Secure (https) access to antman

Easy https for antMan

With the introduction of antMan 0.9.1 we can set a subdomain to access antMan via https://<subdomain>.antsle.us

First we want to set the subdomain in antHill. We will assume you have activated your antsle in antHill, if you have not take a look at the release annoucement for 0.9.0. Once you login to antHill you should see your antsle in your dashboard.

The under the subdomain column click "Get one!". You can then set the subdomain you want for this antsle as long as its available. Lets say we set the subdomain to aster. After you submit the configuration you will be able to connect to antMan via https://aster.antsle.us!

antHill dashboard with subdomain column



Manual https to antMan

  1. Obtain your SSL certificate and key files
  2. Place them in the certs dirctory
  3. Create a virtualhosts .conf file
  4. Restart nginx
Note: This will conflict with an antsle.us subdomain. Please use one or the other.
Note: If using a self-signed certificate, as I will in this example, your browser will show warnings because the certificate has not been signed by a trusted CA.

If you have renamed your antsle, replace "myantsle.local" with "yourname.local" in the following instructions.

First lets create a new directory to store the certificate files

  mkdir -p /etc/ssl/certs/mycerts

Create a self-signed certificate

  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/certs/mycerts/antman-selfsigned.key -out /etc/ssl/certs/mycerts/antman-selfsigned.crt

You will be prompted with serveral questions. Enter myantsle.local when prompted for "Common Name"

Common Name (e.g. server FQDN or YOUR name) []: myantsle.local

Disable the current nginx myantsle.local.conf file by renaming it

mv /etc/nginx/virtualhosts/myantsle.local.conf /etc/nginx/virtualhosts/myantsle.local.conf.bak

Create and edit a new nginx virtualhosts configuration file

  nano /etc/nginx/virtualhosts/ssl.myantsle.local.conf

Paste the following content into the file.

map $http_upgrade $connection_upgrade {
  default upgrade;
    ''      close;
}

# redirect http request
server {
  listen 80;
  server_name myantsle.local;
  rewrite ^ https://myantsle.local$request_uri redirect;
}

server {
  listen 443 ssl;
  ssl on;
  ssl_certificate /etc/ssl/certs/mycerts/antman-selfsigned.crt;
  ssl_certificate_key /etc/ssl/certs/mycerts/antman-selfsigned.key;
  server_name myantsle.local;
  root /var/www;

  location / {
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                 $host;
    proxy_set_header    X-Real-IP            $remote_addr;
    proxy_set_header    X-Forwarded-For      $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto    $scheme;
    proxy_set_header    X-Forwarded-Protocol $scheme;
    proxy_set_header    X-Forwarded-Ssl      off;
    proxy_set_header    X-Url-Scheme         $scheme;
    proxy_set_header    X-Frame-Options      SAMEORIGIN;

    # Forward WebSocket.
    proxy_http_version  1.1;
    proxy_set_header    Upgrade              $http_upgrade;
    proxy_set_header    Connection           $connection_upgrade;

    proxy_pass http://127.0.0.1:3000;
  }
}

server {
  listen 6843 ssl;
  ssl_certificate /etc/ssl/certs/mycerts/antman-selfsigned.crt;
  ssl_certificate_key /etc/ssl/certs/mycerts/antman-selfsigned.key;
  root /var/www;

  location / {
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                 $host;
    proxy_set_header    X-Real-IP            $remote_addr;
    proxy_set_header    X-Forwarded-For      $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto    $scheme;
    proxy_set_header    X-Forwarded-Protocol $scheme;
    proxy_set_header    X-Forwarded-Ssl      off;
    proxy_set_header    X-Url-Scheme         $scheme;
    proxy_set_header    X-Frame-Options      SAMEORIGIN;

