Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  nodelist  faq  login

There are new messages.


computers / comp.security.ssh / Re: SSH tunnel to secure RPC traffic on HTTPS url

SubjectAuthor
* SSH tunnel to secure RPC traffic on HTTPS urlJonathan Larsen
+- Re: SSH tunnel to secure RPC traffic on HTTPS urlJonathan Larsen
`- Re: SSH tunnel to secure RPC traffic on HTTPS urlGrant Taylor

1
Subject: SSH tunnel to secure RPC traffic on HTTPS url
From: Jonathan Larsen
Newsgroups: comp.security.ssh
Date: Tue, 11 May 2021 02:29 UTC
X-Received: by 2002:a37:270d:: with SMTP id n13mr25229979qkn.146.1620700173115; Mon, 10 May 2021 19:29:33 -0700 (PDT)
X-Received: by 2002:a9d:d0e:: with SMTP id 14mr24588894oti.12.1620700172720; Mon, 10 May 2021 19:29:32 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!feeder1.feed.usenet.farm!feed.usenet.farm!tr3.eu1.usenetexpress.com!feeder.usenetexpress.com!tr1.iad1.usenetexpress.com!border1.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.security.ssh
Date: Mon, 10 May 2021 19:29:32 -0700 (PDT)
Injection-Info: google-groups.googlegroups.com; posting-host=73.98.198.161; posting-account=1tImgQoAAAB7-c2DTzd2a1rEL0p_z7xS
NNTP-Posting-Host: 73.98.198.161
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <77a7395e-6494-4d8d-88e3-3a28a6991dcan@googlegroups.com>
Subject: SSH tunnel to secure RPC traffic on HTTPS url
From: agentc...@gmail.com (Jonathan Larsen)
Injection-Date: Tue, 11 May 2021 02:29:33 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Lines: 80
View all headers
Hello.  I've been struggling to implement a secure solution for communication on RPC.
The server application that I am running is using RPC specifically on 127.0..0.1 on port 10854.
For those that might need to access my RPC server, the URL I want to give them is: https://cortex-coeus.asuscomm.com:8545
FWIW, http://{LOCALIP SERVERNAME}:8545 currently works using either of the following ssh commands:

sudo ssh -D 10.1.1.120:443  -L 10.1.1.120:8545:127.0.0.1:10854 -L 10.1.1.120:8546:127.0.0.1:10900 effofx@10.1.1.120 -p 44322

I've also tried:
sudo ssh -L *:443:10.1.1.120:8545  -L 10.1.1.120:8545:127.0.0.1:10854 -L 10..1.1.120:8546:127.0.0.1:10900 effofx@10.1.1.120 -p 44322

My router is forwarding 8545 and 443 to my internal server.

The server application is started so that the RPC port and address are: 127..0.0.1:10854.

I am mostly confused because the URL I want to give out has "two" associated ports with it.  the HTTPS part of the URL and 8545.
I wasn't sure if potentially setting up a socks proxy would resolve the issues because I believe this to be a headers problem in the forwarding.

Below are results when connecting using the second ssh command from above.  When using -D for a socks connection, I get a connection refused in the curl response.

root@cortex-coeus:/home/effofx# curl -H "Host: cortex-coeus.asuscomm.com" -L 10.1.1.120:443
curl: (52) Empty reply from server

root@cortex-coeus:/home/effofx# lsof -i -n -P | grep :443
sshd       727            root    3u  IPv4  20175      0t0  TCP 10.1.1.120:44322 (LISTEN)
sshd       887            root    4u  IPv4  27671      0t0  TCP 10.1.1.120:44322->10.1.1.101:56713 (ESTABLISHED)
sshd       999          effofx    4u  IPv4  27671      0t0  TCP 10.1.1.120:44322->10.1.1.101:56713 (ESTABLISHED)
sshd      1009            root    4u  IPv4  27919      0t0  TCP 10.1.1.120:44322->10.1.1.101:56721 (ESTABLISHED)
sshd      1078          effofx    4u  IPv4  27919      0t0  TCP 10.1.1.120:44322->10.1.1.101:56721 (ESTABLISHED)
ssh       1927            root    3u  IPv4  86835      0t0  TCP 10.1.1.120:52538->10.1.1.120:44322 (ESTABLISHED)
ssh       1927            root    4u  IPv4  86839      0t0  TCP *:443 (LISTEN)
ssh       1927            root    5u  IPv6  86840      0t0  TCP *:443 (LISTEN)
sshd      1928            root    4u  IPv4  88739      0t0  TCP 10.1.1.120:44322->10.1.1.120:52538 (ESTABLISHED)
sshd      2007          effofx    4u  IPv4  88739      0t0  TCP 10.1.1.120:44322->10.1.1.120:52538 (ESTABLISHED)

When starting the server, I see this in the auth.log
May 11 02:24:56 cortex-coeus sshd[2050]: pam_unix(sshd:session): session opened for user effofx by (uid=0)
May 11 02:24:56 cortex-coeus systemd-logind[699]: New session 12 of user effofx.
May 11 02:24:57 cortex-coeus sshd[2129]: error: connect_to 127.0.0.1 port 10854: failed.

