[TriLUG] serving multiple HTTPS sites on same server with redirection

Blackburn, Marvin mblackburn at glenraven.com
Fri Jun 7 15:35:28 EDT 2013


Aaron,
I meant to reply earlier.  The web master was able to get SNI to work for him and we can use redirection.
Thanks for the help.

-----Original Message-----
From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org] On Behalf Of Aaron Joyner
Sent: Monday, May 20, 2013 11:17 PM
To: Triangle Linux Users Group General Discussion
Subject: Re: [TriLUG] serving multiple HTTPS sites on same server with redirection

I believe the answer is in the iptables man page, where the REDIRECT target
is described as follows:

REDIRECT
This target is only valid in the nat table, in the PREROUTING and OUTPUT
chains, and user-defined chains which are only called from those chains.
It redirects the packet to the machine itself by changing the destination
IP to the primary address of the incoming interface (locally-generated
packets are mapped to the 127.0.0.1 address).

In particular, note the second sentence above.  It's going to do exactly as
you describe, the packets will always flow to eth0's IP (x.x.x.5).

Depending on your needs, SNI may not provide broad enough coverage.  In
particular, it will work for Win XP users on IE.  If you're willing to
throw connections from those users in the dust bin (which you probably
should be, at this point), then SNI is ready for prime time.  If not, read
on...

There are a couple of ways to do what you want, specifically to allow the
webmaster-guy to control apache but not be root, without going down the
SNI road just yet.  One solid way of achieving this is to allow his copy of
Apache to bind to ports less than 1024 using Linux Capabilities (setcap).
If he's rebuilding Apache on a regular basis, or wants to do so w/o
involving you to setcap on a new binary for him, you can allow him to call
setcap with sudo.  The beauty of this is it allows him to run arbitrary
code on your box, and to let that code bind to sub-1024 ports, but it
*doesn't* allow him to run arbitrary code directly with sudo[1].

If you still really want to go the port forwarding route, you can use the
DNAT target rather than the REDIRECT target, which allows you to specify a
destination ip:port pair.

Both the setcap method and port forwarding with DNAT are detailed on the
helpful Apache Wiki:
http://wiki.apache.org/httpd/NonRootPortBinding

G'luck!
Aaron S. Joyner

1 - Note: if he's particularly sneaky, and this box is multipurpose
(running an NFS server, for example), he may be able to parlay that
sub-1024 port binding capability into a privilege escalation on this box or
another box that trusts it... but it's not a straight-forward path by any
means.
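The two non-root approaches from Aaron's reply (CAP_NET_BIND_SERVICE via setcap with a sudo rule pinned to one binary, and DNAT instead of REDIRECT so each site keeps its own address), as an added shell example that is not code from the thread or from the Apache wiki page; the account name, the httpd path, /sbin/setcap and the 192.0.2.x address are assumptions.

```shell
#!/bin/sh
# Added example, not code from the TriLUG thread or the Apache wiki page.
# Assumptions: the webmaster's account, his httpd path, /sbin/setcap and the
# 192.0.2.x address are all made up for illustration.
WEBMASTER=webmaster                          # assumed unprivileged account
HTTPD=/home/webmaster/apache/bin/httpd       # assumed location of his own build
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the commands, 0 = run them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Option 1: give one binary only CAP_NET_BIND_SERVICE so it can bind :80/:443
# as a normal user.  Refuse relative paths and group/other-writable files:
# anyone who can replace the file inherits the capability.
grant_bind_cap() {
    bin="$1"
    case "$bin" in /*) ;; *) echo "grant_bind_cap: absolute path required" >&2; return 1;; esac
    if [ "$DRY_RUN" != 1 ]; then
        [ -f "$bin" ] || { echo "grant_bind_cap: not a regular file: $bin" >&2; return 1; }
        if [ -n "$(find "$bin" \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "grant_bind_cap: $bin is group/other writable, refusing" >&2; return 1
        fi
    fi
    run setcap cap_net_bind_service=+ep "$bin"
    run getcap "$bin"       # verify: should list cap_net_bind_service+ep
}

# sudoers entry so he can re-apply the capability after rebuilding Apache.
# Pin both the capability and the path: an unrestricted
# "webmaster ALL=(root) /sbin/setcap" would let him put cap_setuid or
# cap_sys_admin on any binary, which is root by another route.
sudoers_line() {   # user binary
    printf '%s ALL=(root) NOPASSWD: /sbin/setcap cap_net_bind_service=+ep %s\n' "$1" "$2"
}

# Option 2: DNAT keeps the per-site destination address (REDIRECT would
# rewrite it to eth0's primary IP), so each site can land on its own
# high-port Apache instance.
dnat_rule() {   # site_ip public_port backend_port
    printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$1" "$2" "$1" "$3"
}

grant_bind_cap "$HTTPD"
sudoers_line "$WEBMASTER" "$HTTPD"
dnat_rule 192.0.2.6 443 8443
```

Run with DRY_RUN=0 as root to apply the setcap step; the sudoers line still has to be added through visudo, and the DNAT backend must be listening on the site address at the chosen high port.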