augury l33t
Joined: 22 May 2004 Posts: 722 Location: philadelphia
Posted: Sun Feb 02, 2014 2:31 am Post subject: Port based firewall, encryption, proxy, http security
I've emerged www-apache/anyterm. It provides a console terminal to a web browser.
The problem is that the terminal is not only an unencrypted transmission -- it's already logged in!
I really like the idea of having a terminal on a web browser interface. It requires at least two security features that should apply to this port exclusively:
1. password login for http capable browser
2. encryption handled by a web browser (ssl?)
Anyterm is started by a daemon to a specified port. Although it is www-apache it does not have an apache folder or config files.
hdcg Tux's lil' helper
Joined: 07 Apr 2013 Posts: 120
Posted: Sun Feb 02, 2014 6:31 am
Hi augury,
I am not an anyterm user myself, but I would assume that authentication/authorization as well as encryption should be handled by an Apache server in front of anyterm.
A look at the anyterm homepage http://anyterm.org/howitworks.html confirms this.
So you should set up anyterm to only listen on localhost. Place Apache in front with a suitable authentication module and the proxy module enabled. Then you can proxy a URL of our choice to the anyterm daemon.
I would assume that stunnel could also be used for such a setup. As it is SSL centric it offers fewer options than Apache when it comes to authentication/authorization.
Best Regards,
Holger
augury l33t
Joined: 22 May 2004 Posts: 722 Location: philadelphia
Posted: Sun Feb 02, 2014 8:27 am
I swear to god I am the international error code tourist.
OK I got it to work.
Code:
<VirtualHost *:80>
    ServerName 192.99.12.70
    Include /etc/apache2/vhosts.d/default_vhost.include
    # Comments sit on their own lines: Apache does not accept a trailing
    # "# ..." after a directive's arguments.
    # this is the forward proxy to the localhost
    ProxyPass /console http://127.0.0.1:7676
    # this is the proxy reverse
    ProxyPassReverse /console http://127.0.0.1:7676
    # anyterm.html does not set cookies
    # (argument order for both cookie directives: internal value, then public value)
    ProxyPassReverseCookiePath / /console
    # takes bare domains, not URLs
    ProxyPassReverseCookieDomain 127.0.0.1 192.99.12.70
    # this allows the .js and .css to be loaded -- had to emerge mod_proxy_html
    # and add -D PROXY_HTML to the options line in /etc/conf.d/apache2
    ProxyHTMLExtended On
    # this was not required but it reinforces the fact
    ProxySourceAddress 127.0.0.2
    <Location /console/anyterm.html>
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile "/etc/htpasswd/htpasswd"
        Require valid-user
    </Location>
</VirtualHost>
Now what I need to do is add the secure connection encryption.
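The step the post above leaves open (TLS in front of the proxied terminal), as an added example that is not part of the thread or of anyterm's own documentation. It assumes mod_ssl is loaded and the server listens on 443; the certificate paths are placeholders, while the address, backend port and htpasswd path are the ones posted above. It also applies the login to the whole /console prefix instead of only anyterm.html, so every proxied URL requires credentials and the Basic password never travels over plain HTTP.

```apache
# Added example, not from the thread.

# Plain HTTP: never proxy the terminal here, only send clients to HTTPS.
<VirtualHost *:80>
    ServerName 192.99.12.70
    Redirect permanent /console https://192.99.12.70/console
</VirtualHost>

<VirtualHost *:443>
    ServerName 192.99.12.70

    SSLEngine on
    # Placeholder paths: point these at the real certificate and key.
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # anytermd is bound to loopback only; Apache is the sole way in.
    ProxyPass        /console http://127.0.0.1:7676
    ProxyPassReverse /console http://127.0.0.1:7676

    # Protect the whole prefix, not just anyterm.html, so the scripts and
    # the terminal's own requests are behind the same login.
    <Location /console>
        # Refuse any request for this prefix that is not using TLS.
        SSLRequireSSL
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile "/etc/htpasswd/htpasswd"
        Require valid-user
    </Location>
</VirtualHost>
```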
augury l33t
Joined: 22 May 2004 Posts: 722 Location: philadelphia
Posted: Sun Feb 02, 2014 8:36 am
I enabled all the APACHE2_MODULES= (why not) and had to add -D PROXY and -D PROXY_HTML (from the mod_proxy_html port).
augury l33t
Joined: 22 May 2004 Posts: 722 Location: philadelphia
Posted: Sun Feb 02, 2014 8:43 am
Another thing, it is sort of useless if anytermd is not run without --user root.
augury l33t
Joined: 22 May 2004 Posts: 722 Location: philadelphia
Posted: Sun Feb 02, 2014 9:38 am
OK now I want to run a gkrellmd over the internet. gkrellmd is as bad as an open terminal, SO I need to secure a log in.
But gkrellm clients do not have a means of authenticating.
Is apache able to authenticate with another apache and connect my proxies?
Hu Moderator
Joined: 06 Mar 2007 Posts: 21619
Posted: Sun Feb 02, 2014 5:22 pm
Perhaps it would be a better use of your time to find a way to make ssh work reliably over whatever excuse for an Internet connection you are stuck on. Once that works, ssh port forwarding will handle the rest. You could also try an OpenVPN TCP-TLS tunnel over 443, which should work in the absence of an SSL-cracking proxy.