HAProxy - High Availability Proxy
=================================

It's like nginx for tcp. It understands http, but it's not a webserver. For example, it doesn't serve static files.
sslh (SSL + SSH = SSLH)
=======================

It listens on a specified port (generally 0.0.0.0:443) and inspects encrypted TLS (which is almost always called SSL, even though it is the unrelated successor to SSL) packets for the plaintext "SSH-2.0" header that every SSH hello packet begins with. Any such packet would be proxied to SSH (generally 127.0.0.1:22) and all other packets would be forwarded to a web server (generally 127.0.0.1:443 or 127.0.0.1:8443).

SNI - Server Name Indication
============================

This is a bit of plaintext that is part of the TLS 1.2 spec and that allows any https or other TLS client to request a particular certificate from the server. Without this, HAProxy and other virtual hosting software would have no way to know which of the dozens or hundreds of certificates they manage to issue to the client, and then you'd always get a red broken lock icon in your browser because the certificate wouldn't match.

Reverse VPN - aka Virtual Public Network
========================================

A Virtual *Private* Network sits at or inside a corporate firewall and allows laptops sitting at McDonald's or in another business to connect and access physical resources - such as a printer, workstation, or server sitting physically behind the firewall - as though they were sitting in the office rather than on the firewalled internet.

A Reverse VPN is when you sit the VPN server out on the cloud, which allows devices on the internet to access a device which is on a private network as though it were on the public internet rather than in the office behind a firewall.

Alternative solutions would include STUN, STUNT, TURN, NAT-PMP, UPNP, SOCKS5, and stunnel.

Let's say I have a sucky internet connection at home, so I bring my pocket cloud server to work and stick it on my desk and plug it in. A Reverse VPN is probably the only solution that will work to allow you to access https://coolaj86.com running on my pocket cloud from inside such a constricted network.
STUN, STUNT
===========

Hole punching techniques for firewalls. They're pretty much unsupported and useless.

SOCKS5
======

A VPN somewhat hijacks your network settings. All of your computer behaves as if it exists physically inside the office, even though you're in McDonald's (this is configurable, but that's the common case). All web page requests, email connections, etc. go transparently through the VPN and actually use the network connection inside the office. If you visit https://api.ipify.org from your laptop in McDonald's while connected to the VPN, you would see the office IP, not the McDonald's IP.

SOCKS5 does the same thing, but only for clients that request to use the proxy. I could configure Firefox and even OpenVPN (waaah, virtual network-ception!!!) to use a SOCKS5 proxy by passing a command-line argument to them or changing settings in the GUI. In this case Firefox thinks it's inside the office, but Chrome still thinks it's in McDonald's. Each application has to have explicit support for SOCKS5 in order to use it.

    ssh -N -D <local iface>:<port> <user>@<home server>
    ssh -N -D localhost:6789 [email protected]

https://coolaj86.com/articles/access-web-pages-through-your-home-network-via-ssh/

TURN
====

A kind of brute-force firewall holepunch that always works - somewhat similar to SOCKS5.

UPNP, NAT-PMP
=============

UPNP is the HTTP over UDP configuration protocol for home routers that kindly asks a router for permission to use a specific port. It can also tell an application its public-facing ip address without the use of https://api.ipify.org. It's supported ubiquitously by almost every D-Link, Cisco/Linksys, Netgear, Google Fiber Network Box, and consumer home router. NAT-PMP is Apple's flavor of UPNP, y'know, because they have to Think Different TM and all. It's based on mDNS rather than HTTP over UDP.
Pocket Cloud
============

This is a term I'm inventing to refer to a device that automatically resumes cloud services any time you plug it into an internet connection - no matter whether it's behind a UPNP or NAT-PMP configurable router, or the strictest confines of a school, church, or corporate network. I could connect my pocket cloud at a friend's house, at work, or even McDonald's and host my blog, video calls, or even a pirate internet radio station with an app on the device. Anywhere in the world and under any conditions I can have a peer-to-peer or client-server connection.

How these things relate
=======================

https://coolaj86.com/articles/access-web-pages-through-your-home-network-via-ssh/

I'm building a commercial home and pocket cloud system. Whenever they turn on they check to see if they already have a public ip (eventually this could be possible via a 3G / LTE connection), if they can kindly request public ports from the router, or if they need to brute force through by using a Reverse VPN.

If you're sitting in the Provo Public Library you would find that port 1194 is blocked, 22 is blocked, and pretty much every port except 53, 80, 443, and 5050 (which I discovered accidentally) is blocked. In this case a Reverse VPN alone isn't good enough. It needs to run on port 443 - but the https server also needs to run on 443. sslh would make that possible, but the cloud proxy server needs to serve many different users. HAProxy makes this possible.

Even still, some firewalls look at an OpenVPN packet (which wraps TLS packets, not the other way around) or an SSH packet (with the glaring "SSH-2.0" as the first 7 bytes) and decide "none shall pass". But I decide "shall too pass, ß#$%^!!!". On the pocket cloud I can use SSH's ProxyCommand with openssl s_client to tunnel SSH over HTTPS. Even layer-7 firewalls can't detect this. Then I can tunnel unencrypted OpenVPN (since it's already doubly encrypted via HTTPS and SSH anyway) through to the proxy cloud server.
HAProxy listens on port 80 (which will only redirect to 443) and 443, which looks at SNI. It can then determine that alice.example.com should be routed to the openvpn ip address associated with whichever pocket cloud is registered to alice.example.com. And, in fact, using domains such as ssh.alice.example.com and vpn.alice.example.com, it then becomes possible to run the whole process in reverse as well, but that's more into complete geekery and not the simple case of "I want to be able to serve my blog and vacation photos and music from work".

LetsEncrypt.org
===============

And the abundance of HTTPS certificates that sounds like it would cost hundreds of dollars is all free, thanks to letsencrypt.org.

And Beyond
==========

If you want to get *really* crazy, I believe that you could technically even use stunnel or similar to run this entire process over udp 53 and host your pirate radio station from an unpaid go-go inflight wifi connection. If they found out you might end up in jail, because that's borderline malicious hackery, but I've read that others have done it.

AJ ONeal
(317) 426-6525

On Sat, Jul 4, 2015 at 4:15 AM, Dan Egli <[email protected]> wrote:

> Okay, I've been watching this thread, and most of it I understand. But I
> have to admit I've never heard of HAProxy, sslh, SNI, or a Reverse VPN.
> Would someone care to illuminate me on these, please? I thought I'd heard
> of most Linux related ideas, but these are totally new to me.
>
>
> --- Dan
>
> On Thu, Jul 2, 2015 at 11:29 AM, AJ ONeal (Home) <[email protected]>
> wrote:
>
> > I don't need a guru for the part I'm currently stuck on.
> >
> > Why don't these SNI rules work 100% of the time?
> > https://gist.github.com/coolaj86/2faa07aa535e6dc04639
> >
> > See also https://marc.info/?l=haproxy&m=143586100819897&w=2
> >
> > AJ ONeal
> > (317) 426-6525
> >
> > /*
> > PLUG: http://plug.org, #utah on irc.freenode.net
> > Unsubscribe: http://plug.org/mailman/options/plug
> > Don't fear the penguin.
> > */
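The two demultiplexing checks this thread describes, sslh's "SSH-2.0" banner match and HAProxy's SNI routing, as an added Python example that is not code from the original post: it constructs a TLS ClientHello inline, pulls the SNI name out of it, and picks a backend from an assumed routing table (the BACKENDS map and its addresses are made up for illustration).

```python
# Added example (not code from the original post): the two plaintext peeks this
# thread relies on, made on a connection's first bytes before anything is decrypted.
# sslh matches the "SSH-2.0" banner; HAProxy reads SNI from the TLS ClientHello.
import struct

BACKENDS = {  # hypothetical SNI -> backend map (constructed)
    "alice.example.com": "10.8.0.2:443",  # alice's pocket cloud over the reverse VPN
    "ssh.alice.example.com": "10.8.0.2:22",
}

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record that carries an SNI extension."""
    name = hostname.encode("ascii")
    sni = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name + name
    sni = struct.pack("!H", len(sni)) + sni                   # server_name list
    ext = struct.pack("!HH", 0, len(sni)) + sni               # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"              # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"               # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 0x16 = handshake

def sni_from_client_hello(data: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:                # handshake record, ClientHello
            return None
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        pos = 38                                              # past type, len, version, random
        pos += 1 + hs[pos]                                    # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher suites
        pos += 1 + hs[pos]                                    # compression methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0:   # server_name: list len(2), name_type(1), name len(2), name
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_size
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                  # truncated/malformed: no SNI
    return None

def route(first_bytes: bytes) -> str:
    """Pick a backend from the first bytes of a connection: sslh check, then SNI lookup."""
    if first_bytes.startswith(b"SSH-2.0"):                    # what sslh looks for
        return "127.0.0.1:22"
    return BACKENDS.get(sni_from_client_hello(first_bytes), "127.0.0.1:8443")
```

A client that omits SNI, or a truncated first read, falls through to the default web backend, which is the same failure mode the quoted gist question is about.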
