[TriLUG] serving multiple HTTPS sites on same server with redirection

Aaron Joyner aaron at joyner.ws
Mon May 20 23:16:36 EDT 2013


I believe the answer is in the iptables man page, where the REDIRECT target
is described as follows:

REDIRECT
This target is only valid in the nat table, in the PREROUTING and OUTPUT
chains, and user-defined chains which are only called from those chains.
 It redirects the packet to the machine itself by changing the destination
IP to the primary address of the incoming interface (locally-generated
packets are mapped to the 127.0.0.1 address).

In particular, note the second sentence above.  It's going to do exactly as
you describe, the packets will always flow to eth0's IP (x.x.x.5).

Depending on your needs, SNI may not provide broad enough coverage.  In
particular, it will work for Win XP users on IE.  If you're willing to
throw connections from those users in the dust bin (which you probably
should be, at this point), then SNI is ready for prime time.  If not, read
on...

There are a couple of ways to do what you want, specifically to allow the
webmaster-guy to control apache but not be root, without going down the
SNI road just yet.  One solid way of achieving this is to allow his copy of
Apache to bind to ports less than 1024 using Linux Capabilities (setcap).
 If he's rebuilding Apache on a regular basis, or wants to do so w/o
involving you to setcap on a new binary for him, you can allow him to call
setcap with sudo.  The beauty of this is it allows him to run arbitrary
code on your box, and to let that code bind to sub-1024 ports, but it
*doesn't* allow him to run arbitrary code directly with sudo[1].

If you still really want to go the port forwarding route, you can use the
DNAT target rather than the REDIRECT target, which allows you to specify a
destination ip:port pair.

Both the setcap method and port forwarding with DNAT are detailed on the
helpful Apache Wiki:
http://wiki.apache.org/httpd/NonRootPortBinding

G'luck!
Aaron S. Joyner

1 - Note: if he's particularly sneaky, and this box is multipurpose
(running an NFS server, for example), he may be able to parlay that
sub-1024 port binding capability into a privilege escalation on this box or
another box that trusts it... but it's not a straight-forward path by any
means.
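The two routes described above (a file capability on the Apache binary plus a pinned sudoers entry, and DNAT instead of REDIRECT) as shell helpers; this is an added example, not part of the original post, and the binary path /opt/apache/bin/httpd, the user name webmaster, the setcap location /sbin/setcap and the x.x.x.6 address are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the two non-root options
# discussed above as shell helpers. Paths, user name and IPs are assumed.
HTTPD=${HTTPD:-/opt/apache/bin/httpd}   # hypothetical: the webmaster's own Apache build

# Run a command, or just print it when DRY_RUN=1 (setcap/iptables need root).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Option 1: file capability. Grants only CAP_NET_BIND_SERVICE (bind to ports
# < 1024) to this binary; the process still runs as the webmaster's uid, so
# this is neither setuid root nor "sudo httpd".
grant_bind_cap() { run setcap cap_net_bind_service=+ep "$1"; }

# Check whether the capability is on the binary (getcap prints nothing if not).
# Note: file capabilities are ignored on filesystems mounted nosuid.
has_bind_cap() { getcap "$1" 2>/dev/null | grep -q cap_net_bind_service; }

# sudoers line so the webmaster can re-apply the capability after rebuilding
# Apache. Pinning the arguments matters: an unrestricted "setcap" would let
# him grant any capability to any file. The '=' inside a sudoers word must be
# backslash-escaped, hence the literal '\=' in the argument.
sudoers_line() {
  printf '%s ALL=(root) NOPASSWD: /sbin/setcap %s %s\n' \
    "$1" 'cap_net_bind_service\=+ep' "$2"
}

# Option 2: DNAT instead of REDIRECT. REDIRECT always rewrites the destination
# to the incoming interface's primary address; DNAT lets each public IP map to
# its own ip:port, so a second Apache on a high port is reachable on its own IP.
# (PREROUTING only sees inbound packets; locally generated test traffic would
# need a matching rule in the OUTPUT chain.)
dnat_rule() {
  # $1 = public IP, $2 = public port, $3 = target ip:port
  echo "iptables -t nat -A PREROUTING -d $1 -p tcp --dport $2 -j DNAT --to-destination $3"
}

# Usage (as root, or with DRY_RUN=1 to preview):
#   grant_bind_cap "$HTTPD" && has_bind_cap "$HTTPD" && echo "capability set"
#   sudoers_line webmaster "$HTTPD"       # append to /etc/sudoers.d/webmaster
#   dnat_rule x.x.x.6 443 x.x.x.6:8443    # placeholder addresses
```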
