Install Pagekite for easy SSH and HTTPS access on Ubuntu

Pagekite provides an easy way to bring your homeserver/SSHd capabale devices online without a need for port forwarding.

In the consumer version this basically works by tunneling all your traffic through Pagekite's servers. It costs you some speed, bandwith, money and in case of unencrypted data security but it's charmingly convenient.

But if you feel ambitious you can take their software and run your own endpoint - both the client part als well as the server part are open source.

Content
1. Install on Ubuntu/Debian
2. Enter Pagekite account credentials
3. Enable SSH
4. On the client: set up HTTPS tunneling
5. On the first connect: verify the fingerprint
6. Force HTTPS
7. Activate HTTP auth
8. Bring multiple ports online

Install on Ubuntu/Debian [src]

  1. Become the superuser:
    sudo -i
  2. Add the .list-file:
    cat >> /etc/apt/sources.list.d/pagekite.list << EOF deb http://pagekite.net/pk/deb/ pagekite main EOF
  3. Install the GPG-keys:
    apt-key adv --recv-keys --keyserver keys.gnupg.net AED248B1C7B2CAC3
  4. Install pagekite:
    apt-get update && \\ apt-get install pagekite

Configure

Enter Pagekite account credentials

  1. Enter your credentials:
    nano /etc/pagekite.d/10_account.rc
    You find the kitesecret on the Pagekite website in the "Your details"-section. It's called Default Kite Secret there.
  2. Cut (Ctrl+k) or comment the following line out:
    abort_not_configured
  3. (Re-)start the Pagekite daemon:
    service pagekite restart

Enable SSH

  1. Copy/move the configuration file:
    cp /etc/pagekite.d/80_sshd.rc.sample /etc/pagekite.d/80_sshd.rc
  2. Instill some safety regarding broot-force attacks by installing fail2ban:
    apt-get install fail2ban
  3. Restart pagekite:
    service pagekite restart

On the client: set up HTTPS tunneling

In order to be able to establish a connection you need to tell your SSH client to tunnel over HTTPS when connecting to a Pagekite domain: [src]

  1. Open on your client e.g. Notebook or PC:
    ~/.ssh/config
  2. Add the follwing:
Host *.pagekite.me
  CheckHostIP no
  ProxyCommand /bin/nc -X connect -x %h:443 %h %p

On the first connect: verify the fingerprint [thx]

When you establish a SSH connection for the first time you will get asked if you accept and store the fingerprint.

On your server (connected through the local network, not over pagekite) type the following to display the fingerprint and then compare with the output on your client:
ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub

Force HTTPS

Pagekite allows HTTPS-connections by default but we want to force it and disallow regular HTTP.

You can either use your own SSL-certificate for the HTTPS-encryption or rely on Pagekite in which case Pagekite would be your weak link: if the transferred data is not encrypted by itself, Pagekite could read and/or manipulate it.

  1. Copy/move the configuration file:
    cp /etc/pagekite.d/80_httpd.rc.sample /etc/pagekite.d/80_httpd.rc
  2. Edit /etc/pagekite.d/80_httpd.rc and choose your way:
    • If you use your own certificate you maybe have to use the following which does not force HTTPS on it's own. So better try both ways:
      service_on = https : @kitename : localhost:80 : @kitesecret
    • If you rely on Pagekite's integrity:
      service_on = http/443 : @kitename : localhost:80 : @kitesecret
  3. Restart pagekite:
    service pagekite restart

Activate HTTP auth

If you want to enable HTTP auth for some of your Pagekite domains you basicaly just add the following line to your 80_httpd.rc:

service_cfg = @kitename/443 : password/USERNAME: PASSWORD

Bring multiple ports online

If you want have various ports delivering content you can just add additional lines to 80_httpd.rc as seen below. HTTP auth works analogous.

service_on = http/443 : OtherKiteName : localhost:DifferentPort : @kitesecret
The author

Written by Per

Free software enthusiast and transhumanist residing in Stuttgart, Germany.


comments powered by Disqus