1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
|
=encoding utf-8
=head1 NAME
Net::Proxy::Tutorial - Network proxies for fun and profit
=head1 SYNOPSIS
This document describes in detail how to use L<Net::Proxy> in several
real-life situations.
=head1 DEFINITIONS
=head2 What is a proxy?
You need a proxy every time you need to cross network boundaries to reach
a service that is not directly accessible.
The typical example is the corporate web proxy in a company. The corporate
firewall is a boundary, usually very tightly closed, between the corporate
network and the outside world (wild wild Internet).
To let the employees access all the nice web sites outside, the company
sets up a web proxy, which is authorised to cross the boundary (firewall)
on your behalf. The web browser asks the proxy for whatever it needs, and
the proxy goes and fetches the requested stuff on the web.
Since the proxy sees the client requests, it can check if they fit the
corporate browsing policy and decide if it will fetch the document for
the requestor. It can also request authentication, and log the username
with the request.
Transparent proxies mimic the actual service you asked for, and reply
as if they were the actual service provider. Except that the client doesn't
notice there is a proxy in between. Most transparent web proxies grab
outgoing traffic on port 80. Some ISP do this to cache responses and
spare their bandwidth.
=head2 Why do I need a proxy?
Sometimes, the traffic you want to send or receive doesn't quite fit
the model that the network designers had in mind.
For example, if you need to modify network traffic, almost transparently,
at a high level, you probably need L<Net::Proxy>.
=head1 DESCRIPTION
In this section, we will see actual examples of use of L<Net::Proxy>.
=head2 A basic L<Net::Proxy> script
Most L<Net::Proxy> based scripts look like the following:
=over 4
=item *
The usual boilerplate:
#!perl
use strict;
use warnings;
use Net::Proxy;
=item *
One or more proxies are created by calling C<new()> with the appropriate
parameters:
my $proxy = Net::Proxy->new( ... );
=item *
The individual proxies are registered with the L<Net::Proxy> framework:
$proxy->register();
=item *
Some framework options are defined:
Net::Proxy->set_verbosity(1);
Note: The C<set_verbosity()> method is available only since L<Net::Proxy>
version 0.04.
=item *
The framework is started, sets up the listening sockets, and waits for
connections to proxy around:
Net::Proxy->mainloop();
=back
=head2 The concepts behind L<Net::Proxy>
Any time a proxy handles a network connection, it actually manages two
connections: a connection from the client to the proxy, and a connection
from the proxy to the server. During normal processing, each chunk of
data received on one connection is copied to the other connection, and
vice-versa.
L<Net::Proxy> introduces the concept of "connectors". Connectors are
used to represent the ends of the two connections that the proxy handles
to create a single client-server connection.
+-------+
| proxy |
| |
"client" --->(xx)[in] [out]---> "server"
+-------+
In the above ASCII diagram, C<(xx)> represents the listening port number,
and C<[in]> (left) and C<[out]> (right) the L<Net::Proxy> connectors.
The C<in> connector accepts incoming connections on a listening port.
Once a connection with the client is established, the proxy uses the
C<out> connector to connect to the destination server.
The simplest connector is named L<Net::Proxy::Connector::tcp> (we'll
use C<tcp> for short). When placed on the C<in> side, it simply
C<listen()>s for incoming connections and them C<accept()>s them.
Then the C<out> connector C<connect()>s to the server.
Each connector accepts different parameters, which we'll see in the
following examples.
Since the proxy must handle every item of data going through, it can
look at it, and modify it. This is what other connectors do: they can
insert or transform data on the fly, which provides us with an incredible
amount of power on our network connections, which we will leverage
throughout this document.
=head1 REAL-LIFE EXAMPLES
=head2 Contacting a SSH server through the corporate web proxy
(This example requires at least L<Net::Proxy> version 0.02 to work.)
In many companies, the corporate firewall doesn't let you connect outside
with SSH. The only allowed access to the outside is via the web proxy.
