Using Apache as an SSL Gateway to x11vnc servers inside a firewall (holy grail: 443 only):

Please see the main notes on the Apache SSL VNC Portal for background and details.

This page contains notes on using a helper script connect_switch to redirect incoming port 443 (the default https:// port) connections to either apache listening on localhost:443 for normal HTTPS tasks or to redirect VNC CONNECT requests directly to the workstations running x11vnc.

The idea is you just want to open a single, https (i.e. SSL encrypted) port to the internet and you want it to serve as both a regular https server and also a VNC SSL tunnel. Users often want that port to be 443, since sometimes that (and 80) is the only external port their company firewall lets them connect to. But you could choose any port if you desired some obscurity, etc.

It doesn't seem possible to do this entirely inside the apache framework (please show us how if you know!).

Although inelegant, one can have a helper program listening in front of apache to redirect the two different types of requests.

So basically you run connect_switch listening on port 443 of your IP address interface. Then you configure apache mod_ssl to listen only on localhost:443 by putting this in ssl.conf:

   Listen 127.0.0.1:443

Incoming connections to port 443 first get intercepted by connect_switch. If it notices the "CONNECT host:port" request, it checks if host:port is in its allowed list, and if so makes a direct connection to the workstation and forwards data to and from the client, bypassing apache completely.

If it does not detect "CONNECT" it instead forwards the connection to apache listening on localhost:443 for normal processing.

If you look at the top portion of connect_switch you will see how to configure it for different hosts, IP addresses, and VNC servers.

   # You can/should override the host/port settings here:
   #
   # $listen_host = '23.45.67.89';	# set to your interface IP number.
   # $listen_port = 555;		# and nonstandard port.
   # $httpd_host  = 'somehost';		# maybe redir https to another machine.
   # $httpd_port  = 666;		# and nonstandard port.
   
   # You must set the allowed host:port CONNECT redirection list.
   # Only these host:port pairs will be redirected to.
   #
   my @allowed = qw(
           machine1:5915
           machine2:5900
   );
   
   # Or you could also use an external "allow file".
   # They get added to the @allowed list.
   # The file is re-read for each new connection.
   #
   # Format of $allow_file:
   #
   #     host1 vncdisp
   #     host2 vncdisp
   #
   # where, e.g. vncdisp = 15 => port 5915, say
   #
   #     joesbox  15 
   #     fredsbox 15 

   my $allow_file = '/dist/apache/conf/vnc.hosts';
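The two decisions connect_switch makes on each new connection (is the first request a "CONNECT host:port", and is that host:port on the allowed list, including entries loaded from the "host vncdisp" allow file) are shown below as an added Python example. This is not the connect_switch script itself; the sample allow file is constructed, comment lines in the allow file and closing the connection for an unlisted CONNECT target are this example's own choices, and the static list and the Apache fallback address (127.0.0.1:443) come from the page above.

```python
import re

# Constructed sample in the $allow_file format described above ("host vncdisp").
# Blank lines and '#' comments are skipped (an assumption of this example).
SAMPLE_ALLOW_FILE = """\
# workstation   VNC display (15 => port 5915)
joesbox  15
fredsbox 15
"""

# The static @allowed list from the script header.
STATIC_ALLOWED = {"machine1:5915", "machine2:5900"}

# Where a non-CONNECT connection goes: apache on localhost:443.
HTTPD_ADDR = ("127.0.0.1", 443)

# Only a well-formed proxy request counts; a TLS ClientHello (0x16 0x03 ...)
# or a plain GET never matches and falls through to apache.
CONNECT_RE = re.compile(rb"^CONNECT[ \t]+([A-Za-z0-9.-]+):(\d{1,5})[ \t]+HTTP/1\.[01]\r?\n")


def parse_allow_file(text):
    """Turn 'host vncdisp' lines into 'host:59xx' entries (vncdisp 15 -> 5915)."""
    allowed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # malformed line: ignore it rather than allow something unintended
        host, disp = parts
        allowed.add(f"{host}:{5900 + int(disp)}")
    return allowed


def load_allowed(allow_file_text):
    """Static list plus the allow file, re-read for every new connection."""
    return STATIC_ALLOWED | parse_allow_file(allow_file_text)


def route(first_bytes, allowed):
    """Decide what to do with the first bytes read from a fresh connection.

    Returns ("vnc", (host, port)) for an allowed CONNECT target,
            ("deny", (host, port)) for a CONNECT to a host:port not on the list,
            ("httpd", HTTPD_ADDR) for anything else (hand the connection to apache).
    """
    m = CONNECT_RE.match(first_bytes)
    if not m:
        return ("httpd", HTTPD_ADDR)
    host, port = m.group(1).decode("ascii"), int(m.group(2))
    if f"{host}:{port}" in allowed:
        return ("vnc", (host, port))
    return ("deny", (host, port))
```

In the real gateway the "vnc" case opens a TCP connection to the workstation and copies bytes both ways, while "httpd" does the same towards apache; the decision logic above is what keeps the allowlist strict.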

This tool possibly has other applications outside of VNC SSL tunnelling for which it was created.

To run it, download it and then type "chmod 755 ./connect_switch". Edit the Listen line in the Apache file ssl.conf to be "Listen 127.0.0.1:443".

You also need to put the RewriteRules for ssl.conf from the normal SSL VNC portal page into ssl.conf. You do not need to change httpd.conf since this is pure SSL/https. Note that the RewriteRules for /vnc443 are the only ones needed. Even those are optional if you put all of the parameters (CONNECT=, PORT=, etc.) on the URL line in the browser yourself.

Then restart apache, often it is:

    apachectl stop
    apachectl startssl

To have connect_switch listen on port 443 you need to run it as root. Run it like this:

    ./connect_switch

Then on a remote host (outside your firewall probably) enter a URL like this:

   https://www.gateway.east/vnc443/host2

(with the names changed to your situation of course). You can rename the prefix "/vnc443" to something shorter and easier to remember in the config file if you like.

To terminate connect_switch type Ctrl-C in the shell you started it in. Be sure to change the apache parameter back to "Listen 443" if you do not want to use it anymore. For a more robust setup you can have a cron job check whether it is still running and restart it if it isn't, or have a wrapper script do this.