Dropbox 5 – Dropbox Relay (SSH over SSL/TLS)

The focus of this series isn’t the relay server. Any solution can be used as long as it supports tunneling SSH over SSL/TLS, since one of our stipulations is not to require outbound SSH from the client environment.

For the solution documented here we’ve gone with HAProxy (http://www.haproxy.org/).

I found Ch-M.D’s website very helpful – http://blog.chmd.fr/ssh-over-ssl-episode-4-a-haproxy-based-configuration.html

A lesson learned was that to support SSL/TLS you must be running HAProxy version 1.5-dev19+. At the time of installation, I believe the Ubuntu repository only had version 1.4. The solution is to enable a dedicated PPA.

apt-get install software-properties-common

add-apt-repository ppa:vbernat/haproxy-1.6

Then run the following commands.

apt-get update

apt-get install haproxy

You will then have the latest release of HAProxy 1.6 installed.

My /etc/haproxy/haproxy.cfg file looks like the below.

global
 log /dev/log local0
 log /dev/log local1 notice
 chroot /var/lib/haproxy
 stats socket /run/haproxy/admin.sock mode 660 level admin
 stats timeout 30s
 user haproxy
 group haproxy
 daemon

 maxconn 2048
 tune.ssl.default-dh-param 2048

 # Default SSL material locations
 ca-base /etc/ssl/certs
 crt-base /etc/ssl/private

 # Default ciphers to use on SSL-enabled listening sockets.
 # For more information, see ciphers(1SSL). This list is from:
 # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
 ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
 ssl-default-bind-options no-sslv3

defaults
 log global
 mode http
 option httplog
 option dontlognull
 timeout connect 5000
 timeout client 50000
 timeout server 50000
 errorfile 400 /etc/haproxy/errors/400.http
 errorfile 403 /etc/haproxy/errors/403.http
 errorfile 408 /etc/haproxy/errors/408.http
 errorfile 500 /etc/haproxy/errors/500.http
 errorfile 502 /etc/haproxy/errors/502.http
 errorfile 503 /etc/haproxy/errors/503.http
 errorfile 504 /etc/haproxy/errors/504.http

# The cover website: plain HTTP on localhost, used when the TLS connection carries HTTP.
backend secure_http
 reqadd X-Forwarded-Proto:\ https
 rspadd Strict-Transport-Security:\ max-age=31536000
 mode http
 option httplog
 option forwardfor
 server local_http_server 127.0.0.1:80

# The local sshd, used when the TLS connection carries SSH.
backend ssh
 mode tcp
 option tcplog
 server ssh 127.0.0.1:22
 # SSH sessions sit idle for long stretches, so override the 50s default from the
 # defaults section (timeout client from defaults still applies on the frontend side).
 timeout server 2h

frontend ssl
 bind :443 ssl crt /etc/haproxy/certs/<FQDN of Dropbox Relay>.pem no-sslv3
 mode tcp
 option tcplog
 # Hold the connection for up to 5s waiting for the client's first bytes before choosing a backend.
 tcp-request inspect-delay 5s
 # A recognisable HTTP request is accepted at once, without waiting out the delay.
 tcp-request content accept if HTTP

 # First 7 bytes of the payload are "SSH-2.0" (hex 5353482d322e30): an SSH client that
 # sent its identification string without waiting for the server's.
 acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30

 # Anything that is not HTTP once the delay expires, including a client that sent nothing
 # because it is waiting for the sshd banner, goes to the ssh backend.
 use_backend ssh if !HTTP
 use_backend ssh if client_attempts_ssh
 use_backend secure_http if HTTP

Now, since we’ll be tunneling a lot of traffic over this connection, somebody monitoring the network where our Dropbox Server is deployed might get curious as to what’s so interesting at https://<FQDN of Dropbox Relay>. Well, if they use a browser to peruse it they’ll see whatever website you set up.

If they poke around a bit more they’ll see that things are not necessarily as they appear.

ncat -v --ssl-verify <FQDN of Dropbox Relay> 443

This will produce a response similar to the following. Note the OpenSSH banner!

Ncat: Version 6.49BETA4 ( http://nmap.org/ncat )
Ncat: SSL connection to <IP of Dropbox Relay>:443.
Ncat: SHA-1 fingerprint: 6AC1 80C6 01E6 DE07 4DE6 CF29 D9A4 4F9D 4C6D 8493

SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
Protocol mismatch.
close: Result too large
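The following Python is an added example, not code from the original post or from HAProxy. It mirrors the frontend’s dispatch rule from the configuration above (the same "SSH-2.0" payload match and the not-HTTP fallback) and performs the same silent probe as the ncat command, so a defender can check whether a port 443 service volunteers an SSH banner; the host name argument and the 8 s wait are assumptions.

```python
import socket
import ssl

# The same seven bytes the HAProxy ACL matches with payload(0,7) -m bin 5353482d322e30.
SSH_PREFIX = bytes.fromhex("5353482d322e30")  # b"SSH-2.0"


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes seen on a connection as 'ssh', 'http' or 'unknown'.

    Works in either direction: SSH peers open with an identification string,
    an HTTP client with a request line, an HTTP server with a status line."""
    if data.startswith(SSH_PREFIX):
        return "ssh"
    if data.startswith(b"HTTP/"):
        return "http"  # status line of a response
    request_line = data.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) == 3 and parts[0].isalpha() and parts[0].isupper() and parts[2].startswith(b"HTTP/"):
        return "http"  # request line such as b"GET / HTTP/1.1"
    return "unknown"


def choose_backend(client_bytes: bytes) -> str:
    """Mirror the frontend's dispatch: whatever the client sent within the inspect-delay
    (possibly nothing, as an SSH client may wait for the server banner) goes to
    secure_http only if it is HTTP; everything else goes to ssh."""
    return "secure_http" if classify_first_bytes(client_bytes) == "http" else "ssh"


def probe_tls_service(host: str, port: int = 443, wait: float = 8.0) -> str:
    """Connect over TLS, send nothing, and classify what the server volunteers first.

    A plain HTTPS site stays silent (it waits for a request). The relay above waits out
    its 5 s inspect-delay, hands the idle connection to sshd, and sshd sends its banner,
    so 'wait' must exceed the relay's inspect-delay. Returns 'silent' on timeout."""
    ctx = ssl.create_default_context()  # verifies the certificate, like ncat --ssl-verify
    with socket.create_connection((host, port), timeout=wait) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            try:
                data = tls.recv(256)
            except socket.timeout:
                return "silent"
    return classify_first_bytes(data)


if __name__ == "__main__":
    import sys
    print(probe_tls_service(sys.argv[1]))  # usage: python probe.py <FQDN of Dropbox Relay>
```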

 
