/port to my home Web browser behind my DSL firewall (no ports opened/forwarded for incoming connections on the router, only outgoing-initiated)
>>> Moin,
>>> it is not clear what you want to do. From a public web browser to your home web browser?
>>> Can you clarify your setup?
>> As an example if I run Apache on my home machine, I'd like it to start the tunnel when I turn it on, have it automatically set up stunnel to a Linux box I have on the public net, and have anything to port 8090 on the Linux box get passed to my home machine 8080.
> Even though this is the stunnel list, I recommend using a reverse ssh tunnel together with netcat to do this.

The particular reason has to do with having stunnel on all of the boxes I'm interested in and not having ssh on all of them. (The reasoning is a bit more convoluted than that, but let's just say I'm interested in doing this with stunnel in particular if possible, not alternative approaches, but thanks, yes, the ssh approach is very straightforward.)
So, can stunnel create an outgoing tunnel from behind a firewall for the Web server to follow back in (similar to the ssh scenario you describe? Though actually you don't need the netcat portion there: ssh -R handles all of that fine)

> Set up netcat as an inetd application listening on port 8090 and redirect anything to localhost:8080 at the remote host.
> At your local machine (with the Apache) start a reverse ssh tunnel, redirecting anything from localhost:8080 (in this case your remote machine) to your local machine:8080:
>
>     home # ssh -R 8080:localhost:8080 user@remote
>
> You should use a key to get rid of the password question!
> Add a line like this to the remote /etc/inetd.conf:
>
>     8090 stream tcp nowait nobody /usr/bin/nc /usr/bin/nc localhost 8080
>
> CU

At 7:46 PM +0100 1/23/09, Bill Eldridge wrote:
> Michael Renner wrote:
>> On Friday 23 January 2009, Bill Eldridge wrote:
>>> I was interested in whether there's a simple way to have stunnel redirect traffic from a public Web browser/port to my home Web browser behind my DSL firewall (no ports opened/forwarded for incoming connections on the router, only outgoing-initiated)
>> Moin,
>> it is not clear what you want to do. From a public web browser to your home web browser?
>> Can you clarify your setup?
> As an example if I run Apache on my home machine, I'd like it to start the tunnel when I turn it on, have it automatically set up stunnel to a Linux box I have on the public net, and have anything to port 8090 on the Linux box get passed to my home machine 8080.

Easier to use ssh to port forward in this instance, IMHO. But why? Seems like just port mapping on the NAT router would work just as well and with no different effect on security.
Tom

Tom Shaw wrote:
> At 7:46 PM +0100 1/23/09, Bill Eldridge wrote:
>> Michael Renner wrote:
>>> On Friday 23 January 2009, Bill Eldridge wrote:
>>>> I was interested in whether there's a simple way to have stunnel redirect traffic from a public Web browser/port to my home Web browser behind my DSL firewall (no ports opened/forwarded for incoming connections on the router, only outgoing-initiated)
>>> Moin,
>>> it is not clear what you want to do. From a public web browser to your home web browser?
>>> Can you clarify your setup?
>> As an example if I run Apache on my home machine, I'd like it to start the tunnel when I turn it on, have it automatically set up stunnel to a Linux box I have on the public net, and have anything to port 8090 on the Linux box get passed to my home machine 8080.
> Easier to use ssh to port forward in this instance, IMHO. But why? Seems like just port mapping on the NAT router would work just as well and with no different effect on security.

Because I won't be able to add ssh or access the router in a number of cases where I need this, but I believe I'll have access to stunnel in many/most cases. Necessity is the mother of invention.

At 11:11 PM +0100 1/23/09, Bill Eldridge wrote:
> Tom Shaw wrote:
>> At 7:46 PM +0100 1/23/09, Bill Eldridge wrote:
>>> Michael Renner wrote:
>>>> On Friday 23 January 2009, Bill Eldridge wrote:
>>>>> I was interested in whether there's a simple way to have stunnel redirect traffic from a public Web browser/port to my home Web browser behind my DSL firewall (no ports opened/forwarded for incoming connections on the router, only outgoing-initiated)
>>>> Moin,
>>>> it is not clear what you want to do. From a public web browser to your home web browser?
>>>> Can you clarify your setup?
>>> As an example if I run Apache on my home machine, I'd like it to start the tunnel when I turn it on, have it automatically set up stunnel to a Linux box I have on the public net, and have anything to port 8090 on the Linux box get passed to my home machine 8080.
>> Easier to use ssh to port forward in this instance, IMHO. But why? Seems like just port mapping on the NAT router would work just as well and with no different effect on security.
> Because I won't be able to add ssh or access the router in a number of cases where I need this, but I believe I'll have access to stunnel in many/most cases. Necessity is the mother of invention.

