Implemented

Web Pages over Secure Gateway

Possibility to open / use web pages over the Secure Gateway connections.

So that you don't need to make a VPN for viewing a webpage / management page of a device on a client / other location.

That would be awesome with the Secure Gateway, but it's not an option now.


3 people like this idea

Now I have looked into Royal TSX and I have one more idea.

If automatically replacing the URL and using automated local forwarding through the Secure Gateway is a little too complicated, then it is possible to add a tunnels feature to the Secure Gateway for making permanent tunnels.

Example:

Using the example from before, I made myself a permanent tunnel in the Secure Gateway: 12345:10.10.10.2:443.

In the web page properties there should only be a checkbox labeled "uses permanent rules in secure gateway" and a select field with the list of Secure Gateways.

OK, now I'm out of ideas ;)


Have a nice day boys.

Hi, it looks like my previous message has not arrived in the forum.

And one more hi for Felix Deimel (I hope we can solve this like the saving problem two years ago).


OK, I can shorten this:

When SOCKS is not available (or not easy to implement on Mac), then why not use only LOCAL forwarding?

Example:

I'm in 192.168.0.0/24 and my jump server is 10.10.10.1.

I need to go to 10.10.10.2

I create secure gw 10.10.10.1

I create webpage with address https://10.10.10.2 and check to use secure gateway 10.10.10.1

I start webpage 10.10.10.2

Royal TSX creates a local forwarding (https = 443, unless another port is given in the URI as :<PORT>): 12345:10.10.10.2:443

Royal opens web page with replaced URI: https://127.0.0.1:12345


Cons:

- It uses only IP addresses

- Web apps with redirect functions can cause trouble or can be dysfunctional, but 99% of administration pages are OK. I have used local forwarding for more than 15 years. Automation can be very helpful.


With best regards

Josef Svitak

Hi Josef,


I'm not quite sure I understand your suggestion.

Creating the port forward/tunnel is not the problem. The problem is getting all resources of a web page to use that tunnel instead of a direct connection.

For instance, a website might be hosted on 192.168.0.1, however resources defined in the actual HTML page, like images, javascript, css, etc. might use a completely different IP address/host and so wouldn't be affected by the tunnel.


cheers,

felix

Josef,


you're right in that it would be trivial to add basic Secure Gateway support for web sites. We could add this basically tomorrow. However, this would only work in cases where the web site is programmed to not include any absolute URLs and doesn't access any resources on other hosts. So IMHO this is of limited use and hard to explain to customers why it only works in some cases. It also means that if the initial page for instance is configured "properly" (doesn't include any absolute URLs) it would look good to the customer, but if another page of the same web app has an absolute link embedded, that particular resource then wouldn't load. Which would lead to one page working properly while another won't load at all, the next one loads the HTML but since the CSS is referenced absolutely it doesn't load, and so forth. Basically it's not transparent to the user why one page loads perfectly fine while the next one doesn't. Not a good user experience.


The problem with proxies in Apple's WebKit API is not that it's "hard" to implement. The problem is that an API to specify a custom proxy host simply doesn't exist. The WebKit components always use the proxy settings specified at system level (System Preferences - Network - Advanced - Proxies).


cheers,

felix
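
The URL translation proposed above and the limitation raised in the replies, as an added example that is not part of the original posts or Royal TSX's code: it derives the local forward and rewritten URL from a page address, then sorts a page's references into those that stay on the tunnel and those the browser would fetch directly. The sample HTML and the host 10.10.10.3 are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def forward_spec(url, local_port):
    """Return (local-forward spec, rewritten URL) for a target web page URL."""
    u = urlsplit(url)
    port = u.port or DEFAULT_PORTS[u.scheme]  # https = 443 unless the URI has :<PORT>
    spec = f"{local_port}:{u.hostname}:{port}"
    local = urlunsplit((u.scheme, f"127.0.0.1:{local_port}", u.path, u.query, u.fragment))
    return spec, local

class RefCollector(HTMLParser):
    """Collect src/href/action attribute values in document order."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        self.refs += [v for k, v in attrs if k in ("src", "href", "action") and v]

def classify_refs(html, local_url):
    """Split references into (loaded through the tunnel, loaded directly)."""
    base = urlsplit(local_url)
    collector = RefCollector()
    collector.feed(html)
    tunneled, direct = [], []
    for ref in collector.refs:
        t = urlsplit(urljoin(local_url, ref))
        if t.scheme not in DEFAULT_PORTS:
            continue  # mailto:, data:, javascript: open no HTTP connection
        same = (t.scheme, t.hostname, t.port) == (base.scheme, base.hostname, base.port)
        (tunneled if same else direct).append(ref)
    return tunneled, direct

# Constructed sample page; 10.10.10.3 is an assumed second host.
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<img src="https://10.10.10.2/img/logo.png">
<script src="//10.10.10.3/js/app.js"></script>
<form action="status.cgi"></form>
"""

if __name__ == "__main__":
    spec, local_url = forward_spec("https://10.10.10.2", 12345)
    print(spec, local_url)
    print(classify_refs(SAMPLE_HTML, local_url))
```

Note that the absolute link back to 10.10.10.2 itself lands in the direct list: once the page is opened as 127.0.0.1:12345, even same-device absolute URLs leave the tunnel.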

Hi everyone,


we've just released a new WebKit plugin beta update which includes experimental(!) Secure Gateway support.

You can get the beta here as usual.


Please be aware that this implementation will definitely not work under all circumstances since it basically only translates the URL we give to the underlying WebKit engine. We don't translate any absolute URLs that might be embedded in a website.


Feedback very welcome!


thx,

felix


1 person likes this

Wow just Wow!


This is Awesome!

It works only for http now.

I was trying to access a Router and switch.

Could reach the Switch (http) but not the Router https (Self Signed) 


But at least it's a start.


Maybe there is a way to figure out the certificate warnings?

@Kay: We've just released an update for the WebKit plugin which should fix the https + Secure Gateway issue.

Please let me know if it works for you!


thx,

felix

Just amazing!


Works perfect!

If we can now get this also to work with a Chrome engine, then it's 100% the best solution!

@Kay: Like previously mentioned, Chrome is off limits at the moment. Rest assured that if a new framework or library for Chrome integration on the Mac comes around, I'll be the first to give it a shot. ;)


1 person likes this

@felix: I know, but this is a first step of course.

Now I can manage routers, Switches, Printers etc. without the need of a VPN.


Well done!!

@Kay: Perfect! Please let me know if you run into any issues!

@Felix: Many thanks Felix. It works as expected. Now you save me so much time with Royal TSX and this extension... SSH tunneling is my most used action when it comes to administration of many hardware things (as Kay mentioned).

@Kay: I need it too under VPNs... you know it, you have only the jumpserver accessible (behind this jumpserver is everything)



Very Good Work

@josef what do you mean with "Under VPN's"?



@Kay: simple.... your usage of this is to bypass VPN access (if it is possible to ssh into the server from public)

But my usage of this (tunneling/secure gw) is under an active VPN connection. We use jumpservers (ssh machines) in our environments. It is functionally the same as in your scenario, but I only have access to the server through VPN and jumpserver. Behind this jumpserver the other servers are accessible. With this I can manage many admin web pages without making these tunnels manually.

Ah ok ;) Now I get the point.


We have it without the VPN; we manage all routers (Ubiquiti EdgeRouters) and do SSH to that.

So that's really easy for us.
