# Port based firewall, encryption, proxy, http security

## augury

I've emerged www-apache/anyterm.  It provides a console terminal to a web browser.

The problem is that the terminal is not only an unencrypted transmission -- it's already logged in!

I really like the idea of having a terminal on a web browser interface.  It requires at least two security features that should apply to this port exclusively:

1.  password login for http capable browser

2.  encryption handled by a web browser (ssl?)

Anyterm is started by a daemon to a specified port.  Although it is www-apache it does not have an apache folder or config files.

----------

## hdcg

Hi augury,

I am not an anyterm user myself, but I would assume that authentication/authorization as well as encryption should be handled by an Apache server in front of anyterm.

A look at the anyterm homepage http://anyterm.org/howitworks.html confirms this.

So you should set up anyterm to only listen on localhost. Place Apache in front with a suitable authentication module and the proxy module enabled. Then you can proxy a URL of your choice to the anyterm daemon.

I would assume that stunnel could also be used for such a setup. As it is SSL centric it offers fewer options than Apache when it comes to authentication/authorization.

Best Regards,

Holger

----------

## augury

I swear to god I am the international error code tourist.

OK I got it to work.  

```
<VirtualHost *:80>
        ServerName 192.99.12.70
        Include /etc/apache2/vhosts.d/default_vhost.include

        # Apache does not allow a comment on the same line as a directive,
        # so each comment sits on its own line above the directive it describes.

        # proxy /console to the anyterm daemon on localhost
        ProxyPass /console http://127.0.0.1:7676
        # this is the proxy reverse
        ProxyPassReverse /console http://127.0.0.1:7676
        # anyterm.html does not set cookies
        ProxyPassReverseCookiePath /console /
        # this directive takes bare domains, not URLs
        ProxyPassReverseCookieDomain 127.0.0.1 192.99.12.70
        # this allows the .js and .css to be loaded -- had to emerge mod_proxy_html
        # and add -D PROXY_HTML to the options line in /etc/conf.d/apache2
        ProxyHTMLExtended On
        # this was not required but it reinforces the fact
        ProxySourceAddress 127.0.0.2

        <Location /console/anyterm.html>
                AuthType Basic
                AuthName "Authentication Required"
                AuthUserFile "/etc/htpasswd/htpasswd"
                Require valid-user
        </Location>
</VirtualHost>
```

Now what I need to do is add the secure connection encryption.

----------
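An added example, not part of any post in this thread: the vhost posted above with TLS in front of it (Basic auth over plain HTTP sends the password readable on the wire) and the password check widened from `anyterm.html` to everything under `/console`. It assumes Apache 2.4 with mod_ssl loaded and a `Listen 443` elsewhere in the configuration; the certificate paths are placeholders.

```apache
# Added example. Certificate paths are placeholders, not values from the thread.

# Plain HTTP: never proxy the console here, only redirect it to HTTPS.
<VirtualHost *:80>
    ServerName 192.99.12.70
    Redirect permanent /console https://192.99.12.70/console
</VirtualHost>

<VirtualHost *:443>
    ServerName 192.99.12.70

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # anytermd listens on 127.0.0.1 only, so this proxy is the sole way in.
    ProxyPass        /console http://127.0.0.1:7676
    ProxyPassReverse /console http://127.0.0.1:7676
    # (the remaining Proxy* directives from the posted vhost carry over unchanged)

    # Cover the whole proxied prefix, not just anyterm.html: the scripts,
    # stylesheets and terminal requests are also served under /console.
    <Location /console>
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile "/etc/htpasswd/htpasswd"
        Require valid-user
        # Refuse any request to this path that arrives without TLS.
        SSLRequireSSL
    </Location>
</VirtualHost>
```

`apache2ctl configtest` checks the syntax before a reload.
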

## augury

I enabled all the APACHE2_MODULES= (why not) and had to add -D PROXY and -D PROXY_HTML (from the mod_proxy_html port).

----------

## augury

Another thing, it is sort of useless if anytermd is not run without --user root.

----------

## augury

OK now I want to run a gkrellmd over the internet.  gkrellmd is as bad as an open terminal, SO I need to secure a log in.

But gkrellm clients do not have a means of authenticating.

Is apache able to authenticate with another apache and connect my proxies?

----------

## Hu

Perhaps it would be a better use of your time to find a way to make ssh work reliably over whatever excuse for an Internet connection you are stuck on.  Once that works, ssh port forwarding will handle the rest.  You could also try an OpenVPN TCP-TLS tunnel over 443, which should work in the absence of an SSL-cracking proxy.

----------

