[ale] [OT] Inbound web access using pfSense

DJ-Pfulio DJPfulio at jdpfu.com
Tue Jun 30 08:20:22 EDT 2020


I'm afraid of using http/https for any admin access over the internet. Would rather not trust DNS and/or Cert providers since those have been spoofed by authoritative govts for decades.

I would never allow Windows to be directly accessible over the internet. It always requires a 'hop' on the LAN to get to any Windows system.

Plus, there are lots of easy ways to have remote access into a Linux system, then run a remote desktop from it to the Windows system.  x2go is pretty easy AND fast.

When it comes to remote access, either ssh, ssh-tunnels or a full VPN are it. Let's raise the bar just a little beyond "I have a web browser" for the attackers.

IMHO.

On 6/28/20 1:00 AM, Jeff Hubbs via Ale wrote:
> Now that I've got a static IP (just one) I'm starting to work on hosting my own web servers and the first thing I'm trying to do is make a nginx and Apache Guacamole rig export Windows Server Remote Desktop sessions via HTML5 (that's the Guacamole part) out to people who come in with a URL I give them. I do not yet have internet DNS involved so the URL I plan to give to one person I want to demonstrate the capability to will have the form https://<internet_ip_address>/abcd.
> 
> I have all this set up behind a pfSense machine. From behind the pfSense machine, I can point a browser to a URL in the form of http://<nginx-guac_machine_ip_address>/wxyz, log in to Guacamole, and I get an RDP session on the adjacent Windows server painted in the browser window. In fact, I've got nginx where if I start the URL with http: it will "auto-escalate" to https: using a self-signed certificate. What I'm unclear about is what needs to happen in pfSense such that 1) someone over the internet can come in at .../abcd as described above and pfSense will change that to .../wxyz and 2) the https escalation still gets handled.
> 
> I expect that I will be using the nginx-Guacamole server for other internet-reachable services so I won't want to do anything that will pave over that flexibility.
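The nginx half of the setup asked about in the quoted message, as an added example config (not the poster's own configuration): the public path /abcd/ is proxied to Guacamole's default /guacamole/ context, and plain HTTP only redirects to HTTPS. It assumes Guacamole's Tomcat listens on 127.0.0.1:8080 on the same host, and the certificate paths are placeholders.

```nginx
# Added example (not from the thread): nginx in front of Apache Guacamole.
# Assumptions: Guacamole's Tomcat listens on 127.0.0.1:8080 at its default
# context path /guacamole/; the certificate paths below are placeholders.

# Plain HTTP does nothing but redirect; the login form is never served over it.
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name _;

    ssl_certificate     /etc/nginx/tls/guac.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/guac.key;   # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    # Everything that is not explicitly published gets a 404, so other services
    # on this host stay private until they are given their own location block.
    location / {
        return 404;
    }

    # Without the trailing slash the prefix location below would not match.
    location = /abcd {
        return 301 /abcd/;
    }

    # External /abcd/ maps to Guacamole's internal /guacamole/.
    location /abcd/ {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The WebSocket upgrade is what carries the RDP session to the browser.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        # Rewrite the session cookie path so the browser sends it back to /abcd/.
        proxy_cookie_path /guacamole/ /abcd/;
    }
}
```

pfSense's share of this is then a single NAT port forward of TCP 443 from the WAN address to the nginx host; TCP 80 only needs forwarding if the http-to-https redirect is wanted for people who type the URL without a scheme. The access log is deliberately left on for the /abcd/ location so failed logins against the Guacamole form are visible.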