Maybe I am all wet but it seems to me that a) if you can put stunnel at both ends you can put ssh at both ends - saying that you would have access to stunnel and not ssh doesn't make any sense, b) why wouldn't you have access to your own router?
Tom

Tom Shaw wrote:
>>>> As an example if I run Apache on my home machine, I'd like it to start the tunnel when I turn it on, have it automatically set up stunnel to a Linux box I have on the public net, and have anything to port 8090 on the Linux box get passed to my home machine 8080.
>>> Easier to use ssh to port forward in this instance, IMHO. But why? Seems like just port mapping on the NAT router would work just as well and with no different effect on security.
>> Because I won't be able to add ssh or access the router in a number of cases where I need this, but I believe I'll have access to stunnel in many/most cases. Necessity is the mother of invention.
> Maybe I am all wet but it seems to me that a) if you can put stunnel at both ends you can put ssh at both ends - saying that you would have access to stunnel and not ssh doesn't make any sense,

If stunnel already exists on the machines and ssh doesn't and I don't have permission to install it, it makes sense.

> b) why wouldn't you have access to your own router?

If someone else installed it and didn't give me admin permission, for example, amongst other scenarios.

> Tom

At 1:58 PM +0100 1/24/09, Bill Eldridge wrote:
> Tom Shaw wrote:
>>>>> As an example if I run Apache on my home machine, I'd like it to start the tunnel when I turn it on, have it automatically set up stunnel to a Linux box I have on the public net, and have anything to port 8090 on the Linux box get passed to my home machine 8080.
>>>> Easier to use ssh to port forward in this instance, IMHO. But why? Seems like just port mapping on the NAT router would work just as well and with no different effect on security.
>>> Because I won't be able to add ssh or access the router in a number of cases where I need this, but I believe I'll have access to stunnel in many/most cases. Necessity is the mother of invention.
>> Maybe I am all wet but it seems to me that a) if you can put stunnel at both ends you can put ssh at both ends - saying that you would have access to stunnel and not ssh doesn't make any sense,
> If stunnel already exists on the machines and ssh doesn't and I don't have permission to install it, it makes sense.
>> b) why wouldn't you have access to your own router?
> If someone else installed it and didn't give me admin permission, for example, amongst other scenarios.

Still confused.
The premise you explained was, "I run Apache on my home machine, I'd like it to start the tunnel when I turn it on, have it automatically set up stunnel to a Linux box I have on the public net, and have anything to port 8090 on the Linux box get passed to my home machine 8080."
In your scenario, you fundamentally want your home machine to accept connections from the public internet on port 8090. The simplest way is to configure apache to accept connections from port 8090 and allow port forwarding through your home router.
Your scenario seems to require connections to be made to your public linux machine. I can only imagine why as there are plenty of simpler ways of associating a host with an IP or dealing with dynamic dns, etc. But OK, it's your linux machine and your home machine and you now say that your linux distro didn't come with ssh - weird. So why not configure your linux apache to provide reverse proxy services for your home machine? Or create a VPN between your home machine and your linux public machine.
Your comment that you don't have access to either machine with admin privileges (your latest comment above) begs the obvious question as to how do you even expect to be able to configure Stunnel or apache?
Sorry that I don't understand the problem you are trying to solve.

Tom Shaw wrote:
> At 1:58 PM +0100 1/24/09, Bill Eldridge wrote:
>> Tom Shaw wrote:
>>>>>> As an example if I run Apache on my home machine, I'd like it to start the tunnel when I turn it on, have it automatically set up stunnel to a Linux box I have on the public net, and have anything to port 8090 on the Linux box get passed to my home machine 8080.
>>>>> Easier to use ssh to port forward in this instance, IMHO. But why? Seems like just port mapping on the NAT router would work just as well and with no different effect on security.
>>>> Because I won't be able to add ssh or access the router in a number of cases where I need this, but I believe I'll have access to stunnel in many/most cases. Necessity is the mother of invention.
>>> Maybe I am all wet but it seems to me that a) if you can put stunnel at both ends you can put ssh at both ends - saying that you would have access to stunnel and not ssh doesn't make any sense,
>> If stunnel already exists on the machines and ssh doesn't and I don't have permission to install it, it makes sense.
>>> b) why wouldn't you have access to your own router?
>> If someone else installed it and didn't give me admin permission, for example, amongst other scenarios.
> Still confused.
> The premise you explained was, "I run Apache on my home machine, I'd like it to start the tunnel when I turn it on, have it automatically set up stunnel to a Linux box I have on the public net, and have anything to port 8090 on the Linux box get passed to my home machine 8080."
> In your scenario, you fundamentally want your home machine to accept connections from the public internet on port 8090. The simplest way is to configure apache to accept connections from port 8090 and allow port forwarding through your home router.
> Your scenario seems to require connections to be made to your public linux machine. I can only imagine why as there are plenty of simpler ways of associating a host with an IP or dealing with dynamic dns, etc. But OK, it's your linux machine and your home machine and you now say that your linux distro didn't come with ssh - weird. So why not configure your linux apache to provide reverse proxy services for your home machine? Or create a VPN between your home machine and your linux public machine.
> Your comment that you don't have access to either machine with admin privileges (your latest comment above) begs the obvious question as to how do you even expect to be able to configure Stunnel or apache?
> Sorry that I don't understand the problem you are trying to solve.

