Proxy: Difference between revisions

(→Using socat: Trying to emulate Yobi ssh-tunnel with socat and sed only...)
Revision as of 09:17, 17 June 2009

Bypassing proxy - HTTP

The principle is to install software on the local machine that maps a local port to the target server port. The desired application then connects to this local port, and all traffic is transferred by this extra software through the proxy. There are basically two methods:

  • Port Forwarding (SSL/CONNECT) - This method doesn't require a remote host server, but requires the proxy to support the SSL/CONNECT command for protocols other than HTTPS (which is usually not the case). Also, traffic is not encrypted (so all activity is visible in clear in the proxy log).
    The bypass software opens a port locally. When the application connects to that port, the bypass software first sends a CONNECT command to the proxy, which establishes a connection to the target host/port, and then simply feeds all traffic from the local port through this newly opened connection.
    Note that the CONNECT command does not per se imply the SSL protocol, but is used by SSL to establish the connection. So the target server does not need to support SSL on the target port. This is actually mere port forwarding.
  • Remote Host - This method assumes the user has access to a remote host that will forward all traffic from the proxy to the target server/port. There are some public proxies offering this service. Alternatively the user may set up their own relaying remote host with some custom server software. This method supports encryption if this intermediate host supports it. This method is very similar to the one using SSH.

Using HTTHost + HTTPort

HTTHost+HTTPort is a free HTTP tunneling package that supports both methods described above. HTTHost is the client software, and HTTPort is the software that can be used to set up a remote relaying server. Installation is quite straightforward.

! Privacy/confidentiality issues! - In remote host mode, if no remote host is specified, HTTHost will automatically try to connect to some public proxies. This means that all unencrypted data (including passwords) will be sent to these public proxies. If that's an issue, then for maximum safety explicitly choose the SSL/CONNECT mode, and don't use the auto option.

Bypassing proxy - SSH

Port forwarding

If you have access to a remote host to which you can connect using SSH, there is a good chance that this method will work for you. The principle is the same as for the Remote Host method described above: first set up an SSH connection to that remote SSH server, then do port forwarding through this SSH connection from a port on the local machine to another port on either the SSH server itself or another machine. Port forwarding is a standard feature of SSH (command-line option -L).

Example command to connect to remote IMAP and SMTP servers, using SSH port forwarding through a remote SSH server (binding local ports below 1024, such as 143 and 25, requires root; pick higher local ports to run it as a normal user):

ssh -f -N -L143:imap.server:143 -L25:smtp.server:25 ssh.server.org

Now you just need to configure SSH to connect through the proxy. For this, check the excellent Yobi Wiki page (http://wiki.yobi.be/wiki/Bypass_Proxy).

Browser SOCKS proxy

The easiest is to use Firefox along with the FoxyProxy extension.

First create a SOCKS proxy on localhost:8080 to the remote hostname using SSH dynamic port forwarding (-D):

% ssh -f -N -D8080 hostname

Then configure FoxyProxy:

  • Options → Global Settings → Use SOCKS proxy for DNS lookups (otherwise DNS queries still leave the machine in clear, outside the tunnel).
  • Create a new proxy, e.g. SSH:
    • Select Manual Proxy Configuration
    • IP Address 127.0.0.1, Port 8080
    • Select SOCKS proxy?
  • In the FoxyProxy menu, select Use proxy "SSH" for all URLs

Using socat

socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. It is a very powerful utility that can be used to establish connections between various types of interfaces (TCP/serial/...).

Manpages are here. Don't forget Yobi.

For instance, the following command does the same as the SSL/CONNECT method above (using HTTHost), in just one line. It opens local port 143, which maps to a remote IMAP server through the corporate proxy (requires socat v2.0; the second address must be quoted, otherwise the shell treats | as a pipe):

/usr/local/bin/socat -ly 'TCP4-LISTEN:143,reuseaddr,fork' 'PROXY:imap.server:143|TCP:proxy.server:8080'
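
As an added example (not code from this page, nor from HTTHost or socat), the following Python performs the CONNECT handshake that both the SSL/CONNECT method described in the HTTP section and socat's PROXY address rely on. The proxy is a constructed in-process stand-in over a socketpair, and imap.server, proxy.server and the IMAP greeting are constructed values, so it runs offline; it also handles the detail a naive tunnel gets wrong, namely bytes the target sends right after the proxy's 200 reply, which arrive in the same read and must be passed through rather than discarded.

```python
import socket
import threading

def connect_via_proxy(sock, host, port, timeout=10.0):
    # Client side of HTTP CONNECT on a socket already connected to the proxy.
    # Returns bytes received after the proxy's headers: they belong to the tunnel.
    sock.settimeout(timeout)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
                 .encode("ascii"))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
        if len(buf) > 65536:  # never buffer an unbounded, header-less reply
            raise ConnectionError("proxy reply headers too large")
    headers, rest = buf.split(b"\r\n\r\n", 1)
    status = headers.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ConnectionError(f"not an HTTP status line: {status!r}")
    if parts[1] != "200":  # e.g. 403 for a blocked port, 407 if auth is required
        raise ConnectionError(f"proxy refused CONNECT: {status}")
    return rest

def fake_proxy(sock, allowed_target, greeting):
    # Constructed stand-in for the proxy: allows CONNECT only to allowed_target.
    req = b""
    while b"\r\n\r\n" not in req:
        req += sock.recv(4096)
    if req.split(b"\r\n", 1)[0] == b"CONNECT " + allowed_target + b" HTTP/1.1":
        sock.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n" + greeting)
    else:
        sock.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
    sock.close()

def tunnel_demo(host, port, allowed=b"imap.server:143"):
    # One handshake over a socketpair: tunnelled bytes on success, error text on refusal.
    client, proxy = socket.socketpair()
    t = threading.Thread(target=fake_proxy,
                         args=(proxy, allowed, b"* OK IMAP4rev1 ready\r\n"))
    t.start()
    try:
        return connect_via_proxy(client, host, port)
    except ConnectionError as exc:
        return str(exc)
    finally:
        t.join()
        client.close()
```

Because CONNECT only opens a raw byte tunnel, the IMAP greeting (and any password that follows it) crosses the proxy in clear, which is exactly why the proxy log sees everything.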

Alternatively, one can also use socat as the ssh ProxyCommand in ~/.ssh/config:

ProxyCommand /usr/local/bin/socat -ly - 'PROXY:%h:%p|TCP:proxy.server:8080'

In some cases, the proxy might wait for the client (i.e. the local PC) to send an authentication string, as is the case in the SSL protocol. A solution for this is described in Yobi. It consists in immediately sending the client SSH banner, and stripping it when it is then sent by the client. The solution described there uses a custom Perl script. Let's see if we can do it with socat only.

For this we would need a small process that outputs the client SSH banner to stdout, and afterwards simply pipes stdin to stdout, except for the line that matches the client SSH banner. For this we could use sed as follows (assuming the client banner is SSH-2.0-OpenSSH_5.1):

sed -u -e '1 i\SSH-2.0-OpenSSH_5.1' -e '/^SSH-2.0-OpenSSH_5.1/d'

The 1i command emits the banner as soon as the first line arrives (sed cannot write anything before it has read a line), the d command drops the client's own copy of the banner while every other line is printed unchanged, and -u (GNU sed) makes sed flush each line immediately: without it, the banner sits in sed's output buffer while the client waits for the server's reply, and the connection hangs.