    # Forward WebSocket.
    proxy_http_version  1.1;
    proxy_set_header    Upgrade              $http_upgrade;
    proxy_set_header    Connection           $connection_upgrade;

    proxy_pass http://127.0.0.1:6822;
  }
}

map $server_port $vnc_port {
    ~67(?<id>\d\d) 69$id;
}
server {
# These 'listen' lines are for the vncConsoles in antMan. If you will have more
# than 10 kvm antlets you can add more. Just increment the port number for each
# additional line.
  listen 6700 ssl;
  listen 6701 ssl;
  listen 6702 ssl;
  listen 6703 ssl;
  listen 6704 ssl;
  listen 6705 ssl;
  listen 6706 ssl;
  listen 6707 ssl;
  listen 6708 ssl;
  listen 6709 ssl;
  listen 6710 ssl;

  ssl_certificate /etc/ssl/certs/mycerts/antman-selfsigned.crt;
  ssl_certificate_key /etc/ssl/certs/mycerts/antman-selfsigned.key;
  root /var/www;

  location / {
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                 $host;
    proxy_set_header    X-Real-IP            $remote_addr;
    proxy_set_header    X-Forwarded-For      $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto    $scheme;
    proxy_set_header    X-Forwarded-Protocol $scheme;
    proxy_set_header    X-Forwarded-Ssl      off;
    proxy_set_header    X-Url-Scheme         $scheme;
    proxy_set_header    X-Frame-Options      SAMEORIGIN;

    # Forward WebSocket.
    proxy_http_version  1.1;
    proxy_set_header    Upgrade              $http_upgrade;
    proxy_set_header    Connection           $connection_upgrade;

    proxy_pass http://127.0.0.1:$vnc_port;
  }
}

If you have renamed your antsle, edit the 'server_name' in the first two server blocks.
Your certificate path/file names must be reflected in all but the first server block.

Restart the nginx service

service nginx restart

With this configuration an http request will be redirected to https.



SSH Reverse Tunnel to antMan

SSH can be used to create a 'reverse tunnel' to antMan. The nice thing about this is the only configuration required is to create the port forwarding rule in the router. No additional nginx configuration or ssl certificates are required.

For example:

  • router public IP: 2.2.2.2
  • antsle private IP: 192.168.1.3
  • router is forwarding port 22 to the antsle's private IP 192.168.1.3 port 22

We can run the following command from a remote location

ssh [email protected] -L 3333:localhost:3000

The command maps a local port (3333 in this case) to the remote port (3000) via an ssh tunnel - antMan is listening on port 3000.
Now you can enter the following url in your browser to open the remote antMan

http://localhost:3333

Using port 3333 is just an arbitrary choice. You can uses different local port numbers to connect to different antlets e.g. 3333 for the San Diego antsle and 4444 for the Dallas antsle.

In the first example the standard ssh port is used (22). But you could forward a different port on the public side of your router. In this next example we will use port 44761 on the public side of the router.

  • router is forwarding port 44761 to the antsle's private IP 192.168.1.3 port 22

For this use the '-p' option to designate the target ssh port.

ssh -p 44761 [email protected] -L 3333:localhost:3000

The url used in your browser is the same as the first example.

To be able to open remote kvm antlet vncConsoles via antMan add these port mappings to the ssh command

ssh -p 44761 [email protected] -L 3333:localhost:3000 -L 6900:localhost:6900 -L 6901:localhost:6901 -L 6902:localhost:6902

You can add as many '-L' mappings as you like. The first kvm antlet started will use port 6900 for its console. The second kvm antlet started will use port 6901... and so on.

https to antlets

To set up an ssl certificate for an antlet we have a couple of options

  • Install the certificate in the antlet
  • Use nginx proxy to handle the certificate

The first option requires the antlet to have a bridged NIC and be addressed directly. The traffic for each antlet/webserver would require a unique public IP address or use a unique port number for the router to direct the traffic to the correct antlet IP address. Here the certificate files are installed and handled by the antlet

The second option allows nginx to connect to the proper antlet based on the URL in the header of the request. This is desireable because you can forward traffic (at the router) for multiple sites to one IP address, the private IP address of the antsle. The certificate files are installed and handled by nginx on the edgeLinux OS.

