|
Hi Svetoslav,
As I understand it, there are two ways to bypass a firewall:
1. The way suggested by you using SSL tunneling:
AppClient(ICQ)->UserProxy(SSH)->CompanyProxy(firewall)->AppServer(ICQ)
2. Using HTTP conversion:
AppClient(ICQ)->UserClientProxy(convert to port 80)->CompanyProxy(firewall)->UserServerProxy(convert to real port)->AppServer(ICQ)
The second way is a bit more complicated as it requires setting up a server on the Internet. However it has two major advantages over the SSL tunneling method:
1. It will always work.
2. It cannot be detected by sys admin as connection to blocked apps.
Now to my questions:
1. Does all of this seem right to you?
2. Can you think of any other way to bypass firewalls?
3. I want to write the UserClientProxy and UserServerProxy based on your code. Is that ok? Maybe you have this kind of software developed already?
Please review the description of the proxies:
-UserClientProxy: Listen on a specified port. For each arriving packet – change IP to a specified IP and change port to 80 – forward to the specified CompanyProxy(firewall).
The original IP and port should be also kept in the packet.
-UserServerProxy: Listen on port 80. For each arriving packet – retrieve IP and port from the packet data - change IP and port to the original ones – forward the packet.
Is that right?
What about packets returning from the AppServer? Will they find their way to the AppClient? Or should I add some treatment for those too?
Thanks in advance
-Rafi.
|
|
|
|
|
Hi,
For the first question:
Yes, the two options are right.
The first one uses HTTP command "CONNECT" which establishes a TCP connection (tunnel).
The second one uses regular HTTP "GET" request to establish connection to the User developed ServerProxy.
Unfortunately, some HTTP proxies are configured to drop the "GET" request after specified timeout. So if your connection is unexpectedly dropped, do not be surprised.
For second question:
No, I do not know any other way to bypass the firewall.
For third question:
Yes, you can use my code to write your own system.
I have not implemented this kind of program. If someone wants to hire me, I will be glad to do that.
At last: custom Server Proxy can't work with TCP packets. It must work at application level - TCP connection:
1. User app connects to your custom proxy
2. custom proxy connects to the HTTP proxy and sends request "GET my.server.com/tunnel?ip=xx.xx.xx.xx&port=yyyy"
3. HTTP proxy connects to my.server.com and sends your request to it
4. your server proxy connects to ip xx.xx.xx.xx on port yyyy
5. Now you have established a TCP connection to xx.xx.xx.xx on port yyyy
Best regards
Svetoslav Chekanov
|
|
|
|
|
Hey, are you from Vietnam (vn18672)? I'm a newbie, I don't understand how to use your code. Thank you for creating this code. SSH proxy? My computer does not yet have an SSH proxy; where do I get it and run it?
|
|
|
|
|
Hi...
I'm now working on my project "Proxy system firewall" and I suffer from many problems, like how I can write code for a proxy, and others. Can anyone help me?
|
|
|
|
|
Your SOCKS proxy server works nicely. I want to develop my proxy server, which will depend on yours. Can you explain to me what this function does, and why you wrote it?
Is it right that "It is IMPOSSIBLE to resolve normally the External", and why?
Thank you for your interest.
|
|
|
|
|
hi,
Can you give me some advice about the TCP-Map proxy, and how I can implement it? Please, I need your help.
|
|
|
|
|
Well, there is a problem. I get this message when I try to use SSHProxy:
----------------------------------------------
S S H P R O X Y
SOCKS Proxy Server -> HTTP SSL tunnel Master
----------------------------------------------
Copyright (c) 1999 D-Bross www.d-bross.com
Free for non-commercial use.
----------------------------------------------
Params : None
Config File : "config.txt"
"config.txt": EnableLog=<yes/no>
"config.txt": SOCKSPort=<PortNumber>
"config.txt": UseSHttpProxy=<yes/no>
"config.txt": SHttpProxyHost=<hostname/IP>
"config.txt": SHttpProxyPort=<PortNumber>
----------------------------------------------
USE of SHTTP Proxy Enabled.
SHTTP Proxy Host : 192.168.1.1
SHTTP Proxy Port : 8080
---------------------------------------
Logging : On
---------------------------------------
SOCKS Proxy Port : 1080
---------------------------------------
SOCKS Server Created.
SOCKS Server Started.
SOCKS Server Listen at Port : 1080
Connection from : <localhost/127.0.0.1:4343>
Proxy Created.
Proxy Started.
Accepted SOCKS 5 Request.
SOCKS 5 - Accepts Auth. method 'NO_AUTH'
SOCKS 5 - Accepted SOCKS5 Command: "CONNECT"
Connecting...
Connected to <192.168.1.1/192.168.1.1:8080>
Connected to <192.168.1.1/192.168.1.1:8080>
SOCKS 5 - Reply to Client "SUCCESS"
Initiating SSL Tunneling...
SHTTP Proxy Reply : [HTTP/1.0 403 Forbidden
Server: Squid/2.4.STABLE6
Mime-Version: 1.0
Date: Sat, 10 Jan 2004 00:40:58 GMT
Content-Type: text/html
Content-Length: 699
Expires: Sat, 10 Jan 2004 00:40:58 GMT
X-Squid-Error: ERR_ACCESS_DENIED 0
X-Cache: MISS from Bambo
Proxy-Connection: close
<title>ERROR: The requested URL could not be retrieved
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL:
195.245.244.243:4661
The following error was encountered:
Your cache administrator is webmaster.
Generated Sat, 10 Jan 2004 00:40:58 GMT by Bambo (Squid/2.4.STABLE6)
]
ERROR : java.lang.Exception: Error Response from SHTTP Proxy !
java.lang.Exception: Error Response from SHTTP Proxy !
at socksshttp/CProxy.CreateSSLTunnel
at socksshttp/CProxy.ProcessRelay
at socksshttp/CProxy.run
at java/lang/Thread.run
Proxy Closed.
-------------------------------------------------------------------------
I think that my proxy does not support the "CONNECT" command. Is there any way to solve this problem? And if there is, how do I do this? (e.g. in Http-Tunnel there is an option to disable support for the proxy's "CONNECT" command)
Many thanks for the help,
Slawek
|
|
|
|
|
Hello,
When SSH Proxy tries to connect using command "CONNECT", your HTTP proxy returns response:
HTTP/1.0 403 Forbidden
Server: Squid/2.4.STABLE6
"Forbidden" means that the usage of the command "CONNECT" is not allowed or HTTP proxy is configured to not allow access from your IP address.
If you do not have direct access to the Internet, the SSH Proxy can't help you.
I do not know how this HTTP-Tunnel will make connection without using command "CONNECT"!
If you have direct access to the Internet - SSH Proxy can work as regular SOCKS proxy without relaying connection through HTTP proxy. For this case just set the property:
UseSHTTPProxy=no
in the config.txt file.
There are systems on the Internet that relay connections through a regular HTTP proxy, but in this case there is a requirement that the destination (the server to which you want to connect) is a special program that works especially for this schema.
If you need that, I can develop such custom software for you.
Just contact D-Bross on www.d-bross.com
But there is a possibility that the HTTP proxy is set to relay traffic only up to a specified timeout. This means that, if the software establishes the connection, the HTTP proxy will close this connection after the specified timeout (e.g. 10 seconds).
Because of that, before making this software, we need to investigate your HTTP proxy.
|
|
|
|
|
Hi,
I was very glad to find this nice program as it helped me to use file-sharing progs behind a corporate firewall. My only problem is that when I try to connect to larger DC++ hubs (more than about 1500 users), it can connect, but halts before downloading the share of the users. Perhaps it's just a timeout problem, because the program works fine with smaller hubs.
Any idea what should I do?
Thanks,
Laszlo
|
|
|
|
|
Hi,
Found out that your program would be useful to me to bypass my corporate architecture:
My connection goes through a transparent PIX firewall to a proxy on port 80.
I use to HTTP-tunnel, which works perfectly (and without the need to specify my proxy IP (!))
But I rely on an external server, which is obviously a not so good answer to my problem.
I tried SSH and this is what I get :
********BEGIN LOG************
----------------------------------------------
S S H P R O X Y
SOCKS Proxy Server -> HTTP SSL tunnel Master
----------------------------------------------
Copyright (c) 1999 D-Bross www.d-bross.com
Free for non-commercial use.
----------------------------------------------
Params : None
Config File : "config.txt"
"config.txt": EnableLog=<yes/no>
"config.txt": SOCKSPort=<PortNumber>
"config.txt": UseSHttpProxy=<yes/no>
"config.txt": SHttpProxyHost=<hostname/IP>
"config.txt": SHttpProxyPort=<PortNumber>
----------------------------------------------
USE of SHTTP Proxy Enabled.
SHTTP Proxy Host : xx.xx.xx.xx
SHTTP Proxy Port : 80
---------------------------------------
Logging : On
---------------------------------------
SOCKS Proxy Port : 1082
---------------------------------------
SOCKS Server Created.
SOCKS Server Started.
SOCKS Server Listen at Port : 1082
Connection from : <localhost/127.0.0.1:3904>
Proxy Created.
Proxy Started.
Accepted SOCKS 5 Request.
SOCKS 5 - Accepts Auth. method 'NO_AUTH'
SOCKS 5 - Accepted SOCKS5 Command: "CONNECT"
Connecting...
Connected to <PROXY/xx.xx.xx.xx:80>
Connected to <PROXY/xx.xx.xx.xx:80>
SOCKS 5 - Reply to Client "SUCCESS"
Initiating SSL Tunneling...
SHTTP Proxy Reply : [HTTP/1.1 502 Proxy Error (... here I get HTML code stating that the ISA server is not configured to allow SSL through the specified port, and that I should use 443...)
ERROR : java.lang.Exception: Error Response from SHTTP Proxy !
java.lang.Exception: Error Response from SHTTP Proxy !
at socksshttp/CProxy.CreateSSLTunnel
at socksshttp/CProxy.ProcessRelay
at socksshttp/CProxy.run
at java/lang/Thread.run
Proxy Closed.
******END LOG****************
I use port 80, because port 8080 gives me the <NA/NA> error (I don't reach the proxy), and assumed that the proxy only listens on port 80 and then chooses how to react between HTTP and HTTPS...
I hope I don't have to settle a server on the other side to listen to port 443 and relay to the internet...
Thanks for helping.
|
|
|
|
|
Hi,
I configured the CONFIG.TXT as follows:
# Copyright (c) 2000 Svetoslav Tchekanov (swetoslav@iname.com)
#-------------------------------
EnableLog=yes
#-------------------------------
SOCKSPort=2000
#-------------------------------
UseSHttpProxy=0
SHttpProxyHost=localhost
SHttpProxyPort=2000
And I set the proxy HTTP as "localhost" and its port to 2000 in my IE-Browser.
Now I start the program and I got:
"
D:\Temp\SocksProxyJava>java SSHProxy
----------------------------------------------
S S H P R O X Y
SOCKS Proxy Server -> HTTP SSL tunnel Master
----------------------------------------------
Copyright (c) 1999 by Svetoslav Tchekanov
ICQ #13435454 E-mail : swetoslav@iname.com
----------------------------------------------
Params : None
Config File : "config.txt"
"config.txt": EnableLog=<yes/no>
"config.txt": SOCKSPort=<PortNumber>
"config.txt": UseSHttpProxy=<yes/no>
"config.txt": SHttpProxyHost=<hostname/IP>
"config.txt": SHttpProxyPort=<PortNumber>
----------------------------------------------
Use of SHTTP Proxy Disabled.
---------------------------------------
Logging : On
---------------------------------------
SOCKS Proxy Port : 2000
---------------------------------------
SOCKS Server Created.
SOCKS Server Listen at Port : 2000
SOCKS Server Started.
"
But as I want to surf our company Web, I got:
"
Error : Invalid SOKCS version : 71
Proxy Closed.
"
What's wrong?
|
|
|
|
|
Now I have the problem that I don't know Java really well, or how to start the SSHProxy!
1. I unzip the file including subfolders!
2. Compile the file SSHProxy.java with javac.exe to SSHProxy.class (all files in the subfolder also get compiled)
3. Editing the config.txt
4. ??? starting SSHProxy.class with the command javaw.exe SSHProxy.class ???? This is not working.
Perhaps somebody can explain to me point by point what I have to do,
or send me complete instructions at nils.vandemolen@gmx.net
|
|
|
|
|
Here is another problem. I hope you can help me. Thanks.
Logging : On
---------------------------------------
SOCKS Proxy Port : 1080
---------------------------------------
SOCKS Server Created.
SOCKS Server Started.
SOCKS Server Listen at Port : 1080
Connection from : <127.0.0.1/127.0.0.1:2386>
Proxy Created.
Proxy Started.
Accepted SOCKS 4 Request.
Accepted SOCKS 4 Command: "CONNECT"
Connecting...
Socks 4 - Refuse Command: "Request REJECTED or FAILED"
Socks 4 reply: "Request REJECTED or FAILED"
ERROR : java.lang.Exception: Socks 4 - Can't connect to <NA/NA>
java.lang.Exception: Socks 4 - Can't connect to <NA/NA>
at socksshttp.CSocks4.Connect(CSocks4.java:285)
at socksshttp.CProxy.ProcessRelay(CProxy.java:315)
at socksshttp.CProxy.run(CProxy.java:147)
at java.lang.Thread.run(Thread.java:484)
Proxy Closed.
Connection from : <127.0.0.1/127.0.0.1:2390>
Proxy Created.
Proxy Started.
Error : Invalid SOKCS version : 80
Proxy Closed.
|
|
|
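A SOCKS request starts with a version byte (4 or 5), so the number in the "Invalid SOKCS version" errors in the two posts above is simply the first byte the listener read: 71 and 80 are the ASCII codes of 'G' and 'P', which is what arrives when a browser's HTTP proxy setting points at the SOCKS port and it sends GET or POST. The following is an added example, not SSHProxy's code or part of any post; it classifies a connection's first bytes, and the sample inputs are constructed.

```python
import struct

HTTP_METHODS = (b"GET", b"POST", b"PUT", b"HEAD", b"CONNECT", b"OPTIONS", b"DELETE")
SOCKS5_AUTH = {0x00: "NO_AUTH", 0x01: "GSSAPI", 0x02: "USERNAME/PASSWORD"}
SOCKS_CMDS = {1: "CONNECT", 2: "BIND"}


def classify_first_bytes(data: bytes) -> str:
    """Describe what kind of client sent `data` to a SOCKS listener."""
    if not data:
        return "empty read"
    version = data[0]
    if version == 5:
        # SOCKS5 greeting (RFC 1928): VER, NMETHODS, then NMETHODS method bytes.
        if len(data) < 2 or len(data) < 2 + data[1]:
            return "truncated SOCKS5 greeting"
        methods = [SOCKS5_AUTH.get(m, hex(m)) for m in data[2:2 + data[1]]]
        return "SOCKS5 greeting, auth methods: " + ", ".join(methods)
    if version == 4:
        # SOCKS4 request: VN, CD, DSTPORT (2 bytes), DSTIP (4 bytes), USERID, NUL.
        if len(data) < 9:
            return "truncated SOCKS4 request"
        cmd, port = struct.unpack("!BH", data[1:4])
        ip = ".".join(str(b) for b in data[4:8])
        return f"SOCKS4 {SOCKS_CMDS.get(cmd, 'cmd ' + str(cmd))} to {ip}:{port}"
    for method in HTTP_METHODS:
        if data.startswith(method + b" "):
            return (f"HTTP {method.decode()} request, not SOCKS "
                    f"(first byte {version} is ASCII {chr(version)!r})")
    if version == 0x16:
        return "TLS handshake record, not SOCKS"
    return f"unknown protocol, first byte {version}"


# Constructed sample inputs (not captured from the thread).
SAMPLES = {
    "browser GET sent to the SOCKS port": b"GET http://intranet.example/ HTTP/1.0\r\n\r\n",
    "browser POST sent to the SOCKS port": b"POST http://intranet.example/login HTTP/1.0\r\n",
    "SOCKS5 client offering NO_AUTH": b"\x05\x01\x00",
    "SOCKS4 CONNECT request": b"\x04\x01\x12\x35\xc0\x00\x02\x0a" + b"user\x00",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label}: {classify_first_bytes(payload)}")
```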
|
|
Hi
The problem is probably in that the SSH Proxy can not connect to your HTTP proxy.
This problem can occur when you are not connected to the Internet, or the HTTP proxy
is unreachable.
Best regards
Svetoslav Chekanov
D-Bross
www.d-bross.com
|
|
|
|
|
Hi!
Could you help me? Here is the log I'm getting:
Logging : On
---------------------------------------
SOCKS Proxy Port : 1080
---------------------------------------
SOCKS Server Created.
SOCKS Server Started.
SOCKS Server Listen at Port : 1080
Connection from : <127.0.0.1/127.0.0.1:2112>
Proxy Created.
Proxy Started.
Accepted SOCKS 4 Request.
Accepted SOCKS 4 Command: "CONNECT"
Connecting...
Connected to <isaserver/10.26.2.101:1080>
Connected to <isaserver/10.26.2.101:1080>
Socks 4 reply: "Request GRANTED"
Initiating SSL Tunneling...
SHTTP Proxy Reply : [[NNECT]
ERROR : java.lang.Exception: Error Response from SHTTP Proxy !
java.lang.Exception: Error Response from SHTTP Proxy !
at socksshttp.CProxy.CreateSSLTunnel(CProxy.java:390)
at socksshttp.CProxy.ProcessRelay(CProxy.java:317)
at socksshttp.CProxy.run(CProxy.java:147)
at java.lang.Thread.run(Thread.java:484)
Proxy Closed.
|
|
|
|
|
Hi,
The problem is in your HTTP proxy.
SSH Proxy connects successfully to your HTTP proxy and sends command "CONNECT".
But your HTTP proxy returns response code different than "200" which means "OK".
So, SSH Proxy displays:
SHTTP Proxy Reply : [[NNECT]
ERROR : java.lang.Exception: Error Response from SHTTP Proxy !
Probably your HTTP proxy does not support command CONNECT (SSL tunneling), or
you do not have the proper rights to use it.
Note that SSH Proxy displays java stack trace just to help me to resolve your problems.
SSH Proxy handles all possible errors.
|
|
|
|
|
I tried this utility with Kazaa, but it seems to be some problem. The log is long, so you can see it there
http://www.sweb.cz/jirinej/log.txt
|
|
|
|
|
... how do I launch sshproxy.class??
when I type in: jview sshproxy.class
I got this error message:
java.lang.NoClassDefFoundError: socksshttp/Log
please help... cheers
|
|
|
|
|
Hi,
You are using an unzipping tool that does not unzip subfolders.
You must unzip all files and subdirectories from SSHProxy.zip.
You must have a subdir "sockshttp" which contains some Java classes.
Best regards
Svetoslav Chekanov
|
|
|
|
|
I'm trying to use this SSH proxy with TCP via SHTTP mode but I can't get it working.
I can access the internet at my company only via HTTP proxy port 80 (Netscape-Proxy/3.51, which is supposed to allow TCP connections via HTTP-SSL tunnels). My goal is to access a terminal server at home. I tried to launch a 'socksified' TSE client via sockscap but I'm getting this:
SOCKS Server Created.
SOCKS Server Started.
SOCKS Server Listen at Port : 1080
Connection from : <127.0.0.1/127.0.0.1:4816>
Proxy Created.
Proxy Started.
Accepted SOCKS 5 Request.
SOCKS 5 - Accepts Auth. method 'NO_AUTH'
SOCKS 5 - Accepted SOCKS5 Command: "CONNECT"
Connecting...
Connected to <prox:80>
Connected to <prox:80>
SOCKS 5 - Reply to Client "SUCCESS"
Initiating SSL Tunneling...
SHTTP Proxy Reply : [HTTP/1.0 403 Proxy denies fulfilling the request
Proxy-agent: Netscape-Proxy/3.51
Date: Fri, 30 May 2003 19:36:34 GMT
Content-type: text/html
Content-length: 234]
ERROR : java.lang.Exception: Error Response from SHTTP Proxy !
java.lang.Exception: Error Response from SHTTP Proxy !
at socksshttp.CProxy.CreateSSLTunnel(CProxy.java:390)
at socksshttp.CProxy.ProcessRelay(CProxy.java:317)
at socksshttp.CProxy.run(CProxy.java:147)
at java.lang.Thread.run(Unknown Source)
Proxy Closed.
Any ideas?
|
|
|
|
|
Hi,
All is clear. The schema you are trying is right.
Unfortunately your proxy *denies* access.
Look at the log file:
1. You are connected to the SOCKS 5 proxy (SSH Proxy)
2. Authentication of SOCKS Proxy is OK
3. You are sending the CONNECT command
4. SSH Proxy tries to connect to the server
5. HTTP Proxy returns error code 403 with message "Proxy denies fulfilling the request."
So, the problem is that the proxy denies access through HTTP-Tunneling.
(command "CONNECT" is denied)
You say that proxy allows SSL connections. It is possible that the proxy has
some kind of "smart behavior" - enabling some requests for command "CONNECT" and disabling other requests.
It's possible to disable tunneling when the target is on port 23 (telnet service)
Try to use such schema to access services that are on port 6667, 25, 110 (IRC, SMTP, POP3) etc.
So if schema works for one of these ports - you will be able to set up somewhere in
the Internet a TCP-Map proxy that will point to your server at port 23.
So your connection will look like this:
Client -> socksCAP -> SSHProxy -> HTTP-Proxy tunnel -> TCP-Map -> Your Server
If you are experiencing problems with setting up a TCP-Map proxy - please call me.
Best regards
Svetoslav Chekanov
D-Bross
http://www.d-bross.com/
|
|
|
|
|
Hai,
I just went through your Socks proxy and it is very much interesting. I would like to know whether you have actually implemented the HTTP-SSL tunnel in the proxy.
Thanking you in advance
Sony
|
|
|
|
|
My proxy requires authentication. Help!!
|
|
|
|
|
Is the program allowing authentication?
|
|
|
|
|
How obvious is it to a network administrator that I'm using a p2p program through their precious proxy? I have a slight concern that they might not be 100% pleased. Is there anything I can do about this?
By the way, excellent program; works like a treat with Kazaa lite.
|
|
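From the proxy operator's side, the tunnel attempts discussed in this thread are CONNECT requests, which a Squid proxy records in its access log whether it refuses them (the 403 replies quoted above) or relays them. The following is an added example, not part of any post or of SSHProxy: it reviews constructed Squid native-format log lines and reports CONNECT requests to ports other than 443 and unusually long-lived tunnels; the allowed-port set and the ten-minute threshold are assumptions.

```python
from collections import defaultdict

ALLOWED_CONNECT_PORTS = {443}  # assumption: policy permits CONNECT to HTTPS only
LONG_TUNNEL_MS = 600_000       # assumption: ten minutes counts as long-lived

# Constructed Squid native-format access.log lines (not from the thread's proxies);
# the 195.245.244.243:4661 target is the one named in the 403 reply quoted above.
SAMPLE_LOG = """\
1073695258.412     3 192.168.1.50 TCP_DENIED/403 1041 CONNECT 195.245.244.243:4661 - NONE/- text/html
1073695301.007 842113 192.168.1.50 TCP_MISS/200 9184420 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1073695310.220   210 192.168.1.77 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/203.0.113.9 text/html
1073695322.990  1450 192.168.1.77 TCP_MISS/200 18233 CONNECT 203.0.113.20:443 - DIRECT/203.0.113.20 -
1073695340.101 61000 192.168.1.91 TCP_MISS/200 40960 CONNECT 198.51.100.44:6667 - DIRECT/198.51.100.44 -
malformed line
"""


def parse_connect(line):
    """Return (client, status, size, elapsed_ms, host, port) for a CONNECT line, else None."""
    f = line.split()
    if len(f) < 7 or f[5] != "CONNECT":
        return None
    host, _, port = f[6].rpartition(":")
    try:
        return f[2], int(f[3].split("/")[-1]), int(f[4]), int(f[1]), host, int(port)
    except ValueError:
        return None  # damaged or non-standard line: skip rather than crash


def review_connects(log_text):
    """Group CONNECT requests that deserve a second look by client address."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_connect(line)
        if rec is None:
            continue
        client, status, size, elapsed, host, port = rec
        if port not in ALLOWED_CONNECT_PORTS:
            verdict = "denied" if status == 403 else "ALLOWED"
            findings[client].append(f"{verdict} CONNECT to non-HTTPS port {host}:{port}")
        elif status == 200 and elapsed >= LONG_TUNNEL_MS:
            findings[client].append(
                f"long-lived tunnel to {host}:{port} ({elapsed // 1000}s, {size} bytes)")
    return dict(findings)


if __name__ == "__main__":
    for client, notes in review_connects(SAMPLE_LOG).items():
        for note in notes:
            print(client, note)
```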
|
|