Security :: BigBlueButton - From HTTP To HTTPS Reverse Proxy
Sep 17, 2010
I am working on a project to create a video conferencing environment. For this I use a default installation of BigBlueButton on ubuntu 10.04. One of the main problems here is that it's not safe enough to share classified documents trough this software. It's a simple webserver that uses nginx. What I want to do is make this connection secure.
One of the problems is that I don't only have a connection trough port 80 but it uses the following ports:
Port 80 (HTTP), 1935 (RTMP), 9123 (Desktop sharing).
I would like to use a proxy instead of some tunneling or vpn to do this. Would anyone happen to know anything about squid or another equivalent to do this?
I've been trying to make myself anonymous, but I cant find 'Tor' anywhere, tried 'yum & kpackagekit' neither have it. I did find 'Privoxy', installed it, set proxy for HTTP and HTTPS in Firefox, but it says 'unknown proxy' when I try to use it! I've been to the Privoxy web site and read through the 'User manual', but most of it is 'geek' to me!
I have searched and searched for a reverse proxy solution for non-website traffic. TCP but not http, on ports other than 80, 443, 8080, etc. Basically I just need a TCP forwarder that works with multiple TCP servers, WITHOUT webpage caching features. I do not need or want any webpage caching. Can squid work as a reverse proxy for TCP traffic without http? The other program I came across in searching was HAproxy. Both programs are for http but I am curious if they would work for TCP servers that do not serve webpages.
I need to redirect all http/https/ftp traffic through the remote proxy, but when I changes connection settings in browser or in System->Preferences->Network Proxy it doesn't work well: instead of getting page content browser asks for saving some short (8 bytes) file with the same content for all requested pages. It happens in Chrome/Opera/Firefox. This proxy requires authorization and works on computer with Windos XP. It worked well when I was using Windows 7 and Proxifier, now I have Ubuntu 9.10 with all available updates.
Will squid or HAproxy work to reverse proxy non-http traffic? I have searched and searched for a reverse proxy solution for non-website traffic. TCP but not http, on ports other than 80, 443, 8080, etc. Basically I just need a TCP forwarder that works with multiple TCP servers, WITHOUT webpage caching features. I do not need or want any webpage caching. Can squid work as a reverse proxy for TCP traffic without http? The other program I came across in searching was HAproxy. Both programs are for http but I am curious if they would work for TCP servers that do not serve webpages.
A Linux (CentOS5.3) server is setup with apache reverse proxy. The reverse proxy server is opened to outside and an internal server is mapped to ProxyPass configuration. SSL certificate is also installed on the Apache reverse proxy server. The problem is, it is extremely slow in serving http requests through reverse proxy. There is no problem with server resources or bandwidth. When the internal server is directly accessed through Internet, there is no delay. The backend server and the reverse proxy server are also on the same switch (same subnet). When I searched the Net, there were recommendations to enable cache in Apache. I did so as follows in httpd.conf.
But still there is no progress. Do I want to enable cache in ssl.conf too? Or is there any other workaround to speed up Apache reverse proxy. Is there a way to check that caching is happening?
I have a http proxy account. It works well under windows through wodTunnel(an active X control component). But, I usually works under linux. I want to use it here. But I don't know how. I tried gstm, it can connect to the server successfully, but it seems can't respond to my http request. What should I do next?
My company web access is behind proxy(http://abc.proxy). Network admin can get to check who is top10 user and web they access. I owned a centos server. I have a thought that create an encrypted tunnel within proxy so the admin cant detect my http address. This is how it going to works
client with OpenVPN -> OpenVPN server(centos with company proxy)-> proxy -> internet
My connectivity in my client are using OpenVPN server as bridge. Hence, no record for client is recorded in my Network admin monitoring list. OpenVPN server's activity can be traced by network monitoring tools, just assume that our ultimate goal is to hide client activity.
I've been doing some security testing in a lab environment that does not have direct internet access. It's actually a little complicated: From home to connect to my lab machine, I
1. SSH to machineA. 2. SSH from machineA to machineB
where machineB is my actual lab machine. neither machineA or machineB allow anything other than SSH, and machineB is only accessible from machineA. However, I really need to run yum on machineB. I have managed to get internet access via Firefox on machineB by creating a series of SOCKS proxy via SSH.
where machineC has internet without limits placed. This is the only way I have managed to get internet working. I tried using ssh -L all the way from machineB->machineA->machineC but it didn't work (even when setting Firefox to use http proxy). I tried using ssh -D all the way, but again that doesn't work either.
