[#] Mon Feb 20 2017 15:02:07 EST from bennabiy @ Uncensored


One other thought I had, which I use often, is to do those types of translations at the router level. I guess to give a proper answer, I would need to know more about the environment (like why not just set your apache to listen on 8443 if it is security through obscurity?), and also if it is your local network access which you are concerned with, or just outside connections. Those things make a difference with what method you use. You can get really technical and set up a stunnel listener on the 8443 and have it route to localhost (either directly, or through some fancy /etc/hosts file entries) to your 443 port.

[#] Mon Feb 20 2017 15:08:05 EST from bennabiy @ Uncensored


I agree about the Static IP vs Dynamic. One other thing to consider is that every dynamic IP is on a block list if you plan on running a mail server, so expect your messages to get rejected by at least half of the servers out there.

Computers are much smarter at scanning than we are, but also, most of the time they are just after the low-lying fruit. Port knocking does have a way of thwarting them, when combined with firewall rules which denote which IP addresses the connection requests can come from, etc.

[#] Mon Feb 20 2017 17:39:06 EST from IGnatius T Foobar @ Uncensored

I suppose we have to get this out of the way: why are you trying to tackle this problem using port forwarding? Most server programs can be told to listen on a variety of interface:port combinations.

If you really must forward, and if the protocol being used is HTTP or HTTPS, then maybe you could consider running an nginx proxy as a connection multiplexer.
If you do that it can handle things like SSL offload for you as well.

[#] Tue Feb 21 2017 06:56:49 EST from fleeb @ Uncensored

In this situation, the person gains a full virtual machine that they can alter with as many network adapters configured however they want.

The people who would use this product might have unusual security conditions that may require peculiar network environments. If I can provide a flexible environment that lets them connect to the product however they wish (whatever port they want, etc), then the product becomes more appealing to them.

The only possible problem with stunnel is that it forces SSL. But, we force it anyway, so I don't view that as a serious impediment; we don't really want this information openly viewable via wireshark or the like.

I can indeed tell apache2 to listen to specific ports and specific adapters, but I don't know how well it listens to multiple ports/adapters configured in wildly different ways (e.g. 10.1.0.41:9123 & 192.168.1.23:443). Or, for that matter, if it's relatively simple to program such configurations. I can research it, though.

Port forwarding just seemed like it would work easily via iptables, but considering that stack overflow (or, as they call it now, superuser) has had a question similar to this for 5 years left unanswered, perhaps this isn't as easy an approach as I expected.

Hmm... nginx proxy... I can look at that, too.

[#] Tue Feb 21 2017 07:44:11 EST from fleeb @ Uncensored

Huh... actually, apache2 does support doing exactly what I want.

I have to modify two files to do it instead of just one, but it is possible to specify multiple IP/port combinations for a single <VirtualHost>.

You can also mess around with IPv6.

This is probably the most straightforward way to address this problem.
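As an added illustration of the two-file Apache setup fleeb describes (this is example configuration written for this page, not fleeb's actual files or anything posted in the thread), the block below assumes a Debian-style layout where the listening sockets live in ports.conf and the virtual host in sites-available, reuses the two address:port pairs fleeb mentioned earlier in the thread, and uses placeholder certificate paths and a placeholder ServerName.

```apache
# File 1 of 2: /etc/apache2/ports.conf  (listening sockets)
# Added example; the addresses are the ones mentioned in the thread,
# not a real deployment. Binding to specific addresses rather than
# 0.0.0.0 keeps the service off adapters you did not list.
Listen 10.1.0.41:9123 https
Listen 192.168.1.23:443 https
# IPv6 literals go in square brackets (placeholder address):
# Listen [2001:db8::10]:443 https

# File 2 of 2: /etc/apache2/sites-available/appliance.conf  (the vhost)
# One <VirtualHost> may name every address:port it should answer on;
# each pair must also appear in a Listen directive above.
<VirtualHost 10.1.0.41:9123 192.168.1.23:443>
    ServerName appliance.example.internal          # placeholder name
    DocumentRoot /var/www/appliance                # placeholder path

    # TLS is forced on every listener, matching the "we force SSL
    # anyway" requirement from the thread.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/appliance.crt     # placeholder
    SSLCertificateKeyFile /etc/ssl/private/appliance.key   # placeholder
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    ErrorLog  ${APACHE_LOG_DIR}/appliance-error.log
    CustomLog ${APACHE_LOG_DIR}/appliance-access.log combined
</VirtualHost>
```

After enabling the site (`a2ensite appliance` on Debian-derived systems), run `apache2ctl configtest` before reloading; a vhost address without a matching Listen is the usual mistake and shows up there. To confirm that only the intended sockets are open, check with `ss -tlnp | grep apache2` and verify that no `0.0.0.0:443` or `[::]:443` entry appears alongside the two addresses you listed.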

[#] Tue Feb 21 2017 22:43:36 EST from bennabiy @ Uncensored


Sanity...

[#] Wed Feb 22 2017 14:00:24 EST from fleeb @ Uncensored

It's a trifle annoying, though, having to handle two configuration files instead of one, but, eh... whatever.

[#] Tue Feb 28 2017 09:20:10 EST from IGnatius T Foobar @ Uncensored


It is not uncommon to distribute an appliance with a front end web server installed to handle proxy, caching, security, and even connection pooling.

[#] Tue Feb 28 2017 14:16:47 EST from fleeb @ Uncensored

This appliance interfaces via web (both for a UI and services).

I just figured using forwarded ports would work more easily than having to reconfigure a web server, but it seems I am wrong.

[#] Mon Mar 06 2017 08:30:03 EST from IGnatius T Foobar @ Uncensored


The current wisdom seems to be that you should distribute your appliance as a Docker container.

[#] Mon Mar 06 2017 09:58:40 EST from LoanShark @ Uncensored

depends on whose wisdom you're listening to. that's certainly the latest trend.

too many public docker base-images have unpatched security holes.

[#] Mon Mar 20 2017 07:45:57 EDT from fleeb @ Uncensored

We've considered the use of Docker for a different purpose... putting an arbitrary number of these things on one box, and forwarding from one to all of them simultaneously.

Sadly, though, we can't distribute this as a Docker image, as we can't let people have access to the code. If we were open-sourced, it wouldn't be a problem.

[#] Tue Mar 21 2017 19:31:15 EDT from LoanShark @ Uncensored

what? docker is a binary image format. it's *not* source-based.

[#] Wed Mar 22 2017 12:37:40 EDT from IGnatius T Foobar @ Uncensored


Actually, Docker seems like the perfect way to distribute binary code across a range of compatible operating systems, since it carries along any of the libraries and other oddities that might vary from system to system.
