On Fri, Oct 05, 2012 at 11:16:38AM +0100, Laurie Brown wrote:
> On 04/10/2012 20:38, Keith Edmunds wrote:
> > On Thu, 4 Oct 2012 10:44:57 +0100, cl@isbd.net said:
> > > I don't want it to provide any sort of access from outside, I just want to be able to reverse tunnel down the connection to access port 80 on the system on the boat.
> >
> > In my opinion, you are making life unnecessarily complicated for yourself. The easy way to do this is to set up a VPN (OpenVPN is reasonably straightforward) from the boat to wherever you want, using multiple VPN connections if necessary. Then you can firewall incoming connections over the VPN to allow access from only those places you specify.
> > That would be a lot more secure, and, once set up, somewhat easier to manage.
>
> I entirely agree. The combination of Shorewall and OpenVPN is pretty hard to beat, IMO.
> Also, assuming your web pages aren't too heavy on graphics, how about using links in an SSH session direct to localhost?
I'm not sure if you've quite understood the set-up still.
The system on the boat running the apache web server (which I want to access from here at home) is a very basic server system running on a 2Gb (disk that is) eeePc with no GUI and not a lot of spare space. This is connected to the internet via a WiFi service at the place where the boat is moored, thus it's behind a NAT (presumably) firewall and cannot be accessed directly from the Internet.
I already have autossh running ssh connections out from the eeePc on the boat to my hosting service shell account. Thus to get command line access to the eeePc I can login to the hosting service shell account and ssh to the eeePc from there. As I said before, the reason for going via the shell hosting service is that it means my home system's firewall only needs to open up port 22 to a couple of specific IP addresses and someone getting access to the eeePc on the boat wouldn't be able to access my home PC without breaking the ssh passwords on the home PC.
What I now want to do in addition is make it easier to access the eeePc's web server from home without (seriously) impairing the existing security. I can already do this if I run another ssh tunnel out from the boat eeePc (exporting port 80) and then a further one from the hosting shell account to my home PC, but as I don't want any password/passphraseless access to my home PC this involves manually logging into the hosting shell, starting up the ssh tunnel (giving it my password) and then connecting my browser to the boat. I want to make this easier.
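
The two-hop reverse tunnel described in this message, as an added example that is not part of the original post: it prints the `ssh -R` command for each hop and refuses any forward that would listen on a non-loopback address. The host names, user names and relay port 8080 are assumed placeholders.

```shell
#!/bin/sh
# Added example: hosts, users and port 8080 are assumed placeholders.
HOSTING="user@shell.example.net"   # hypothetical hosting shell account
HOME_PC="user@home.example.net"    # hypothetical home PC
RELAY_PORT=8080                    # assumed unprivileged relay port

# A forward is acceptable only if it listens on loopback, so the relayed
# web server is never reachable from outside the machine it lands on.
is_loopback_bind() {
    case "$1" in
        127.0.0.1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Print an "ssh -N -R" command: listen on bind:lport at the remote end and
# deliver connections to 127.0.0.1:tport on the machine that runs ssh.
reverse_forward_cmd() {
    bind=$1 lport=$2 tport=$3 dest=$4
    if ! is_loopback_bind "$bind"; then
        echo "refusing non-loopback bind address: $bind" >&2
        return 1
    fi
    printf 'ssh -N -o ExitOnForwardFailure=yes -R %s:%s:127.0.0.1:%s %s\n' \
        "$bind" "$lport" "$tport" "$dest"
}

# Hop 1, run on the boat: hosting 127.0.0.1:8080 -> boat port 80.
boat_hop() {
    reverse_forward_cmd 127.0.0.1 "$RELAY_PORT" 80 "$HOSTING"
}

# Hop 2, run by hand on the hosting shell (the password prompt stays):
# home 127.0.0.1:8080 -> hosting 127.0.0.1:8080 -> boat port 80.
hosting_hop() {
    reverse_forward_cmd 127.0.0.1 "$RELAY_PORT" "$RELAY_PORT" "$HOME_PC"
}

boat_hop
hosting_hop
```

With both hops up, a browser on the home PC reaches the boat's web server at `http://127.0.0.1:8080/`.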