比例道

月に1回更新します

debianでproxytunnel

以前CentOSでのproxytunnel使い方を書いたが,今回はdebian上のapacheにproxytunnel受信を準備した.CentOSとはいろいろ違っている.

/etc/apache2/site-enabled/000-default-sslを以下のように編集


 

 

<IfModule mod_ssl.c>

for proxytunnel

<VirtualHost *:443>

ServerName hoge.hoge.net:443 DocumentRoot “/var/www” ServerAdmin watashi@localhost

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Only ever allow incoming HTTP CONNECT requests.

Explicitly deny other request types like GET, POST, etc.

This tells Apache to return a 403 Forbidden if this virtual

host receives anything other than an HTTP CONNECT.

RewriteEngine On RewriteCond %{REQUEST_METHOD} !^CONNECT [NC] RewriteRule ^/(.*)$ - [F,L]

Setup proxying between youwebserver:8443 and yoursshserver:22

ProxyRequests On ProxyBadHeader Ignore ProxyVia Full

IMPORTANT: The AllowCONNECT directive specifies a list

of port numbers to which the proxy CONNECT method may

connect. For security, only allow CONNECT requests

bound for port 22.

AllowCONNECT 22

IMPORTANT: By default, deny everyone. If you don’t do this

others will be able to connect to port 22 on any host.

<Proxy *> Order deny,allow Deny from all </Proxy>

Now, only allow CONNECT requests bound for kolich.com

Should be replaced with yoursshserver.com or the hostname

of whatever SSH server you’re trying to connect to. Note

that ProxyMatch takes a regular expression, so you can do

things like (kolich.com|anothersshserver.com) if you want

to allow connections to multiple destinations.

<ProxyMatch (hoge.hoge.net|hoka.hoka.jp|192.168.xx.1)> Order allow,deny Allow from all </ProxyMatch>

Logging, always a good idea.

LogLevel warn ErrorLog /var/log/apache2/tun-proxy_error_log CustomLog /var/log/apache2/tun-proxy_request_log combined

</VirtualHost> </IfModule>


 

/etc/apache2/mods-enabledに以下のシンボリックリンクを作成

proxy.conf proxy.load proxy_connect.load Proxy_http.load rewrite.load

 

これでCentOSと同じようにproxytunnelが使えるようになる.もしかしたら,不要なモジュールを指定しているかもしれないが,それは勘弁してほしい.apacheに詳しい訳じゃあないので.