29 Dec 2009 dangermaus   » (Journeyer)

One solution to escape the cage of firewalls around you and reach your beloved server is

Install Ajaxterm on Gentoo

These are the steps I followed; they should complement the explanation on the wiki of Ajaxterm, created by Antony Lesuisse.

1. set up a Dyndns account and ddclient

Publish the IP address of your router first with these steps:

Visit Dyndns, register an account and your host. Choose a freely available DNS name like delta.dyndns.org. On your Gentoo box, install ddclient


USE="ssl" emerge ddclient
su
vi /etc/ddclient/ddclient.conf

In ddclient.conf enter your account details for Dyndns. Since the Gentoo box sits behind the router, let ddclient discover the public address from outside (use=web) rather than read it from a local interface. The file holds your Dyndns password, so keep it readable by root only.

Launch and register ddclient with


/etc/init.d/ddclient start
rc-update add ddclient default

2. install Ajaxterm


ACCEPT_KEYWORDS="~x86" emerge ajaxterm
/etc/init.d/ajaxterm start

If launching ajaxterm fails with [!!], do the following:


vi /etc/services

At the bottom of the file services add


ajaxterm     8022/tcp
ajaxterm     8022/udp

If launching ajaxterm still fails with [!!], edit /etc/init.d/ajaxterm and point the DAEMON variable at /usr/bin/python2.5.

Once ajaxterm starts with a green [OK], point a JavaScript-enabled browser (the text-based links or lynx do not work!) to http://localhost:8022/. If your Gentoo box has no Gnome or KDE on it, you can also point a browser on the same network segment at it, e.g. http://192.168.1.33:8022/. Ajaxterm will welcome you with the login window :-). Keep in mind that port 8022 speaks plain HTTP, so a login over it crosses the LAN in the clear: use it only to check that the install works, and never forward 8022 on the router. The SSL front-end of step 3 is the only thing that should be reachable from outside.

It's time to register ajaxterm in the default runlevel, so that it survives a reboot:


rc-update add ajaxterm default

3. Emerge and configure Apache

The Ajaxterm wiki suggests putting Apache in front of Ajaxterm as an SSL reverse proxy, for security reasons: Ajaxterm itself speaks only plain HTTP, and everything typed into the terminal, the login password included, would otherwise travel over the wire in the clear.

Let's build an apache with some modules ;-) Strictly, the SSL tunnel below needs only proxy and proxy_http on top of the defaults (mod_ssl comes from the ssl USE flag); the longer list is simply a generous general-purpose build.


su
echo 'APACHE2_MODULES="authz_host actions alias auth_basic
auth_digest authn_anon authn_dbd authn_dbm authn_default
authn_file authz_dbm authz_default authz_groupfile
authz_owner authz_user autoindex cache dav dav_fs
dav_lock dbd deflate dir disk_cache env expires ext_filter
file_cache filter headers ident imagemap include info
log_config logio mem_mem_cache mime mime_magic negotiation proxy
proxy_ajp proxy_balancer proxy_connect proxy_http rewrite
setenvif speling status unique_id userdir usertrack
vhost_alias"' >> /etc/make.conf


USE="ssl" emerge -av apache

Make sure that -D PROXY and -D PROXY_HTTP are present in APACHE2_OPTS in /etc/conf.d/apache2:


vi /etc/conf.d/apache2
[...]
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D PROXY -D PROXY_HTTP"
[...]

Configure the SSL tunnel with the lines below. ProxyRequests Off is the line that matters most: with it on, anyone who can reach port 443 could use your box as an open forward proxy.


vi /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
[...]
<VirtualHost *:443>
       ServerName localhost
       SSLEngine On

       ProxyRequests Off
       <Proxy *>
           Order deny,allow
           Allow from all
       </Proxy>
       ProxyPass /ajaxterm/ http://localhost:8022/
       ProxyPassReverse /ajaxterm/ http://localhost:8022/
</VirtualHost>
[...]

Start and register Apache2 with


/etc/init.d/apache2 start
rc-update add apache2 default

4. create a certificate for Apache

Here are the steps to create a self-signed certificate:


openssl req -new > new.cert.csr

Without a -key argument, openssl generates a fresh key, writes it to privkey.pem in the current directory and protects it with the passphrase you are prompted for. When asked for the CommonName, give the DNS name you chose (e.g. delta.dyndns.org). This is important: the browser compares that name with the host in the URL, and a mismatch earns you a second warning on top of the self-signed one.

Remove the passphrase, so that Apache can load the key at boot without prompting (the key is then stored unencrypted, so keep new.cert.key readable by root only):


openssl rsa -in privkey.pem -out new.cert.key

Convert the request into the signed certificate:


openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 3650

Indicate to apache where to find the signed certificate and the key:


vi /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
[...]
SSLCertificateFile /path/to/certs/new.cert.cert
SSLCertificateKeyFile /path/to/certs/new.cert.key
[...]

Source for these steps: Apache SSL docs

5. configure NAT on your router

Log in to your router, go to the NAT section and forward port 443 to the server where Ajaxterm is running. Forward only 443: the plain-HTTP port 8022 stays inside.

That's all: from a caged environment, simply point your browser to https://delta.dyndns.org/ajaxterm/ and add a certificate exception, as the certificate is self-signed and not issued by a CA. Before you accept it, compare the fingerprint the browser shows with the fingerprint of new.cert.cert on the server. If they differ, something between you and your router is terminating the connection with a certificate of its own, and the exception would hand it your password.
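The front-end of steps 3 and 4 scripted, as an added example that is not part of the original post or of Ajaxterm: one openssl call replaces the req/rsa/x509 sequence of step 4 (no passphrase, owner-only key, plus a subjectAltName because current browsers ignore the CN), the step 3 vhost is written with the proxy pinned to the loopback Ajaxterm port and an Apache login placed in front of the system one, and two fingerprint helpers let you compare what the server holds with what the browser is shown before you add the exception. The paths /etc/apache2/ssl, /etc/apache2/vhosts.d/00_ajaxterm_ssl_vhost.conf and /etc/apache2/ajaxterm.htpasswd are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the original post or from Ajaxterm: script the
# Apache TLS front-end of steps 3 and 4. Assumed (not from the page): cert
# and key under /etc/apache2/ssl, the vhost in
# /etc/apache2/vhosts.d/00_ajaxterm_ssl_vhost.conf, a basic-auth file at
# /etc/apache2/ajaxterm.htpasswd.
set -eu

# make_selfsigned HOST DIR: one command replaces req/rsa/x509 from step 4.
# -nodes writes the key without a passphrase (Apache must read it at boot),
# so the umask keeps it owner-only. -addext needs OpenSSL 1.1.1 or newer;
# modern browsers match the name against subjectAltName, not the CN.
make_selfsigned() {
    host=$1; dir=$2
    mkdir -p "$dir"
    ( umask 077
      openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
          -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
          -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null ) \
        || { echo "openssl req failed for $host" >&2; return 1; }
    chmod 644 "$dir/$host.crt"
}

# cert_cn FILE: subject CN, e.g. "delta.dyndns.org"
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject= *CN=//p'
}

# cert_fingerprint FILE: SHA-256 fingerprint in the form the browser shows
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# cert_matches_key CERT KEY: true only if both carry the same RSA modulus
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# served_fingerprint HOST: what a browser on the far side of the firewall
# actually receives on :443. It must equal cert_fingerprint of the file on
# the server; a mismatch means something in between terminates TLS itself.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# write_ajaxterm_vhost HOST CERTDIR OUTFILE: the step 3 vhost, with the
# proxy limited to one loopback backend and a second login in front of it.
write_ajaxterm_vhost() {
    host=$1; certdir=$2; out=$3
    cat > "$out" <<EOF
<VirtualHost *:443>
    ServerName $host
    SSLEngine On
    SSLCertificateFile    $certdir/$host.crt
    SSLCertificateKeyFile $certdir/$host.key
    # Apache 2.2 only knows SSLv2/SSLv3/TLSv1; on 2.4 prefer "-all +TLSv1.2 +TLSv1.3"
    SSLProtocol all -SSLv2 -SSLv3
    Header always set Strict-Transport-Security "max-age=31536000"

    # Reverse proxy only. "ProxyRequests On" would turn the box into an
    # open forward proxy for anyone who can reach port 443.
    ProxyRequests Off

    <Location /ajaxterm/>
        ProxyPass        http://127.0.0.1:8022/
        ProxyPassReverse http://127.0.0.1:8022/
        # An Apache login before the system login prompt Ajaxterm exposes;
        # create the file with: htpasswd -c /etc/apache2/ajaxterm.htpasswd USER
        AuthType Basic
        AuthName "ajaxterm"
        AuthUserFile /etc/apache2/ajaxterm.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
EOF
}

# upstream_targets FILE: every URL the vhost proxies to, for a last check
# that nothing but the loopback Ajaxterm port is reachable through it
upstream_targets() {
    grep -Eo 'ProxyPass +http[^ ]+' "$1" | awk '{print $2}'
}

# vhost_is_reverse_proxy_only FILE: ProxyRequests must be explicitly Off
vhost_is_reverse_proxy_only() {
    grep -Eq '^[[:space:]]*ProxyRequests[[:space:]]+Off' "$1"
}

# Usage (as root): sh ajaxterm-tls.sh delta.dyndns.org
if [ $# -ge 1 ]; then
    vhost=/etc/apache2/vhosts.d/00_ajaxterm_ssl_vhost.conf
    make_selfsigned "$1" /etc/apache2/ssl
    write_ajaxterm_vhost "$1" /etc/apache2/ssl "$vhost"
    vhost_is_reverse_proxy_only "$vhost"
    echo "proxying to: $(upstream_targets "$vhost")"
    echo "compare this fingerprint with the one your browser shows:"
    cert_fingerprint "/etc/apache2/ssl/$1.crt"
fi
```

Run it as root with the DynDNS name as the only argument, then apache2ctl configtest and a restart of apache2; the vhost sticks to directives Apache 2.2 and 2.4 both accept. From the caged network, served_fingerprint delta.dyndns.org must print exactly the string the script printed at the end, and only then is the browser exception safe to add.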

Have fun!