I do have access via Firefox using socks proxy. However, yum update fails to retrieve mirror list, and from what I have found I don't believe yum supports socks proxy directly. Instead, it uses http_proxy / ftp_proxy. how to get yum to go out over the SOCKS proxy I created (same one using in Firefox)? It seems like since Firefox can access the internet and everything without issues, i should be able to get yum to tunnel through the same connection to access everything.... I tried
I had setup an SSL secure server awhile back, such that: [url] works but [url]does not (note the different: in the first, I use HTTPS, whereas the second I use HTTP) How can I get both to co-exist?
I have my Linux laptop running Katatonic Koala at the moment. It is connected via CAT5 to a switch. The switch then connects to my router. All five of my computers are connected to the switch, actually. The only one that won't talk to any sites other than https secure sites is the Linux box. I am not well-versed in the inner workings of Linux and need some help in what I need to do so that regular http sites work. You guys always have the right anwers so I will wait humbly for your replies.
I have a server (Fedora 12) setup at a client's datacenter and the network is setup to allow me ssh access into the server, but prevents me from opening any connections from the server. However, I need to make http and https request from the server. What I'd like to do is forward all http/https traffic through another machine outside the network.
I've been looking at the documentation for ssh and the various options there and have gotten so far as to enable initiating an ssh connection from the client network back to my machine, but am not sure where to take it from there.
Here are some of the commands I've used so far:
Code:
I'm attempting to bind port 80 to be forwarded through the local machine. I assume I use "ssh -R" to create a dynamic tunnel to forward requests but I must be missing something.
I am trying to configure iptables for only HTTP and HTTPS traffic. I start by blocking all traffic, which works, via:
Code: iptables -F iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP
I then try to allow HTTP and HTTPS on eth0 with these commands, which does not work:
Code: iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Code: iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT After these commands I should be able to access the internet. Does anyone know why this is not working?
When I click on an http link in Thunderbird, nothing at all happens. There's no error message on the console, there's no new browser starting, and there's no new tab opening with the browser already running.
I've tried: sudo update-alternatives --config x-www-browser, choosing firefox.I've also tried: adding a new string value to Thunderbird's warranty-voiding config: network.protocol-handler.app.http, with a value of /usr/bin/firefox. This was recommended in various threads.But no luck.There's an entry for https - firefox on the Attachment tab of the preferences, and https links are indeed opening in Firefox. But not http.KDE 4.4.2 itself has default mail client and browser set to Thunderbird 3.0.4 and Firefox 3.6.3 (both from the repositories, no website downloads).
What is the best way to go about setting up multiple virtual hosts on the same box, one using http and one using https/ssl? I'd like to serve them from the same ip address if possible; I know it's possible in apache 1.3.
For one project I use a web hosting service. I wanted the entire site to be https, so I bought a service from them in which they automatically install a trusted cert so people can access the site through https protocol. Since http is still available, though, I need to do automatic rewrites or something to change http into https requests. (I don't have access to their Apache server configuration files or anything like that.)I found on the net this code to add to my .htaccess file:
Code: RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Is there a driver or utility to mount an iso image over http or https? There is a httpDisk driver for windows but I can't find anything similar for Linux.
There may be a way of using curl/wget but not sure if this is possible.
How to best manage both http and https pages on the same apache-server without conflicts. For example, if i have both 000-default.conf and 000-default-ssl.conf pointing to mydomain.com, and don't want users who visit mydomain.com without specifically type the https-prefix to be redirected to the https-page - how to handle users using browserplugins such as https-everywhere etc?
Another option would be to create a subdomain ssl.mudomain.com and have users who want to reach the ssl site to have to type ssl. I have tested several things with https everywhere enabled in my own browser, and it seems really hard to make this working the way i want, in one way or another i always end up getting redirected to the ssl-site automatically.
The reason i need this to work is because i run one site that i don't care much about SSL, that is the "official" part of that site, and i also host some things for friends and family on the SSL-part. This would not have been a problem if it wasn't that i use self-signed certificates for my ssl-site and the major user become afraid when a certificate-warning pops up in their browser and therefor leave the site.