And the prompt continues to display:
channel 3: open failed: connect failed: Connection refused

I am really confused, if I am being 100% honest, mostly because of this dual-port thing.  Maybe I've overcomplicated it in my head?  I am unsure of how to properly forward the https traffic externally on port 8545 to my internal server.
The reasoning behind needing a URL that is 'HTTPS' versus 'HTTP', is that when connecting to my nodes RPC server, metamask requires that the URL be HTTPS when not an internal address. I also want to ensure I am securing the traffic so that nothing can be injected to steal anything from any transfer.  In the past, this has happened on the etherium chain.  I attempted a nginx reverse proxy but, that wasn't working for me, and decided to see if there was another way.

I am trying to help a few people recover some of their cryptocurrency when transferred to an ERC20 addr instead of being on-chain.


Subject: Re: SSH tunnel to secure RPC traffic on HTTPS url
From: Jonathan Larsen
Newsgroups: comp.security.ssh
Date: Tue, 11 May 2021 02:47 UTC
References: 1
X-Received: by 2002:ac8:6c3a:: with SMTP id k26mr27010538qtu.146.1620701232112;
Mon, 10 May 2021 19:47:12 -0700 (PDT)
X-Received: by 2002:a9d:6e0d:: with SMTP id e13mr24944236otr.83.1620701231818;
Mon, 10 May 2021 19:47:11 -0700 (PDT)
Newsgroups: comp.security.ssh
Date: Mon, 10 May 2021 19:47:11 -0700 (PDT)
In-Reply-To: <77a7395e-6494-4d8d-88e3-3a28a6991dcan@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=73.98.198.161; posting-account=1tImgQoAAAB7-c2DTzd2a1rEL0p_z7xS
NNTP-Posting-Host: 73.98.198.161
References: <77a7395e-6494-4d8d-88e3-3a28a6991dcan@googlegroups.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <70d7d08a-e0f1-4aac-a843-c2919aaa46e2n@googlegroups.com>
Subject: Re: SSH tunnel to secure RPC traffic on HTTPS url
From: agentc...@gmail.com (Jonathan Larsen)
Injection-Date: Tue, 11 May 2021 02:47:12 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Path: i2pn2.org!i2pn.org!paganini.bofh.team!usenet.pasdenom.info!usenet-fr.net!feed.ac-versailles.fr!proxad.net!feeder1-2.proxad.net!209.85.160.216.MISMATCH!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
View all headers

Below are results when connecting using the second ssh command from above.. When using -D for a socks connection, I get a connection refused in the curl response.

root@cortex-coeus:/home/effofx# curl -H "Host: cortex-coeus.asuscomm.com" -L 10.1.1.120:443
curl: (52) Empty reply from server

Addendum to the above.

This error comes from the ssh -D *:443 part of the command I am running.
When the second one is used, curl does not return anything.  This is also the case for if i instead change the curl command to 10.1.1.120:8545.  So I had assumed it was working but trying to connect via https never happens.

Also, the error logs for failing to connect on port 10854 via 127.0.0.1 are probably because peers are trying to connect prior to my node restarting.  Because once the node starts, they are not continually displayed on the console, which makes sense since it's the application opening those ports.


Subject: Re: SSH tunnel to secure RPC traffic on HTTPS url
From: Grant Taylor
Newsgroups: comp.security.ssh
Organization: TNet Consulting
Date: Sat, 29 May 2021 01:30 UTC
References: 1
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.security.ssh
Subject: Re: SSH tunnel to secure RPC traffic on HTTPS url
Date: Fri, 28 May 2021 19:30:34 -0600
Organization: TNet Consulting
Message-ID: <s8s5kf$hph$1@tncsrv09.home.tnetconsulting.net>
References: <77a7395e-6494-4d8d-88e3-3a28a6991dcan@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sat, 29 May 2021 01:33:03 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="18225"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.9.0
In-Reply-To: <77a7395e-6494-4d8d-88e3-3a28a6991dcan@googlegroups.com>
Content-Language: en-US
View all headers
On 5/10/21 8:29 PM, Jonathan Larsen wrote:
Hello.  I've been struggling to implement a secure solution for communication on RPC.  The server application that I am running is using RPC specifically on 127.0.0.1 on port 10854.  For those that might need to access my RPC server, the URL I want to give them is: https://cortex-coeus.asuscomm.com:8545. FWIW, http://{LOCALIP SERVERNAME}:8545 currently works using either of the following ssh commands:

sudo ssh -D 10.1.1.120:443  -L 10.1.1.120:8545:127.0.0.1:10854 -L 10.1.1.120:8546:127.0.0.1:10900 effofx@10.1.1.120 -p 44322

I've also tried: sudo ssh -L *:443:10.1.1.120:8545  -L 10.1.1.120:8545:127.0.0.1:10854 -L 10.1.1.120:8546:127.0.0.1:10900 effofx@10.1.1.120 -p 44322

Are you sshing from yourself to yourself explicitly for the purpose of the port forwarding from 10.1.1.120:<port> to 127.0.0.1:<port>?