Luckily, web proxies are designed to let certain types of TCP connection
go through them without modifications: encrypted SSL connections, used in
HTTPS. These connections are handled in the following way: the client
sends a C<CONNECT> connect to the proxy which (according to a policy
based on the hostname, port and the user's credentials) actually connects
to the remote host and transfers the data between the client and server,
without looking at the encrypted data. The proxy doesn't even check that
the traffic is actual SSL traffic.
So your SSH client could connect to a local proxy, which would send the
C<CONNECT> request to the web proxy, asking for a connection to your
home SSH server. Thereafter, the local proxy would behave like a standard
TCP proxy and simply pass the data around.
Here is a network diagram showing the network configuration in
ASCII-art:
'
(internal network) ' (Internet)
'
+-------+ +-------+ ' +-------+
| local | | web | ' | ssh |
ssh | proxy | | proxy | ' | server|
client --->(22)[tcp] | | | ' | |
|[connect]-->(8080) |----'--->(22) |
+-------+ +-------+ ' +-------+
'
'
Here's how to set up the local L<Net::Proxy> instance:
Net::Proxy->new(
{ in => {
type => 'tcp',
host => 'localhost',
port => 22,
},
out => {
type => 'connect',
host => 'home.example.com',
port => 22,
# proxy details
proxy_host => 'proxy.mycompany.com',
proxy_port => 8080,
# proxy credentials
proxy_user => 'me',
proxy_pass => 's3kr3t',
},
}
)->register();
Most of the time, corporate web proxies do not allow connections on other
ports than 443, the standard HTTPS port. You just need to reconfigure
your SSH server so that it also listens on port 443:
# sshd configuration file
Port 22
Port 443
In the exemple above, you need to change the C<out>/C<port> from C<22>
to C<443>.
Many SSH clients (like PuTTY) already include configuration options
to get through web proxies, so L<Net::Proxy> probably isn't necessary
any longer to handle this kind of traffic.
=head2 Running two services on the same TCP port
(This example requires at least L<Net::Proxy> version 0.03 to work.)
So you managed to get out of your corporate prison^Wnetwork by setting
up your SSH server to listen on port 443. The problem is that you also
run a HTTPS server; and if you want it to be accessible to anyone, it must
run on port 443 (otherwise the corporate proxy won't let you pass through,
and noone will find it anyway).
Therefore, the only option is to run both the SSL web server and the SSH
server on I<the same port>. How is that even possible? TCP clearly doesn't
allow this (or we wouldn't need those long F<services> files in our F</etc>
directories).
What you need is a proxy that can guess what the client wants, but without
contacting the server. If it manages to find out which server the client
wants to connect to, it can then contact the expected server and do its
usual proxy job.
Luckily, there is a fundamental difference of behaviour between a http/s
client and a SSH client:
=over 4
=item *
during a HTTP(S) connection, the client "speaks" first
=item *
during a SSH connection, the server sends a banner first
=back
'
(Internet) ' (internal network)
'
' +-------+
' |reverse|
' | proxy |
SSL client ---'--->( | [tcp]---> SSL server
' ((443)[dual] |
SSH client ---'--->( | [tcp]---> SSH server
' +-------+
'
L<Net::Proxy>'s C<dual> connector is able to detect between two such clients
with the help of a timeout.
Net::Proxy->new(
{ in => {
type => 'dual',
host => '0.0.0.0',
port => 443,
client_first => {
type => 'tcp',
port => 444, # move the https server to another port
},
server_first => {
type => 'tcp',
port => 22, # good old SSH
},
# wait during a 2 second timeout
timeout => 2,
},
out => { type => 'dummy' },
}
)->register();
=head2 Hiding SSH connections going through the corporate proxy from IDS
(This example requires at least L<Net::Proxy> version 0.06 to work.)
The first technique we presented (using a CONNECT request to get out
of the corporate network) is so well-known that many Intrusion
Detection Systems (IDS) check the first packets of a connection to
try and find hidden SSH connections crossing the corporate boundaries
outwards.
