Proxy: Difference between revisions

No edit summary
Line 8: Line 8:
** http://djsyndrome.homestead.com/proxies1.html
** http://djsyndrome.homestead.com/proxies1.html
** http://proxys4all.cgi.net/
** http://proxys4all.cgi.net/

== Bypassing proxy - SSH ==
Check Yobi wiki page [[Proxy#References|above]] to bypass proxy using SSH.

Example of commands to connect to remote IMAP server, tunneling through a SSH proxy:
<source lang="bash">ssh -f -N -L143:ton.imap.server:143 un.serveur.ssh.quelconque</source>


== Bypassing proxy - HTTP ==
== Bypassing proxy - HTTP ==
The principle is to install a software on local machine that will map local port to the target server port. The desired application will then connect to this local port, and all traffic is transfered by this extra software, through the proxy. They are basically 2 methods:
The principle is to install a software on local machine that will map local port to the target server port. The desired application will then connect to this local port, and all traffic is transfered by this extra software, through the proxy. They are basically 2 methods:
* '''SSL/CONNECT''' - This method doesn't require a remote host server, but requires proxy to support SSL/CONNECT command (which usually is not the case). Also traffic is not encrypted (and so all activity is visible in the proxy log in clear).<br/>Bypass software opens a port locally. When application connects to that port, the bypass sw first sends a <tt>CONNECT</tt> command to the proxy, that will establish a connection to the target host/port, and then that will simply feed all traffic from the local port through this newly opened connection.<br/>Note that CONNECT command does not ''per se'' imply SSL protocol, but is used by SSL to establish connection. So the target server does not need to support SSL on the target port. This is actually a mere ''port forwarding''.
* '''Port Forwarding (SSL/CONNECT)'''- This method doesn't require a remote host server, but requires proxy to support SSL/CONNECT command for other protocols than HTTPS (which usually is not the case). Also traffic is not encrypted (and so all activity is visible in the proxy log in clear).<br/>Bypass software opens a port locally. When application connects to that port, the bypass sw first sends a <tt>CONNECT</tt> command to the proxy, that will establish a connection to the target host/port, and then that will simply feed all traffic from the local port through this newly opened connection.<br/>Note that CONNECT command does not ''per se'' imply SSL protocol, but is used by SSL to establish connection. So the target server does not need to support SSL on the target port. This is actually a mere ''port forwarding''.
* '''Tunneling''' - This method assumes user has an access to a remote host that will forward all traffic from the proxy to the target server/port. There are some public proxies offering this services. Alternatively user may set up his own relaying remote host with some custom server software. This method supports encryption if this intermediate host does have support for it (SSH forwarding).
* '''Remote Host''' - This method assumes user has an access to a remote host that will forward all traffic from the proxy to the target server/port. There are some public proxies offering this services. Alternatively user may set up his own relaying remote host with some custom server software. This method supports encryption if this intermediate host does have support for it. This method is very similar to the one using ''SSH''.


=== Using HTTHost + HHTPort ===
=== Using HTTHost + HHTPort ===
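Review bot: the renamed first bullet reads "'''Port Forwarding (SSL/CONNECT)'''- This method", with no space between the bold label and the hyphen, unlike the "'''Remote Host''' - This" bullet below it; add the space. The new closing sentence of the Remote Host bullet ("very similar to the one using ''SSH''") points at a section that this same revision moves further down the page, so an internal link to that section would help the reader find it.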
Line 24: Line 18:


<font color="red">'''! Privacy/confidentiality Issues!'''</font> - In ''remote host'' mode, if no remote host is specified, HTTHost will then automatically try to connect to some public proxies. This means that all unencrypted data (including passwords) will be send to these public proxies. If that's an issue, then for maximum safety choose explicitly mode ''SSL/CONNECT'', and don't use option ''auto''.
<font color="red">'''! Privacy/confidentiality Issues!'''</font> - In ''remote host'' mode, if no remote host is specified, HTTHost will then automatically try to connect to some public proxies. This means that all unencrypted data (including passwords) will be send to these public proxies. If that's an issue, then for maximum safety choose explicitly mode ''SSL/CONNECT'', and don't use option ''auto''.

== Bypassing proxy - SSH ==
If you have a connection to a remote host server on which you can connect using ''SSH'', there is good chance that this method will work for you. The principle is the same as for the method '''Remote HOst''' described above: First setup a SSH connection to that remote SSH server, and then do port forwarding through this SSH connection from a port on the local machine to another port on either the same SSH server or even another machine. Port forwarding is a standard feature in ''SSH'' (command-line option <tt>'''-L'''</tt>).

Example of command to connect to remote IMAP server, using SSH port forwarding on a remote SSH server:
<source lang="bash">ssh -f -N -L143:imap.server:143 ssh.server.org</source>

Now, you just need to configure ''SSH'' to connect through the proxy. For this, check the excellent [http://wiki.yobi.be/wiki/Bypass_Proxy Yobi Wiki page].


== Using <tt>'''socat'''</tt> ==
== Using <tt>'''socat'''</tt> ==
'''socat''' is a command-line utility that establishes two bidirectional byte streams and transfers data between them. It is a very powerful utility that can be used to establish connection between various type of interfaces (TCP/Serial/...).
'''socat''' is a command-line utility that establishes two bidirectional byte streams and transfers data between them. It is a very powerful utility that can be used to establish connection between various type of interfaces (TCP/Serial/...).


Manpages are [http://www.dest-unreach.org/socat/doc/socat.html here].
Manpages are [http://www.dest-unreach.org/socat/doc/socat.html here]. Don't forget [http://wiki.yobi.be/wiki/Bypass_Proxy#Client_side:_using_socat Yobi].


Example of commands to open a local port 143, that maps to a remote IMAP server through corporate proxy:
For instance, the following command do the same as ''SSL/CONNECT''' method above (using HTTHost), in just one line. It opens a local port 143, that maps to a remote IMAP server through corporate proxy:
<source lang="bash">/usr/local/bin/socat -ly 'TCP4-LISTEN:143,reuseaddr,fork' PROXY:ton.imap.server:143|TCP:134.27.168.36:8080</source>
<source lang="bash">/usr/local/bin/socat -ly 'TCP4-LISTEN:143,reuseaddr,fork' PROXY:imap.server:143|TCP:proxy.server:8080</source>
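Review bot: the new socat line leaves the second address, PROXY:imap.server:143|TCP:proxy.server:8080, unquoted, so a shell reads the "|" as a pipe and socat never receives the chained address; quote it the same way the TCP4-LISTEN address is quoted. In the sentence introducing it, ''SSL/CONNECT''' opens with two quotes and closes with three, which leaves a stray apostrophe in the rendered text, and "Remote HOst" in the new SSH section should read "Remote Host".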

Revision as of 15:47, 24 September 2008

References

Bypassing proxy - HTTP

The principle is to install software on the local machine that maps a local port to the target server port. The desired application then connects to this local port, and all traffic is transferred by this extra software through the proxy. There are basically 2 methods:

  • Port Forwarding (SSL/CONNECT) - This method doesn't require a remote host server, but requires the proxy to support the SSL/CONNECT command for protocols other than HTTPS (which usually is not the case). Also, traffic is not encrypted (and so all activity is visible in the proxy log in clear).
    The bypass software opens a port locally. When the application connects to that port, the bypass software first sends a CONNECT command to the proxy, which establishes a connection to the target host/port, and then simply feeds all traffic from the local port through this newly opened connection.
    Note that the CONNECT command does not per se imply the SSL protocol, but is used by SSL to establish a connection. So the target server does not need to support SSL on the target port. This is actually mere port forwarding.
  • Remote Host - This method assumes the user has access to a remote host that will forward all traffic from the proxy to the target server/port. There are some public proxies offering this service. Alternatively, the user may set up their own relaying remote host with some custom server software. This method supports encryption if this intermediate host supports it. This method is very similar to the one using SSH.
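Because CONNECT-based port forwarding shows up in the proxy log in clear, it can be spotted from the proxy side. The following is an added example, not part of the original page: it scans access-log lines for CONNECT requests to ports other than 443 and groups them by client and target. The Squid-style log layout, the allowed-port set and all sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ports a proxy would normally allow CONNECT to (assumption: HTTPS only).
ALLOWED_CONNECT_PORTS = {443}

# Constructed sample lines in a Squid-style native access.log layout:
# time elapsed client result/status bytes method url ident hierarchy type
SAMPLE_LOG = """\
1222271220.101    210 10.0.0.15 TCP_MISS/200 5120 CONNECT webmail.example:443 - DIRECT/192.0.2.20 -
1222271225.337  60012 10.0.0.23 TCP_MISS/200 48211 CONNECT imap.server:143 - DIRECT/192.0.2.10 -
1222271230.902     95 10.0.0.15 TCP_MISS/200 1843 GET http://www.example/ - DIRECT/192.0.2.30 text/html
1222271241.004      3 10.0.0.42 TCP_DENIED/403 1412 CONNECT ssh.server.org:22 - NONE/- text/html
1222271250.550  30500 10.0.0.23 TCP_MISS/200 9931 CONNECT imap.server:143 - DIRECT/192.0.2.10 -
truncated line
"""

def parse_connect(line):
    """Return (client, host, port, status) for a CONNECT entry, else None."""
    fields = line.split()
    if len(fields) < 7 or fields[5] != "CONNECT":
        return None
    # CONNECT targets are logged as host:port; split on the last colon.
    host, sep, port = fields[6].rpartition(":")
    if not sep or not port.isdigit():
        return None
    status = fields[3].partition("/")[2]
    return fields[2], host, int(port), status

def find_port_forwards(log_text, allowed=ALLOWED_CONNECT_PORTS):
    """Group CONNECT requests to non-allowed ports by (client, target)."""
    hits = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for line in log_text.splitlines():
        entry = parse_connect(line)
        if entry is None:
            continue  # not a CONNECT entry, or a malformed line
        client, host, port, status = entry
        if port in allowed:
            continue
        # A 2xx status means the proxy opened the tunnel; anything else was refused.
        outcome = "allowed" if status.startswith("2") else "denied"
        hits[(client, f"{host}:{port}")][outcome] += 1
    return dict(hits)

if __name__ == "__main__":
    for (client, target), counts in sorted(find_port_forwards(SAMPLE_LOG).items()):
        print(client, target, counts)
```

Entries counted as "allowed" mean the proxy accepted CONNECT to a non-HTTPS port, which is the condition the Port Forwarding method depends on.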

Using HTTHost + HTTPort

HTTHost+HTTPort is a free HTTP tunneling package that supports both methods described above. HTTHost is the client software, and HTTPort is the software that can be used to set up a remote relaying server. Installation is quite straightforward.

! Privacy/confidentiality Issues! - In remote host mode, if no remote host is specified, HTTHost will automatically try to connect to some public proxies. This means that all unencrypted data (including passwords) will be sent to these public proxies. If that's an issue, then for maximum safety explicitly choose mode SSL/CONNECT, and don't use option auto.

Bypassing proxy - SSH

If you have access to a remote host server to which you can connect using SSH, there is a good chance that this method will work for you. The principle is the same as for the Remote Host method described above: first set up an SSH connection to that remote SSH server, and then do port forwarding through this SSH connection from a port on the local machine to another port on either the same SSH server or even another machine. Port forwarding is a standard feature in SSH (command-line option -L).

Example of command to connect to remote IMAP server, using SSH port forwarding on a remote SSH server:

ssh -f -N -L143:imap.server:143 ssh.server.org

Now, you just need to configure SSH to connect through the proxy. For this, check the excellent Yobi Wiki page (http://wiki.yobi.be/wiki/Bypass_Proxy).

Using socat

socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. It is a very powerful utility that can be used to establish connections between various types of interfaces (TCP/Serial/...).

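Manpages are here: http://www.dest-unreach.org/socat/doc/socat.html. Don't forget Yobi: http://wiki.yobi.be/wiki/Bypass_Proxy#Client_side:_using_socat.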

For instance, the following command does the same as the SSL/CONNECT method above (using HTTHost), in just one line. It opens a local port 143 that maps to a remote IMAP server through the corporate proxy:

/usr/local/bin/socat -ly 'TCP4-LISTEN:143,reuseaddr,fork' 'PROXY:imap.server:143|TCP:proxy.server:8080'