Another article in this blog described how remote port forwarding can be used to make services in the home network accessible from the Internet. The solution described there only works if the required SSH server can be configured as an open gateway on the Internet.
If this is not the case, a combination of remote and local port forwarding is a possible alternative, which in turn only works if the accessing client has access to the SSH server itself.
However, this is usually not the case if the client is, for example, a customer for whom a website is being developed and who only occasionally wants to see the current state of development. Normally one does not want to, or cannot, give the customer SSH access to one's own server on the Internet, and one cannot assume that the customer is familiar with setting up local port forwarding on their computer.
A solution is therefore required that any external client can use without great effort. This solution consists of a combination of remote port forwarding and a reverse proxy, which is described here.
You need a server on the Internet that can be accessed with SSH and that runs a web server that can be configured as a proxy. For the Apache web server used in this example, the modules
mod_proxy_http must already be activated or at least could be activated.
Knowledge of bash and of the configuration of the Apache web server is helpful for understanding this article. In addition, reference is made to the three articles mentioned above in this blog for information on setting up port forwarding.
A laptop called Caboto is used below to develop a website for a customer. The website should be accessible at the address
http://customer1.mydomain.de/ both on the laptop and customer's computer.
Most of the time you are on the home network with your computer, but sometimes you are also on the go and logged into another network or you connect to the Internet via your cellular provider. Regardless of where one works, the website under development should be accessible to the customer when required.
In addition to a development environment, Caboto also has a web server (on port
80) which can be used to locally view and test the website under development.
Furthermore, a server on the Internet - a so-called VPS - called Cayenne is used, which can be accessed with SSH and on which a web server also runs. This server should have the host name
Setting up Name Resolution
So that the website with the name
http://customer1.mydomain.de/ can be displayed in a browser, it must be ensured that this name is resolved both from the local computer and from any computer outside the home network and converted into an IP Address. To do this, the name
customer1.mydomain.de must be entered in the DNS with the IP address of the VPS Cayenne.
As soon as this is done, however, calling http://customer1.mydomain.de/ on the Caboto computer, on which the website is hosted, will also contact the Cayenne computer. This is not desirable, because it should be possible to access the website locally even if the Caboto computer has no connection to the Internet for whatever reason or if access from the Internet is not activated.
The best way to resolve the name on Caboto is in the
/etc/hosts file. This has priority over the resolution via the DNS and would then look like this:
    127.0.0.1 localhost
    127.0.0.1 customer1.mydomain.de
While the name
customer1.mydomain.de now resolves to the IP address of the VPS Cayenne from every computer in the world, on Caboto the local network interface is addressed with the IP
Configuration of the Local Web Server
The web server on Caboto, or more precisely a virtual host on it, must receive and answer requests to the address
127.0.0.1:80 for the name
    <VirtualHost 127.0.0.1:80>
        ServerName customer1.mydomain.de
        DocumentRoot "/srv/vhosts/customer1/htdocs"
        <Directory "/srv/vhosts/customer1/htdocs">
            AllowOverride All
        </Directory>
    </VirtualHost>
After restarting the web server, this virtual host is active.
Activate Port Forwarding
Caboto must also be able to set up remote port forwarding using SSH. The best way to do this is to use the
ReverseTunnel bash script presented in this article, in which you only need to change the value of the
RPORT variable to
8881 for the current application, because we assume that the web server on Cayenne already serves other websites on port
    #!/bin/bash
    ...
    RPORT="8881" # Remote Port on Remote Host
    ...
All other variable values from the above script can be retained.
The activation of the remote port forwarding would then look like this:
    uwe@Caboto:~$ ReverseTunnel start
    Reverse tunnel from server.example.com:8881 -> localhost:80 established PID 11266
    uwe@Caboto:~$
This means that port
80 on the local Caboto computer can be reached by the Cayenne server on port
8881. The forwarding can be ended with
- The web server or a virtual host on Caboto listens to the address
80 and accepts requests for the name
- On the Caboto laptop, the website under development can be seen in a browser with the URL
- In the background, a reverse port forwarding is activated on Caboto, which forwards network requests on the VPS Cayenne from
80 of the Caboto computer.
Calling the URL
http://customer1.mydomain.de/ from a computer other than Caboto - regardless of whether it is in the same network or somewhere else - still leads to an error message because the web server on Cayenne or the virtual host for the address
customer1.mydomain.de is not yet configured.
Configuration of the Reverse Proxy
The task of the web server on Cayenne is now to forward requests arriving on its external network interface (the IP) on port 80 to Caboto. However, this does not work on its own, because the remote port forwarding only forwards to Caboto those requests that are received on Cayenne's local network interface on port 8881.
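To confirm on Cayenne that the tunnel end really listens only on the local interface, the following added example (not part of the original article) classifies how a port is bound from the output of ss -ltn. The function name and the two sample listings are constructed for illustration; a result of "exposed" means port 8881 can be reached from outside without passing through the web server, which sshd's GatewayPorts option can cause.

```shell
#!/bin/sh
# Added example: classify how a TCP port is bound, from `ss -ltn` output on stdin.
# Prints "loopback", "exposed" or "absent".
tunnel_binding() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }                  # skip header and other states
        {
            n = split($4, part, ":")             # $4 is Local Address:Port
            if (part[n] != port) next            # some other listener
            host = substr($4, 1, length($4) - length(part[n]) - 1)
            if (host == "127.0.0.1" || host == "[::1]") loop = 1
            else wide = 1                        # 0.0.0.0, [::], * or a public IP
        }
        END {
            if (wide)      print "exposed"
            else if (loop) print "loopback"
            else           print "absent"
        }'
}

# Constructed `ss -ltn` output: tunnel bound to the local interface only ...
SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8881     0.0.0.0:*
LISTEN 0      128    [::1]:8881         [::]:*
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*'

# ... and bound to all interfaces, so the web server on port 80 can be bypassed.
SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8881       0.0.0.0:*
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*'

printf '%s\n' "$SS_LOOPBACK" | tunnel_binding 8881   # prints: loopback
printf '%s\n' "$SS_EXPOSED"  | tunnel_binding 8881   # prints: exposed
```

On Cayenne itself the same function is fed live data with: ss -ltn | tunnel_binding 8881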
What is missing on Cayenne is the connection between the request on the external network interface on port
80 and the local network interface on port
This is where the reverse proxy comes in. It does exactly this forwarding from a request to the external network interface to the internal network interface. This is completely transparent for the external visitor to the website, i.e. she cannot see whether the website is provided on Cayenne or is from elsewhere.
The configuration of the web server or the virtual host has only a few instructions:
<VirtualHost <IP>:80> ServerName customer1.mydomain.de ProxyRequests Off ProxyPass / http://localhost:8881/ ProxyPassReverse / http://localhost:8881/ ProxyPreserveHost On </VirtualHost>
The configuration must take into account that the request comes via the IP of the Cayenne computer on port
80 but with the name
customer1.mydomain.de. The placeholder
<IP> must of course be replaced with the correct IP of the Cayenne computer.
The instructions are in detail:
- ProxyRequests Off switches off the functionality of a forward proxy. This is important so that the proxy cannot be misused to temporarily store and distribute any content. ProxyRequests Off does not switch off the functionality of a reverse proxy.
- ProxyPass / http://localhost:8881/ activates the proxy. All incoming requests (/) are forwarded to the specified address (http://localhost:8881/). Since this is the address of the SSH tunnel to the web server on Caboto, the requests are forwarded there.
- ProxyPassReverse / http://localhost:8881/ ensures that URLs that are written by the web server on Caboto in the HTTP response header URI are rewritten by the proxy so that they contain the address valid on the proxy before they are returned to the requesting client.
- ProxyPreserveHost On forwards the name customer1.mydomain.de requested on Cayenne to Caboto, since Caboto may also serve several virtual hosts and otherwise would not know which virtual host the request is for.
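The four directives can be checked mechanically before the web server on Cayenne is restarted. The following is an added example, not part of the original article: a small lint that reads a virtual host definition and reports deviations from the configuration explained above. The function name, the messages and the misconfigured sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a reverse-proxy virtual host read from stdin.
# $1 is the backend the SSH tunnel provides (here: http://localhost:8881/).
# Prints "OK" or one FAIL line per finding; returns non-zero on any finding.
lint_proxy_vhost() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }                      # ignore comment lines
        { d = tolower($1) }                      # directive names are case-insensitive
        d == "proxyrequests"     { req  = tolower($2) }
        d == "proxypreservehost" { keep = tolower($2) }
        d == "proxypass"        && $2 == "/" { pass = $3 }
        d == "proxypassreverse" && $2 == "/" { rev  = $3 }
        END {
            if (req == "on")  { print "FAIL ProxyRequests On: forward proxy is enabled"; bad++ }
            if (pass != want) { print "FAIL ProxyPass / does not point at " want; bad++ }
            if (rev != pass)  { print "FAIL ProxyPassReverse differs from ProxyPass"; bad++ }
            if (keep != "on") { print "FAIL ProxyPreserveHost is not On"; bad++ }
            if (!bad) print "OK"
            exit (bad > 0)
        }'
}

# Constructed samples: the configuration from this article ...
GOOD_VHOST='<VirtualHost <IP>:80>
    ServerName customer1.mydomain.de
    ProxyRequests Off
    ProxyPass / http://localhost:8881/
    ProxyPassReverse / http://localhost:8881/
    ProxyPreserveHost On
</VirtualHost>'

# ... and a misconfigured variant with the forward proxy switched on.
BAD_VHOST='<VirtualHost <IP>:80>
    ServerName customer1.mydomain.de
    ProxyRequests On
    ProxyPass / http://localhost:8881/
</VirtualHost>'

printf '%s\n' "$GOOD_VHOST" | lint_proxy_vhost http://localhost:8881/
printf '%s\n' "$BAD_VHOST"  | lint_proxy_vhost http://localhost:8881/ || true
```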
After restarting the web server on Cayenne, the website hosted on the Caboto computer can be accessed by the customer with the address
http://customer1.mydomain.de, regardless of the networks in which the Caboto computer and the customer are located.
Summary and Outlook
With the help of a server on the Internet, it is relatively easy to make websites under development that are provided on a workstation accessible to external visitors. Only the SSH program and a web server such as Apache are needed. Access can be switched on and off from the workstation computer as required.
This relatively simple setup will be expanded upon in later articles. Topics include:
- Authentication and SSL encryption of the connection
- Making multiple websites available
- Caching of content on the reverse proxy
- Content filter for complex websites