
So this weekend I have been working on migrating my Apache2 server to a Docker container, which I have no issues with.

I currently have a Windows server with SSTP and Exchange 2016, both using port 443 for traffic.

The idea is to have incoming 443 traffic forwarded to my Ubuntu server, and Apache will decide, based on the aliases I gave the virtual hosts, where the user will be redirected to. This I have working, BUT what if a user is trying to connect to the VPN that also uses port 443? How would I be able to redirect that traffic to my server?

What I had thought was to create an iptables rule to have the destination be vpn.domain.com and forward it to the server, but since all subdomains/CNAMEs are just aliases leading to the same host (my external IP), all requests on port 443 will just be sent to the Windows server, bypassing my web host, which is not what I want.

What I also actually tried was to use Apache to forward any incoming connections on 443 via ServerAlias vpn.domain.com to the Windows server, since it's on 443, but that did not work.

I'm not sure how I can go about this, and I'm thinking I would just need to create a new VPN service on my Ubuntu server after all. If there is any way I can achieve what I need, that would save me the hassle.

Thanks

xR34P3Rx

1 Answer


Try with SSLH

Install SSLH

SSLH is packaged for most Linux distributions, so you can install it using the default package managers.

sudo apt install sslh

Configure Apache

As you already know, Apache will listen on all network interfaces (i.e. 0.0.0.0:443) by default. We need to change this setting to tell the web server to listen on the localhost interface only (i.e. 127.0.0.1:443 or localhost:443).

To do so, edit the web server (nginx or Apache) configuration file and find the following line:

listen 443 ssl;

And, change it to:

listen 127.0.0.1:443 ssl;

If you're using VirtualHosts in Apache, make sure you have changed that too.

<VirtualHost 127.0.0.1:443>

Save and close the config files. Do not restart the services.

Configure SSLH

Once you have made the web servers listen on the local interface only, edit the SSLH config file:

sudo vi /etc/default/sslh

Find the following line:

Run=no

And, change it to:

Run=yes

Then, scroll a little bit down and modify the following line to allow SSLH to listen on port 443 on all available interfaces (e.g. 0.0.0.0:443).

DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --openvpn 127.0.0.1:1194 --pidfile /var/run/sslh/sslh.pid"

Where,

  • user sslh : Run SSLH under the specified username.
  • listen 0.0.0.0:443 : SSLH listens on port 443 on all available interfaces.
  • ssh 127.0.0.1:22 : Route SSH traffic to port 22 on the localhost.
  • ssl 127.0.0.1:443 : Route HTTPS/SSL traffic to port 443 on the localhost.
  • openvpn 127.0.0.1:1194 : Route OpenVPN traffic to port 1194 on the localhost.

Save and close the file.

Finally, enable and start the sslh service to apply the changes.

sudo systemctl enable sslh

sudo systemctl start sslh

Change the IP, port and protocols to suit your needs.

2707974
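Added example, not part of the answer above and not sslh's shipped configuration: an /etc/sslh.cfg that covers the question's actual case, where the VPN and the web sites are all TLS on 443, so the protocol-only split in DAEMON_OPTS cannot separate them. It routes TLS connections whose SNI is vpn.domain.com to the Windows SSTP/Exchange host and every other TLS connection to the local Apache. Assumptions: a sslh release with sni_hostnames support, started from /etc/default/sslh with DAEMON_OPTS="-F /etc/sslh.cfg"; the Windows server at the placeholder address 192.168.1.20; and an SSTP client that sends the vpn.domain.com SNI in its ClientHello.

```conf
# /etc/sslh.cfg  (added example; replace the placeholder address with your own)
foreground: false;
timeout: 2;
user: "sslh";
pidfile: "/var/run/sslh/sslh.pid";

# Public side: sslh owns port 443 on every interface, as in the answer.
listen:
(
    { host: "0.0.0.0"; port: "443"; }
);

# Probes are tried in this order and the first match wins, so the
# SNI-specific TLS entry must come before the catch-all TLS entry.
protocols:
(
    # SSH clients send their "SSH-2.0" banner first, so SSH is recognised
    # without waiting on the server side.
    { name: "ssh"; service: "ssh"; host: "127.0.0.1"; port: "22"; },

    # TLS ClientHello with SNI vpn.domain.com: pass the raw TCP stream to the
    # Windows host (placeholder 192.168.1.20), which terminates TLS itself.
    # Add the Exchange host names to this list so OWA/ActiveSync go there too.
    { name: "tls"; host: "192.168.1.20"; port: "443";
      sni_hostnames: [ "vpn.domain.com" ]; },

    # Every other TLS connection (Apache's aliases, or no SNI at all) goes to
    # Apache, which must now bind 127.0.0.1:443 only (Listen 127.0.0.1:443 in
    # ports.conf as well as the VirtualHost address).
    { name: "tls"; host: "127.0.0.1"; port: "443"; },

    # Anything unrecognised after the timeout is handed to Apache rather than
    # left hanging, so a bad client just gets an HTTP error page.
    { name: "anyprot"; host: "127.0.0.1"; port: "443"; }
);
```

Unless transparent mode is enabled (which needs extra policy routing on the Ubuntu host), the Windows server will log every forwarded connection as coming from the Ubuntu host's address, so check `ss -ltnp` after starting sslh to confirm that only sslh is bound to 0.0.0.0:443 and Apache to 127.0.0.1:443.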