Tutorial page for using LE with Remote Port Forwarding?

i need to remote port forward a storage server with SSL in order to serve images and videos. i have looked for a tutorial on how to do this, but not yet found one. i would be most grateful if someone could point me to a suitable tutorial.

thanks,
julian


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rpf01.getzap.co

I ran this command: i am looking for a help page so i have not run any commands yet

It produced this output:

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is: (not sure that it is applicable, but it is Digital Ocean)

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): haven’t got there yet

Could you explain what you mean by remote port forward?

It seems that you have a CentOS 7 server running somewhere. Is it at home behind a residential NAT router/modem?

@_az: you are correct that i have a Centos server behind a domestic NAT modem, which i want to use for heavy processing (ffmpeg conversion) and file storage. my public digital ocean droplet is low powered and has only limited storage space and i want to stop using S3 and operate my own storage.

ssh remote port forward allows the domestic centos machine to serve web pages and files to the public with http, but i need it to serve files with https (otherwise my site will appear insecure and it must run https for the getusermedia() function to work, which we use to create the video in the first place).

i may be able to get LE to work manually, but i would rather try the automated method first, but i foresee problems because the vhost config file on the domestic server will not have the public domain on it (or if it did, it surely would not resolve correctly - or perhaps it would?). i could make just one vhost on the apache server and make sure it was the default. perhaps by being the default site that might work. the trouble is i am just guessing because i do not have any deep knowledge of LetsEncrypt.

any practical thoughts on how to proceed will be gratefully received.
yours, julian

If I understand right, the droplet does nothing except serve as a public endpoint for your reverse tunnel, which connects up to your Apache server running at home?

i.e. You are doing something like:

ssh -N -T -R80:localhost:80 your.droplet.com

yes, that is all correct and the ssh command is exactly right. however, i am expecting also to create a second tunnel for the 443 port in the same command like this:

ssh -N -T -R80:localhost:80 -R443:localhost:443 your.droplet.com

but perhaps this is not necessary? somehow though the https connection is surely going to require a connection to 443, hence my thought above.

anyway, it sounds like you know exactly what i am trying to do. have you done this yourself and/or can you advise me on the following: a) is it possible to use LE in this setup? and if so, b) can you advise me how to proceed?

thanks, julian

Yes, you’d need to forward 443 as well.

At the end of the day, this is just a simple TCP proxy. Let’s Encrypt doesn’t care what’s happening under the covers with tunneling, as long as it can connect to your domain on port 80. Following https://certbot.eff.org/lets-encrypt/centosrhel7-apache (on your local machine, not on the droplet) should just work.

If you are listening on a non-80 HTTP port on the local machine, you may need to use Certbot’s --http-01-port <the port> flag, but otherwise, I think everything should work normally.

Your domain (rpf01.getzap.co) is busted and doesn’t resolve for me btw, something is wrong with its nameserver or DNS setup.

thanks! i will try out what you suggest. i will stick with ports 80 and 443 for now, though eventually it might be useful to try non-standard ports.

thanks for pointing out that rpf01.getzap.co wasn’t resolving. i have fixed it now (i hope) and it should ripple through soon (though it still isn’t working for me).

yours, julian

Yeah you might have to contact Namecheap about that one, it’s their own nameservers producing a SERVFAIL for your domain.

yes! it wouldn’t be the first time, either.

i will ping them right now and try to get it sorted out as i cannot continue LE if the DNS doesn’t work. i think i can guess why too - i have had this trouble before when using a new domain and the root and www subdomains are still parked, which they are in this case.

jd

DNS is now working. my next problem, which has nothing to do with LE, is that i cannot get my public box to listen on port 80, or indeed any port below 1024 because i am not using root to set up the ssh tunnel on the public droplet. as far as i can tell, the only way to port forward to port 80 or 443 on the public droplet is to connect as root on the public box. i can do this, but i am very unhappy about it.

in order to avoid having to connect an SSH port forward as root (on the public droplet), i have used socat (running as root on the public droplet) to forward an incoming unprivileged port (from the domestic server) to the privileged port 80 (on the droplet). the result is that i now have my domestic server appearing cleanly on port 80 of the droplet. it’s a bit clunky, but it seems to work. in case this helps anyone else, here are my test commands:

run as root on the public droplet:
socat TCP-LISTEN:80,fork TCP:localhost:3010

run on domestic server behind NAT modem and connecting to the droplet as user ‘abcdef’:
ssh -N -T -R3010:localhost:80 your-user-name@your-public-server.com

the above won’t show up on web in future because it’s on a test server which will shortly be switched off. regarding security, from what i can tell it is not a security risk to run socat as root on the public server, but i may be wrong. if anyone thinks running socat as root is problematic, please tell me.

now i think/hope i am ready to try the LetsEncrypt part.

Looks good to me. certbot --apache should just work now. Don't forget to setup the port 443 reverse tunnel as well before setting up an HTTP->HTTPS redirect, otherwise your site will become inaccessible.

Something has to bind 80 with higher privileges, at the end of the day. You could reduce that privilege level with CAP_NET_BIND_SERVICE via setcap or a systemd service, but may as well get the other parts to work first.

it’s worked!

the following url will only be alive till i shut down for the night, but here it is anyway:
https://rpf01.getzap.co/

thank you so much, _az, i really appreciate the support and help.

re CAP_NET_BIND_SERVICE or systemd service, i thought of those and did some research on them, but i have never used them in this way, and socat looked easier. however, now that https is working with remote port forwarding, i will look into making the backend as secure and elegant as i can and also automate the procedure.

this will include making the ssh tunnel persistent. in that regard, i have heard that autossh is something to look into.

if i stick with socat then i would prefer to run the two socat commands from one line, but i will need to check whether this is possible. if i need to make socat persistent i presume that appending & at the end of the command will work, and then i will write a bash script to detect the PID and make it easy to kill the process(es) without having to keep a hand-written log of them.

thanks again, julian

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.