I have 2 web server in my office : http and https. You will find attached the httpd.conf and ssl.conf. I can acces the https server from home, but not the http one.
What I did : configure the router to forward port 80 to my fedora 11 machine open port 80 with system-config-network created a virtualhost
The same exact steps have been done for port 443
I can access both server locally but only the https server remotelly.
Here are my iptables :
Code:
you can try to acces my servers using [url]
I made httpd to listen to port 8080, and done all the port forwarding/opening stuf, and it works. so is it a bug ?
Finally found my error seams like turning off UseCanonicalName to off did the trick
I really think it's a bug now. It was definitively working last week, I just added content to the main host of my website, and now i can't acces it from port 80. If someone think it's not a bug or find someting missing/wrong in my conf file.
I've noticed that when I open firefox I get really strange HTTP and HTTPS connections showing up in firestarter (which as I understand it is just a GUI for IPtables). They connect to various bits of a site listed as 1e100.net (when you use "lookup hostnames") such as wy-in-f18.1e100.net, they stay connected all the time as far as I can see unless I close firefox. I've heard people say they are connected to Google, but I can close all tabs after loging out of google and still see them... it's very odd.
I am running a Linux firewall (IPcop) to bridge two networks. Hosts on network A have to use a proxy server in order to get online. This server runs a transparent proxy (squid) configured to use the proxy needed to connect to the internet as an upstream proxy, therefore meaning all the hosts on network B can connect to the internet without the user having to configure a proxy address.
The problem is that HTTPS also has to go through the upstream proxy, which I'm told can't be proxied by my server transparently because of security issues. This means that hosts on network B can't currently access HTTPS sites.
I have a server in a corporate data center for a project. I have an SSH access to this machine at port 22.There are some virtual machines running on this server and then at the back of every thing many other Operating systems are working. Now Since I am behind the data centers firewall my supervisor asked me if I can do some thing by which I can give many people on Internet access to these virtual machines directly. I know if I were allowed to get traffic on port other than 22 then I can do a port forwarding. But since I am not allowed this so what can be a solution in this case.
The people who would like to connect might be complete idiots.Who may be happy just by opening putty at their machines or may be even filezilla.I have configured an Apache Reverse Proxy for redirecting the Internet traffic to the virtual machines on these hosts.But I am not clear as for SSH what can I do.So is there some thing equivalent to an Apache Reverse Proxy which can do similar work for SSH in this situation.I do not have firewall in my hands or any port other than 22 open and in fact even if I request they wont allow to open.2 times SSH is not some thing that my supervisor wants.
I'm having some trouble getting Apache up and running as a reverse proxy for a site using SSL. Ideally, this Apache system will function as a web application firewall running mod_security, but first I need to get Apache running right. The system is running CentOS 5.5 and Apache 2.2. Trouble is, the web server on the back end, which is running Windows Web Server 2008 (IIS 7) requires SSL. I have been able to get Apache set up and running so that it works fine on port 80, but any secure traffic on port 443 just won't work.
So first, here's the relevant portion of the Apache config: Code: <VirtualHost 192.168.108.212:80> ServerName www.server.com ErrorLog logs/test_error_log CustomLog logs/test_access_log common ProxyPass / http://192.168.108.152/ ProxyPassReverse / http://192.168.108.152/ </VirtualHost> <VirtualHost 192.168.108.212:443> ServerName www.server.com ErrorLog logs/test_error_log CustomLog logs/test_access_log common SSLProxyEngine On SSLProxyMachineCertificateFile /etc/httpd/conf/server.pem ProxyPass / https://192.168.108.152/ ProxyPassReverse / https://192.168.108.152/ </VirtualHost>
The server.pem was created following some steps I found online and was set up using the same certificate that's on the web server. It is formatted as so:
So, after all is said and done, Apache starts up just fine. Any unsecured requests on port 80 work just fine. Trying to use https results in an ssl_error_rx_record_too_long error in Firefox. The Apache logs show a 404 error, with the request being for /x16/x03/x01. I believe that means it's requesting SSL access on a non-ssl port, which doesn't make any sense to me, considering that I obviously do have something up on to listen on that port.
