Category Archives: Security

setup your own linux based router

What it's all about
short story ...
This post will help you configure a Linux PC so that it also functions as a router.
long story ...
If, like me, you have a very low energy consumption PC (a NAS equivalent) running all the time, you might prefer it to act as a router too. This way you'll be able to:
- use the full power of Linux to control the network traffic (especially malicious connections)
- use the better performing PC hardware (compared to that of a dedicated router) to deal with the network traffic
- have fun because you're a linux enthusiast :)
The setup explained below uses NetworkManager.service; if you use something else, the main difference will be in configuring the pppoe connection, while the other aspects should be the same or at least helpful for your setup.
Using your PC as a router doesn't mean you can't use it for something else too. I, for example, use my PC as a router and also as a desktop PC, as a server (for this blog, Transmission, ssh, nginx, etc.) and as an HTPC (Plex based).

What's to achieve
In the end you'll achieve these:
- connect directly to the Internet using your PC router
- Internet users directly access your websites running on your PC router
- with at least 2 ethernet cards you'll use one for Internet access and the other to set up a LAN
- with 2 ethernet cards one could be connected to a dedicated wireless router; its wireless users are then part of a LAN accessing the Internet through the PC router (the gateway for the dedicated router)
- secure your PC router against malicious Internet access
- set up other goodies, e.g. dnsmasq with or without dhcp, sshttp, Plex

How to do it
In order to achieve the above you'll have to do these:
- secure the access to your PC router
- set up a pppoe connection in order to access the Internet
- share the Internet access
- set up dnsmasq (NetworkManager's plugin) in order to ... long story, I'll explain later
- set up a dedicated wireless router for wireless Internet access when your PC router can't provide wireless access by itself
- solve miscellaneous other issues, e.g. dealing with sshttp and/or Plex

Secure the access to your PC router
This is a vital step!
You should do this first, before your PC becomes reachable from all over the Internet.
You can do this with the default firewall of your Linux distribution, e.g. for Ubuntu it is UFW (Uncomplicated Firewall) while for RedHat/CentOS/Fedora it is firewalld (check the firewall-cmd man page and usage examples).
Before continuing, just check your open ports with the commands below.
List open ports using UFW:
sudo ufw status numbered
List open ports using firewalld:
firewall-cmd --get-active-zones
firewall-cmd --list-ports

Setup a pppoe connection in order to access Internet
Use your graphical NetworkManager connection editor (nm-connection-editor on Ubuntu) to create a DSL connection (e.g. named RDS). In the General tab check the options Automatically connect to this network when it is available and All users may connect to this network. In the DSL tab fill in the username and password handed to you by your Internet provider. In the Ethernet tab leave MTU as automatic (it won't apply to the pppoe connection) and choose the card which will be used for Internet access (e.g. eth0). In the IPv6 Settings tab disable IPv6 if you don't have a reason to use it; if you intend to use it then this post won't help you.

Check the pppoe setup
On Ubuntu you'll be able to see your configuration from the command line:
sudo cat /etc/NetworkManager/system-connections/RDS
or using the graphical NetworkManager applet (Connection Information menu).

With the ifconfig command you'll see a new network interface (e.g. ppp0) when the pppoe connection is active.
Using the command below:
nmcli connection show
you'll also see that the pppoe connection is related to eth0 (chosen by you when creating the RDS connection).
With the command below:
nmcli device show
you'll see that eth0 has the IP of your Internet provider as IP4.GATEWAY.
Check the pppoe connection with these commands too:
ifconfig ppp0
netstat -i

The MTU configuration
When the MTU of your pppoe connection is not set correctly, web pages will hang or load forever. 1500 is the maximum MTU for standard Ethernet frames and seems to be the default for ethernet devices. For pppoe connections the maximum MTU is 1492. Read more about these at http://www.dslreports.com/faq/695.

You'll have to manually edit the [ppp] section in /etc/NetworkManager/system-connections/RDS to add or change it:

[ppp]
mru=1492
mtu=1492
With mtu=1492 the commands below:
sudo ip route flush cache
ping -c 1 -M do -s 1464 8.8.8.8
should yield, among other output:
1 packets transmitted, 1 received, 0% packet loss
or an error similar to the below:
ping: local error: Message too long, mtu=1492
1 packets transmitted, 1 received, 0% packet loss
If ping with 1464 (1464 = 1492 - 28) yields an error, change it to a lower value (e.g. subtract 10), try again, and so on. When you have found the maximum working value, add 28 to it, use that in the [ppp] section of RDS and restart the RDS connection (use the NetworkManager applet to disconnect then reconnect).

When an IP packet is forwarded from e.g. eth1 (another ethernet card on your PC router) to ppp0, the TCP MSS must be clamped to fit the smaller pppoe MTU. This is done with iptables or with the help of the firewall, e.g. UFW. After finding the proper MTU you'll have to put this in /etc/ufw/before.rules:

-A ufw-before-forward -p tcp -i eth1 -o ppp0 --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452
-A ufw-before-forward -p tcp -i eth1 -o ppp1 --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452

just before the # ufw-not-local line, though I guess it will work when left at the end too. Replace 1452 with your pppoe MTU minus 40 (20 bytes of IP header plus 20 bytes of TCP header).

Why add 28 (20 bytes of IP header plus 8 bytes of ICMP header), and why use 1464 in the first place? See http://www.dslreports.com/faq/695.

There are other commands that show the MTU value:
ip ad
netstat -i
ifconfig ppp0 | grep MTU
but they don't let you test whether an MTU value is wrong (as ping does).
The MTU for eth0 (used by ppp0) should be 1500.

There's another way of testing the MTU value, with a more complicated setup that is impractical for the pppoe connection but useful for LAN connections. It works like this: on another computer (PC2) using e.g. eth0 (192.168.0.1) and connected to your PC router's eth1, run the command below to watch the received network packets:
sudo tcpdump -i eth0 --direction=in -n ip proto \\icmp
then from your PC router send network packets like this:
ping -c 1 -s 1472 -I eth3 192.168.0.1
ping -c 1 -s 1464 -I eth3 192.168.0.1
For each packet received on PC2 you'll get one line of console output, so when the ping payload (1464, 1472) is too large and gets fragmented you'll see more than one line in PC2's console. Change the ping value until you reach the maximum one that still shows only one line on PC2's console. Then add 28 to that maximum value and that will be the MTU for the connection from the PC router on eth1 to PC2 on eth0.

I have no idea how to check the current MRU value, but it seems a good idea to set it to the same value as the MTU; please post a comment when you have a clue about it.
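The manual ping procedure above (subtract, retry, add 28) can be automated; as an added example that is not part of the original post, here is a Python script that binary-searches the largest DF-flagged ping payload that still gets through and derives the [ppp] mtu/mru and the TCPMSS value (MTU minus 40) used in the ufw-before-forward rule. ping_probe shells out to the same ping -M do -s N command; simulated_probe is a constructed stand-in for a link with a known MTU so the search logic can run offline.

```python
"""Added example: MTU discovery via DF-flagged pings (not from the original post)."""
import subprocess
from typing import Callable, Dict, Optional

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP header (the "+28" above)
IP_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header (the "minus 40" above)

Probe = Callable[[int], bool]  # payload size -> did the packet get through?


def ping_probe(host: str, iface: Optional[str] = None) -> Probe:
    """Real probe: one ping with DF set (-M do) and the given payload size.
    A payload that is too large fails locally with "Message too long"."""
    def probe(payload: int) -> bool:
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload)]
        if iface:
            cmd += ["-I", iface]
        cmd.append(host)
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe


def simulated_probe(link_mtu: int) -> Probe:
    """Constructed stand-in for ping_probe: a link of the given MTU passes a
    ping iff payload + 28 fits. Used to exercise the search offline."""
    def probe(payload: int) -> bool:
        return payload + IP_ICMP_HEADERS <= link_mtu
    return probe


def find_max_payload(probe: Probe, lo: int = 0, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] that the probe accepts (-1 if even lo fails).
    Assumes the usual monotonic behaviour: if N fits, every smaller payload
    fits too. Binary search replaces the post's 'subtract 10 and retry'.
    The default hi=1472 is the ICMP payload of a full 1500-byte frame."""
    if not probe(lo):
        return -1
    if probe(hi):
        return hi
    while hi - lo > 1:          # invariant: probe(lo) ok, probe(hi) fails
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def mtu_settings(max_payload: int) -> Dict[str, int]:
    """Translate the working payload into the values the post configures:
    [ppp] mtu/mru and the --set-mss value for the ufw-before-forward rule."""
    mtu = max_payload + IP_ICMP_HEADERS
    return {"mtu": mtu, "mru": mtu, "tcp_mss": mtu - IP_TCP_HEADERS}


def discover(probe: Probe) -> Dict[str, int]:
    """Run the search with the given probe and return the derived settings."""
    payload = find_max_payload(probe)
    if payload < 0:
        raise RuntimeError("even an empty ping does not get through")
    return mtu_settings(payload)


if __name__ == "__main__":
    # Real run against the same public resolver the post pings; needs a network.
    s = discover(ping_probe("8.8.8.8"))
    print(f"[ppp]\nmru={s['mru']}\nmtu={s['mtu']}")
    print(f"-A ufw-before-forward -p tcp -i eth1 -o ppp0 --tcp-flags SYN,RST SYN "
          f"-j TCPMSS --set-mss {s['tcp_mss']}")
```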

Share the Internet access
You'll have to enable packet forwarding by editing /etc/sysctl.conf:
net.ipv4.ip_forward=1
then activate the new sysctl configuration with:
sudo sysctl -p
Check current configuration with:
sysctl net.ipv4.ip_forward

You'll also have to configure your firewall to allow IP forwarding.
E.g. with UFW you'll have to edit /etc/default/ufw to have this:

DEFAULT_FORWARD_POLICY="ACCEPT"

In /etc/ufw/before.rules you'll need:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# when having no other *nat rules uncomment the line below:
# -F
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp1 -j MASQUERADE
COMMIT

At this point, when you have multiple ethernet cards, you'll be able to share the Internet connection through them. This means that a PC2 directly connected to the PC router's eth1 will be able to access the Internet, but only with a proper configuration:
- PC2 must have an IP in the same network (subnet) as the PC router's eth1
- PC2 must have its gateway pointing to the PC router's eth1 IP
- PC2's DNS servers must be the same as those used by the PC router (check nmcli device show eth0 | grep '.DNS')
This setup is an annoying complication, mostly because of the DNS setup, which might change depending on the Internet provider. The following section solves this with the help of a DNS and DHCP server.

Internet connection sharing: the big picture
Let's suppose that your PC router has an additional network interface (e.g. eth1). You could connect to it:
a) another PC on a wired connection when eth1 is wire only accessible
b) many other wireless devices when eth1 is a wireless device
c) a dedicated wireless router (when eth1 is wire only accessible) in order to share the Internet connection with other wireless and wired devices
For case b you'll need to set up dnsmasq as a DNS and DHCP server. For cases a and c you won't really need the DHCP server, but it won't do any harm either.

Setup dnsmasq as a DNS and DHCP server
When using NetworkManager, dnsmasq is already used as a plugin; just check /etc/NetworkManager/NetworkManager.conf for something like dns=dnsmasq. You'll need to customize dnsmasq's configuration: create the file /etc/NetworkManager/dnsmasq.d/custom-dnsmasq.conf with the following content:

addn-hosts=/etc/hosts-dnsmasq.conf
local-ttl=3600
log-facility=/var/log/dnsmasq/dnsmasq.log
interface=eth1
except-interface=eth0
except-interface=ppp0
strict-order
all-servers
clear-on-reload
cache-size=5000
dhcp-range=192.168.0.2,192.168.0.255,255.255.255.0,192.168.0.255,1h
dhcp-option=option:router,192.168.0.1
dhcp-option-force=option:mtu,1500
dhcp-lease-max=1
log-dhcp
dhcp-leasefile=/var/log/dhcpd.leases.log

Make sure to create /var/log/dnsmasq/ (owned by root only), which holds dnsmasq.log.

Make sure to exclude with except-interface at least the pppoe connections (e.g. ppp0) and the network interfaces they use (e.g. eth0), so that your DNS and DHCP server is never reachable from the Internet. You can lower cache-size if you want less RAM to be used. Regarding dhcp-range, I assume you have only one network interface available (e.g. eth1) besides the one used for the pppoe connection (e.g. eth0). So whatever is connected to eth1 will automatically get a proper IP (between 192.168.0.2 and 192.168.0.255) and the DNS configuration. On your side eth1 should have the IP 192.168.0.1 and no gateway or DNS configured.

I don't know what one should do when having multiple network interfaces available; the problem is with dhcp-option=option:router,192.168.0.1, which should be different for every interface.

Sometimes you'll notice that the network won't start, with dnsmasq complaining that it can't bind port 53 on 192.168.0.1 (see the interface=eth1 option). This happens because eth1 (having the 192.168.0.1 IP) is sometimes activated after dnsmasq. The solution I found is to start with the "interface=eth1" option commented out; after eth1 is up I uncomment it and kill dnsmasq, which is then restarted automatically by NetworkManager. On PC router shutdown or when eth1 goes down I have to comment out the "interface=eth1" option again, and repeat the uncomment-and-kill-dnsmasq step after eth1 comes back up.

For the uncommenting and dnsmasq killing part I use /etc/network/if-up.d/eth1-up:
#!/bin/sh -e
# eth1 post-up

# sudo cp -v /********/bin/config/eth1-up /etc/network/if-up.d/ && sudo chown -c root: /etc/network/if-up.d/eth1-up && sudo chmod -c 755 /etc/network/if-up.d/eth1-up

[ "$IFACE" = "eth1" ] || exit 0
[ "$PHASE" = "post-up" ] || exit 0
if [ -e /etc/NetworkManager/dnsmasq.d/custom-dnsmasq.conf ]; then
	# an active (uncommented) "interface=eth1" line means there is nothing to do
	if ! grep -q "^interface=eth1$" /etc/NetworkManager/dnsmasq.d/custom-dnsmasq.conf; then
		echo "[$(date +"%d.%m.%Y %H:%M:%S") eth1-up] activating \"interface=eth1\" in custom-dnsmasq.conf" | tee -a /var/log/RDS.log
		sed -i 's/^#\s*interface=eth1$/interface=eth1/' /etc/NetworkManager/dnsmasq.d/custom-dnsmasq.conf
		# kill is the if-condition on purpose: under "sh -e" a plain failing kill would abort
		# the script before logging anything; NetworkManager restarts dnsmasq once it is gone
		if kill $(pidof dnsmasq) 2>/dev/null; then
			echo "[$(date +"%d.%m.%Y %H:%M:%S") eth1-up] killed dnsmasq (in order to restart it)" | tee -a /var/log/RDS.log
		else
			echo "[$(date +"%d.%m.%Y %H:%M:%S") eth1-up] couldn't find dnsmasq to kill" | tee -a /var/log/RDS.log
		fi
	else
		echo "[$(date +"%d.%m.%Y %H:%M:%S") eth1-up] custom-dnsmasq.conf already uses eth1" | tee -a /var/log/RDS.log
	fi
fi
For the commenting part I use /etc/network/if-post-down.d/eth1-post-down:
#!/bin/sh -e
# eth1 post-down

# sudo cp -v /********/bin/config/eth1-post-down /etc/network/if-post-down.d/ && sudo chown -c root: /etc/network/if-post-down.d/eth1-post-down && sudo chmod -c 755 /etc/network/if-post-down.d/eth1-post-down

[ "$IFACE" = "eth1" ] || exit 0
[ "$PHASE" = "post-down" ] || exit 0
if [ -e /etc/NetworkManager/dnsmasq.d/custom-dnsmasq.conf ]; then
	if ! grep -q "^interface=eth1$" /etc/NetworkManager/dnsmasq.d/custom-dnsmasq.conf; then
		echo "[$(date +"%d.%m.%Y %H:%M:%S") eth1-post-down] \"interface=eth1\" already commented in custom-dnsmasq.conf" | tee -a /var/log/RDS.log
	else
		echo "[$(date +"%d.%m.%Y %H:%M:%S") eth1-post-down] commenting \"interface=eth1\" in custom-dnsmasq.conf" | tee -a /var/log/RDS.log
		sed -i 's/^interface=eth1$/# interface=eth1/' /etc/NetworkManager/dnsmasq.d/custom-dnsmasq.conf
	fi
fi
I notice anyway that when shutting down the PC router the eth1-post-down script above doesn't work, so I also use /etc/systemd/system/NetworkManager.service.d/network-manager-override.conf (the interface name here must match the one in custom-dnsmasq.conf, eth1 in this post):
# sudo cp -v bin/systemd-services/network-manager-override.conf /etc/systemd/system/NetworkManager.service.d/ && sudo chown root: /etc/systemd/system/NetworkManager.service.d/network-manager-override.conf && sudo chmod 664 /etc/systemd/system/NetworkManager.service.d/network-manager-override.conf && sudo systemctl daemon-reload
[Service]
ExecStartPre=/bin/sed -i 's/^interface=eth1$/# interface=eth1/' /etc/NetworkManager/dnsmasq.d/custom-dnsmasq.conf
ExecStopPost=/bin/sed -i 's/^interface=eth1$/# interface=eth1/' /etc/NetworkManager/dnsmasq.d/custom-dnsmasq.conf
You'll also have to open the DNS (53) and DHCP (67) ports, and only on eth1 (the LAN side):

sudo ufw allow in on eth1 to any port 53 comment 'allow DNS access from LAN'
sudo ufw allow in on eth1 to any port 67 comment 'allow DHCP access from LAN'

Useful commands:
sudo kill -s USR1 $(pidof dnsmasq) -> generates dnsmasq statistics in /var/log/dnsmasq/dnsmasq.log
tailf /var/log/dnsmasq/dnsmasq.log
tailf /var/log/RDS.log
tailf /var/log/dhcpd.leases.log
journalctl -fu NetworkManager
grep -P "interface=eth1$" /etc/NetworkManager/dnsmasq.d/custom-dnsmasq.conf
to be continued ...

Spring security with kerberos

What is a keytab, and how do I use one?
Introduction to Kerberos for Managers
Crash Course to Kerberos
Appendix D. Troubleshooting
JAAS authentication with Kerberos
http://www.roguelynn.com/words/explain-like-im-5-kerberos/
KDC = Kerberos Key Distribution Center
TGT = Ticket Granting Ticket
TGS = Ticket Granting Server

For the configuration below (just a copy from the Spring Security reference):
<sec:authentication-manager alias="authenticationManager">
	<sec:authentication-provider ref="kerberosAuthenticationProvider"/>
</sec:authentication-manager>

<bean id="kerberosAuthenticationProvider"
	class="org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider">
	<property name="kerberosClient">
		<bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient">
			<property name="debug" value="true"/>
		</bean>
	</property>
	<property name="userDetailsService" ref="dummyUserDetailsService"/>
</bean>

<bean
	class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
	<property name="debug" value="true" />
	<property name="krbConfLocation" value="/path/to/krb5.ini"/>
</bean>

<bean id="dummyUserDetailsService"
	class="org.springframework.security.kerberos.docs.DummyUserDetailsService" />
The file /path/to/krb5.ini could be an exact copy of /etc/krb5.conf from the KDC machine. You'll have to make sure the host names used by krb5.ini's default_realm are reachable from the application.

Ufw (uncomplicated firewall)

documentation
https://help.ubuntu.com/lts/serverguide/firewall.html
http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw.8.html
http://manpages.ubuntu.com/manpages/xenial/en/man8/ufw-framework.8.html

important files
/etc/ufw/user.rules

Uncomplicated Firewall
# https://help.ubuntu.com/community/UFW
sudo ufw show added
sudo ufw status verbose
sudo ufw show listening
sudo ufw limit ssh
sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow 32400
sudo ufw allow in from 192.168.1.0/24
sudo ufw allow in on eth1 to 192.168.0.1/32 port 3389 proto tcp comment 'allow RDP access from LAN'
sudo ufw allow from 86.124.74.35/32 to any proto gre comment 'allow VPN with MarchenGarten'
sudo ufw allow from 82.41.48.239 to any port 3389 proto tcp
sudo ufw allow in on enp1s0 to any port 8083
# sudo ufw delete limit 1443
# sudo ufw delete 11 -> removes rule with order number 11
tailf /var/log/kern.log | grep "\[UFW BLOCK\]"
tailf /var/log/syslog | grep "\[UFW BLOCK\]"

transmission firewall with peer-port-random-on-start = false
grep port /********/.config/transmission-daemon/settings.json
sed -i s/"peer-port-random-on-start\": true"/"peer-port-random-on-start\": false"/ /********/.config/transmission-daemon/settings.json
peerport="$(grep '"peer-port"' /********/.config/transmission-daemon/settings.json | awk '{sub(/,/, "", $2); print $2}')"
sudo ufw allow $peerport

transmission firewall with peer-port-random-on-start = true
sed -i s/"peer-port-random-on-start\": false"/"peer-port-random-on-start\": true"/ /********/.config/transmission-daemon/settings.json
grep peer-port-random-low /********/.config/transmission-daemon/settings.json
grep peer-port-random-high /********/.config/transmission-daemon/settings.json
# sudo ufw allow proto udp to any port 49152:65535
# sudo ufw allow proto tcp to any port 49152:65535
sudo ufw allow 49152:65535/tcp
sudo ufw allow 49152:65535/udp

show ufw logs
tailf /var/log/kern.log | grep "\[UFW BLOCK\]"
tailf /var/log/syslog | grep "\[UFW BLOCK\]"

enable at startup
# in theory this alone should work, but in practice it doesn't:
sudo sed -i s/"ENABLED=no"/"ENABLED=yes"/ /etc/ufw/ufw.conf
# so also add this to /etc/rc.local before the "exit 0" line:
if ! ufw enable; then 
	echo "Can't start ufw!"
else
	echo "UFW started!"
fi

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
sudo sed -i s/"IPV6=yes"/"IPV6=no"/ /etc/default/ufw

Configuring port forwarding (add rules to /etc/ufw/before.rules)
# see also http://askubuntu.com/questions/660972/port-forwarding-with-ufw
sudo sed -i s/"DEFAULT_FORWARD_POLICY=\"DROP"/"DEFAULT_FORWARD_POLICY=\"ACCEPT"/ /etc/default/ufw
sudo sed -i s/"#net\/ipv4\/ip_forward"/"net\/ipv4\/ip_forward"/ /etc/ufw/sysctl.conf

turn off ipv6 autoconfiguration
sudo sed -i s/"#net\/ipv6\/conf\/default\/autoconf=0"/"net\/ipv6\/conf\/default\/autoconf=0"/ /etc/ufw/sysctl.conf
sudo sed -i s/"#net\/ipv6\/conf\/all\/autoconf=0"/"net\/ipv6\/conf\/all\/autoconf=0"/ /etc/ufw/sysctl.conf

configuration status
grep -nr 'ENABLED' /etc/ufw/ufw.conf
grep -nr -P "DEFAULT_FORWARD_POLICY|IPV6=" /etc/default/ufw
grep -nr -P "net\/ipv4\/ip_forward|net\/ipv6\/conf\/default\/autoconf|net\/ipv6\/conf\/all\/autoconf" /etc/ufw/sysctl.conf

deny access to an ip
sudo ufw deny from 146.185.223.4

limit access to an ip
sudo ufw insert 1 limit from 154.16.3.214 comment 'uri abuser limited to anywhere'
sudo ufw insert 1 limit in proto tcp from 154.16.3.214 to 192.168.1.31 port 80,443,49152:65535 comment 'tcp abuser limited to 192.168.1.31 on 80,443,49152:65535'
sudo ufw insert 1 limit in proto udp from 154.16.3.214 to 192.168.1.31 port 80,443,49152:65535 comment 'udp abuser limited to 192.168.1.31 on 80,443,49152:65535'
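Before writing deny/limit rules like the ones above you normally look at the [UFW BLOCK] log lines first. Here is an added Python helper, not part of the original post, that parses those kern.log/syslog records (the key=value format UFW logs), counts inbound blocks per source address on the WAN interface and proposes ufw insert 1 limit from ... rules for sources that hit often or probe several ports. The log lines are constructed (TEST-NET addresses); the thresholds are assumptions to tune to your own traffic.

```python
"""Added example: triage [UFW BLOCK] log records (not from the original post)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

MARKER = "[UFW BLOCK]"

# Constructed sample lines in kern.log format (TEST-NET addresses, not real hosts).
SAMPLE_LOG = """\
Jan  5 10:00:01 router kernel: [ 101.0] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:00:02 router kernel: [ 102.0] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:00:03 router kernel: [ 103.0] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:00:04 router kernel: [ 104.0] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=40004 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:00:05 router kernel: [ 105.0] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=40005 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:00:06 router kernel: [ 106.0] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=6 DF PROTO=TCP SPT=9194 DPT=3000 WINDOW=26280 RES=0x00 SYN URGP=0
Jan  5 10:00:07 router kernel: [ 107.0] [UFW BLOCK] IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.23 DST=192.168.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=5353 DPT=5353 LEN=32
Jan  5 10:00:08 router kernel: [ 108.0] ppp0: link up
"""


def parse_ufw_block(line: str) -> Optional[dict]:
    """Turn one syslog/kern.log line into a dict of the KEY=VALUE fields after
    "[UFW BLOCK]" plus a 'flags' set for bare tokens (DF, SYN, ACK, ...).
    Lines without the marker return None. Empty values (e.g. OUT=) stay ""."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    rec: dict = {"flags": set()}
    for tok in line[idx + len(MARKER):].split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
        else:
            rec["flags"].add(tok)
    return rec


def summarize(lines: Iterable[str], wan_iface: str = "eth0") -> Dict[str, dict]:
    """Per source address: number of blocked inbound packets on the WAN
    interface, destination ports tried and protocols seen. LAN-side noise
    (IN=eth1, e.g. mDNS) and non-UFW lines are ignored on purpose."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "dports": set(), "protos": set()})
    for line in lines:
        rec = parse_ufw_block(line)
        if not rec or rec.get("IN") != wan_iface or not rec.get("SRC"):
            continue
        s = stats[rec["SRC"]]
        s["count"] += 1
        s["protos"].add(rec.get("PROTO", "?"))
        if rec.get("DPT", "").isdigit():
            s["dports"].add(int(rec["DPT"]))
    return dict(stats)


def suggest_limit_rules(stats: Dict[str, dict], min_hits: int = 5,
                        min_ports: int = 3) -> List[str]:
    """Propose 'ufw insert 1 limit from <src>' (same shape as the commands
    above) for sources that either hit often or probe several distinct ports.
    Thresholds are assumptions; review the list before applying anything."""
    rules = []
    for src, s in sorted(stats.items()):
        if s["count"] >= min_hits or len(s["dports"]) >= min_ports:
            ports = ",".join(str(p) for p in sorted(s["dports"]))
            rules.append(f"sudo ufw insert 1 limit from {src} comment "
                         f"'{s['count']} blocked hits on ports {ports}'")
    return rules


if __name__ == "__main__":
    # On a real router feed open("/var/log/kern.log") instead of the sample.
    stats = summarize(SAMPLE_LOG.splitlines())
    for src, s in stats.items():
        print(src, s["count"], sorted(s["dports"]))
    print("\n".join(suggest_limit_rules(stats)))
```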

Redirect from 172.20.19.7:80 to 127.0.0.1:3000 (172.20.19.7 is on the eth0 interface)
http://ipset.netfilter.org/iptables-extensions.man.html

# http://serverfault.com/questions/211536/iptables-port-redirect-not-working-for-localhost
# Locally generated packets do not pass through the PREROUTING chain!
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -a | grep 'net.ipv4.ip_forward'

https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
http://unix.stackexchange.com/questions/111433/iptables-redirect-outside-requests-to-127-0-0-1
sudo sysctl -w net.ipv4.conf.eth0.route_localnet=1
sudo sysctl -a | grep 'net.ipv4.conf.eth0.route_localnet'

# It seems that you could configure the above in /etc/ufw/sysctl.conf too though I haven't tested it.
/etc/default/ufw should have DEFAULT_FORWARD_POLICY="ACCEPT"

# in /etc/ufw/before.rules before filter section:
*nat
:PREROUTING ACCEPT [0:0]
# -A = append last
# -I = insert first
#
# sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000
# -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000
#
# sudo iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3000
-I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3000
#
COMMIT

# you'll also need the rule below
sudo ufw allow to 127.0.0.1 port 3000
# otherwise external users won't be allowed on port 80 and you'll see logs like this:
[UFW BLOCK] IN=eth0 OUT= MAC=3c:11:11:f0:21:11:00:11:0f:09:00:04:08:00 SRC=11.111.114.201 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54696 DF PROTO=TCP SPT=9194 DPT=3000 WINDOW=26280 RES=0x00 SYN URGP=0

sudo ufw disable && sudo ufw enable

ssh, http and https multiplexing

This is about how to have the ssh and http(s) servers share the same port (e.g. port 80 or 443).
This is really cool :).

# Used sources:
# http://yalis.fr/cms/index.php/post/2014/02/22/Multiplex-SSH-and-HTTPS-on-a-single-port
# http://blog.cppse.nl/apache-proxytunnel-ssh-tunnel
# http://serverfault.com/questions/355271/ssh-over-https-with-proxytunnel-and-nginx
# http://tyy.host-ed.me/pluxml/article4/port-443-for-https-ssh-and-ssh-over-ssl-and-more
# http://ipset.netfilter.org/iptables.man.html
# http://ipset.netfilter.org/iptables-extensions.man.html
# http://man7.org/linux/man-pages/man8/ip-rule.8.html
# http://lartc.org/howto/lartc.netfilter.html
# http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=Unassigned
# https://cloud.githubusercontent.com/assets/2137369/15272097/77d1c09e-1a37-11e6-97ef-d9767035fc3e.png
# http://www.adminsehow.com/2011/09/iptables-packet-traverse-map/

### begin sshttp setup 1
# https://github.com/stealth/sshttp
# Below are the preparations for this setup:
# sshttpd listens on 80 for ssh and http connections. It forwards to ssh:1022 and nginx:880.
# These will work:
ssh -p 1022 gigi@127.0.0.1		-> access tried from within 192.168.1.31 host
ssh -p 1022 gigi@192.168.1.31	-> access tried from within 192.168.1.31 host
ssh -p 80 gigi@adrhc.go.ro		-> access tried from within 192.168.1.31 host or from internet
http://127.0.0.1/public/		-> access tried from within 192.168.1.31 host
http://127.0.0.1:880/public/	-> access tried from within 192.168.1.31 host
http://192.168.1.31:880/public/	-> access tried from within 192.168.1.31 host
http://192.168.1.31/public/		-> access tried from 192.168.1.31's LAN
http://adrhc.go.ro/public/		-> access tried from within 192.168.1.31 host or from internet
# These won't work:
ssh -p 1022 gigi@adrhc.go.ro	-> access tried from within 192.168.1.31 host or from internet
http://192.168.1.31/public/		-> access tried from within 192.168.1.31 host
http://adrhc.go.ro:880/public/	-> access tried from within 192.168.1.31 host or from internet

# /etc/modules
modprobe nf_conntrack_ipv4
modprobe nf_conntrack
echo "nf_conntrack" >> /etc/modules
echo "nf_conntrack_ipv4" >> /etc/modules

# in /etc/ssh/sshd_config make sure to have:
# Port 1022
# Banner /etc/sshd-banner.txt 
# Makefile uses the content of /etc/sshd-banner.txt, e.g.:
# SSH_BANNER=-DSSH_BANNER=\"adrhc\'s\ SSH\ server\"
cat /etc/sshd-banner.txt
adrhc's SSH server

# configure nf-setup, e.g. for sshttpd.service below should be:
DEV="eth0"
SSH_PORT=1022
# HTTP_PORT=1443
HTTP_PORT=880
# you could also add this to nf-setup so that it exits early when the rules are already applied:
if iptables -t mangle -L | grep -v "^ufw-" | grep -q -P "^DIVERT.+tcp spt:$HTTP_PORT"; then
	echo "sshttp netfilter rules already applied ..."
	exit 0
fi
echo "applying sshttp netfilter rules ..."

# for nginx or apache take care of address binding not to overlap with sshttpd.service, e.g.:
#    server {
#        listen	127.0.0.1:80;
#        listen	127.0.0.1:880;
#        # listen 192.168.1.31:80; -> used/bound by sshttpd.service below
#        listen	192.168.1.31:880;

# install the systemd sshttpd.service defined below:
sudo chown root: /etc/systemd/system/sshttpd.service && sudo chmod 664 /etc/systemd/system/sshttpd.service && sudo systemctl daemon-reload; cp -v $HOME/compile/sshttp/nf-setup $HOME/apps/bin

# systemd sshttpd.service:
[Unit]
# see https://github.com/stealth/sshttp
Description=SSH/HTTP(S) multiplexer
# for any address binding conflict that occurs between ufw, ssh, nginx and sshttp I want ufw, ssh and nginx to win against sshttp
After=network.target
# sudo iptables -L | grep -v -P "^ufw-" | grep -P "1022|1443|880|DIVERT|DROP|ssh"
# sudo iptables -t mangle -L | grep -v -P "^ufw-" | grep -P "1022|1443|880|DIVERT|DROP|ssh"
[Service]
Type=forking
RuntimeDirectory=sshttpd
ExecStartPre=-/bin/chown nobody: /run/sshttpd
ExecStartPre=-/home/gigi/apps/bin/nf-setup
Restart=on-failure
RestartSec=3
TimeoutStartSec=5
TimeoutStopSec=5
# using 443 for sshttpd:
# ssh -p 443 gigi@adrhc.go.ro
# wget --no-check-certificate https://adrhc.go.ro/
# ExecStart=/home/gigi/apps/bin/sshttpd -n 4 -S 1022 -H 1443 -L 443 -l 192.168.1.31 -U nobody -R /run/sshttpd
# using 80 for sshttpd:
# ssh -p 80 gigi@adrhc.go.ro
# wget http://adrhc.go.ro/public
ExecStart=/home/gigi/apps/bin/sshttpd -n 4 -S 1022 -H 880 -L 80 -l 192.168.1.31 -U nobody -R /run/sshttpd
[Install]
WantedBy=multi-user.target

### begin sshttp setup 2 (read sshttp setup 1 first)
# Below are the preparations for this setup:
# sshttpd listens on 444 for ssh and https connections. 
# sshttpd forwards to ssh:1022 or stunnel:1443.
# stunnel:1443 forwards to nginx:127.0.0.1:1080 or ssh:127.0.0.1:22 based on sni.
# the original remote client's ip is accessible (only for https but not ssh) with $realip_remote_addr (http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header)

# Issue: any redirect (301 or 302) used in the server 127.0.0.1:1080 defined below will set Location header to http instead of https
# - see sshttp setup 3 for a solution 
# - see https://forum.nginx.org/read.php?2,269623,269647#msg-269647 (listen proxy_protocol and rewrite redirect scheme) for a better? solution:
src/http/ngx_http_header_filter_module.c: 
#if (NGX_HTTP_SSL) 
if (c->ssl || port == 443) { 
*b->last++ ='s'; 
} 
#endif 

# Transmission Remote GUI won't work, but the web page will still work.
# ERROR (while using Transmission Remote GUI; the "header" nginx complains about is binary data, apparently a raw TLS handshake, elided here):
	2016/09/19 15:03:42 [error] 5562#0: *2431 broken header: ">[binary data]
		127.0.0.1
	" while reading PROXY protocol, client: 127.0.0.1, server: 127.0.0.1:443

# in systemd sshttpd.service change to:
# router: 443 -> 444 -> also make sure ufw allows 444
# ssh -p 443 gigi@adrhc.go.ro
# wget --no-check-certificate https://adrhc.go.ro/
ExecStart=/********/apps/bin/sshttpd -n 4 -S 1022 -H 1443 -L 444 -l 192.168.1.31 -U nobody -R /run/sshttpd

# in nginx add this "magic" server:
server {
	listen 127.0.0.1:1080 default_server proxy_protocol;
	include xhttpd_1080_proxy.conf;
	port_in_redirect off;
	# change also fastcgi_params! (see below)
	... your stuff ...
}

# xhttpd_1080_proxy.conf:
set_real_ip_from 192.168.1.0/24;
set_real_ip_from 127.0.0.0/8;
# set_real_ip_from ::1/32; -> doesn't work for me
real_ip_header proxy_protocol;
set $real_internet_https "on";
set $real_internet_port "443";

# in fastcgi_params have (besides your stuff):
# This special fastcgi_params must be used only by "magic server" (127.0.0.1:1080)!
fastcgi_param HTTPS $real_internet_https if_not_empty;
fastcgi_param SERVER_PORT $real_internet_port if_not_empty;

# stunnel.conf for server side
# sudo killall stunnel; sleep 1; sudo bin/stunnel etc/stunnel/stunnel.conf
pid = /run/stunnel.pid
debug = 4
output = /********/apps/log/stunnel.log
options = NO_SSLv2
compression = deflate
cert = /********/apps/etc/nginx/certs/adrhc.go.ro-server-pub.pem
key = /********/apps/etc/nginx/certs/adrhc.go.ro-server-priv-no-pwd.pem
[tls]
accept = 192.168.1.31:1443
connect = 127.0.0.1:1080
protocol = proxy
[ssh]
sni = tls:tti.go.ro
connect = 127.0.0.1:22
renegotiation = no
debug = 5
cert = /********/apps/etc/nginx/certs/adrhc.go.ro-server-pub.pem
key = /********/apps/etc/nginx/certs/adrhc.go.ro-server-priv-no-pwd.pem
[www on any]
sni = tls:*
connect = 127.0.0.1:1080
protocol = proxy

# stunnel.conf for client side
# killall stunnel; sleep 1; stunnel ****stunnel.conf && tailf ****stunnel.log
# ssh -p 1194 gigi@localhost
pid = /****************/temp/stunnel.pid
debug = 4
output = /****************/****stunnel.log
options = NO_SSLv2
[tti.go.ro]
# Set sTunnel to be in client mode (defaults to server)
client = yes  
# Port to locally connect to
accept = 127.0.0.1:1194  
# Remote server for sTunnel to connect to
connect = adrhc.go.ro:443
sni = tti.go.ro
verify = 2
CAfile = /****************/****Temp/Zyxel/adrhc.go.ro-server-pub.pem
# checkHost = certificate's CN field (see "Rejected by CERT at" in stunnel.log for learning CN)
checkHost = adrhc.go.ro
# CAfile = /****************/****Temp/Zyxel/adr-pub.pem
# checkHost = adr

### begin sshttp setup 3 (read sshttp setup 2 first)
# any redirect (301 or 302) used in the server 127.0.0.1:1080 defined above will go to the https server
# Issue: the original remote client's ip is not accessible (https or ssh)

# you'll need the https nginx configuration for your site listening at least on 127.0.0.1:443
# you no longer need the "magic" server defined above
# How this works:
# browser/stunnel-client using ssl -> sshttpd:443 -> stunnel[tls to http] using ssl -> stunnel[http to https]

# stunnel.conf for server side
# sudo killall stunnel; sleep 1; sudo bin/stunnel etc/stunnel/stunnel.conf
pid = /run/stunnel.pid
debug = 4
output = /********/apps/log/stunnel.log
options = NO_SSLv2
compression = deflate
cert = /********/apps/etc/nginx/certs/adrhc.go.ro-server-pub.pem
key = /********/apps/etc/nginx/certs/adrhc.go.ro-server-priv-no-pwd.pem
[tls]
accept = 192.168.1.31:1443
connect = 127.0.0.1:1081
protocol = proxy
[ssh]
sni = tls:tti.go.ro
connect = 127.0.0.1:22
renegotiation = no
debug = 5
cert = /********/apps/etc/nginx/certs/adrhc.go.ro-server-pub.pem
key = /********/apps/etc/nginx/certs/adrhc.go.ro-server-priv-no-pwd.pem
[tls to http]
sni = tls:*
connect = 127.0.0.1:1081
# connect = 127.0.0.1:1080
# protocol = proxy
[http to https]
accept = 127.0.0.1:1081
connect = 127.0.0.1:443
client = yes

### begin sslh setup
# https://github.com/yrutschle/sslh
# Here I use ssh:1021 instead of ssh:1022.
sudo apt-get install sslh

sudo useradd -d /nonexistent -M -s /bin/false sslh
# according to https://github.com/yrutschle/sslh#capabilities-support I need:
sudo setcap cap_net_bind_service,cap_net_admin+pe /usr/sbin/sslh-select
sudo getcap -rv /usr/sbin/sslh-select

cat /etc/default/sslh
RUN=yes
DAEMON=/usr/sbin/sslh-select
# with --transparent the backend must not be a loopback address: sslh connects to it with the remote
# client's source ip (IP_TRANSPARENT) and the replies are steered back to sslh by the rules in sslh-setup.sh below
# --timeout 1: a client that sends nothing within 1 second is assumed to be ssh (ssh clients wait for the
# server banner); on a slow link a legitimate tls/http client whose first bytes arrive late gets sent to sshd instead
DAEMON_OPTS="--transparent --timeout 1 --numeric --user sslh --listen 192.168.1.31:334 --ssh 192.168.1.31:1021 --http 192.168.1.31:80 --pidfile /var/run/sslh/sslh.pid"
# without --transparent a loopback backend is fine too:
# DAEMON_OPTS="--timeout 1 --numeric --user sslh --listen 192.168.1.31:334 --ssh 192.168.1.31:1021 --http 127.0.0.1:80 --pidfile /var/run/sslh/sslh.pid"

cat /etc/systemd/system/sslh.service.d/custom.conf 
# cp -v $HOME/bin/systemd-services/sslh-setup.sh $HOME/apps/bin
[Service]
ExecStartPre=-/********/apps/bin/sslh-setup.sh
ExecStart=
ExecStart=/usr/sbin/sslh-select --foreground $DAEMON_OPTS
SuccessExitStatus=15

cat sslh-setup.sh
#!/bin/sh
# runs as root from ExecStartPre (no sudo needed); idempotent: leave if the rules are already loaded
if iptables -t mangle -C OUTPUT -p tcp -o eth0 --sport 1021 -j SSLH 2>/dev/null; then
	echo "SSLH netfilter rules already applied ..."
	exit 0
fi
set -e
# eth0 is the interface the clients come in on (192.168.1.31 here); adjust if yours differs
# mark the backends' replies (ssh:1021, http:80), which are addressed to the remote client ...
iptables -t mangle -N SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 1021 --jump SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 80 --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
# ... and route them back into the local stack (table 100) so that sslh, not the network, receives them
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

sudo systemctl daemon-reload
sudo systemctl enable sslh
sudo systemctl start sslh
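Both hops above make the same kind of decision on the first bytes a client sends: sshttpd/sslh sniff the protocol (an SSH banner, a TLS handshake record, an HTTP request line, or nothing before the timeout, which means ssh), and stunnel then routes the TLS connections by SNI ([ssh] for tls:tti.go.ro, [tls to http] for tls:*). The script below is an added example, not code from this page or from sshttp, sslh or stunnel: it implements that classification in Python, including a minimal ClientHello parser that pulls out the server_name extension. The ClientHello bytes it feeds itself are constructed, and the SNI_ROUTES table simply mirrors the server stunnel.conf above.

```python
"""Protocol demultiplexing the way sshttpd/sslh and stunnel's SNI routing do it (added example)."""
import struct

# Mirrors the server stunnel.conf above: [ssh] has sni = tls:tti.go.ro, [tls to http] has sni = tls:*
SNI_ROUTES = {"tti.go.ro": "127.0.0.1:22", "*": "127.0.0.1:1081"}

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE")


def build_client_hello(server_name=None):
    """Constructed TLS 1.2 ClientHello record, optionally carrying a server_name (SNI) extension."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sni_list)) + sni_list     # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                              # client_version, random (fixed, sample only)
            + b"\x00"                                               # empty session_id
            + b"\x00\x02\xc0\x2f"                                   # one cipher suite
            + b"\x01\x00"                                           # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22, version 3.1


def tls_sni(data):
    """Return the host_name from a ClientHello's server_name extension, None if absent or unparsable."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs_len = int.from_bytes(data[6:9], "big")
    hello = data[9:9 + hs_len]
    if len(hello) < hs_len or hs_len > rec_len - 4:                # the whole ClientHello must be in this record
        return None
    try:
        p = 2 + 32                                                  # client_version + random
        p += 1 + hello[p]                                           # session_id
        p += 2 + struct.unpack("!H", hello[p:p + 2])[0]             # cipher_suites
        p += 1 + hello[p]                                           # compression_methods
        if p >= len(hello):
            return None                                             # no extensions block at all
        ext_end = p + 2 + struct.unpack("!H", hello[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hello[p:p + 4])
            p += 4
            if etype == 0:                                          # server_name
                q = p + 2                                           # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype, nlen = hello[q], struct.unpack("!H", hello[q + 1:q + 3])[0]
                    if ntype == 0:
                        return hello[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
                return None
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def classify(first_bytes):
    """Decide the protocol from what the client sent first, as sslh/sshttpd do: (proto, sni)."""
    if first_bytes == b"":
        return ("ssh", None)            # nothing before the timeout: SSH clients wait for the server banner
    if first_bytes.startswith(b"SSH-"):
        return ("ssh", None)
    if first_bytes[:2] == b"\x16\x03":  # TLS handshake record
        return ("tls", tls_sni(first_bytes))
    if first_bytes.split(b" ", 1)[0] in HTTP_METHODS:
        return ("http", None)
    return ("unknown", None)


def stunnel_backend(first_bytes):
    """Where the [tls] service above hands a TLS connection: by SNI, falling back to the tls:* service."""
    proto, sni = classify(first_bytes)
    if proto != "tls":
        return None
    return SNI_ROUTES.get(sni, SNI_ROUTES["*"])


if __name__ == "__main__":
    for sample in (build_client_hello("tti.go.ro"), build_client_hello("adrhc.go.ro"),
                   b"SSH-2.0-OpenSSH_8.9\r\n", b"GET / HTTP/1.1\r\nHost: adrhc.go.ro\r\n\r\n", b""):
        print(classify(sample), stunnel_backend(sample))
```

The empty-input case is what makes sslh's --timeout matter: whatever stays silent for that long is routed to sshd, so a TLS or HTTP client whose first bytes arrive late on a slow link is misrouted when the timeout is too short.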

Spring security

XML namespace configuration translated to Java config
see also Java Configuration
see also http://www.springframework.org/schema/security/spring-security.xsd

<http security="none" pattern="/resources/**"/>
<http pattern="/api1/**" create-session="stateless">
	<intercept-url pattern="/**" access="authenticated"/>
	<http-basic />
</http>
<http pattern="/api2/**" create-session="never">
	<intercept-url pattern="/api2/api21/**" access="hasRole('ROLE_ADMIN')"/>
	<intercept-url pattern="/api2/**" access="hasRole('ROLE_USER')"/>
	<http-basic />
</http>
<http pattern="/api3/**">
	<intercept-url pattern="/api3/api31/**" access="hasRole('ROLE_ADMIN')"/>
	<intercept-url pattern="/api3/api32/**" access="hasRole('ROLE_USER')"/>
	<intercept-url pattern="/**" access="authenticated"/>
	<http-basic />
</http>
<http>
	<intercept-url pattern="/logout" access="permitAll"/>
	<intercept-url pattern="/login" access="permitAll"/>
	<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
	...
	<form-login login-page="/services/session" login-processing-url="/login"
				password-parameter="password" username-parameter="username"
				logout-success-url="/services/session" ... />
	<http-basic />
	<logout invalidate-session="true"/>
</http>
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
    @Autowired
    private AuthenticationManager am;

    /** Makes the existing AuthenticationManager bean the parent of the one Spring Security builds. */
    @Autowired
    public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
        auth.parentAuthenticationManager(this.am);
    }
}
@Configuration
@Order(1)
public class Api1Authentication extends WebSecurityConfigurerAdapter {
	@Override
	protected void configure(final HttpSecurity httpSecurity) throws Exception {
		httpSecurity.antMatcher("/api1/**")
					.authorizeRequests().anyRequest().authenticated()
					.and()
					.httpBasic()
					.and()
					.sessionManagement()
					.sessionCreationPolicy(SessionCreationPolicy.STATELESS);    
	}
}
@Configuration
@Order(2)
public class Api2Authentication extends WebSecurityConfigurerAdapter {
	@Override
	protected void configure(final HttpSecurity httpSecurity) throws Exception {
		httpSecurity.antMatcher("/api2/**")
					.authorizeRequests()
					.antMatchers("/api2/api21/**").hasRole("ADMIN")
					.antMatchers("/api2/**").hasRole("USER")
					.and()
					.httpBasic()
					.and()
					.sessionManagement()
					.sessionCreationPolicy(SessionCreationPolicy.NEVER);    
	}
}
@Configuration
@Order(3)
public class Api3Authentication extends WebSecurityConfigurerAdapter {
	@Override
	protected void configure(final HttpSecurity httpSecurity) throws Exception {
		httpSecurity.antMatcher("/api3/**")
					.authorizeRequests()
					.antMatchers("/api3/api31/**").hasRole("ADMIN")
					.antMatchers("/api3/api32/**").hasRole("USER")
					.anyRequest().authenticated()
					.and()
					.httpBasic();    
	}
}
@Configuration
public class OtherAuthentication extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(final WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    @Override
    protected void configure(final HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests()
                    // the XML above says hasRole('ROLE_USER') here; use .hasRole("USER") for an exact translation
                    .anyRequest().authenticated()
                    .and()
                    .formLogin()
                    .loginPage("/services/session")
                    .loginProcessingUrl("/login")
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .defaultSuccessUrl("/services/session")
                    .failureHandler(new DdcAuthenticationFailureHandler())
                    .permitAll()
                    .and()
                    .httpBasic()
                    .and()
                    .logout()
                    .logoutSuccessUrl("/services/session")
                    .invalidateHttpSession(true);
    }
}
Q1: why should I use antMatcher("/api2/**") when the subsequent antMatchers(...) already cover all the /api2/** paths?
A1: because antMatcher(...) restricts which requests this whole security configuration (filter chain) applies to, the equivalent of the pattern attribute of <http>, while antMatchers(...) accompanies authorizeRequests() in order to state access conditions (e.g. roles) for the requests inside it. antMatchers(...) can also accompany requiresChannel() in order to require a protocol (http, https, any). Without antMatcher(...) the configuration applies to /** (like an <http> element without the pattern attribute), so, being @Order(2), it would take every request not already taken by Api1Authentication, including /api3/** and everything meant for OtherAuthentication.
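To make A1 concrete, here is a small model of how the chains above get selected, written in Python rather than Java so it runs stand-alone; it is an added example, not Spring Security's code. The chain-level antMatcher is tested first, in @Order, and the first match wins; inside the chosen chain the first matching antMatchers rule decides. CHAINS transcribes the four configurations above plus the ignored /resources/**; CHAINS_WITHOUT_ANTMATCHER is Api2Authentication with the antMatcher("/api2/**") left out, as asked in Q1. One detail the model reproduces from the WebSecurityConfigurerAdapter/authorizeRequests() era used on this page: a request that matches a chain but none of its antMatchers rules is let through without any access check, which is exactly what turns /api3/api31/** into a public path once the antMatcher is missing.

```python
"""Model of Spring Security's filter-chain selection and first-match access rules (added example)."""
import re


def ant_to_regex(pattern):
    """Translate an Ant path pattern (**, *, ?) into a regex; /api2/** also matches /api2 itself."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def ant_match(pattern, path):
    return ant_to_regex(pattern).match(path) is not None


def access_granted(access, roles):
    """roles: the set of granted authorities, or None for an anonymous (unauthenticated) request."""
    if access == "permitAll":
        return True
    if roles is None:
        return False
    if access == "authenticated":
        return True
    return access in roles                      # a role name such as "ROLE_ADMIN", i.e. hasRole('ROLE_ADMIN')


# The configurations above, in @Order: (antMatcher of the chain, [(antMatchers pattern, access), ...])
IGNORED = ["/resources/**"]                     # web.ignoring() / security="none": no filter chain at all
CHAINS = [
    ("/api1/**", [("/**", "authenticated")]),
    ("/api2/**", [("/api2/api21/**", "ROLE_ADMIN"), ("/api2/**", "ROLE_USER")]),
    ("/api3/**", [("/api3/api31/**", "ROLE_ADMIN"), ("/api3/api32/**", "ROLE_USER"), ("/**", "authenticated")]),
    ("/**", [("/logout", "permitAll"), ("/login", "permitAll"), ("/**", "ROLE_USER")]),
]
# The mistake from Q1: Api2Authentication without antMatcher("/api2/**") applies to /** at @Order(2)
CHAINS_WITHOUT_ANTMATCHER = [CHAINS[0], ("/**", CHAINS[1][1])] + CHAINS[2:]


def decide(path, roles, chains=CHAINS):
    """First chain whose antMatcher matches wins; inside it, the first matching antMatchers rule decides."""
    if any(ant_match(p, path) for p in IGNORED):
        return "allow (security none)"
    for chain_pattern, rules in chains:
        if not ant_match(chain_pattern, path):
            continue
        for rule_pattern, access in rules:
            if ant_match(rule_pattern, path):
                return "allow" if access_granted(access, roles) else "deny"
        # matched the chain but no authorizeRequests() rule: the interceptor treats the request as public
        return "allow (no matching rule)"
    return "allow (no chain)"


if __name__ == "__main__":
    for path, roles in (("/api2/api21/x", {"ROLE_USER"}), ("/api2/x", {"ROLE_USER"}), ("/login", None),
                        ("/api3/api31/secret", None)):
        print(path, roles, "->", decide(path, roles), "| without antMatcher:",
              decide(path, roles, CHAINS_WITHOUT_ANTMATCHER))
```

decide("/api3/api31/secret", None, CHAINS_WITHOUT_ANTMATCHER) returns "allow (no matching rule)" while decide("/api3/api31/secret", None) returns "deny". Ending every chain with anyRequest() (as Api1Authentication and Api3Authentication do) closes that hole even when an antMatcher is wrong, because an unmatched request then always hits an explicit rule.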

OtherAuthentication allows both form and basic authentication. So when an unauthenticated user accesses /services/session (with no Authorization header) he gets back a response (e.g. json containing a CSRF token :D). When he then POSTs to /services/session with the received CSRF token he is authenticated with basic authentication if he sends an Authorization header, with form authentication otherwise (assuming a valid token; otherwise Spring treats the request as a CSRF attack). When one accesses /some-not-resources-and-not-api123-path with an Authorization header carrying a valid user/password, basic authentication is enforced and the user gets the result; with a wrong user/password he gets http code 401.

/api2/** has SessionCreationPolicy.NEVER, which means Spring Security will not create a session itself (e.g. after a basic authentication) but will use one if it already exists, like the one created by a form authentication under OtherAuthentication.

/api1/** has SessionCreationPolicy.STATELESS, which means Spring Security neither creates a session nor reads the SecurityContext from an existing one, so it does not live well with OtherAuthentication, which creates (in order to use) a session: after a form authentication a request to /api1/** is still treated as unauthenticated (401 unless it also carries an Authorization header), i.e. from the user's point of view he is disconnected there.