I’ve been looking into this because I did not want to spend more money on extra IP addresses for SSL connects. But I do have several websites I want to access encrypted (that is .. not over plain HTTP).

There definitely are some articles (and forum threads) out there that come close, but this is how it’s done 🙂

Some predefs

The goal is to be able to connect to multiple VirtualHost’s on an Apache webserver.

We have a localpc behind a NAT-ed internet connection (yourpc.locality.lan) and the aforementioned publicly accessible webserver on the net somewhere (yourserver.example.com).

I’m assuming you can already connect to your server via SSH, based on a pub/priv keypair.

Local to remote

There are some things that need to be set local AND remote to make sure that Apache knows to which (not publicly accessible) VirtualHost it must redirect your HTTP request. That is, make up a name and put it in your /etc/hosts file and have it resolve to 127.0.0.1. E.g:

$ cat /etc/hosts
127.0.0.1 localhost

# For ssh tunneling
127.0.0.1 mysuperadminsite.locality.lan

Important! You need to put the ‘mysuperadminsite’  entry in your /etc/hosts file on your server as well. Otherwise it won’t work because Apache can’t figure out where this needs to go (more on apache config in a sec).

Then, the actual SSH tunnel command is this:

ssh  -L 9002:mysuperadminsite.locality.lan:80 yourname@yourserver.example.com

There are ofcourse nicer ways to fully hide/automate the SSH tunnel, but by doing it manually like this you are explicitly remembered that you’re in ‘admin-mode’ 🙂

Apache trickery

Ok, so how does Apache know where to go when your HTTP request hits the server side? As your mysuperadminsite request is resolved to 127.0.0.1 (on the server), apache needs this as a NameVirtualHost. So put this in your global Apache config somewhere.

# For admin work over SSH
NameVirtualHost 127.0.0.1:80

Then you create an apache VirtualHost config with a setup like this.

<VirtualHost 127.0.0.1:80>
	ServerName mysuperadminsite.locality.lan

	# Here you put your docroot, includes, logfile entries and whatever else you want.

</VirtualHost>

And so, apache resolves the request to 127.0.0.1 where, based on the X-Header (containing the mysuperadminsite name) sent by your browser, it actually finds a vhost to handle your request.

This is a very safe way to handle your secure access because the VirtualHost is only handled by apache when it comes in on your loopback interface. Moreover FQDN’s based on “locality.lan” are not resolvable in the outside world.

It does however require a second website instance. You could combine an externally accesible VirtualHost by starting your config with this.

<VirtualHost [external_ip]:80, 127.0.0.1:80>

This way you don’t have to have a second VirtualHost config (and thus website instance) for management. But it’s easier to overlook going secure and thus have your passwords or whatever sniffed.

Gotcha’s

None that I know of, but feel free to point them out 🙂

Safe computing!