johnnyt Posted September 17, 2011

Would like to set up a reverse proxy server to share one inbound TCP port 443 (https) between three web servers on my LAN: my router admin, Homeseer and ISY. The main reason for it is that the corporate firewall at my work does not allow one to use anything other than port 443 with https. That means before I leave the house I have to choose one server (only) to expose. Secondary reasons are convenience and security (at least I think it's more secure and improves client side convenience).

Am wondering if:

1) ISY with network module can act as a reverse proxy server? (doesn't look like it to me but want to confirm)

2) there are any recommendations (and some how-to's) for setting up a Windows XP compatible reverse proxy server with SSL that would allow me to use my target web server by simply appending something like "/ISY", "/HS", "/router" to the URL?

Any advice would be appreciated.
bbconvert Posted September 17, 2011

I use a SonicWall SSL VPN appliance for that very purpose.
johnnyt (Author) Posted September 18, 2011

I can't install any client s/w on my work machine. In fact it won't even let me install the ActiveX app that my SSL VPN router pushes out for it to provide that path into my home network (I bought the router in part hoping to use the SSL VPN functionality for this). I also cannot change the browser settings to allow any ActiveX app to run. Things are locked down pretty tight.
bbconvert Posted September 18, 2011

A SonicWall TZ 200 is a router with SSL VPN capabilities and it will only allow you to "extend" your home network by providing your work PC with a second IP address on your home network. To do that, you do need to install SW on your work PC. Even if that were allowed by your work IT group, I would not recommend it (you don't want to take the risk of commingling your home and work networks).

A SonicWall SRA appliance like the SonicWall SRA 1200 offers several different SSL VPN services, including reverse proxy. In reverse proxy mode, there is absolutely nothing that needs to be installed on the client (your work PC) side. It behaves 100% like a normal website. Cisco has similar offerings but I am not familiar with them.
johnnyt (Author) Posted September 20, 2011

While the SonicWall SRA 1200 sounds like it might do what I'm looking for, it's well outside my budget for this... even if I hadn't already invested in my other router (at about a quarter of the price).
MWareman Posted February 17, 2013

I do this for exactly the reason - accessing multiple interfaces from work where only 80 and 443 are allowed out. There is also a forced proxy - and I wanted to securely access various hosts within my home network.

I have an internal Apache host set up (Ubuntu) with a wildcard certificate for *.domain.com (in this example) from http://www.cacert.org/. Get Apache working with the cert first and then NAT in port 443.

I have a dynamic DNS setup for my external IP. I then use CNAME records in my external DNS (so - if my dynamic DNS is 'xyz.no-ip.org' my CNAMEs would be 'router CNAME xyz.no-ip.org', 'isy CNAME xyz.no-ip.org', etc.). If you have a static IP - you could set up a wildcard 'A' record for the IP.

So - I can now access my Apache install from the outside with the unique URLs all resolving to the same IP, 'https://router.domain.com' and 'https://isy.domain.com', and I get a valid certificate each time (assuming your remote machine trusts CACert as a root authority).

Now - I create a config file for each internal site I wish to publish (/etc/apache2/sites-enabled/isy in this case) like the following:

<VirtualHost *:443>
    ServerAdmin webmaster@domain.com
    # Must match the external CNAME so the name-based vhost selects this site
    ServerName isy.domain.com

    # Reverse proxy only: never act as a forward (open) proxy
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia On
    <Proxy *>
        # Apache 2.2 access control; Apache 2.4 uses "Require all granted"
        Order deny,allow
        Allow from all
    </Proxy>
    # Internal IP:port of the service being published
    ProxyPass / http://1.2.3.5:80/
    ProxyPassReverse / http://1.2.3.5:80/

    CustomLog ${APACHE_LOG_DIR}/access_proxy.log combined
    ErrorLog ${APACHE_LOG_DIR}/error_proxy.log

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/cert.pem
    SSLCertificateKeyFile /etc/ssl/private/cert.key
</VirtualHost>

Be sure to set the certificate key paths correctly. Also - change 1.2.3.5:80 to the internal IP and port of the service to be published. You also need to set the 'ServerName' to match the external CNAME record you set up. A quick reload of Apache - and it should work. I use this to publish several security cameras, a MythTV system, my ISY and my router.
Generally works fairly well - but there can be issues with some web services that embed absolute links in the HTML. There is no rewriting of URLs within the HTML going on - so each published service may involve some work. Michael.
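The absolute-link problem Michael describes is the part of the setup that ProxyPassReverse does not cover: Apache rewrites backend URLs in response headers such as Location, but not URLs inside the HTML body (Apache's mod_proxy_html module exists for that). The following Python is an added example, not code from the post, showing both halves: the backend address http://1.2.3.5:80 is the one from the config above, while the public name https://isy.domain.com and the sample HTML are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Backend the vhost proxies to (from the post) and the public name the
# browser actually uses (constructed for this example).
BACKEND = "http://1.2.3.5:80"
PUBLIC = "https://isy.domain.com"

# Attributes whose values the browser follows as links.
_LINK_ATTR = re.compile(
    r"""\b(?P<attr>href|src|action)=(?P<q>["'])(?P<url>[^"']*)(?P=q)""",
    re.IGNORECASE)

def _same_origin(url: str, origin: str) -> bool:
    """True if url's scheme, host and (explicit or default) port match origin."""
    default = {"http": 80, "https": 443}
    try:
        u, o = urlsplit(url), urlsplit(origin)
        if u.scheme.lower() != o.scheme.lower():
            return False
        if (u.hostname or "").lower() != (o.hostname or "").lower():
            return False
        return (u.port or default.get(u.scheme.lower())) == (
            o.port or default.get(o.scheme.lower()))
    except ValueError:  # malformed host or port: not ours, leave it alone
        return False

def rewrite_url(url: str, backend: str = BACKEND, public: str = PUBLIC) -> str:
    """Map an absolute backend URL onto the public name; pass anything else through."""
    if not _same_origin(url, backend):
        return url
    u, p = urlsplit(url), urlsplit(public)
    return urlunsplit((p.scheme, p.netloc, u.path or "/", u.query, u.fragment))

def rewrite_location(header_value: str) -> str:
    """What ProxyPassReverse does for you: fix a backend URL in a Location header."""
    return rewrite_url(header_value)

def rewrite_links(html: str) -> str:
    """What ProxyPassReverse does NOT do: fix absolute backend URLs in the body."""
    def sub(m):
        return f'{m.group("attr")}={m.group("q")}{rewrite_url(m.group("url"))}{m.group("q")}'
    return _LINK_ATTR.sub(sub, html)

# Constructed sample page: two absolute backend links (one with the port
# implied), a relative link, and a link to another host that must stay as is.
SAMPLE_HTML = ('<a href="http://1.2.3.5:80/rest/nodes">nodes</a>'
               '<img src="http://1.2.3.5/img/logo.png">'
               '<a href="/desc">relative</a><form action="http://1.2.3.6/other">')
```

Relative links are deliberately left untouched because the browser already resolves them against the proxy's own host name.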