proxytunnel on Debian
I previously wrote about how to use proxytunnel on CentOS; this time I set up Apache on Debian to accept proxytunnel connections. Quite a few things differ from CentOS.
Edit /etc/apache2/sites-enabled/000-default-ssl as follows:
    <IfModule mod_ssl.c>
    # for proxytunnel
    <VirtualHost *:443>
        ServerName hoge.hoge.net:443
        DocumentRoot "/var/www"
        ServerAdmin watashi@localhost

        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        # Only ever allow incoming HTTP CONNECT requests.
        # Explicitly deny other request types like GET, POST, etc.
        # This tells Apache to return a 403 Forbidden if this virtual
        # host receives anything other than an HTTP CONNECT.
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} !^CONNECT [NC]
        RewriteRule ^/(.*)$ - [F,L]

        # Setup proxying between yourwebserver:8443 and yoursshserver:22
        ProxyRequests On
        ProxyBadHeader Ignore
        ProxyVia Full

        # IMPORTANT: The AllowCONNECT directive specifies a list
        # of port numbers to which the proxy CONNECT method may
        # connect. For security, only allow CONNECT requests
        # bound for port 22.
        AllowCONNECT 22

        # IMPORTANT: By default, deny everyone. If you don't do this
        # others will be able to connect to port 22 on any host.
        <Proxy *>
            Order deny,allow
            Deny from all
        </Proxy>

        # Now, only allow CONNECT requests bound for kolich.com
        # Should be replaced with yoursshserver.com or the hostname
        # of whatever SSH server you're trying to connect to. Note
        # that ProxyMatch takes a regular expression, so you can do
        # things like (kolich.com|anothersshserver.com) if you want
        # to allow connections to multiple destinations.
        <ProxyMatch (hoge.hoge.net|hoka.hoka.jp|192.168.xx.1)>
            Order allow,deny
            Allow from all
        </ProxyMatch>

        # Logging, always a good idea.
        LogLevel warn
        ErrorLog /var/log/apache2/tun-proxy_error_log
        CustomLog /var/log/apache2/tun-proxy_request_log combined
    </VirtualHost>
    </IfModule>
Create the following symbolic links in /etc/apache2/mods-enabled:
    proxy.conf proxy.load proxy_connect.load proxy_http.load rewrite.load
With this, proxytunnel can be used just as on CentOS. I may have specified some unnecessary modules, but please forgive me for that; I am not an Apache expert.
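
The ProxyMatch allow-list in the configuration is a regular expression, so which destinations it admits depends on anchoring and on how the dots are written. The following is an added example, not part of the original post: it audits the page's pattern against constructed CONNECT targets and compares it with an anchored, escaped variant. The helper names, the sample targets, and the assumption that the pattern is tested against the CONNECT target in host:port form are mine.

```python
import re

# ProxyMatch pattern exactly as it appears in the config on this page.
PAGE_PATTERN = r"(hoge.hoge.net|hoka.hoka.jp|192.168.xx.1)"

# Hosts the page intends to allow (192.168.xx.1 is the page's own placeholder).
INTENDED_HOSTS = ["hoge.hoge.net", "hoka.hoka.jp", "192.168.xx.1"]


def anchored_pattern(hosts, port=22):
    """Build a pattern that matches only the listed hosts on one port."""
    alternatives = "|".join(re.escape(h) for h in hosts)
    return rf"^({alternatives}):{port}$"


def allowed(pattern, target):
    """Apache applies the regex as an unanchored search, like re.search.
    Assumption: the string tested is the CONNECT target, 'host:port'."""
    return re.search(pattern, target) is not None


def audit(pattern, targets):
    """Return the targets the pattern would let through."""
    return [t for t in targets if allowed(pattern, t)]


# Constructed CONNECT targets: two intended, three that should be refused.
SAMPLE_TARGETS = [
    "hoge.hoge.net:22",
    "hoka.hoka.jp:22",
    "hoge.hoge.net.other.example:22",  # intended name used as a prefix
    "hogeXhoge.net:22",                # '.' in the regex matches any character
    "unrelated.example:22",
]

if __name__ == "__main__":
    strict = anchored_pattern(INTENDED_HOSTS)
    print("page pattern allows  :", audit(PAGE_PATTERN, SAMPLE_TARGETS))
    print("strict pattern       :", strict)
    print("strict pattern allows:", audit(strict, SAMPLE_TARGETS))
```

Before relying on a tightened pattern, confirm it against the running server by checking which CONNECT requests appear in tun-proxy_request_log as allowed or refused.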