EVE-NG Labs over the internet

Moderator: mike

Post Reply
monotok
Posts: 3
Joined: Mon May 08, 2017 12:46 pm

EVE-NG Labs over the internet

Post by monotok » Mon May 08, 2017 12:58 pm

Hi All,

I have tested EVE-NG at home and works fine with Windows servers and a few routers. I have deployed the VM to my ESXi server and I would like to access the labs from the internet.

I have a NGINX reverse proxy VM that secures many VM's using SSL; eg nextcloud and wordpress. I secure a server block for eve-ng and i can successully login to eve-ng over the internet with SSL.

However the html 5 client doesn't seem to work, it says "connected to guacamole" but times out. I did briefly see a VNC screen but it was frozen and timed out. I noticed that the apache2 config is using apache2 to reverse proxy to localhost:8080. Maybe I need to configure NGINX to reverse proxy directly to that? I did try using the same settings as in apache2 but it didn't make a difference.

Anyone got a recommended way of doing this?

Thanks!

ecze
Posts: 510
Joined: Wed Mar 15, 2017 1:54 pm

Re: EVE-NG Labs over the internet

Post by ecze » Mon May 08, 2017 5:30 pm

Not sure it will work
Guacamole use websocket tunnels

Other way is to enable https on Eve-ng and just use a nat forward from your firewall to EVE
E.

monotok
Posts: 3
Joined: Mon May 08, 2017 12:46 pm

Re: EVE-NG Labs over the internet

Post by monotok » Mon May 08, 2017 9:18 pm

Hi,

I have been looking at this a little further and seem to have got it working. I will share the config here.

Firstly on the reverse proxy server install nodejs and npm (only a few dependencies). I am using CentOS 7 for the reverse proxy. Please note you might not have to install this but I used it to test a websocket connection with:

Code: Select all

wscat --connect ws://192.168.20.20:8080

Code: Select all

yum install nodejs npm
Then install the ws program.

Code: Select all

npm install -g ws
Next create a new server config (The SSL certs etc are defined in other configs, you can see this on my blog).

Code: Select all

nano -c /etc/nginx/conf.d/reverseproxyLABS.conf

Code: Select all

  upstream websocket {
    server 192.168.20.20:8080;
}

server  {
  listen  443 ssl;   # Example config for EVE-NG, browsable at https://labs.example.com
  server_name  labs.example.com;
  client_max_body_size  0;
  add_header Strict-Transport-Security "max-age=31536000" always;
  ssl  on;

  location /.well-known {
    root /usr/share/nginx/html/;
  }

  location /html5/ {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass  http://websocket/guacamole/;
  }

  location /html5/websocket-tunnel {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://websocket/guacamole/websocket-tunnel;
  }


  location  / {
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_pass  http://192.168.20.20/;
  }
}
Now save this file and restart NGINX. Next SSH into your EVE appliance (I have deployed the EVE-NG Ubuntu VM on ESXi).

Now edit the tomcat server.xml to allow connects to port 8080 from another host.

Code: Select all

nano /var/lib/tomcat8/conf/server.xml
Find the connector section and change the address="127.0.0.1" to "0.0.0.0" to listen on any address.

Code: Select all

<Connector port="8080" protocol="HTTP/1.1"
      address="0.0.0.0"
      connectionTimeout="20000"
      URIEncoding="UTF-8"
      redirectPort="8443" />
Save the file and exit.

Restart both apache2 and tomcat8.

Code: Select all

systemctl restart tomcat8
systemctl restart apache2
You should be able to access at https://labs.example.com. Don't forget to update the DNS to point at the reverse proxy!

This seems to work fine, I noticed that if I have two VNC devices loaded in a lab and click on one, it opens the VNC connection in a new tab. If I then click on another it opens in the same tab. Is this known behaviour or something to do with the way I have proxied it?

