# How do I port forward SSL?

## audiodef

I have one of these:

http://www.ehow.com/how_4663412_enable-miwr-verizon-fios-router.html

I know about setting up port forwarding. What I want to do is set up SSL port forwarding. https://localhost works. When I get the router's IP and put that in my browser (using http, not https), it gets forwarded to http://localhost. Now I want to do the same thing, except with https. 

In other words, if the router's IP is 12.345.67.89, I want to be able to put https://12.345.67.89 in my browser and have it forward to https://localhost, the same way it works with http. I have SSL set up on my localhost already. 

I've done this before, just on a different router, and I've forgotten what needs to be done.

----------

## chiefbag

Not sure about this router but I imagine that setting up port 443 instead of 80 will do the trick.

----------

## audiodef

It doesn't appear to be that simple. 

I wonder if I still have to configure something for apache. Is it enough to see that https://localhost works to expect a port forward to work on SSL?

----------

## titanofold

Yeah, not that simple. What you need is a page or a redirect rule to send people from HTTP to HTTPS.

So you'd have a virtual host listening on port 80 only to serve that redirect page or to issue that redirect command.

EDIT: Whoops! Now that I read your post again, I realize that's not what you were looking to have happen.

Would you post your SSL config for Apache?

----------

## chiefbag

Ok maybe I misread this post in the first place, let me try and clarify the problem.

1: Is this a question of your apache setup on your server?

If so I think what you are trying to do is to redirect an http request and proxy it to an https one, either to your local server or another server.

If you want to switch from http to https on the local server you can simply add a redirect rule, assuming that your https is already set up:

```
RedirectMatch /(.*) https://localhost

RedirectMatch / https://localhost
```

If you want to proxy and use ssl also, then you need to set up an ssl proxy directive as well:

```
SSLProxyEngine      On
ProxyRequests       Off
ProxyPreserveHost   Off
ProxyPass           / https://other-server
ProxyPassReverse    / https://other-server
```

Hope I have understood the question  :Laughing: 

----------

## audiodef

Here's my /etc/apache2/httpd.conf:

```
ServerRoot "/usr/lib64/apache2"

LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
<IfDefine CACHE>
LoadModule cache_module modules/mod_cache.so
</IfDefine>
LoadModule cgi_module modules/mod_cgi.so
LoadModule cgid_module modules/mod_cgid.so
<IfDefine DAV>
LoadModule dav_module modules/mod_dav.so
</IfDefine>
<IfDefine DAV>
LoadModule dav_fs_module modules/mod_dav_fs.so
</IfDefine>
<IfDefine DAV>
LoadModule dav_lock_module modules/mod_dav_lock.so
</IfDefine>
LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
<IfDefine CACHE>
LoadModule disk_cache_module modules/mod_disk_cache.so
</IfDefine>
LoadModule env_module modules/mod_env.so
LoadModule expires_module modules/mod_expires.so
LoadModule ext_filter_module modules/mod_ext_filter.so
<IfDefine CACHE>
LoadModule file_cache_module modules/mod_file_cache.so
</IfDefine>
LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
<IfDefine INFO>
LoadModule info_module modules/mod_info.so
</IfDefine>
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
<IfDefine CACHE>
LoadModule mem_cache_module modules/mod_mem_cache.so
</IfDefine>
LoadModule mime_module modules/mod_mime.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule speling_module modules/mod_speling.so
<IfDefine SSL>
LoadModule ssl_module modules/mod_ssl.so
</IfDefine>
<IfDefine STATUS>
LoadModule status_module modules/mod_status.so
</IfDefine>
LoadModule unique_id_module modules/mod_unique_id.so
<IfDefine USERDIR>
LoadModule userdir_module modules/mod_userdir.so
</IfDefine>
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so

User apache
Group apache

Include /etc/apache2/modules.d/*.conf
Include /etc/apache2/vhosts.d/*.conf
```

It's pretty much the default. 

Currently, I host a chat server for a small number of people. I have port forwarding set up. I get the IP from my router and put it in my browser's address bar, along with the path to the chat server. So while I can get to the chat from http://localhost/chat, others can get to it from http://(ip_address)/chat. 

I'd like to be able to do all this, except have users go through https://(ip_address)/chat. I can currently get to https://localhost/chat, but not https://(ip_address)/chat.

----------

## chiefbag

In that case your apache setup may be fine. To double check this, I would attempt to connect from another machine on your LAN to the actual IP of your server, just to prove the SSL is listening on the external interface and not just on localhost.

If you set up a redirect on the apache side this may solve the issue you have; add the below. Now when you connect to http://localhost it should redirect you to https://localhost.

```
vi /etc/apache2/vhosts.d/default_vhost.include
```

```
RedirectMatch /(.*) https://localhost
RedirectMatch / https://localhost
```

----------

## titanofold

In your 00_default_ssl_vhost.conf, are you allowing connections from all, or just from localhost?

----------

## chiefbag

This is what I would put there unless you have good reason not to.

```
Listen 443

<VirtualHost *:443>
```

----------

## titanofold

 *chiefbag wrote:*   

> This is what I would put there unless you have good reason not to.
> 
> ```
> Listen 443
> 
> ...

 

That only tells Apache to listen on that port, not who it should allow.

----------

## chiefbag

That will bind apache to all network cards that are up, if I'm not mistaken.

Which line of the config are you referring to?

----------

## titanofold

 *chiefbag wrote:*   

> That will bind apache to all network cards that are up, if I'm not mistaken.
> 
> Which line of the config are you referring to?

 

Binding could be an issue, but we won't know until the OP posts his/her 00_default_ssl_vhost.conf.

By allowing, I mean just that:

```
<Directory /path>
  Order allow,deny
  Allow from all
</Directory>
```

----------

## chiefbag

 *Quote:*   

> By allowing, I mean just that:
> 
> Code:
> 
> <Directory /path>
> ...

 

The setup would not need to be altered in the SSL file as https access is already allowed.

The redirect has no effect on the SSL setup, which is separate.

----------

## chiefbag

@titanofold

The point I was making was that if the config was as follows, then it would not be listening on an external interface, and this I think would cause a problem:

```
<VirtualHost 127.0.0.1:443>
```

Anyhow I'm not convinced that the router will allow subsequent requests from an external client back in on https if the port forwarding is not setup.

----------

## titanofold

 *chiefbag wrote:*   

>  *Quote:*   By allowing, I mean just that:
> 
> Code:
> 
> <Directory /path>
> ...

 

Except that we don't actually know if HTTPS access is allowed to all until the OP posts his/her SSL host configuration.

The redirect rule isn't the issue:

 *Quote:*   

> I'd like to be able to do all this, except have users go through https://(ip_address)/chat. I can currently get to https://localhost/chat, but not https://(ip_address)/chat.

 

Emphasis mine.

Outside connections can't access the SSL host. So, not a redirect issue, but a permission or port forwarding issue.

----------

## chiefbag

 *Quote:*   

> In other words, if the router's IP is 12.345.67.89, I want to be able to put https://12.345.67.89 in my browser and have it forward to https://localhost, the same way it works with http. I have SSL set up on my localhost already.
> 
> I've done this before, just on a different router, and I've forgotten what needs to be done.

 

The Apache setup is one issue, but the router seems to be the main one, as the person is unable to forward port 443.

With this suggested apache setup it may be possible to get apache to poke a hole through the router firewall and then maintain an open route back in.

----------

## chiefbag

@audiodef

1 question to clarify . . .

1: Is port forwarding set up on port 443 on your router?

If yes, then stop apache and do the following as root:

```
emerge net-analyzer/netcat
```

Run the following command as root user:

```
nc -l -p 443
```

Now get someone to connect externally over https.

You should now see output in the terminal where you ran the command. This proves that your port forwarding is working correctly, so all you need to do is sort out your apache config.

----------

## audiodef

Here's the latest:

I get no output with that command, whether apache is running or not. However, reading through this thread sparked a suspicion. I put my router's current IP address into the exceptions for my TOR setup, and HTTPS sailed right through. I'll have to come back to this later, when I've solved the following problem:

HTTPS requests land on the login page for the router, not on my apache's localhost (HTTP requests land on my apache's localhost as expected). In my port forwarding section, I have two forwards:

192.168.1.3:80, HTTP TCP Any -> 80

192.168.1.3:443, Application TCP 443 -> 443

There's nothing about forwarding 443 to 192.168.1.1, which is the router. 

I wonder if the fact that the 443 forward rule is an "application" and not "http" has anything to do with it. I didn't see a way to have any control over this, though. 

Maybe at this point, my apache config needs to be tweaked. Here's my SSL config:

```
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>

Listen 443

<VirtualHost _default_:443>
   ServerName localhost
   Include /etc/apache2/vhosts.d/default_vhost.include

   ErrorLog /var/log/apache2/ssl_error_log
   <IfModule log_config_module>
      TransferLog /var/log/apache2/ssl_access_log
   </IfModule>

   SSLEngine on
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
   SSLCertificateFile /etc/ssl/apache2/server.crt
   SSLCertificateKeyFile /etc/ssl/apache2/server.key

   <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
   </FilesMatch>

   <Directory "/var/www/localhost/">
      SSLOptions +StdEnvVars
   </Directory>

   <IfModule setenvif_module>
      BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
   </IfModule>

   <IfModule log_config_module>
      CustomLog /var/log/apache2/ssl_request_log \
         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
   </IfModule>
</VirtualHost>

</IfModule>
</IfDefine>
</IfDefine>
```

----------

## titanofold

There should be a page that allows you to control the router's remote management. This may be what is actually interfering with the connections getting in on port 443.

You can certainly have SSL on a different port; you just need to be able to tell the user agent that it'll be SSL. That is, the browser should be looking for https://yo.ur.ip:444 rather than http://yo.ur.ip:444.

----------

## audiodef

 *titanofold wrote:*   

> There should be a page that allows you to control the router's remote management. This may be what is actually interfering with the connections getting in on port 443.

 

I found it, but the router is not set to allow remote management. So I shouldn't even be seeing the router from an external IP!   :Shocked: 

EDIT: I found a system settings page for the router, which had port 443 as the https management port. I changed it to 444 and the router no longer comes up when I try to access the router's IP address via https, but I'm still not getting to my localhost via https.

----------

## titanofold

You should be able to edit the port forwarding now so that it points to the server. And it should have HTTPS as its service for that port.

----------

## audiodef

I must have totally spaced on the fact that I should select HTTPS from the list of applications to forward. I did so, and now I have HTTPS forwarded to the local address of my server, but I'm still getting connection refused messages.   :Shocked: 

----------

## cach0rr0

what sort of router, out of curiosity? 

I had something like this with a Netgear WNR2000. Never had such an issue on any of my Linksys rigs. 

I could access everything fine coming in from outside, but internally, it ended up connecting to the web management interface for the router. 

Can't remember what I had to change. May have been one of the RIP settings, not sure. 

Highly suggest you find an external host with nmap, easier to figure this sort of thing out. Maybe you have a friend with a spare shell! 

```
nmap -sT -p389 -P0 x.x.x.x
```

(where x.x.x.x is your public IP of course)

filtered == firewall dropping packets

closed == it's being routed to a host *somewhere*, but nothing on said host is listening on that port

I'd check the router logs as well. It should show an access attempt from whichever IP you're coming from, if you're coming in from outside.
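The two observations the thread turns on, combined into one diagnostic. This is an added example, not code from any poster: `bind_scope` classifies where the server's port 443 listener is bound (from `ss -ltn` output on the server, the `<VirtualHost 127.0.0.1:443>` concern chiefbag raised), `nmap_state` reads the filtered/closed/open word from the external nmap check cach0rr0 describes, and `diagnose` maps the pair to a next step. The sample captures are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added diagnostic helper (not from any post in the thread): combines where the
# server's port 443 listener is bound (`ss -ltn` on the server) with how the port
# looks from outside (`nmap -sT -p443 <public-ip>` from an external host).

# Classify the local TCP listener for port $1 from `ss -ltn` lines on stdin:
# prints "all", "loopback" (127.0.0.1 / ::1 only) or "none".
bind_scope() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            lport = $4; sub(/.*:/, "", lport)
            if (lport != p) next
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if ((addr == "127.0.0.1" || addr == "[::1]") && found != "all")
                found = "loopback"
            else
                found = "all"
        }
        END { print (found == "" ? "none" : found) }'
}

# Pull nmap's state word ("open", "closed", "filtered") for port $1 from nmap
# output on stdin; prints "unknown" if no line for that port is present.
nmap_state() {
    awk -v p="$1" '$1 == p "/tcp" { print $2; found = 1; exit }
                   END { if (!found) print "unknown" }'
}
# Map listener scope ($1) and external state ($2) to a next step, using the
# thread's reasoning: filtered = router dropping; closed = routed, nobody listens.
diagnose() {
    case "$2:$1" in
        open:*)          echo "443 reachable: remaining problems are in the Apache vhost" ;;
        filtered:*)      echo "router dropping 443: check the forwarding rule and the router's own HTTPS management port" ;;
        closed:none)     echo "forward reaches a host but nothing listens: start Apache with SSL enabled" ;;
        closed:loopback) echo "Apache listens on 127.0.0.1 only: bind the SSL vhost to all interfaces" ;;
        closed:all)      echo "forward points at a host where 443 is not Apache: check the rule's destination address" ;;
        *)               echo "inconclusive: capture ss and nmap output again" ;;
    esac
}

# Constructed sample captures (not real output from the poster's machines).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:443 0.0.0.0:*'
SAMPLE_NMAP='PORT    STATE  SERVICE
443/tcp closed https'
scope=$(printf '%s\n' "$SAMPLE_SS" | bind_scope 443)
state=$(printf '%s\n' "$SAMPLE_NMAP" | nmap_state 443)
echo "listener=$scope external=$state -> $(diagnose "$scope" "$state")"
```

Run it with real captures by piping `ss -ltn` into `bind_scope 443` on the server and the nmap output into `nmap_state 443`; the constructed sample reproduces the loopback-only case from the thread.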

----------

