Difference between revisions of "HTTP tunneling"

From ArchWiki
m (not a quote)
(Using corscrew and HTTP CONNECT: Typo)
 
(14 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
[[Category:Networking]]
 
[[Category:Networking]]
 
[[Category:Secure Shell]]
 
[[Category:Secure Shell]]
 +
[[ja:HTTP トンネリング]]
 
In networking, tunneling is using a protocol of higher level (in our case HTTP) to transport a lower level protocol (in our case TCP).
 
In networking, tunneling is using a protocol of higher level (in our case HTTP) to transport a lower level protocol (in our case TCP).
  
== Create the tunnel using httptunnel ==
+
== Creating the tunnel ==
  
[http://www.nocrew.org/software/httptunnel.html httptunnel] [available in extra] creates a bidirectional virtual data connection tunneled in HTTP requests. The HTTP requests can be sent via an HTTP proxy if so desired. This can be useful for users behind restrictive firewalls. If WWW access is allowed through a HTTP proxy, it's possible to use httptunnel and, say, telnet or PPP to connect to a computer outside the firewall.
+
=== Using corkscrew and HTTP CONNECT ===
 
 
If you already have a web server listening on port 80 you are probably going to want to create a virtual host and tell your web server to proxy request to the hts server. This is not covered here.
 
 
 
If you do not have any web server listening on port 80 you can do:
 
*on the server:
 
hts --forward-port localhost:22 80
 
*on the client:
 
htc --forward-port 8888 example.net:80
 
ssh -ND user@localhost -p 8888
 
{{Note|As SSH thinks it is connecting to localhost it will not recognize the fingerprint and display a warning.}}
 
You can now use {{Ic|localhost:8888}} as a [http://en.wikipedia.org/wiki/SOCKS SOCKS] proxy.
 
 
 
== Using the tunnel ==
 
See [[Using a SOCKS proxy]].
 
 
 
{{Style|The content below has been merged from [[Tunneling SSH through HTTP proxies using HTTP Connect]] and is in the process of being integrated with the page above.}}
 
  
 
To open the connection to the server running the SSH daemon we will use the HTTP CONNECT method which allows a client to connect to a server through an HTTP proxy by sending an HTTP CONNECT request to this proxy.
 
To open the connection to the server running the SSH daemon we will use the HTTP CONNECT method which allows a client to connect to a server through an HTTP proxy by sending an HTTP CONNECT request to this proxy.
  
{{Tip|If your proxy does not support the HTTP Connect method, see [[HTTP Tunneling]].}}
+
{{Note|If your proxy does not support the HTTP Connect method, see the other methods below.}}
  
== Creating the tunnel ==
+
For this we will use [http://www.agroman.net/corkscrew/ corkscrew], a tool for tunneling SSH through HTTP proxies available in the [[official repositories]] as {{Pkg|corkscrew}}.
 
 
For this we will use [http://www.agroman.net/corkscrew/ corkscrew], available in [community], which is «a tool for tunneling SSH through HTTP proxies».
 
  
 
Opening an SSH connection is pretty simple:
 
Opening an SSH connection is pretty simple:
Line 38: Line 21:
 
which creates a [[wikipedia:SOCKS|SOCKS]] proxy on {{Ic|localhost:$port}}.
 
which creates a [[wikipedia:SOCKS|SOCKS]] proxy on {{Ic|localhost:$port}}.
  
== Tunneling Git through HTTP proxies ==
+
==== Tunneling Git ====
  
Restrictive corporate firewalls typically block the port that git uses. However, git can be made to tunnel through HTTP proxies using utilities such as corkscrew. When git sees the environment variable {{ic|GIT_PROXY_COMMAND}} set, it will run the command in {{ic|$GIT_PROXY_COMMAND}} and use that program's stdin and stdout, instead of a network socket.
+
Restrictive corporate firewalls typically block the port that [[git]] uses. However, git can be made to tunnel through HTTP proxies using utilities such as corkscrew. When git sees the environment variable {{ic|GIT_PROXY_COMMAND}} set, it will run the command in {{ic|$GIT_PROXY_COMMAND}} and use that program's stdin and stdout, instead of a network socket.
  
 
Create a script file {{ic|corkscrewtunnel.sh}}
 
Create a script file {{ic|corkscrewtunnel.sh}}
Line 54: Line 37:
 
Now, git should be able to tunnel successfully through the HTTP proxy.
 
Now, git should be able to tunnel successfully through the HTTP proxy.
  
== See also ==
+
=== Using httptunnel ===
 +
 
 +
[http://www.nocrew.org/software/httptunnel.html httptunnel], available in the [[official repositories]] as {{Pkg|httptunnel}}, creates a bidirectional virtual data connection tunneled in HTTP requests. The HTTP requests can be sent via an HTTP proxy if so desired. This can be useful for users behind restrictive firewalls. If WWW access is allowed through a HTTP proxy, it's possible to use httptunnel and, say, telnet or PPP to connect to a computer outside the firewall.
 +
 
 +
If you already have a web server listening on port 80 you are probably going to want to create a virtual host and tell your web server to proxy request to the hts server. This is not covered here.
 +
 
 +
If you do not have any web server listening on port 80 you can do:
 +
*on the server:
 +
hts --forward-port localhost:22 80
 +
*on the client:
 +
htc --forward-port 8888 example.net:80
 +
ssh -ND user@localhost -p 8888
 +
{{Note|As SSH thinks it is connecting to localhost it will not recognize the fingerprint and display a warning.}}
 +
You can now use {{Ic|localhost:8888}} as a [[wikipedia:SOCKS|SOCKS]] proxy.
 +
 
 +
=== Using proxytunnel ===
  
* {{Pkg|proxytunnel}}
+
[[Install]] the {{Pkg|proxytunnel}} package from the [[official repositories]].
:{{bc|ProxyCommand /usr/bin/proxytunnel -p some-proxy:8080 -d www.muppetzone.com:443}}
+
 
* {{Pkg|httptunnel}}
+
$ ProxyCommand /usr/bin/proxytunnel -p some-proxy:8080 -d www.muppetzone.com:443
* {{Pkg|openbsd-netcat}}
+
 
:To open a connection using the openbsd netcat version:
+
=== Using openbsd-netcat ===
:{{bc|1=ssh user@final_server -o "ProxyCommand=nc -X connect -x some-proxy:$proxy_port %h %p"}}
+
 +
[[Install]] the {{Pkg|openbsd-netcat}} package from the [[official repositories]].
 +
 
 +
To open a connection using the openbsd netcat version:
 +
 
 +
$ ssh user@final_server -o "ProxyCommand=nc -X connect -x some-proxy:$proxy_port %h %p"
 +
 
 +
== Using the tunnel ==
 +
 
 +
See [[Using a SOCKS proxy]].
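Review bot: the added httptunnel client step `ssh -ND user@localhost -p 8888` gives `-D` no port, so ssh takes `user@localhost` as the forwarding specification and is left without a destination. Give `-D` its own local port (8888 is already used by `htc --forward-port 8888`) and change the following "You can now use localhost:8888 as a SOCKS proxy" line to that port. In the same hunk, the new `$ ProxyCommand /usr/bin/proxytunnel ...` line carries a shell prompt although the removed version showed it as a plain ProxyCommand setting; drop the `$` and say that it belongs in the SSH client configuration.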

Latest revision as of 14:04, 8 December 2016

In networking, tunneling means using a higher-level protocol (in our case HTTP) to transport a lower-level protocol (in our case TCP).

Creating the tunnel

Using corkscrew and HTTP CONNECT

To open the connection to the server running the SSH daemon, we will use the HTTP CONNECT method, which allows a client to connect to a server through an HTTP proxy by sending an HTTP CONNECT request to this proxy.

Note: If your proxy does not support the HTTP CONNECT method, see the other methods below.

For this we will use corkscrew, a tool for tunneling SSH through HTTP proxies, available in the official repositories as corkscrew.

Opening an SSH connection is pretty simple:

ssh user@server -o "ProxyCommand corkscrew $proxy_ip_or_domain_name $proxy_port $destination_ip_or_domain_name $destination_port"

However, that only opens a shell. What we want is a SOCKS tunnel, so we run this instead:

ssh -ND $port user@server -o "ProxyCommand corkscrew $proxy_ip_or_domain_name $proxy_port $destination_ip_or_domain_name $destination_port"

which creates a SOCKS proxy on localhost:$port.
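What the CONNECT handshake described above looks like on the wire, as an added Python example that is not corkscrew's code or part of the original page: it builds the request, parses the proxy's reply, and treats any non-2xx status as a refusal. The host `server.example`, the proxy replies and the `demo` helper are constructed for illustration.

```python
import socket

def build_connect_request(dest_host, dest_port):
    """Request a CONNECT client sends to the proxy (tools differ in version/headers)."""
    target = f"{dest_host}:{dest_port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def read_proxy_reply(sock, limit=8192):
    """Read the proxy's reply header; return (status_code, bytes_after_header)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(1024)
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-reply")
        buf += chunk
        if len(buf) > limit:
            raise ConnectionError("proxy reply header too large")
    head, _, leftover = buf.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ConnectionError(f"malformed status line: {status_line!r}")
    return int(parts[1]), leftover

def open_tunnel(sock, dest_host, dest_port):
    """Perform the handshake; on 2xx the socket is a raw byte pipe to the target."""
    sock.sendall(build_connect_request(dest_host, dest_port))
    status, leftover = read_proxy_reply(sock)
    if not 200 <= status < 300:
        raise PermissionError(f"proxy refused CONNECT with status {status}")
    return leftover  # first tunnelled bytes, e.g. the SSH server banner

def demo(proxy_reply, dest=("server.example", 22)):
    """Run the handshake against a constructed proxy reply over a socketpair."""
    client, proxy = socket.socketpair()
    try:
        proxy.sendall(proxy_reply)            # stand-in proxy answers in advance
        leftover = open_tunnel(client, *dest)
        return proxy.recv(4096), leftover     # (what the proxy saw, tunnel data)
    finally:
        client.close()
        proxy.close()

if __name__ == "__main__":
    # Constructed replies: one accepted tunnel, one refused by proxy policy.
    print(demo(b"HTTP/1.1 200 Connection established\r\n\r\nSSH-2.0-sample\r\n"))
    try:
        demo(b"HTTP/1.1 403 Forbidden\r\n\r\n")
    except PermissionError as exc:
        print(exc)
```

The CONNECT request line is the only part of the session the proxy sees in clear text, so proxy access rules and logs key on that host:port pair.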

Tunneling Git

Restrictive corporate firewalls typically block the port that git uses. However, git can be made to tunnel through HTTP proxies using utilities such as corkscrew. When git sees the environment variable GIT_PROXY_COMMAND set, it will run the command in $GIT_PROXY_COMMAND and use that program's stdin and stdout, instead of a network socket.

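Create a script file corkscrewtunnel.sh:

#!/bin/bash
# git passes the destination host and port as arguments; forward them unchanged.
# The script must be executable (chmod +x) for git to run it.
corkscrew proxyhost proxyport "$@"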

Set GIT_PROXY_COMMAND

export GIT_PROXY_COMMAND=path-to-corkscrewtunnel.sh

Now, git should be able to tunnel successfully through the HTTP proxy.

Using httptunnel

httptunnel, available in the official repositories as httptunnel, creates a bidirectional virtual data connection tunneled in HTTP requests. The HTTP requests can be sent via an HTTP proxy if so desired. This can be useful for users behind restrictive firewalls. If WWW access is allowed through an HTTP proxy, it's possible to use httptunnel and, say, telnet or PPP to connect to a computer outside the firewall.

If you already have a web server listening on port 80, you are probably going to want to create a virtual host and tell your web server to proxy requests to the hts server. This is not covered here.

If you do not have any web server listening on port 80 you can do:

  • on the server:
hts --forward-port localhost:22 80
  • on the client:
htc --forward-port 8888 example.net:80
ssh -ND $port user@localhost -p 8888

Note: As SSH thinks it is connecting to localhost, it will not recognize the fingerprint and will display a warning.

You can now use localhost:$port as a SOCKS proxy. The SOCKS port given to -D must differ from 8888, which htc is already listening on.

Using proxytunnel

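Install the proxytunnel package from the official repositories, then set it as the ProxyCommand for the host in your SSH client configuration (for example ~/.ssh/config):

ProxyCommand /usr/bin/proxytunnel -p some-proxy:8080 -d www.muppetzone.com:443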

Using openbsd-netcat

Install the openbsd-netcat package from the official repositories.

To open a connection using the OpenBSD version of netcat:

$ ssh user@final_server -o "ProxyCommand=nc -X connect -x some-proxy:$proxy_port %h %p"

Using the tunnel

See Using a SOCKS proxy.