Surfing the Web using Web Proxy


If you want to browse the internet without having to go through the hassle of building an SSH tunnel, then a quick and dirty solution is to use a web proxy. There are limitations on the kinds of websites it can work with, since browser cookies aren’t fully supported (e.g. GMail doesn’t work). phpMyProxy is a PHP web proxy script written by eProxies.info.

Installing phpMyProxy in Ubuntu

Download phpMyProxy_1.0.3.zip and extract it into the web host directory.

$ unzip phpMyProxy_1.0.3.zip -d /var/www

phpMyProxy requires the client URL library for PHP.

$ sudo apt-get install php5-curl

Modify the proxy.config.php file; it’s recommended to change the 'url_var_name' from 'q' to something else like 'url', otherwise Google search will not work with phpMyProxy.

To hide your traffic, it’s recommended to encrypt it with SSL, which can be easily set up with Apache.

Browsing Futureshop.ca with phpMyProxy


Installing BoutDuTunnel Server on Mono XSP


In my previous blog I talked about setting up an HTTP tunnel using BoutDuTunnel. To set up the server side, a command line application was used: BdtServer. BoutDuTunnel also provides a web application solution, BdtWebServer, which lets you host the application inside a web server. To host BdtWebServer in Ubuntu, BoutDuTunnel recommends using Apache/mod_mono; however, I decided to use an alternative approach.

Configuring BdtWebServer

Mono XSP is a lightweight and simple web server written in C# which runs ASP.NET applications.

To install Mono XSP run the following:

$ apt-get install mono-xsp2
$ apt-get install libmono-system-runtime2.0-cil

To ensure that XSP is properly installed you can install the ASP.NET 1.1 and 2.0 demo pages.

$ apt-get install asp.net2-examples
$ xsp2 --applications /:/usr/share/asp.net2-demos

When the server has successfully started, point your browser to http://localhost:8080 (the default port for XSP web server is 8080) to display the web page below:

ASP.NET Examples


If the following error is encountered:

System.InvalidOperationException: Standard output has not been redirected or process has not been started.

Run the following command to address the issue:

ln -s /usr/bin/gmcs2 /usr/bin/gmcs

Now the BdtWebServer is ready to be started:

xsp2 --port 8080 --nonstop --applications /:/opt/bdt.bin.1.4.3066.mono/BdtWebServer

--nonstop: don’t stop the server when Enter is pressed. It must be used when the server has no controlling terminal.

Configuring BdtClient

Setting up the BdtClient to establish a connection to BdtWebServer is similar to BdtServer with the exception that the name attribute is set to BdtServer.soap in the service tag of the configuration file.

<service name="BdtServer.soap" .../>

Security Issue

When the BdtWebServer application is hosted in a web server, the BdtServerCfg.xml file (which contains the usernames and passwords) is exposed: anyone can retrieve it by pointing a web browser at http://my.server:8080/BdtServerCfg.xml.

To address this issue I set up XSP to integrate with Apache/mod_proxy, using the following Apache configuration to forbid access to BdtServerCfg.xml:

    <Location /BdtServerCfg.xml>
        Order deny,allow
        Deny from all
    </Location>

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyRequests off
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

Finally, I set up a firewall to block port 8080 from public access.
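
One way to confirm that both mitigations hold, run from a machine outside the firewall. This is an added example, not part of the original post; it assumes Apache listens on port 80 and that curl is installed, and the function names `http_status` and `audit_bdt` are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): verify the Apache deny rule and
# the port 8080 firewall rule. "my.server" is the post's placeholder host.

# Print the HTTP status for a URL; curl prints 000 when no connection is made.
http_status() {
    curl -s -o /dev/null --max-time 5 -w '%{http_code}' "$1" 2>/dev/null || true
}

# audit_bdt HOST -> returns the number of failed checks (0 = hardened).
audit_bdt() {
    host=$1
    fails=0

    # 1. Through Apache, the <Location> rule must refuse the credentials file.
    code=$(http_status "http://$host/BdtServerCfg.xml")
    case $code in
        403) echo "ok    Apache denies /BdtServerCfg.xml (403)" ;;
        000) echo "FAIL  Apache did not answer; cannot confirm the deny rule"
             fails=$((fails + 1)) ;;
        *)   echo "FAIL  /BdtServerCfg.xml answered with HTTP $code via Apache"
             fails=$((fails + 1)) ;;
    esac

    # 2. XSP itself (port 8080) must not be reachable, otherwise the Apache
    #    rule is sidestepped by talking to the backend directly.
    code=$(http_status "http://$host:8080/BdtServerCfg.xml")
    case $code in
        000) echo "ok    port 8080 is not reachable from here" ;;
        *)   echo "FAIL  XSP answers directly on :8080 (HTTP $code)"
             fails=$((fails + 1)) ;;
    esac

    return "$fails"
}

# Run only when a host is given: ./audit.sh my.server
if [ "$#" -gt 0 ]; then
    audit_bdt "$1"
fi
```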

HTTP Tunnel Through ISA Server


About a year ago I wrote about creating an HTTP tunnel through an HTTP proxy server using GNU HTTP Tunnel. Unfortunately, if the proxy server was run by an ISA server then GNU HTTP Tunnel would not work, since it doesn’t support NTLM authentication.

BoutDuTunnel is an open source project written in C# and is compatible with HTTP proxy servers, even if they use NTLM authentication (like ISA Server) and even if they prohibit the “connect method”.

To set up BoutDuTunnel on Ubuntu I had to install Mono. When using Mono 2.0.1 or 2.4, the error “Unexpected binary element: 21” occurred when running BdtClient.exe. Therefore I installed Mono 1.9.1 by building it from source.

Instead of installing the latest version of BoutDuTunnel, I installed 1.4.3066 because an error would occur on the BoutDuTunnel server moments after the BoutDuTunnel client connected to it.

Unhandled Exception: System.MethodAccessException: Method `Bdt.Server.Service.TunnelSession:CheckTimeout (Bdt.Shared.Logs.ILogger)' is inaccessible from method `Bdt.Server.Service.TimeoutObject:CheckTimeout (Bdt.Shared.Logs.ILogger,System.Collections.Generic.Dictionary`2)'

Setting Up the HTTP Tunnel

Setting Up BdtServer (on the home computer)

The BdtServer can be set up through the command line or hosted inside Apache/mod_mono. To set up BdtServer with the command line, extract the BoutDuTunnel archive and modify the BdtServer configuration file.

$ unzip bdt.bin.1.4.3066.mono.zip
$ cd bdt.bin.1.4.3066.mono/BdtServer
$ nano BdtServerCfg.xml

The configuration file is well commented and should be similar to the following:

Configure binary stream/HTTP as the communication protocol to be used.

  <service
    name     = "BdtServer"
    protocol = "Bdt.Shared.Protocol.HttpBinaryRemoting"
    port     = "8080"
  />

Require users to be authenticated before establishing communication.

  <users>
    <username
      enabled  = "true"
      password = "password"
    />
  </users>

To start up BdtServer execute the following:

$ cd bdt.bin.1.4.3066.mono/BdtServer/
$ mono BdtServer.exe

Setting Up BdtClient (on the office computer)

There are two types of client available for BoutDuTunnel:

  • BdtClient run by the command line
  • BdtGuiClient which provides a GUI interface

To setup BdtClient modify the BdtClientCfg.xml configuration file.

Configure hostname and communication protocol for server with BdtServer.

  <service
    name     = "BdtServer"
    protocol = "Bdt.Shared.Protocol.HttpBinaryRemoting"
    address  = "my.server"
    port     = "8080"
    username = "my.username"
    password = "my.password"
  />

Configure the proxy/ISA server to be used.

  <proxy
    enabled  = "true">
    <authentification
      auto     = "false"
      username = "proxy.username"
      password = "proxy.password"
      domain   = "proxy.domain"
    />
    <configuration
      auto     = "false"
      address  = "proxy.hostname"
      port     = "proxy.port"
    />
  </proxy>

Configure the ports to be forwarded.

  <forward>
    <port22
      shared  = "false"
      enabled = "true"
      address = "my.ssh.server"
      port    = "22"
    />
  </forward>

Run the BoutDuTunnel client to establish a tunnel connection to the BdtServer.

C:\bdt.bin.1.4.3066.mono\BdtClient>BdtClient

Now an SSH connection can be established to your home computer by connecting through localhost:22.

Surfing the Web using SSH Tunnel


Sometimes you are connected to a network which is unknown or insecure, such as a public WiFi hotspot, or you are just surfing the internet at work. In these types of scenarios you might want to secure your connection so no one can sniff what or where you’re surfing. One way to create a secure connection is to create an SSH tunnel, and have your web browser use it as a SOCKS proxy.

The first requirement is to have a remote host running an SSH server, e.g. a box at home running OpenSSH. Then, you need to have an SSH client installed on your local machine; for Windows you can use PuTTY.

Establish an SSH tunnel using PuTTY:

Create a new PuTTY session

Run PuTTY and create a new session to connect to the remote host. Fill in the hostname, the port (usually 22), make sure SSH is checked.

PuTTY Session

Configure the Secure Tunnel

Click on “Tunnels” on the left panel to set up dynamic forwarding for a local port. Under “Add new forwarded port” type in the port number (e.g. 4080) for the source port, leave the destination blank, and check Auto and Dynamic. Then click the “Add” button. You should see D4080 listed in the “Forwarded Ports” box.

PuTTY Tunnel

Establish an SSH tunnel on Linux:

Use the following command:

$ ssh -D 4080 username@remote_host_server

The tunnel is created when you log in to the SSH server.
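
Because the tunnel is meant to protect you on an untrusted network, it is worth confirming that the SOCKS port is bound to loopback only, so other hosts on that network cannot use it. The following is an added example, not from the original post; it reads `ss -ltn` output, and the function name `socks_listener_check` is chosen here.

```shell
#!/bin/sh
# Added example: check that the dynamic-forward port from "ssh -D 4080"
# listens on loopback only. Reads `ss -ltn` output on stdin.
# Exit status: 0 = loopback only, 1 = reachable from other hosts,
#              2 = nothing is listening on that port.
socks_listener_check() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            # Column 4 is "address:port"; the port follows the last colon,
            # which also handles IPv6 forms such as [::1]:4080.
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            if (addr !~ /^127\./ && addr != "[::1]") {
                print "exposed listener: " $4
                exposed = 1
            }
        }
        END {
            if (!found) exit 2
            exit (exposed ? 1 : 0)
        }
    '
}

# Usage on the client while the tunnel is up: ./check.sh 4080
if [ "$#" -gt 0 ]; then
    ss -ltn | socks_listener_check "$1"
fi
```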

Configuring Your Web Browser:

To use the SSH tunnel as a SOCKS proxy you need to change the connection settings in the browser.

In the Firefox Connection Settings:

  • Check “Manual Proxy Configuration:”
  • Fill in 127.0.0.1 for the “SOCKS Host:” and 4080 for “Port:”
  • Check “SOCKS v5”

Firefox Proxy Settings

Once everything is done you are now surfing the web securely.

SSH through HTTP Proxies


A couple of days ago my office implemented a new firewall which blocks almost all incoming and outgoing traffic, including SSH, which prevented me from accessing my Linux server. The only thing that was accessible was the internet through an HTTP proxy which implemented filtering capabilities and required credentials. Fortunately, with this I’m able to create a tunnel and encapsulate an SSH connection into HTTP.

To create an HTTP tunnel I chose to use the GNU HTTP Tunnel software, which does the work of encapsulating TCP into HTTP requests. For the Windows platform a binary version is also available.

Setting up the tunnel

On the home computer (server):

Install the GNU HTTP Tunnel with the following command:

$ apt-get install httptunnel

Start the HTTP Tunnel server:

$ hts --forward-port localhost:22 8080

Here the HTTP Tunnel server receives HTTP requests through port 8080, decapsulates and re-assembles the ssh stream and forwards it to port 22, the SSH server.

On the office computer (client):

Start the HTTP Tunnel client:

$ htc --forward-port 900 --proxy OfficeProxy:8080 HomeComputer:8080

Here the HTTP Tunnel client listens on port 900 for an SSH stream; it also establishes a TCP connection which can pass data back and forth to the home computer through the HTTP proxy.

If the proxy requires authentication, add --proxy-authorization username:password to the htc command line.

Finally, to establish an SSH connection, run the following:

$ ssh -p 900 username@localhost

For information: Punching holes into firewalls
