[ale] Proxy Raw sockets with apache

Chris Fowler cfowler at outpostsentinel.com
Thu Aug 25 22:02:11 EDT 2016


> From: "Atlanta Geek" <atlantageek at gmail.com>
> To: ale at ale.org
> Sent: Thursday, August 25, 2016 4:45:15 PM
> Subject: [ale] Proxy Raw sockets with apache

> All,
> I'm attempting to support a customer who is trying to port forward to a non-HTTP
> service from his firewall.
> He wants to use Apache to do this.

> I'm 98% sure he cannot do this and that he needs to use something like a SOCKS
> proxy or iptables.
> However I just want to confirm this with some Linux Elite.

> So please confirm that Apache only proxies http(s) traffic and is not a raw socket
> proxy.

I've been wanting to do this. I wanted a way to do a GET /XXXXX and then Apache does what inetd would do. Fork, exec the service assigned to that URL, and walk away. Problem is that your application has to do the GET /XXX part or you could simply write a proxy on that system to listen to localhost:port and pass it. Solutions exist for this using websockets, etc. The key is you must control the Apache end.

-- [ cut here ] ------------- 
httptunnel creates a bidirectional virtual data path tunnelled in HTTP 
requests. The requests can be sent via an HTTP proxy if so desired. 

This can be useful for users behind restrictive firewalls. If WWW 
access is allowed through an HTTP proxy, it's possible to use 
httptunnel and, say, telnet or PPP to connect to a computer outside 
the firewall. 

If you still don't understand what this is all about, maybe you 
can find some useful information in the FAQ file. 

This program is mostly intended for technically oriented users. 
They should know what to do. 

httptunnel is free software. See COPYING for terms and conditions. 
If you like it, I would appreciate if you sent a post card to: 
Lars Brinkhoff 
Kopmansgatan 2 
411 13 Goteborg 
Sweden 

Information and/or latest release should be available from these places: 
http://www.nocrew.org/software/httptunnel.html 
------- 
----- [ cut here ] ------------- 

If you have an extra public IP address you can alias it on the same Apache server and use an iptables redirect.

/sbin/iptables -t nat -A PREROUTING -p tcp -s XXXXXXX/32 --dport 80 -j REDIRECT --to-ports 5000 

You may not be out of the woods. If the firewall does packet inspection it will block you. You can see this via strace on the server. Attach to the process and you'll see the accept() and the write(). Sendmail sends its header, first line, whatever you call it. The firewall will decide the fate of the client based on what it sees. On the server you'll see 'connection reset by peer' if the firewall decided in favor of security over your client. LoL
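
Added example, not part of the original post: a simplified Python model of the inspection decision described above, where a firewall looks at the first payload on a port-80 connection and resets it when the traffic is not HTTP (for instance a Sendmail greeting sitting behind the REDIRECT rule). The function name, verdict labels and sample captures are constructed for illustration and do not represent any particular firewall's logic.

```python
import re

# First-flight patterns. HTTP is client-speaks-first; SMTP is server-speaks-first.
HTTP_REQUEST = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r\n")
HTTP_STATUS = re.compile(rb"^HTTP/1\.[01] \d{3} ")
SMTP_GREETING = re.compile(rb"^[2-5]\d\d[ -]")  # e.g. "220 host ESMTP ..."

def classify_first_flight(events):
    """Decide the fate of one TCP connection to port 80.
    events: ordered (direction, payload) tuples, direction "c2s" or "s2c".
    Returns (verdict, reason); verdict is "allow", "reset" or "unknown".
    Hypothetical model, not any real firewall's rule set.
    """
    if not events:
        return ("unknown", "no payload seen yet")
    direction, payload = events[0]
    if direction == "s2c":
        # An HTTP server stays silent until it has read a request.
        if SMTP_GREETING.match(payload):
            return ("reset", "server spoke first with an SMTP-style greeting")
        return ("reset", "server spoke first on an HTTP port")
    if not HTTP_REQUEST.match(payload):
        return ("reset", "client payload is not an HTTP request line")
    for direction, payload in events[1:]:
        if direction == "s2c":
            if HTTP_STATUS.match(payload):
                return ("allow", "HTTP request answered with an HTTP status line")
            return ("reset", "reply to HTTP request is not an HTTP status line")
    return ("allow", "well-formed HTTP request, no reply seen yet")

# Constructed sample captures (not taken from real traffic).
SAMPLES = {
    "plain_http": [
        ("c2s", b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
        ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ],
    "sendmail_behind_redirect": [
        ("s2c", b"220 mail.example.test ESMTP Sendmail ready\r\n"),
    ],
    "raw_client_on_80": [("c2s", b"\x00\x01binary-handshake")],
    "http_request_non_http_reply": [
        ("c2s", b"GET /XXXXX HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
        ("s2c", b"login: "),
    ],
}

if __name__ == "__main__":
    for name, events in SAMPLES.items():
        print(name, classify_first_flight(events))
```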