First cretae a directory for your certificate files on the edgeLinux OS.

mkdir -p /etc/ssl/certs/mycerts

Use SCP or SFTP to copy your certificate files to this directory.

Create and edit a new nginx virtualhosts configuration file for your domain name. Replace example.com with your domain name.

  nano /etc/nginx/virtualhosts/ssl.example.com.conf

Paste the following content into the file and replace 'example.com' with your domain name.

# SSL to antlet

# If you want to use your domain example.com in HTTPS mode (with SSL),
# rename this file to ssl.example.com.conf (from ssl.example.com.conf.HTTPS)
# Replace example.com with your domain name.
# Make sure you have your SSL certificate installed properly.
# The certificate files are not required to be in the directories presented here, but
# the path must be the correct path to your certificate files.

# The webserver on your antlet will listen on port 80 (http).
# Nginx on edgeLinux handles SSL (https).

# Redirect http://www.example.com to https://example.com
# If your domain name does include 'www' then remove this server block and use the full
# domain name in the last server block.
server {
  listen 80;
  server_name www.example.com;
  rewrite ^ https://example.com$request_uri redirect;
}

# Redirect http://... to https://...
server {
  listen 80;
  server_name example.com;
  rewrite ^ https://example.com$request_uri redirect;
}

# Redirect https://www... to https://example.com
# If your domain name does include 'www' then remove this server block and use the full
# domain name in the last server block.
server {
  listen 443 ssl;
  ssl on;
  ssl_certificate /etc/ssl/certs/mycerts/example.com.crt;
  ssl_certificate_key /etc/ssl/certs/mycerts/example.com.key;
  server_name www.example.com;
  rewrite ^ $scheme://example.com$request_uri redirect;
}

# Think of the word 'example' in 'upstream example' as a variable name which is
# used in other server blocks. This name must be unique among all your .conf
# files. It is used in the two 'proxy_pass' lines in the next server block.
# If you change the upstream variable name then be sure to update the proxy_pass
# lines also.
upstream example {
  # Enter the IP address and port number of your antlet handling this domain
  server 10.1.1.10:80;
}

server {
  listen 443 ssl;
  ssl on;
  ssl_certificate /etc/ssl/certs/mycerts/example.com.crt;
  ssl_certificate_key /etc/ssl/certs/mycerts/example.com.key;
  server_name example.com;
  root /var/www;

  location / {
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;
    proxy_buffers         4 256k;
    proxy_buffer_size       128k;
    proxy_busy_buffers_size 256k;

    proxy_set_header    Host                 $host;
    proxy_set_header    X-Real-IP            $remote_addr;
    proxy_set_header    X-Forwarded-For      $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto    $scheme;
    proxy_set_header    X-Forwarded-Protocol $scheme;
    proxy_set_header    X-Forwarded-Ssl      off;
    proxy_set_header    X-Url-Scheme         $scheme;
    proxy_set_header    X-Frame-Options      SAMEORIGIN;

    proxy_pass http://example;
  }

  location ~*  \.(jpg|jpeg|png|gif|ico|css|js|pdf|woff|woff2)(\?.*)?$ {
    expires 365d;
    add_header Cache-Control "public, max-age=315360000";
    access_log off;

    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;
    proxy_buffers         8 24k;
    proxy_buffer_size       2k;

    proxy_set_header    Host                 $host;
    proxy_set_header    X-Real-IP            $remote_addr;
    proxy_set_header    X-Forwarded-For      $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto    $scheme;
    proxy_set_header    X-Forwarded-Protocol $scheme;
    proxy_set_header    X-Forwarded-Ssl      off;
    proxy_set_header    X-Url-Scheme         $scheme;
    proxy_set_header    X-Frame-Options      SAMEORIGIN;

    proxy_cache            STATIC;
    proxy_cache_valid      200  1d;
    proxy_cache_use_stale  error timeout invalid_header updating
                           http_500 http_502 http_503 http_504;

    proxy_pass http://example;

  }
}

Restart the nginx service

service nginx restart