http-proxy-tunnel
=================
Http-proxy-tunnel creates TCP tunnels through http proxies
that permit the CONNECT method. Any proxy that allows
https will permit the CONNECT method, so in practice this
means almost all of them.
It differs from other proxy tunnelling programs in that it
can tunnel through multiple proxies, and can use SSL
tunnels. These abilities mean that, in combination with a
web server that can proxy (such as Apache), you can serve
normal web pages from ports 80 and 443 and connect to the
server (using ssh, say) via those same ports at the same time.
Usage documentation is in the man page. Help on configuring
Apache2 and ssh is in this file.
The documentation is readable online at the home page:
http://http-proxy-tunnel.sourceforge.net/
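As an added illustration (not code from the http-proxy-tunnel project), the Python 3 functions below show what a CONNECT tunnel looks like on the wire: the request sent to a proxy, the parsing of its reply, and the detail that any bytes following the reply's blank line already belong to the tunnelled connection (for ssh, the server banner) and must be handed on rather than dropped. They also build the ordered request list for a chain of proxies, where each CONNECT after the first is sent through the tunnel the previous proxy opened. The helper names and the proxy replies are my own constructions; nothing here touches the network.

```python
# Added example, not part of http-proxy-tunnel itself: what a CONNECT tunnel
# looks like on the wire, and how CONNECTs nest when chaining through more
# than one proxy. No network is used; proxy replies are constructed by the
# caller. Helper names below are my own (Python 3).

HTTP_VERSION = "HTTP/1.1"


def connect_request(host, port, proxy_auth=None):
    """Bytes a client sends to ask a proxy for a raw TCP tunnel to host:port."""
    target = "%s:%d" % (host, port)
    lines = ["CONNECT %s %s" % (target, HTTP_VERSION), "Host: %s" % target]
    if proxy_auth:  # e.g. a "Basic ..." credential, if the proxy demands one
        lines.append("Proxy-Authorization: %s" % proxy_auth)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(data):
    """Split a proxy reply into (status_code, headers, leftover_bytes).

    Returns None if the header block has not fully arrived yet. Everything
    after the blank line already belongs to the tunnelled connection (for an
    ssh tunnel, the server's "SSH-2.0-..." banner), so it is returned to the
    caller instead of being discarded.
    """
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return None
    head, rest = data[:end].decode("iso-8859-1"), data[end + 4:]
    head_lines = head.split("\r\n")
    status_line, header_lines = head_lines[0], head_lines[1:]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % status_line)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, rest


def tunnel_established(status_code):
    """Any 2xx reply to CONNECT means the proxy is now relaying raw bytes."""
    return 200 <= status_code < 300


def chain_requests(proxies, final_host, final_port):
    """Ordered CONNECT requests for a proxy chain.

    proxies is a list of (host, port). The first proxy is spoken to directly,
    so it is asked for the *second* proxy; the last request names the real
    server. Each request after the first travels inside the tunnel the
    previous reply opened, which is why replies must be consumed in order.
    """
    hops = list(proxies[1:]) + [(final_host, final_port)]
    return [connect_request(h, p) for h, p in hops]


if __name__ == "__main__":
    # Constructed reply, as a proxy would send it once the tunnel is up.
    reply = (b"HTTP/1.1 200 Connection established\r\nProxy-Agent: demo\r\n\r\n"
             b"SSH-2.0-OpenSSH\r\n")
    code, hdrs, leftover = parse_connect_response(reply)
    print("status", code, "tunnel up:", tunnel_established(code))
    print("bytes already belonging to the tunnel:", leftover)
    for req in chain_requests([("proxy1", 3128), ("proxy2", 8080)], "host1.com.xx", 22):
        print(req.decode("ascii").splitlines()[0])
```

The leftover-bytes handling is the part most home-grown CONNECT clients get wrong: a proxy that writes its reply and the first tunnelled bytes in one segment will otherwise cost you the ssh banner.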
Dependencies
------------
Python2 or Python3, http://www.python.org
Building and Installing
-----------------------
Packages are available for Debian and RedHat style
distributions at the home page. If you install using one
of them you can skip this section.
Building is optional. There is only one source file, which
can be run directly.
The build dependencies are:
- Python2 development system, http://www.python.org
- A POSIX system (make, unix shell, sed, etc).
To build the re-distributable, in the directory containing
this file run:

    make

To install, in the directory containing this file run:

    make install

How to Configure Ssh and Apache
-------------------------------
The ssh server needs no special setup. The ssh client
requires a ProxyCommand like this:

    ssh -o 'ProxyCommand http-proxy-tunnel.py . "http://%h" "localhost:%p"' \
        -o 'ProtocolKeepAlives 5' \
        ...normal-ssh-arguments...

ProtocolKeepAlives is only needed if the http proxy server
times out connections that carry no activity (on OpenSSH
clients ProtocolKeepAlives is an older alias for
ServerAliveInterval). It is easier to do this via ssh's
configuration file, which normally lives in ~/.ssh/config.
For example, if its contents were:

    host host1
        HostName host1.com.xx
        User me
    host host2
        HostName host2.com.xx
        User you

this simplistic modification to it would permit connection
via port 80 and, using SSL, via port 443:

    host host1
        HostName host1.com.xx
        User me
    host host2
        HostName host2.com.xx
        User you
    host host1-http
        HostName host1.com.xx
        User me
        ProtocolKeepAlives 5
        ProxyCommand http-proxy-tunnel.py . "http://%h" "localhost:%p"
    host host2-http
        HostName host2.com.xx
        User you
        ProtocolKeepAlives 5
        ProxyCommand http-proxy-tunnel.py . "http://%h" "localhost:%p"
    host host1-https
        HostName host1.com.xx
        User me
        ProtocolKeepAlives 5
        ProxyCommand http-proxy-tunnel.py . "https://%h" "localhost:%p"
    host host2-https
        HostName host2.com.xx
        User you
        ProtocolKeepAlives 5
        ProxyCommand http-proxy-tunnel.py . "https://%h" "localhost:%p"

It can be made more compact using wildcards. This has
the same effect as above:

    host host1 host1-http host1-https
        HostName host1.com.xx
        User me
    host host2 host2-http host2-https
        HostName host2.com.xx
        User you
    host *-http
        ProtocolKeepAlives 5
        ProxyCommand http-proxy-tunnel.py . "http://%h" "localhost:%p"
    host *-https
        ProtocolKeepAlives 5
        ProxyCommand http-proxy-tunnel.py . "https://%h" "localhost:%p"

Apache needs these lines added to its configuration,
assuming the ssh server is listening on port 22:

    AllowCONNECT 22
    ProxyRequests on
    Require all denied

The configuration of other web servers such as lighttpd
and nginx is similar. There are a few things you should
be aware of with Apache:
- Use version 2.4.1 or newer. Prior versions of Apache2
  had bugs in their SSL handling. Yes, really. See:
  http://issues.apache.org/bugzilla/show_bug.cgi?id=29744
  (Reported in 2004, patch to fix submitted in 2004, fix
  committed in 2012 - it only took 8 years, and I suspect
  losing some of their userbase to nginx and node.js.)
- If you can't use 2.4.1 or newer, apply one of the
  patches attached to the bug mentioned in the
  previous point.
- Beware that currently (ie, at least up to version 2.2.6)
  if more than one of the blocks matches the CONNECT url,
  the one Apache2 uses is random. In particular, they are
  NOT evaluated in the order they are written, and you will
  get no warning about this. Thus this may work when you
  write it, but is doomed to fail at some random point in
  the future:

      Allow from all
      Deny from all

  Note that this is very different from how Alias,
  Location and Directory work, which form a nice, some
  might even say sane, hierarchical structure.
- If you get Apache's proxy configuration wrong it will
  become an open proxy: ie it will allow anyone on the
  Internet to use it as a proxy. This _will_ be
  discovered, and when it is your server will be used to
  send spam, hack web sites, and in general wreak mayhem
  on the net.
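An added check for that last point, not part of http-proxy-tunnel or of Apache: a Python 3 scan over Apache access-log lines (common or combined format) that lists every CONNECT the server answered with a 2xx status for a destination other than the one you meant to expose, and counts the CONNECTs it refused. The log lines are constructed for the example, and the allowed destination localhost:22 is an assumption taken from the ProxyCommand above. A non-empty result from the first function means the proxy ACL is wider than intended.

```python
# Added example, not part of http-proxy-tunnel or Apache: flag CONNECT
# requests that an Apache proxy accepted for destinations other than the
# one it was meant to expose. Log lines below are constructed; the allowed
# destination (localhost:22, as in the ProxyCommand) is an assumption.
import re

# Common/combined log format: client, ident, user, [time], "request",
# status, size. The combined format appends referer and user agent,
# which this pattern simply does not consume.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: a normal page fetch, a legitimate ssh tunnel, a
# tunnel to a mail server that should never have been accepted, and one
# correctly refused tunnel.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2014:10:00:01 +1000] "GET / HTTP/1.1" 200 3411
203.0.113.7 - - [04/May/2014:10:00:05 +1000] "CONNECT localhost:22 HTTP/1.1" 200 -
198.51.100.9 - - [04/May/2014:10:01:12 +1000] "CONNECT mail.example.net:25 HTTP/1.1" 200 -
198.51.100.9 - - [04/May/2014:10:01:15 +1000] "CONNECT 192.0.2.44:443 HTTP/1.0" 403 199
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def unexpected_connects(lines, allowed_targets):
    """(client, target, status) for accepted CONNECTs outside allowed_targets.

    Only 2xx answers count: a refused CONNECT (403, 407, ...) shows the ACL
    doing its job, and is tallied by refused_connects instead.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        if rec["status"].startswith("2") and rec["target"] not in allowed_targets:
            hits.append((rec["client"], rec["target"], rec["status"]))
    return hits


def refused_connects(lines):
    """Number of CONNECT requests the server refused, per client address."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "CONNECT" and not rec["status"].startswith("2"):
            counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, target, status in unexpected_connects(lines, {"localhost:22"}):
        print("accepted CONNECT outside the ACL: %s -> %s (status %s)"
              % (client, target, status))
    print("refused CONNECTs per client:", refused_connects(lines))
```

Run it over the real access log once after changing the proxy configuration, and again periodically: a burst of refused CONNECTs from one address is the usual sign that the server is being probed as a candidate open proxy, and a single accepted CONNECT to a mail port is the sign that the probe succeeded.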
Acknowledgements
----------------
Mark Suter gave me a copy of his http proxy tunnelling
script, which you can find here:
http://zwitterion.org/software/ssh-https-tunnel
It worked provided the proxy allows you to connect to
an otherwise unused port on your server. But I found
some proxies only allow you to connect to port 443,
and I had Apache running on that ...
License
-------
Copyright (c) 2007-2017,2018,2019,2021,2024 Russell Stuart.
This program is free software: you can redistribute it and/or modify it
under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your
option) any later version.
The copyright holders grant you an additional permission under Section 7
of the GNU Affero General Public License, version 3, exempting you from
the requirement in Section 6 of the GNU General Public License, version 3,
to accompany Corresponding Source with Installation Information for the
Program or any work based on the Program. You are still required to
comply with all other Section 6 requirements to provide Corresponding
Source.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
--
Russell Stuart
2014-05-04