Tunneling socks via http/s

Nowadays many governmental authorities or network administrators think that blocking all network traffic for security reasons is a good idea. One common approach is to block everything and allow only whitelisted traffic, so anything the firewall does not permit is out of reach. But blocking http or https would make every webserver unreachable, so these ports are normally open, and thus this is the way to go.

Ingredients

Let’s take some http/s, some socks, don’t forget proxytunnel and the apache webserver. Furthermore take mod_proxy_http as well as mod_proxy_connect. Don’t forget ssh for setting up a socks proxy.

This scenario assumes that you already own a webserver that can be configured without any restrictions. Furthermore, the ssh server cannot simply listen on port 80/443, as a webserver is already running on these ports. Even if it could, an application layer firewall might allow only traffic to ports 80/443 that really is http/s; a connection speaking the ssh protocol would be declined by the firewall.

In order to tunnel all the network traffic via a http/s server the following steps are required:

  1. Proxying the ssh traffic via http/s port
  2. Setting up the ssh client configuration
  3. Connecting to the ssh server
  4. Enabling socks proxying via ssh
  5. Redirecting traffic via socks

Setting up the apache proxy

In order to proxy all the network traffic to a ssh server via http/s you must run an apache webserver whose configuration you can modify, so that a proxy can be added that redirects the traffic to a ssh server of your choice.

Furthermore some apache modules are required for running a ssh over http/s proxy: mod_proxy as well as mod_proxy_connect. On a debian linux system those modules can be enabled by simply running

a2enmod proxy

and

a2enmod proxy_connect

on the command line. An additional site must be added to the apache webserver configuration. In this example the extra site is located in /etc/apache2/sites-available/proxy.example.com. The following snippet shows such a configuration:

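<VirtualHost *:80>
	ServerName proxy.example.com
	ServerAdmin webmaster@example.com

	DocumentRoot /webroot

	# Act as a forward proxy, but permit CONNECT only to port 22 (ssh)
	ProxyRequests On
	AllowConnect 22

	# Deny proxying to every target by default
	<Proxy *>
		Order deny,allow
		Deny from all
	</Proxy>

	# Allow proxying only to targets matching this regular expression
	<ProxyMatch (proxy.example.com)>
		Order allow,deny
		Allow from all
	</ProxyMatch>
</VirtualHost>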

This configuration can be enabled via

a2ensite proxy.example.com
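
An added example, not part of the original post: a log audit for the proxy host. ProxyMatch takes a regular expression and the pattern (proxy.example.com) above is unanchored, so the script lists every CONNECT in the access log and flags successful tunnels to anything other than proxy.example.com:22. The log lines are constructed, and it is an assumption that the pattern is matched against the host:port of the CONNECT request.

```python
import re

# Pattern exactly as written in the <ProxyMatch> section above: unanchored,
# dots unescaped, so it matches any target that merely contains the name.
PAGE_PATTERN = re.compile(r"(proxy.example.com)")
# Assumed stricter policy for comparison: one exact host, one exact port.
ALLOWED_TARGET = ("proxy.example.com", 22)

# Apache common/combined log prefix: client, ident, user, [time], "request", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"CONNECT (?P<host>[^\s:]+):(?P<port>\d+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines (not from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:09:12:01 +0000] "CONNECT proxy.example.com:22 HTTP/1.0" 200 -
203.0.113.9 - - [10/Mar/2024:09:13:44 +0000] "CONNECT proxy.example.com.other.test:22 HTTP/1.0" 200 -
203.0.113.9 - - [10/Mar/2024:09:13:50 +0000] "CONNECT mail.example.org:25 HTTP/1.0" 403 -
192.0.2.15 - - [10/Mar/2024:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512
"""

def audit_connects(log_text):
    """Return one finding dict per CONNECT request in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CONNECT request
        host, port = m["host"].lower(), int(m["port"])
        target = f"{host}:{port}"
        findings.append({
            "client": m["client"],
            "target": target,
            "status": int(m["status"]),
            "page_pattern_matches": bool(PAGE_PATTERN.search(target)),
            "exact_allowed": (host, port) == ALLOWED_TARGET,
        })
    return findings

def unexpected_tunnels(findings):
    """Successful CONNECTs to anything other than the one intended target."""
    return [f for f in findings if f["status"] == 200 and not f["exact_allowed"]]

if __name__ == "__main__":
    for f in unexpected_tunnels(audit_connects(SAMPLE_LOG)):
        print(f"{f['client']} tunnelled to {f['target']}")
```

Anchoring the pattern and escaping its dots, so that only the exact name matches, closes the gap between the two columns the audit compares.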

Setting up the ssh client

Installing proxytunnel

In order to configure the client, the tool proxytunnel must be installed. Proxytunnel supports connecting to a ssh server by proxying the connection via a http/s server. On a debian linux system simply install proxytunnel by running the command

apt-get install proxytunnel

After that using proxytunnel within the ssh configuration is possible.

Configuring the ssh client

For connecting to the ssh server via http some configuration of the ssh client is necessary. Add the following entry to the configuration file of the ssh client. On a linux system this is ~/.ssh/config by default.


Host example.com
  Hostname proxy.example.com
  ProxyCommand proxytunnel -p proxy.example.com:80 -d %h:%p -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)"

Option            Description
-p {proxy}        The address of the proxy server through which the ssh traffic is tunneled
-d {destination}  The destination the proxy routes to: either %h:%p or the address of the ssh server that will be used for socks proxying, e.g. proxy.example.com:22
-H {header}       Adds an additional header to the request sent to the proxy

In case there is a corporate proxy or something like that, the proxies can be chained.


Host example.com
  Hostname proxy.example.com
  ProxyCommand proxytunnel -p additionalproxy.example.com -r proxy.example.com:80 -d %h:%p -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)"

Option            Description
-r                Adds a second proxy server for chaining

How to setup a socks proxy with ssh

Setting up a socks proxy is quite easy. Simply connect to a host that supports ssh. When the option -D {port} is provided, dynamic port forwarding is enabled on the given port. E.g. when executing ssh -D 8118 example.com, all the traffic that is sent to local port 8118 is routed over the host example.com via socks.

In order to use the given port simply add localhost:port as socks proxy to your application or operating system configuration. Then all the traffic is redirected via localhost:port to the remote system and then to the target. In case a firewall or proxy would disallow a connection to the target system, this doesn’t matter any more, as there is only a connection to the remote system using ssh via http/s.

Getting everything running

Once the full setup is completed simply run:

ssh -D {port} {host}

For example, with the host example.com and the local port 8118, run

ssh -D 8118 example.com

Then set the socks proxy to:

localhost:8118

for all protocols. Then simply surf, browse or communicate as usual; all the network traffic is now redirected via the remote host through the port on localhost.

If you switch to such a network regularly, try the tool privoxy. With this tool you can switch the proxy on or off dynamically.