Hope this helps others! Thanks for all the hardwork, EVE-NG is really cool!! Going to be using it as a VMWARE lab!
Last edited by monotok on Tue May 09, 2017 6:44 pm, edited 1 time in total.

Primaltech
Posts: 2
Joined: Thu Apr 27, 2017 5:01 pm

Re: EVE-NG Labs over the internet

Post by Primaltech » Mon May 08, 2017 11:05 pm

another easy solution is to just set up an openvpn server and then just vpn into your home network.

monotok
Posts: 3
Joined: Mon May 08, 2017 12:46 pm

Re: EVE-NG Labs over the internet

Post by monotok » Mon May 08, 2017 11:08 pm

Yes, VPN is ideal but you don't always have access to VPN :)

ecze
Posts: 510
Joined: Wed Mar 15, 2017 1:54 pm

Re: EVE-NG Labs over the internet

Post by ecze » Tue May 09, 2017 12:42 am

monotok wrote:
Mon May 08, 2017 9:18 pm
Hi,

I have been looking at this a little further and seem to have got it working. I will share the config here.

Firstly on the reverse proxy server install nodejs and npm (only a few dependencies). I am using CentOS 7 for the reverse proxy. Please note you might not have to install this but I used it to test a websocket connection with:

Code: Select all

wscat --connect ws://192.168.20.20:8080

Code: Select all

yum install nodejs npm
Then install the ws program.

Code: Select all

npm install -g ws
Next create a new server config (The SSL certs etc are defined in other configs, you can see this on my blog).

Code: Select all

nano -c /etc/nginx/conf.d/reverseproxyLABS.conf

Code: Select all

  upstream websocket {
    server 192.168.20.20:8080;
}

server  {
  listen  443 ssl;   # Example config for EVE-NG, browsable at https://labs.example.com
  server_name  labs.example.com;
  client_max_body_size  0;
  add_header Strict-Transport-Security "max-age=31536000" always;
  ssl  on;

  location /.well-known {
    root /usr/share/nginx/html/;
  }

  location /html5/ {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass  http://websocket/guacamole/;
  }

  location /html5/websocket-tunnel {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://websocket/guacamole/websocket-tunnel;
  }


  location  / {
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_pass  http://192.168.20.20/;
  }
}
Now save this file and restart NGINX. Next SSH into your EVE appliance (I have deployed the EVE-NG Ubuntu VM on ESXi).

Now edit the tomcat server.xml to allow connects to port 8080 from another host.

Code: Select all

nano /var/lib/tomcat8/conf/server.xml
Find the connector section and change the address="127.0.0.1" to "0.0.0.0" to listen on any address.

Code: Select all

<Connector port="8080" protocol="HTTP/1.1"
      address="0.0.0.0"
      connectionTimeout="20000"
      URIEncoding="UTF-8"
      redirectPort="8443" />
Save the file and exit. Now open the apache2 vhost config file and comment out the reverse proxy section.

Code: Select all

nano /etc/apache2/sites-enabled/unetlab.conf

Code: Select all

#       <Location /html5/>
#               Order allow,deny
#               Allow from all
#               ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
#               ProxyPassReverse http://127.0.0.1:8080/guacamole/
#       </Location>
#
#       <Location /html5/websocket-tunnel>
#               Order allow,deny
#               Allow from all
#               ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
#               ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
#       </Location>
Restart both apache2 and tomcat8.

Code: Select all

systemctl restart tomcat8
systemctl restart apache2
You should be able to access at https://labs.example.com. Don't forget to update the DNS to point at the reverse proxy!

This seems to work fine, I noticed that if I have two VNC devices loaded in a lab and click on one, it opens the VNC connection in a new tab. If I then click on another it opens in the same tab. Is this known behaviour or something to do with the way I have proxied it?

Hope this helps others! Thanks for all the hardwork, EVE-NG is really cool!! Going to be using it as a VMWARE lab!
use different node name to get different tabs ....

Post Reply