Nowadays many governmental authorities or network administrators think that blocking all network traffic for security reasons is a good idea. One common approach is to block everything and only allow traffic that is whitelisted. Thus it is not possible to do all the interesting things the firewall prevents. But if http or https were blocked, no webserver would be reachable any more. So these ports are normally left open, and that is the way to go.
Ingredients
Let’s take some http/s, some socks, don’t forget proxytunnel and the apache webserver. Furthermore take mod_proxy_http as well as mod_proxy_connect. Don’t forget ssh for setting up a socks proxy.
This scenario assumes that you already own a webserver that can be configured without any restrictions. Furthermore it is assumed that the ssh server cannot simply be made to listen on port 80/443, as a webserver is already running on these ports. Even if it could, an application layer firewall might allow traffic to ports 80/443 only if it really is http/s traffic; a connection speaking the ssh protocol would then be declined by the firewall.
In order to tunnel all the network traffic via a http/s server the following steps are required:
- Proxying the ssh traffic via an http/s port
- Setting up the ssh client configuration
- Connecting to the ssh server
- Enabling socks proxying via ssh
- Redirecting traffic via socks
Setting up the apache proxy
In order to be able to proxy all the network traffic to an ssh server via http/s you must run an apache webserver. Its configuration can then be extended with a proxy that forwards the traffic to an ssh server of your choice.
Furthermore some apache modules are required for running an ssh over http/s proxy. The modules required for running this proxy are mod_proxy as well as mod_proxy_connect. When running on a Debian Linux system those modules can be enabled by simply running
a2enmod proxy
and
a2enmod proxy_connect
on the command line (a2enmod takes the module name without the mod_ prefix). An additional site must be added to the apache webserver configuration. In this example the extra site is located at /etc/apache2/sites-available/proxy.example.com. The following snippet describes such a configuration:
    <VirtualHost *:80>
        ServerName proxy.example.com
        ServerAdmin webmaster@example.com
        DocumentRoot /webroot
        # Forward proxying is needed for CONNECT; AllowConnect limits it to the ssh port.
        ProxyRequests On
        AllowConnect 22
        # Deny all proxy requests by default so the host cannot be used as an open proxy ...
        # (Order/Deny/Allow is the Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for it.)
        <Proxy *>
            Order deny,allow
            Deny from all
        </Proxy>
        # ... and only allow requests whose destination is this host.
        <ProxyMatch (proxy.example.com)>
            Order allow,deny
            Allow from all
        </ProxyMatch>
    </VirtualHost>
This configuration can be enabled via
a2ensite proxy.example.com
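To verify that the proxy above is only being used as intended, here is an added example (not part of the original post) that audits Apache access-log lines in the default combined format for CONNECT requests, separating established tunnels to the configured ssh port from attempts to reach other destinations, and flagging any of the latter that succeeded. The log lines are constructed for the example, and proxy.example.com:22 is assumed to be the only intended destination.

```python
import re

# Apache "combined" log format (the default access.log layout).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)
# The only CONNECT destination the VirtualHost above is meant to serve.
ALLOWED_TARGETS = {"proxy.example.com:22"}

# Constructed sample lines, not from a real server: two tunnel handshakes
# to the ssh port, one rejected attempt to reach a mail server through the
# proxy, and one ordinary page request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "CONNECT proxy.example.com:22 HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
203.0.113.7 - - [10/Oct/2023:14:01:02 +0000] "CONNECT proxy.example.com:22 HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
198.51.100.23 - - [10/Oct/2023:14:03:11 +0000] "CONNECT mail.example.net:25 HTTP/1.1" 403 199 "-" "curl/7.88.1"
192.0.2.44 - - [10/Oct/2023:14:05:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

def audit_connects(log_text, allowed=ALLOWED_TARGETS):
    """Sort CONNECT requests into (tunnels, off_policy, open_proxy).
    tunnels:    CONNECTs to an allowed target that got a 200 (tunnel established)
    off_policy: CONNECTs to any other target, whatever the status
    open_proxy: the subset of off_policy that still got a 200, meaning the
                <Proxy *> Deny / AllowConnect restriction is not in effect
    """
    tunnels, off_policy, open_proxy = [], [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue  # malformed line or not a tunnel handshake
        rec = {k: m[k] for k in ("client", "time", "target", "status", "ua")}
        if rec["target"] in allowed:
            if rec["status"] == "200":
                tunnels.append(rec)
        else:
            off_policy.append(rec)
            if rec["status"] == "200":
                open_proxy.append(rec)
    return tunnels, off_policy, open_proxy

if __name__ == "__main__":
    tunnels, off_policy, open_proxy = audit_connects(SAMPLE_LOG)
    print(len(tunnels), "tunnel(s) from", sorted({r["client"] for r in tunnels}))
    for rec in off_policy:
        print("off-policy CONNECT:", rec["client"], "->", rec["target"], rec["status"])
    print("open-proxy indications:", len(open_proxy))
```

A 403 on an off-policy CONNECT shows the Deny rule doing its job; a 200 there means the host is acting as an open proxy and the configuration needs fixing.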
Setting up the ssh client
Installing proxytunnel
In order to be able to configure the client, the tool proxytunnel must be installed. Proxytunnel supports connecting to an ssh server by proxying the connection via an http/s server. On Debian Linux simply install proxytunnel by running the command
apt-get install proxytunnel
After that using proxytunnel within the ssh configuration is possible.
Configuring the ssh client
For connecting to the ssh server via http some configuration in the ssh client is necessary. Add the following entry to the configuration file of the ssh client; on a Linux system this is ~/.ssh/config by default.
    Host example.com
        Hostname proxy.example.com
        ProxyCommand proxytunnel -p proxy.example.com:80 -d %h:%p -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
| Option | Description |
|---|---|
| -p {proxy} | The address of the proxy server to tunnel the ssh traffic through |
| -d {destination} | The destination the proxy connects to: either %h:%p or the address of the ssh server that will be used for socks proxying, e.g. proxy.example.com:22 |
| -H {header} | Adds an additional header to the request sent to the proxy |
In case there is a corporate proxy or something similar in between, the proxies can be chained.
    Host example.com
        Hostname proxy.example.com
        ProxyCommand proxytunnel -p additionalproxy.example.com -r proxy.example.com:80 -d %h:%p -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
| Option | Description |
|---|---|
| -r {remote proxy} | Adds a second proxy server for chaining |
How to setup a socks proxy with ssh
Setting up a socks proxy is quite easy. Simply connect to a host that supports ssh. When providing the option -D {port}, dynamic port forwarding is enabled on the given local port. E.g. when executing ssh -D 8118 example.com, all traffic sent to local port 8118 is routed through the host example.com via socks.
In order to use the given port simply add localhost:port as socks proxy to your application or operating system configuration. Then all the traffic is redirected via localhost:port to the remote system and from there to the target. In case a firewall or proxy would disallow a connection to the target system, this doesn’t matter any more, as the only connection made from the local network is the one to the remote system using ssh via http/s.
Getting everything running
Once the full setup is complete, simply run:
ssh -D {port} {host}
E.g. with the host example.com and the local port 8118:
ssh -D 8118 example.com
Then set the socks proxy to:
localhost:8118
for all protocols. Then simply surf, browse or communicate as usual. In this case all the network traffic is redirected via the remote host by using the port on localhost.
If you switch to such a network regularly, try the tool privoxy. With this tool you can dynamically switch the proxy on or off.