Sigh. I think I described a scenario that I want to solve with stunnel. I realize there are other ways to do this, and can do it, and have done it. I would like to know if it's possible with stunnel or not, whether I misunderstand what stunnel is able to do, whether it needs stunnel with PPP to do what I describe or whether stunnel can do it alone.
Can I use stunnel to connect from my machine behind a firewall to an external Web server and use that tunnel to allow port forwarding from the Web server to the machine behind the firewall? Not reconfiguring Apache, not reconfiguring the firewall.
Thanks.

> Can I use stunnel to connect from my machine behind a firewall to an external Web server and use that tunnel to allow port forwarding from the Web server to the machine behind the firewall? Not reconfiguring Apache, not reconfiguring the firewall.

The answer is no... :-/ However, if you have access to netcat on the machines behind the firewall then you can use that to set up the connection ... and run it through stunnel for the encryption.
-Claus

________________________________________
From: stunnel-users-bounces@mirt.net [stunnel-users-bounces@mirt.net] On Behalf Of Bill Eldridge [dcbill@volny.cz]
Sent: Saturday, January 24, 2009 12:19 PM
To: Tom Shaw
Cc: stunnel-users@mirt.net
Subject: Re: [stunnel-users] Use stunnel through firewall for home Web server?

Tom Shaw wrote:
> At 1:58 PM +0100 1/24/09, Bill Eldridge wrote:
>> Tom Shaw wrote:
>>>>>> As an example if I run Apache on my home machine, I'd like it to start the tunnel when I turn it on, have it automatically set up stunnel to a Linux box I have on the public net, and have anything to port 8090 on the Linux box get passed to my home machine 8080.
>>>>> Easier to use ssh to port forward in this instance, IMHO. But why? Seems like just port mapping on the NAT router would work just as well and with no different effect on security.
>>>> Because I won't be able to add ssh or access the router in a number of cases where I need this, but I believe I'll have access to stunnel in many/most cases. Necessity is the mother of invention.
>>> Maybe I am all wet but it seems to me that a) if you can put stunnel at both ends you can put ssh at both ends - saying that you would have access to stunnel and not ssh doesn't make any sense,
>> If stunnel already exists on the machines and ssh doesn't and I don't have permission to install it, it makes sense.
>>> b) why wouldn't you have access to your own router?
>> If someone else installed it and didn't give me admin permission, for example, amongst other scenarios.
> Still confused.
> The premise you explained was, "I run Apache on my home machine, I'd like it to start the tunnel when I turn it on, have it automatically set up stunnel to a Linux box I have on the public net, and have anything to port 8090 on the Linux box get passed to my home machine 8080."
> In your scenario, you fundamentally want your home machine to accept connections from the public internet on port 8090. The simplest way is to configure apache to accept connections from port 8090 and allow port forwarding through your home router.
> Your scenario seems to require connections to be made to your public linux machine. I can only imagine why as there are plenty of simpler ways of associating a host with an IP or dealing with dynamic dns, etc. But OK, it's your linux machine and your home machine and you now say that your linux distro didn't come with ssh - weird. So why not configure your linux apache to provide reverse proxy services for your home machine? Or create a VPN between your home machine and your linux public machine.
> Your comment that you don't have access to either machine with admin privileges (your latest comment above) begs the obvious question as to how do you even expect to be able to configure Stunnel or apache?
> Sorry that I don't understand the problem you are trying to solve.

Sigh. I think I described a scenario that I want to solve with stunnel. I realize there are other ways to do this, and can do it, and have done it. I would like to know if it's possible with stunnel or not, whether I misunderstand what stunnel is able to do, whether it needs stunnel with PPP to do what I describe or whether stunnel can do it alone.
Can I use stunnel to connect from my machine behind a firewall to an external Web server and use that tunnel to allow port forwarding from the Web server to the machine behind the firewall? Not reconfiguring Apache, not reconfiguring the firewall.
Thanks.

On Friday 23 January 2009, Bill Eldridge wrote:
> Tom Shaw wrote:
[...]

ok, let's recapitulate:
* you have to use SSL, not ssh
* you can not use port forward
* there is no 'reverse mode' in stunnel

Another alternative with stunnel is to use an SSL-VPN. This encapsulates a ppp network in an SSL (here: stunnel) connection. It has many more features than you need, but
* it is SSL
* it is under your control

Google will help you to find instructions. There is also an excellent book "Building Linux Virtual Private Networks" that I bought last week ;-)
CU