Michael Thompson wrote:
This system has DNS records for ssh.server.co.uk and www.server.co.uk, so can I use IPTables or similar to recognise if it is being connected to via ssh.server.co.uk on port 443 and forward the traffic to port 22? If www.server.co.uk:443 is used, apache gets the traffic? Or is this (as I suspect) impossible?

If ssh.server.co.uk and www.server.co.uk have different IP addresses, then sure, iptables will work; it works on layers 3 and 4 of the OSI model.

However, if your two names share the same IP address, the reason apache can handle the virtual sites is because it's working on layer 7 of the OSI model, i.e. the application layer.

panix.com has a custom little app that listens on port 80. In its cleverness, it determines if the connecting client is a web browser or an ssh client. If it's ssh, it hands off the connection to sshd; if it's a web browser, it hands it off to apache.

The concept is simple: ssh and www-browser send $STUFF to the server before getting a response. If the first few bytes the server receives aren't (GET, PUT, HEAD), then it must be an ssh client.

I wrote a daemon kludge a few years back to fix a b0rked commercial app that ran fine under linux, but its GUI client interface didn't. The SCO version of the GUI server accepted some extra state information the client would send. The Linux version of the GUI server didn't like this extra state information. My little kludge happily pretended to be the GUI server and relayed what it received to the real server process; however, if it ever received any extra state information, it simply threw it away so the linux GUI server didn't have to deal with it.

Something similar could be designed for your case. Instead, the little daemon would just listen for connects; after reading the first few bytes, it would determine if the connection was an ssh or web one, then fork off an sshd or apache process to handle the input. In either case, you would have to set up sshd and apache to work as if they were called from inetd.conf, because in effect those services wouldn't be controlling the port, they would just be doing stdin<->stdout.

I'm not sure how apache would handle the log information, though. (how would apache know the ip address of the connection?)

--
[email protected] mailing list
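Added example, not from this thread and not panix.com's tool: a small Python demultiplexer for the handoff described in the reply above. It peeks at the first bytes of each connection and relays SSH to sshd and plain HTTP to apache; going beyond the reply, it also recognises a TLS ClientHello and relays it to an HTTPS listener, since a real port-443 web client speaks TLS rather than sending a bare GET. The backend addresses (127.0.0.1:22, :80 and :8443) are assumptions.

```python
"""Port-443 demultiplexer: peek at the first bytes of a connection, decide
whether the client speaks SSH, plain HTTP or TLS, and relay it to the right
local backend. Assumed (not part of the thread): sshd on 127.0.0.1:22,
apache on 127.0.0.1:80 (plain HTTP) and an HTTPS listener on 127.0.0.1:8443."""
import socket
import threading

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ")
BACKENDS = {"ssh": ("127.0.0.1", 22), "http": ("127.0.0.1", 80),
            "tls": ("127.0.0.1", 8443)}  # assumed backend addresses

def classify(first_bytes: bytes) -> str:
    """An SSH client opens with a version string such as b"SSH-2.0-...";
    an HTTP client opens with a request line such as b"GET / HTTP/1.1";
    a TLS client opens with a handshake record: content type 0x16, version 0x03.
    Anything else (including an empty peek) is 'unknown' and is dropped."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    if first_bytes.startswith(b"\x16\x03"):
        return "tls"
    return "unknown"

def pump(src, dst):
    """Copy bytes one way until EOF, then close the write side of dst."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(client):
    client.settimeout(5)  # a client that sends nothing within 5s is dropped
    try:
        head = client.recv(16, socket.MSG_PEEK)  # look without consuming
    except OSError:
        head = b""
    kind = classify(head)
    if kind == "unknown":
        client.close()
        return
    backend = socket.create_connection(BACKENDS[kind])
    client.settimeout(None)
    threading.Thread(target=pump, args=(client, backend), daemon=True).start()
    pump(backend, client)  # backend -> client; the peeked bytes go with client -> backend

def serve(bind=("0.0.0.0", 443)):
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind)
    srv.listen()
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle, args=(conn,), daemon=True).start()

if __name__ == "__main__":
    serve()
```

Because the relay opens a fresh connection to each backend, sshd and apache see 127.0.0.1 as the peer, which is exactly the logging problem raised at the end of the reply.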
