HTTP tunneling

1. General

A thread on discusses which techniques can be used to proxy SSH traffic over HTTP. For example, the AllowCONNECT feature of the Apache proxy server can be combined with the "proxytunnel" program.

Another technique is HTTP tunneling, which has a dedicated Wikipedia article. There are several implementations of this. First, there is GNU HTTP tunnel (basic). It is very basic, does not support SSL encryption and copes very poorly with HTTP proxies.

Second, there is Perl/PHP HTTPTunnel from Sebastian Weber. These two are discussed in the "proxy hacks" article, where the author strongly recommends the latter. There is also an implementation from "linux academy", but I failed to make it work.

2. HTTPTunnel

So we proceed with HTTPTunnel. A PHP port is available, so you can run it on an existing Apache/PHP server, but running it with Perl is recommended. You need Perl 5.8.x+ (normally pre-installed). You might also need to upgrade your threads module to 1.51+ (not shipped by default). Although HTTPTunnel does not support HTTPS, the GET/POST payload can be encrypted, traffic can be compressed, and the tunnel can authenticate users against LDAP or MySQL.

Install the modules from CPAN:

# yum install perl-DBI perl-DBD-MySQL
# cpan
cpan> install threads
cpan> install Compress::Zlib
cpan> install Mcrypt
cpan> install Crypt::OpenSSL::RSA

If rpmforge is already enabled on CentOS 5, use yum:

yum install perl-Crypt-OpenSSL-RSA [perl-Compress-Zlib]

I failed to install Mcrypt on CentOS 5, but found perl-Mcrypt- on the web (original copy). If compilation fails, see this hint:

yum install libtool-ltdl-devel
rpmbuild --rebuild perl-Mcrypt-
rpm -i /usr/src/redhat/RPMS/i386/perl-Mcrypt-

HTTPTunnel v1.2 has a base64 padding error, so patch it using httptunnel_base64.diff (local mirror).
To install the HTTPTunnel standalone server, follow the steps below:

cd /var/www
tar xzf HTTPTunnel_*.tgz
mv HTTPTunnel_* htunnel
cd htunnel
patch -p1 -i httptunnel_base64.diff
ln -sf common perlserver
ln -sf common client
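The page notes that v1.2 needs a base64 padding patch but does not say what the defect was. The following added example (my own code, not HTTPTunnel's and not from the page) shows the general class of bug a tunnel that carries a byte stream in separate GET/POST bodies runs into: if each body is base64-encoded on its own and the receiver glues the bodies together before decoding, the "=" padding lands mid-stream and the decoder silently drops everything after it unless every piece is a multiple of 3 bytes. The byte stream and chunk sizes are constructed for the demonstration.

```python
import base64

# Constructed byte stream standing in for the TCP data a tunnel carries
# (1024 bytes covering every byte value, so corruption is easy to spot).
STREAM = bytes(range(256)) * 4


def encode_chunks(data, size):
    """Sender side: split the stream into pieces of `size` bytes and base64-
    encode each piece separately, one piece per HTTP request body."""
    return [base64.b64encode(data[i:i + size]) for i in range(0, len(data), size)]


def decode_concatenated(bodies):
    """Receiver that glues all bodies together and decodes once. Unless every
    piece was a multiple of 3 bytes, '=' padding ends up in the middle of the
    text; b64decode stops at the first padding (or rejects the input), so the
    rest of the stream is silently lost."""
    try:
        return base64.b64decode(b"".join(bodies))
    except ValueError:      # binascii.Error is a ValueError subclass
        return None


def decode_per_body(bodies):
    """Receiver that treats every request body as its own frame and decodes
    it on its own. Correct for any chunk size."""
    return b"".join(base64.b64decode(body) for body in bodies)


def padding_safe(size):
    """True if pieces of this size can be concatenated as base64 text without
    padding appearing mid-stream (only the final piece may then be short)."""
    return size % 3 == 0


if __name__ == "__main__":
    # 99 is a multiple of 3, 100 is not: only the first survives concatenation.
    for size in (99, 100):
        bodies = encode_chunks(STREAM, size)
        print(size, padding_safe(size),
              decode_concatenated(bodies) == STREAM,
              decode_per_body(bodies) == STREAM)
```

Framing each HTTP body as its own base64 unit is the robust fix; relying on a padding-safe chunk size only works as long as every code path honours it.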

Start and stop the server and client using the /etc/init.d/htunnel-perl-server and /etc/init.d/htunnel-perl-client scripts.
Now open your browser at http://localhost:port and set the remaining options, namely server access control (authentication and user source), access control for the admin interface, and encryption.
On the HTTP Tunnel client host, run the client and browse to http://localhost:1079 to set up the remaining options:

  • Port mapping: the TCP/IP connections to tunnel inside HTTP requests. Add as many TCP connections as you want here; the ports will be tunneled inside HTTP.
  • SOCKS server and port. You can use proxifiers for applications that do not support a SOCKS proxy, such as IE and Opera.
  • User-based or IP-based access control.
  • On the second tab, configure the tunnel server and proxy server information.
  • On the fourth tab, set up advanced options such as encryption, compression and access control for the admin interface.

3. GNU HTTP Tunnel

The GNU HTTP tunnel is very basic, does not support SSL encryption and copes very poorly with HTTP proxies. It consists of two executables, hts (httpTunnelServer) and htc (httpTunnelClient). A typical usage might be:

Server : hts -F localhost:443 8080
Client : htc -P : -A : -F 12345 hts_server:8080

Now use PuTTY or an ssh client to create an SSH tunnel inside this HTTP tunnel: connect to localhost:12345 to reach the SSH server listening on port 443 on the HTTP tunnel server.
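From the proxy operator's side, both families of technique on this page leave recognisable traces: SSH through an over-permissive AllowCONNECT shows up as CONNECT requests to ports other than 443 (section 1), and GET/POST tunnels such as GNU httptunnel and HTTPTunnel (sections 2 and 3) poll one URL continuously. The following added example (my own code, not from the page or from any of the tools it names) runs those two checks over constructed proxy log lines; the common-log-format shape, the allowed-port set and the polling thresholds are assumptions to adapt to your own proxy.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common-log-format line as written by an Apache or Squid forward proxy
# (assumption about the log shape; adjust the regex to your proxy).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Ports a proxy is normally expected to allow for CONNECT (assumption).
ALLOWED_CONNECT_PORTS = {443}


def parse_line(line):
    """Parse one proxy log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def connect_to_unusual_ports(lines):
    """Return (client, host, port) for every successful CONNECT whose target
    port is outside ALLOWED_CONNECT_PORTS, e.g. SSH on 22 through a proxy
    whose AllowCONNECT list is wider than it should be."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT" or rec["status"] != 200:
            continue
        host, _, port = rec["target"].rpartition(":")
        if port.isdigit() and int(port) not in ALLOWED_CONNECT_PORTS:
            hits.append((rec["client"], host, int(port)))
    return hits


def polling_tunnels(lines, window=timedelta(seconds=60), threshold=20):
    """Return (client, url) pairs that send at least `threshold` GET/POST
    requests to one URL within `window`: the steady polling pattern of a
    GET/POST tunnel, which ordinary browsing rarely produces."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("GET", "POST"):
            continue
        url = rec["target"].split("?", 1)[0]          # ignore the query string
        stamps[(rec["client"], url)].append(rec["ts"])
    flagged = []
    for key, times in stamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):                # sliding time window
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return flagged


def _ts(seconds):
    """Constructed timestamp, `seconds` after a fixed base time."""
    base = datetime(2010, 3, 12, 10, 0, 0, tzinfo=timezone.utc)
    return (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")


# Constructed sample log: one benign CONNECT to 443, one CONNECT to port 22,
# one ordinary page fetch, and a client polling a single PHP URL every second.
SAMPLE_LOG = [
    f'10.0.0.5 - - [{_ts(0)}] "CONNECT mail.example.net:443 HTTP/1.1" 200 1234',
    f'10.0.0.5 - - [{_ts(4)}] "CONNECT shell.example.net:22 HTTP/1.1" 200 5120',
    f'10.0.0.9 - - [{_ts(8)}] "GET http://www.example.net/index.html HTTP/1.1" 200 4200',
] + [
    f'10.0.0.7 - - [{_ts(10 + i)}] "POST http://tunnel.example.net/htunnel/index.php HTTP/1.1" 200 {200 + i}'
    for i in range(30)
]

if __name__ == "__main__":
    print("CONNECT to unusual ports:", connect_to_unusual_ports(SAMPLE_LOG))
    print("Polling tunnels:", polling_tunnels(SAMPLE_LOG))
```

The port check is only as good as the proxy's CONNECT policy: when SSH is parked on 443 specifically to pass a strict AllowCONNECT list, the polling check and per-session byte counts are what remain, so tune `threshold` and `window` against a baseline of normal traffic before alerting on them.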