Port 80 conundrum

I have a networking / remote access question that is very loosely related to OpenHab.
I have several devices on my home network that are accessible through non-standard ports (openHAB, cameras, Grafana charts, etc., etc., etc.). For security reasons, I set up a web server so that I can funnel all communications through a single port. Since my ISP blocks traffic on ports 80 and 443, I had to use a non-standard port.
This solution works fine from most locations. The problem that I have now though is that my company only allows traffic on ports 80 and 443, so I cannot access my system from my office (which is where I need access 90% of the time).
Does anyone have any suggestions for bridging this divide? I’ve tried to forward my domain name (example.com) to my open port (myIP:Port#) and it appears seamless; I’ve also tried using an iFrame in an externally hosted web page.

I’m pretty sure that your company uses a proxy for http(s) connections.
I’m using an ssh tunnel connection to control my home:

  • At home, sshd listens on port 22 (ssh). My router is redirecting requests on port 443 to port 22 on the sshd machine.
  • At work I’m using PuTTY, which is configured to use the http proxy on port 8080. So PuTTY asks the proxy to connect to my.home.ip.address:443. When the connection is established, I’m using an ssh tunnel to control openHAB via http://localhost:10000/... (PuTTY tunnels this through ssh to my.openhab.home.ip:8080).

I used port 443 as this is for ssl connections, which are encrypted and therefore the proxy doesn’t know how to filter, but this should work on other ports as well.

hmmm… I don’t see how you will be able to solve this one…

You may need to involve a 3rd host where you will establish a VPN server there and connect to it from the other 2 nodes (OH2 and work pc)

Or… try to complain to your ISP to allow incoming http/s to your home connection… this filtering stuff is crap :slight_smile:

> … this filtering stuff is crap :slight_smile:

Yes indeed! ISP monopolies are bad for consumers!

I don’t want to do anything that my company would frown on (like using a VPN); I want the IT guys to do their jobs and keep our network safe.

I was considering using a VPS as a proxy to direct traffic on http://example.com/openhab/ to http://mypublicip:OHPORT. I’m not sure if this would work though. Would this just forward traffic to http://mypublicip:OHPORT, which would be blocked, or would this be transparent to the browser?

You can use a reverse proxy, but you would still need a 3rd host (since you can’t connect on 80/443 to your OH machine and these are the only 2 ports allowed from work :))

Place an nginx or apache on a separate host, connect to it using 80/443 from work (allowed) and use it to connect on some other port (not 80/443) to your OH2 host at home.

There are some posts in this forum on reverse proxies (the reverse proxy doesn’t have to run on the same host as OH2).


Would the ssh tunnel have already set up end-to-end encryption? So you are encrypting your HTTP traffic within the already encrypted ssh tunnel. You are already bypassing the proxy because you are never leaving your computer as HTTP/HTTPS. And if your work is using a MITM proxy, it is decrypting, inspecting, and re-encrypting the HTTPS traffic anyway so using HTTPS wouldn’t buy you anything in terms of privacy.

So HTTPS in your ssh tunnel is redundant and HTTPS through your company’s proxy doesn’t provide confidentiality.

Maybe I’m not reading your setup correctly…

No, I don’t ssl anything :slight_smile: I only set up port 443 at WAN to be forwarded to port 22 at my.ssh.computer.LAN. I only used port 443 as this port isn’t blocked for connections through the proxy.

In fact, I’m not sure if this mapping is really necessary. Maybe the connection did not work because my router blocked port 22.

OK, now I think I understand. You are using 443 because the proxy does not allow connections out on port 22. So you are fooling the proxy into thinking it is HTTPS traffic by using port 443.

Be aware though that many if not most companies will use a MITM proxy to decrypt the traffic leaving the company even through SSL connections. All your work computers will have the company CA in their trust store so the browser and every other SSL/TLS program will see your proxy’s cert and trust it, the proxy decrypts and inspects the traffic, then establishes its own encrypted connection to the destination.

Many of these proxies will be protocol aware which means they will detect and block SSH traffic going over port 443. So YMMV with this trick.

Thanks, I solved this by setting up a VPS and using NGINX to reverse proxy to my home network. It did cost me a few bucks though.

I am also able to run Grafana locally on the VPS instead of proxying traffic: Browser -> VPS / Grafana -> Home server / InfluxDB. I’m not sure if this is faster or not though.

As a side note, it doesn’t appear that you can address openHAB through a folder in the reverse proxy (i.e. http://example.com/openhab does not work). It does work fine as a subdomain though (i.e. openhab.example.com).

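The VPS-plus-nginx setup the thread arrives at, written out as an added example configuration (not from the thread or from the openHAB project). It uses a subdomain rather than a path prefix, matching what the poster found to work; example.com, HOME_PUBLIC_IP, OHPORT and the certificate and htpasswd paths are placeholders.

```nginx
# Added example: nginx on the VPS, terminating TLS on 443 (allowed from work)
# and reverse-proxying openhab.example.com to the home network on a
# non-standard port. HOME_PUBLIC_IP, OHPORT and file paths are placeholders.

# Pass the browser's Upgrade header through only when one is present.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80 only redirects to HTTPS; nothing is served in the clear.
server {
    listen 80;
    server_name openhab.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name openhab.example.com;

    ssl_certificate     /etc/letsencrypt/live/openhab.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openhab.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Authenticate at the proxy so an unauthenticated browser never reaches
    # the home port at all. The file is created with `htpasswd -c`.
    auth_basic           "openHAB";
    auth_basic_user_file /etc/nginx/htpasswd;

    location / {
        # Upstream leg: VPS -> home router -> openHAB. This hop is plain HTTP
        # across the internet, so on the home router allow OHPORT inbound only
        # from the VPS address (or carry this hop inside an SSH/VPN tunnel).
        proxy_pass http://HOME_PUBLIC_IP:OHPORT;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The openHAB UI keeps long-lived connections open (SSE / WebSocket).
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_buffering    off;
        proxy_read_timeout 3600s;
    }
}
```

Check the file with `nginx -t` before reloading; the other services in the thread (cameras, Grafana) get their own `server` blocks on their own subdomains rather than path prefixes.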