From: pfisterfarm on 4 Aug 2010 10:02

I'm using iptables to forward port 80 and port 443 through a proxy for several servers using rules like this:

iptables -t nat -A PREROUTING -d <proxy address>/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination <real server>:80
iptables -t nat -A POSTROUTING -d <real server>/32 -p tcp -m tcp --dport 80 -j SNAT --to-source <proxy address>
iptables -t nat -A OUTPUT -d <proxy address>/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination <real server>:80

On the server side, the admin is redirecting http to https. He has asked me if it were possible to do the redirection on the proxy machine instead of the server (so users inside the firewall don't need to connect with https). I've found rules that look like:

iptables -t nat -A PREROUTING -d <proxy address>/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 443

in place of the three rules above, but it doesn't seem to work (connection refused). Is this something that's possible in this setup?
From: D. Stussy on 4 Aug 2010 14:51

"pfisterfarm" <pfisterfarm(a)gmail.com> wrote in message news:7f525ead-079e-430a-a40a-e3037673b142(a)g19g2000yqc.googlegroups.com...

> I'm using iptables to forward port 80 and port 443 through a proxy for
> several servers using rules like this:
>
> iptables -t nat -A PREROUTING -d <proxy address>/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination <real server>:80
> iptables -t nat -A POSTROUTING -d <real server>/32 -p tcp -m tcp --dport 80 -j SNAT --to-source <proxy address>
> iptables -t nat -A OUTPUT -d <proxy address>/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination <real server>:80
>
> On the server side, the admin is redirecting http to https. He has
> asked me if it were possible to do the redirection on the proxy
> machine instead of the server (so users inside the firewall don't need
> to connect with https). I've found rules that look like:
>
> iptables -t nat -A PREROUTING -d <proxy address>/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 443
>
> in place of the three rules above, but it doesn't seem to work
> (connection refused). Is this something that's possible in this setup?

It doesn't work because there's nothing to tell the application that you're changing PROTOCOLs. All you're doing is changing the port, which means that the client application is trying NON-SSL'ed http on the https port and thus failing. You need to do a redirection at the http/https server application level, i.e. a 3xx response.
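An added example (not from the thread) of the application-level 3xx redirect D. Stussy describes: a minimal listener for the plain-HTTP port that answers every request with 301 and an https:// Location built from the client's Host header, so the client opens the TLS connection itself instead of speaking cleartext to port 443. The host name proxy.example.invalid and the demo port 8080 are placeholders, since the thread names neither.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
import http.client
import threading

DEFAULT_HOST = "proxy.example.invalid"  # placeholder: the thread never names the proxy host


def https_location(host_header, request_target, fallback_host=DEFAULT_HOST):
    """Same host and path, https scheme, any explicit port dropped (target is 443)."""
    # Missing/empty Host (HTTP/1.0 clients) falls back to the configured name.
    host = (host_header or "").strip() or fallback_host
    if host.startswith("["):            # IPv6 literal such as [2001:db8::1]:80
        host = host[: host.index("]") + 1]
    else:
        host = host.rsplit(":", 1)[0]   # no-op when Host carries no port
    if not request_target.startswith("/"):
        request_target = "/" + request_target
    return "https://" + host + request_target


class RedirectHandler(BaseHTTPRequestHandler):
    """Answer GET, HEAD and POST alike with 301 plus the https:// Location, so the
    client itself opens a TLS connection (a bare port rewrite cannot make it do that)."""

    def _redirect(self):
        self.send_response(301)
        self.send_header("Location", https_location(self.headers.get("Host"), self.path))
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    do_GET = do_HEAD = do_POST = _redirect


def probe_once(path="/login", host="proxy.example:80"):
    """Serve one request on an ephemeral loopback port and return (status, Location)."""
    srv = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    worker = threading.Thread(target=srv.handle_request, daemon=True)
    worker.start()
    conn = http.client.HTTPConnection("127.0.0.1", srv.server_address[1], timeout=5)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"))
    conn.close(); worker.join(5); srv.server_close()
    return result


if __name__ == "__main__":
    # Stand-alone demo on 8080; in production bind port 80 on the proxy.
    HTTPServer(("0.0.0.0", 8080), RedirectHandler).serve_forever()
```

Pointing a browser at http://<proxy>:8080/anything then yields a 301 to https://<proxy>/anything, which is the hop the REDIRECT rule alone could never produce.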
From: pfisterfarm on 5 Aug 2010 08:47

> It doesn't work because there's nothing to tell the application that you're
> changing PROTOCOLs.

That's kind of what I was afraid of... I'm installing apache now to handle redirection to https on port 80...