The server banner looks like this:
SSH-2.0-OpenSSH_3.9p1
while the client banner may look like this:
SSH-2.0-OpenSSH_4.2p1 Debian-5
You want to deceive Intrusion Detection Systems (IDS) by modifying the
cleartext part of your SSH connection. Since the detection code simply
looks for the "C<SSH->" string, an "encryption" scheme as simple as
ROT-13 is enough.
'
(internal network) ' (Internet)
'
+-------+ +-------+ ' +-------+
| local | | web | ' |reverse|
ssh | proxy | | proxy | ' | proxy |
client --->(22)[tcp] | | | ' | |
|[connect]===>(8080) |===='===>(443)[tcp][tcp]---> ssh
+-------+ +-------+ ' +-------+ server
'
Traffic \________ ________/'
---> ssh v '
===> ssh + rot13 Traffic scanned '
by the IDS '
'
The C<hook> connector option accepts a callback that will be called for
each chunk of data received, before sending it out. The callback must have
the following signature:
# Net::Proxy versions 0.06 and 0.07
sub {
my ( $dataref, $connector ) = @_;
...
}
# As from Net::Proxy version 0.08
sub {
my ( $dataref, $socket, $connector ) = @_;
...
}
The ROT-13 routine is straightforward (and must be defined in both scripts):
my $rot13 = sub { ${ $_[0] } =~ y/A-Za-z/N-ZA-Mn-za-m/ };
Client-side proxy:
Net::Proxy->new(
{ in => {
type => 'tcp',
host => '0.0.0.0',
port => 22,
hook => $rot13
},
out => {
type => 'connect',
host => 'home.example.com',
port => 22,
hook => $rot13,
# proxy configuration
proxy_host => 'proxy.mycompany.com',
proxy_port => 8080,
# proxy credentials
proxy_user => 'me',
proxy_pass => 's3kr3t',
},
}
)->register();
Server-side proxy:
Net::Proxy->new(
{ in => {
type => 'tcp',
host => '0.0.0.0',
port => 443,
hook => $rot13
},
out => {
type => 'tcp',
port => 22,
hook => $rot13
}
}
)->register();
=head2 Hiding a SSH connection under SSL through a corporate proxy
(This example requires at least L<Net::Proxy> version 0.08 to work.)
Another option to hide what you are doing in your connection through
the corporate proxy, is to actually use SSL to connect to your SSH
server (I<à la> B<stunnel>). This is what the proxy expects, after all.
'
(internal network) ' (Internet)
'
+-----------+ +-------+ ' +-------+
| local | | web | ' |reverse|
ssh | proxy | | proxy | ' | proxy |
client -->(22)[tcp] | | | ' | |
|[connect_ssl]===>(8080) |==='==>(443)[ssl][tcp]---> ssh
+-----------+ +-------+ ' +-------+ server
'
Traffic \_______ _______/'
---> ssh v '
===> ssh over SSL Traffic scanned '
by the IDS '
'
Client-side proxy:
Net::Proxy->new(
{ in => {
type => 'tcp',
host => '0.0.0.0',
port => 22,
},
out => {
type => 'connect_ssl',
host => 'home.example.com',
port => 443,
# proxy configuration
proxy_host => 'proxy.mycompany.com',
proxy_port => 8080,
# proxy credentials
proxy_user => 'me',
proxy_pass => 's3kr3t',
},
}
)->register();
Server-side proxy:
Net::Proxy->new(
{ in => {
type => 'ssl',
host => '0.0.0.0',
port => 443,
},
out => {
type => 'tcp',
port => 22,
}
}
)->register();
=head1 AUTHOR
Philippe "BooK" Bruhat, C<< <book@cpan.org> >>.
=head1 COPYRIGHT
Copyright 2006-2014 Philippe 'BooK' Bruhat, All Rights Reserved.
=head1 LICENSE
This tutorial is distributed under a Creative Commons
Attribution-Noncommercial-No Derivative Works 3.0 License.
=cut
|
