Httptunnel and nginx

Hello,

I want to use nginx to redirect a subdomain to an HTTP tunnel.
To do that I run hts like this:

/usr/bin/hts --forward-port localhost:22 8080

and I configure nginx like this (file /etc/nginx/sites-available/default):

[code]server {
    listen 80; ## listen for ipv4; this line is default and implied
    #listen 8080; ## listen for ipv4; this line is default and implied
    listen [::]:80 default ipv6only=on; ## listen for ipv6

    #root /usr/share/nginx/www;
    root /var/www;
    index index.html index.htm index.php;

    # Make site accessible from http://localhost/
    server_name barmic.fr barmic.42;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to index.html
        try_files $uri $uri/ /index.html;
    }

    # Indefero
    location /indefero {
        root /var/www/indefero;
        index index.php;

        # rewrite rules for indefero
        if (-e $request_filename) {
            break;
        }
        rewrite ^(.*)$ /index.php?_pluf_action=/$1 last;
    }

    #location /blog {
    #    root /home/barmic/blog;
    #    index index.html;
    #}

    location /doc {
        root /usr/share;
        autoindex on;
        allow 127.0.0.1;
        deny all;
    }

    location /images {
        root /usr/share;
        autoindex off;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #error_page 500 502 503 504 /50x.html;
    #location = /50x.html {
    #    root /usr/share/nginx/www;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #location ~ \.php$ {
    #    fastcgi_pass 127.0.0.1:9000;
    #    fastcgi_index index.php;
    #    include fastcgi_params;
    #}

    # This block adds a little security.
    # See /usr/share/doc/nginx/examples/drupal for context
    location ~ \..*/.*\.php$ {
        return 403;
    }

    # This is basic PHP block that can be used to handle all PHP
    # requests.
    # See /usr/share/doc/nginx/examples/drupal for context
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        # Intercepting errors will cause PHP errors to appear in Nginx logs
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/tmp/phpcgi.socket;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #location ~ /\.ht {
    #    deny all;
    #}
}

server {
    listen 80; ## listen for ipv4; this line is default and implied
    #listen [::]:80 default ipv6only=on; ## listen for ipv6

    # Make site accessible from http://localhost/
    server_name ssh.domain.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}[/code]

I have also tried without proxy_set_header, but when I try to use my tunnel,
the ssh connection is not established. syslog says:

Jan 11 01:13:26 sd-24129 hts[1746]: hts (httptunnel) 3.3 started with arguments:
Jan 11 01:13:26 sd-24129 hts[1746]: me = /usr/bin/hts
Jan 11 01:13:26 sd-24129 hts[1746]: device = (null)
Jan 11 01:13:26 sd-24129 hts[1746]: port = 8080
Jan 11 01:13:26 sd-24129 hts[1746]: forward_port = 22
Jan 11 01:13:26 sd-24129 hts[1746]: forward_host = localhost
Jan 11 01:13:26 sd-24129 hts[1746]: content_length = 102400
Jan 11 01:13:26 sd-24129 hts[1746]: strict_content_length = 0
Jan 11 01:13:26 sd-24129 hts[1746]: use_std = 0
Jan 11 01:13:26 sd-24129 hts[1746]: debug_level = 0
Jan 11 01:13:26 sd-24129 hts[1746]: pid_filename = (null)
Jan 11 01:16:19 sd-24129 hts[1746]: connection from 127.0.0.1:55239
Jan 11 01:16:29 sd-24129 hts[1746]: tunnel_accept: poll timed out
Jan 11 01:16:29 sd-24129 hts[1746]: tunnel_accept: in_fd = -1, out_fd = 5
Jan 11 01:16:29 sd-24129 hts[1746]: couldn't accept connection: Success

In the terminal used to try to connect, this is what is written:

$ ssh -vvv -p 1234 barmic@localhost
OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /home/b/barretm/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [::1] port 1234.
debug1: connect to address ::1 port 1234: Connection refused
debug1: Connecting to localhost [127.0.0.1] port 1234.
debug1: Connection established.
debug1: identity file /home/b/barretm/.ssh/identity type -1
debug1: identity file /home/b/barretm/.ssh/id_rsa type -1
debug1: identity file /home/b/barretm/.ssh/id_dsa type -1

Finally, /var/log/nginx/access.log says:

XXX.XXX.XXX.XXX - - [11/Jan/2011:01:27:58 +0100] "POST /index.html?crap=1294677214 HTTP/1.0" 400 0 "-" "-"
And error.log is empty.

I don’t know where the problem is. Can you help me please?

Posted at Nginx Forum:
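The `return 403` regex and the commented-out `/\.ht` rule in the configuration above exist to close the usual nginx+PHP hole: handing a URI to FastCGI without checking that it names a real file. Below is that weak PHP location next to a hardened form, written as an added example for this thread rather than code from the post; the socket path is the one from the post, everything else is standard nginx syntax.

```nginx
# Weak form, as in the post above: every URI ending in .php is handed to
# FastCGI whether or not the file exists. With PHP's default
# cgi.fix_pathinfo=1, a request for /images/photo.jpg/x.php makes PHP fall
# back to /images/photo.jpg and run it as a script, so any file a visitor
# can upload (an image, say) becomes executable code.
#location ~ \.php$ {
#    include fastcgi_params;
#    fastcgi_pass unix:/tmp/phpcgi.socket;
#}

# Hardened form: refuse the request unless the resolved path is a real file,
# and tell the backend exactly which file to run.
location ~ \.php$ {
    try_files $uri =404;                      # no such file on disk -> 404, nothing reaches PHP
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_intercept_errors on;              # PHP errors end up in nginx's error log
    fastcgi_pass unix:/tmp/phpcgi.socket;
}

# Never serve dotfiles (.htaccess, .git, ...); the post's commented-out
# /\.ht rule only covered Apache's .ht* files.
location ~ /\. {
    deny all;
}
```

Check the result with `nginx -t` and then request a path such as /images/nonexistent.jpg/x.php: the hardened block answers 404 instead of invoking PHP.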

On 10 Jan 2011 16h45 WET, [email protected] wrote:

Going out in a tangent, if you’re using this config (also) for Drupal,
you’re exposed to a lot of potential security holes.

The configuration is quite messy. How many locations and regexes are
needed for making a request? There’s an example config along these
lines in the current debian nginx package for Nginx on the unstable
release. I’ve procrastinated opening a bug report because of this
messy config because I no longer use the debian package, but roll my
own instead. But something must be done to stop this ugliness from
spreading like wildfire.

You can get a better config by visiting the group
Nginx | Drupal Groups and checking out what’s discussed
there.

It doesn’t solve your tunnel issue, but takes care of security
issues.

If you’re not using this for drupal then just ignore my rant.
— appa

For the moment I don’t have a CMS on my web server. I only have a blog
built with pelican.
The PHP CGI configuration is only there for testing (for more later).

Thanks for your help, I will go to this group to improve my configuration.

Nice day

Posted at Nginx Forum:

Hi,

I’ll be interested in knowing if you successfully manage to connect to
your home ssh server through an HTTP connection with nginx and
httptunnel.

On Mon, Jan 17, 2011 at 10:47, barmic [email protected] wrote:

I use nginx on version 0.6.32 on Debian Lenny.

The latest stable nginx release is 0.8.54 and there’s nothing really
unstable about nginx 0.9.3 (Sid only has 0.8.54), so you lose nothing
by compiling from source. YMMV though, and I only use mine for simple
stuff with a very low number of connections.

Cheers,
Nuno


Mars 2 Stay!

/etc

Hello,

I finally chose to use nginx only as a reverse proxy, but I can’t find
how to transfer a connection to another port. I have hts listening on
0.0.0.0:8081 on my server and I want that, when I launch htc on port 80
of the virtual subdomain ssh.barmic.fr, nginx transfers the connection to
127.0.0.1:8081. This is my new configuration:
/etc/nginx/sites-available/default

[code]upstream default {
  server 127.0.0.1:8080;
}

upstream java {
  server 127.0.0.1:8081;
}

upstream tunnel {
  server 127.0.0.1:8082;
}

server {
  listen   80;
  server_name  *.barmic.fr;

  access_log  /var/log/nginx/barmic.fr.access.log;

  location / {
    proxy_pass http://default;
  }
}

server {
  listen   80;
  server_name  ssh.barmic.fr;

  access_log  /var/log/nginx/ssh.barmic.fr.access.log;

  location / {
    proxy_pass http://tunnel;
  }
}

server {
  listen   80;
  server_name  java.barmic.fr;

  access_log  /var/log/nginx/java.barmic.fr.access.log;

  location / {
    proxy_pass http://java;
  }
}[/code]

and /etc/nginx/nginx.conf (not modified by me):

[code]
user www-data;
worker_processes 1;

error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

access_log  /var/log/nginx/access.log;

sendfile        on;
#tcp_nopush     on;

#keepalive_timeout  0;
keepalive_timeout  65;
tcp_nodelay        on;

gzip  on;

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

}[/code]

I use nginx on version 0.6.32 on Debian Lenny.

Thanks in advance.

Posted at Nginx Forum:

On 17 Jan 2011 10h47 WET, [email protected] wrote:

[code]upstream java {
[...]
worker_processes 1;
default_type application/octet-stream;
gzip on;

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}[/code]

I use nginx on version 0.6.32 on Debian Lenny.

In case you’re interested, here is a 0.9.3 compiled for debian unstable
without SSI, WebDAV and Mail, with AIO, upload progress and upstream
fair.

http://debian.perusio.net (instructions included).

Of course you can grab the source package and build it yourself (YMMV,
I’ve never tried that – I run a mixed lenny/squeeze/sid).

HTH,
— appa

Hello,

I know that the configuration to do this for Apache is:

[code]<VirtualHost *:80>
    # *:80 is assumed; the container lines were stripped from the post
    ServerAdmin [email protected]
    DocumentRoot /var/www
    ServerName ssh.votredomaine.org
    ErrorDocument 404 /deprime.html
    ErrorLog /var/log/apache2/ssh-error.log
    CustomLog /var/log/apache2/ssh-access.log combined

    <Proxy *>
        AddDefaultCharset off
        Order deny,allow
        Allow from all
        #Deny from all
        #Allow from .example.com
    </Proxy>

    ProxyPass / http://localhost:8888
</VirtualHost>[/code]

Maybe somebody knows how to translate this into an nginx configuration.

Posted at Nginx Forum:
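A translation of that Apache vhost into an nginx server block, written as an added example rather than a reply from the thread; it also covers the earlier question of putting the hts listener behind a subdomain. The hostname, upstream port, error page and log names come from the Apache config; the buffering directives are assumptions about what a long-lived httptunnel POST needs, and they require a newer nginx than the 0.6.32 used in the thread.

```nginx
server {
    listen 80;
    server_name ssh.votredomaine.org;            # ServerName

    access_log /var/log/nginx/ssh-access.log;    # CustomLog ... combined (nginx's default format)
    error_log  /var/log/nginx/ssh-error.log;     # ErrorLog

    # ErrorDocument 404 /deprime.html, served from DocumentRoot /var/www
    error_page 404 /deprime.html;
    location = /deprime.html {
        root /var/www;
    }

    # ProxyPass / http://localhost:8888
    location / {
        # <Proxy *> with "Allow from all". If the tunnel endpoint should only
        # be reachable from known clients, list them instead (placeholder
        # network shown):
        #   allow 192.0.2.0/24;
        #   deny  all;

        proxy_pass http://127.0.0.1:8888;
        proxy_redirect off;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # hts keeps one POST open and streams the SSH session through it.
        # By default nginx reads the whole request body before contacting the
        # upstream, which holds such a POST until it is complete. Forwarding
        # the body as it arrives needs proxy_request_buffering, available
        # from nginx 1.7.11 (not on the 0.6.32 used in this thread).
        proxy_request_buffering off;
        proxy_buffering off;             # pass the response stream through as well
        proxy_read_timeout 300s;         # how long an idle tunnel may stay open; tune as needed
    }
}
```

Validate with `nginx -t` before reloading; on a version without `proxy_request_buffering` the test fails on that directive, which tells you the tunnel cannot be streamed through that nginx.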