My router is forwarding 8545 and 443 to my internal server.

Okay.

The server application is started so that the RPC port and address are: 127.0.0.1:10854.

I am mostly confused because the URL I want to give out has "two" associated ports with it.  the HTTPS part of the URL and 8545.

The HTTPS as in https:// is not a port in and of itself.  Instead it's a communications method / scheme to use across whatever port is specified.   If you don't explicitly specify a port, browsers default to port 443.

So http://{LOCALIP SERVERNAME}:8545 really only specifies one port; namely 8545.

I wasn't sure if potentially setting up a socks proxy would resolve the issues because I believe this to be a headers problem in the forwarding.

No.  I would expect that having the SSH client behave like a SOCKS proxy would not help.

Below are results when connecting using the second ssh command from above.  When using -D for a socks connection, I get a connection refused in the curl response.

root@cortex-coeus:/home/effofx# curl -H "Host: cortex-coeus.asuscomm.com" -L 10.1.1.120:443 curl: (52) Empty reply from server

It looks like you are trying to have curl connect to 10.1.1.120:443 as an HTTP server, when your first command has that as the Dynamic (SOCKS) proxy.  Those are two different protocols that are incompatible with each other.

root@cortex-coeus:/home/effofx# lsof -i -n -P | grep :443
sshd       727            root    3u  IPv4  20175      0t0  TCP 10.1.1.120:44322 (LISTEN)
sshd       887            root    4u  IPv4  27671      0t0  TCP 10.1.1.120:44322->10.1.1.101:56713 (ESTABLISHED)
sshd       999          effofx    4u  IPv4  27671      0t0  TCP 10.1.1.120:44322->10.1.1.101:56713 (ESTABLISHED)
sshd      1009            root    4u  IPv4  27919      0t0  TCP 10.1.1.120:44322->10.1.1.101:56721 (ESTABLISHED)
sshd      1078          effofx    4u  IPv4  27919      0t0  TCP 10.1.1.120:44322->10.1.1.101:56721 (ESTABLISHED)
ssh       1927            root    3u  IPv4  86835      0t0  TCP 10.1.1.120:52538->10.1.1.120:44322 (ESTABLISHED)
ssh       1927            root    4u  IPv4  86839      0t0  TCP *:443 (LISTEN)
ssh       1927            root    5u  IPv6  86840      0t0  TCP *:443 (LISTEN)
sshd      1928            root    4u  IPv4  88739      0t0  TCP 10.1.1.120:44322->10.1.1.120:52538 (ESTABLISHED)
sshd      2007          effofx    4u  IPv4  88739      0t0  TCP 10.1.1.120:44322->10.1.1.120:52538 (ESTABLISHED)

What are all the 44322 ports?  They seem unrelated.

When starting the server, I see this in the auth.log
May 11 02:24:56 cortex-coeus sshd[2050]: pam_unix(sshd:session): session opened for user effofx by (uid=0)
May 11 02:24:56 cortex-coeus systemd-logind[699]: New session 12 of user effofx.
May 11 02:24:57 cortex-coeus sshd[2129]: error: connect_to 127.0.0.1 port 10854: failed.

I don't see enough information to know what is causing the error.

And the prompt continues to display:
channel 3: open failed: connect failed: Connection refused

I don't know if "channel 3" is significant or not.  The number may just be the arbitrary communications channel within the SSH connection.

"Connection refused" means that something isn't allowing the connection.

I am really confused, if I am being 100% honest, mostly because of this dual-port thing.  Maybe I've overcomplicated it in my head? I am unsure of how to properly forward the https traffic externally on port 8545 to my internal server.

If you're doing what I think you are doing, I wouldn't use SSH as part of this tool chain.  I'd use a firewall port redirection / NAT capability -or- a TCP proxy / redirection application.

Yes, OpenSSH can probably be pressed into service to do this.  But I think it's quite a bit more complicated and definitely more overhead than is needed to achieve the the result.

The reasoning behind needing a URL that is 'HTTPS' versus 'HTTP', is that when connecting to my nodes RPC server, metamask requires that the URL be HTTPS when not an internal address.

1st:  OpenSSH isn't going to do any HTTPS <-> HTTP protocol translation for you.

2nd:  What does "internal address" mean in this context?  Any RFC 1918 private IP or 127.0.0.1/8 on the loopback interface?



--
Grant. . . .
unix || die


1
rocksolid light 0.7.2
clearneti2ptor