In this article, we will learn how to set up an HTTP tunnel between a PC and a Linux server using the SSH protocol, so that our traffic stays protected as it crosses a firewall or other filtering device.
Before beginning the technical part, I will explain how port forwarding works and why you would implement it.
To understand this concept, let me refresh your memory on how computers communicate:
To exchange information, computers need an IP address and a port number. The port number is essential because it identifies the service the traffic belongs to: the client must address the port number on which the server is listening.
Now let us decipher port forwarding. Port forwarding consists of redirecting data sent to a port number on one computer to a different port number on another computer.
A picture to better understand this redirection:

In this example, traffic sent to port 6000 on the client is encapsulated and carried over port 22. When it arrives on the server on port 22, it is decapsulated and sent on to port 80.
To put it simply, port forwarding swaps the port number used for the communication.
Why implement it
One may ask why to implement it. Port forwarding with SSH is used when you want to secure a communication between two computers.
Perhaps your company has a firewall that allows only port 22 and you want to reach the internal FTP server. Or there is a filter on your HTTP requests (Websense, SurfControl) and you want to bypass it. But bypassing such a control remains your responsibility.
How does information travel, with and without port forwarding?

Explanation:
The blue path (1) is the communication in a normal situation. When you request a web page, your request is filtered by the firewall and forwarded to the Internet. If the website is on the blacklist, access is denied.
The red path (2) is the communication with port forwarding. Your Internet request is encapsulated in a secure tunnel and sent to your remote server.
Because the transaction between your PC and the server is encrypted, the firewall cannot inspect your request.
Once the remote server has received your request, it fetches the web page from the Internet on your behalf. Everything travels over a secure connection.
Result: a secure exchange between two hosts whose content cannot be inspected in transit.
How to implement it
For this article I used a Debian distribution, but this solution also works on Mandriva.
We need:
- A Linux server
- A client on Microsoft Windows
- Putty
The server configuration is divided into 4 steps.
- OpenSSH Installation.
- Certificates for SSH.
- SSH configuration file.
- User creation.
And for client configuration into 2 steps.
- Configuration of Putty.
- Configuration of your browser.
Server Configuration
OpenSSH Installation
Port Forwarding is based on the SSH protocol. So the first step is to install OpenSSH.
apt-get install openssh-server
Note: Don’t forget to update your sources with:
apt-get update
Generating certificates for SSH
Once you have installed the SSH service, you need keys to authenticate the server and protect the connection (the article calls them certificates; in OpenSSH terms they are the server's host key pairs).
Each such certificate, or key pair, contains a private key and a public key, which allow you to encrypt your communications.
During installation, the keys may already have been generated automatically. For more security, we are going to recreate them.
To create certificates:
ssh-keygen -t dsa -b 1024
ssh-keygen -t rsa -b 1024
The system asks you for the path and file name of your keys; I advise you to put them in /etc/ssh. Leave the passphrase empty, since sshd must be able to load a host key unattended. Note that 1024-bit keys and DSA are considered weak today, and recent OpenSSH releases no longer accept DSA host keys, so on a current system prefer RSA of at least 2048 bits or Ed25519.
SSH configuration file
The next step is to modify the SSH configuration file so that it accepts tunnels and points to the new key paths.
Your Linux server can also connect to another remote server over SSH; in that case it acts as the client.
This is why there are two SSH configuration files: ssh_config for client connections and sshd_config, which lets us configure our SSH server.
We modify the file sshd_config:
vi /etc/ssh/sshd_config
First, we specify the new key paths.
To do this, modify the lines which contain HostKey:
# HostKeys for protocol version 2
HostKey /etc/ssh/certifLaboIT
HostKey /etc/ssh/certifLaboITdsa
To allow SSH tunneling, add this directive at the end of the file:
#Permit Tunnel
PermitTunnel yes
Two caveats: PermitTunnel governs tun(4) device forwarding, whereas the TCP port forwarding used by PuTTY's dynamic forward is controlled by AllowTcpForwarding (enabled by default, so check that no line sets it to no); and sshd honours the first occurrence of a keyword, so a directive appended at the end has no effect if the same keyword already appears earlier in the file.
It is also possible to change the listening port of the server, in case port 22 is blocked by your firewall:
#What ports, IPs and protocols we listen
Port 22
Quit the Vim editor, not forgetting to save your modifications.
SSH configuration is now complete.
We need to restart the service with command:
/etc/init.d/ssh restart
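As an added example (not part of the original article), here is a small Python checker for the pitfall in the steps above: sshd keeps the first occurrence of each keyword, so a line appended at the end can be silently shadowed, and dynamic forwarding depends on AllowTcpForwarding rather than PermitTunnel. The sample configuration is constructed here, reusing the article's key paths plus one hypothetical earlier line.

```python
"""Show which sshd_config directives actually take effect: sshd honours the
FIRST occurrence of a keyword, so a line appended at the end is ignored when
that keyword already appears earlier. HostKey/Port/ListenAddress accumulate."""
import re

MULTI_VALUED = {"hostkey", "port", "listenaddress"}

# Constructed sample: the article's edits plus one hypothetical line that an
# earlier administrator left higher up (AllowTcpForwarding no).
SAMPLE_SSHD_CONFIG = """\
Port 22
HostKey /etc/ssh/certifLaboIT
HostKey /etc/ssh/certifLaboITdsa
AllowTcpForwarding no
# Appended at the end, as the article does:
PermitTunnel yes
AllowTcpForwarding yes
"""

def parse_sshd_config(text):
    """Return (effective, shadowed): keyword (lowercased) -> value (list for
    cumulative keywords), and the (line, keyword, value) entries sshd ignores.
    Parsing stops at the first Match block, whose settings are conditional."""
    effective, shadowed = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = re.match(r"([^\s=]*)\s*=?\s*(.*)", line).groups()
        key = key.lower()
        if key == "match":
            break
        if key in MULTI_VALUED:
            effective.setdefault(key, []).append(value)
        elif key in effective:
            shadowed.append((line_no, key, value))
        else:
            effective[key] = value
    return effective, shadowed

def tcp_forwarding_allowed(text):
    """Dynamic forwards are local TCP forwards: they depend on AllowTcpForwarding
    (default yes), not on PermitTunnel, which controls tun(4) devices."""
    value = parse_sshd_config(text)[0].get("allowtcpforwarding", "yes")
    return value.lower() in ("yes", "all", "local")

if __name__ == "__main__":
    eff, shadowed = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print(eff, "| TCP forwarding allowed:", tcp_forwarding_allowed(SAMPLE_SSHD_CONFIG))
    print("ignored (an earlier line wins):", shadowed)
```

Run it against a copy of your real /etc/ssh/sshd_config to see whether the lines you appended are the ones sshd will actually use.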
User creation
To avoid logging in with the root account, we create a new user:
useradd LaboIT
passwd LaboIT
Server configuration is now complete.
Client Configuration
It is important to understand what we are going to do.
PuTTY will dynamically encapsulate all client requests in the tunnel so that they take the red path (2).
Configuration of Putty
You can download Putty at this address: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
The configuration of the PuTTY executable is done in 2 steps:
- Entering the server's IP address and its listening port.
- Creating a new dynamic port on the client.
For the first step, we will fill in the connection information:

Specify the IP address or FQDN of the server in the red box, and then in the yellow box specify the port set in your sshd_config file.
Second step, creation of the new port:

To create a dynamic port, verify that the Dynamic option is selected, then enter 9999 in the Source port field. Once this is done, click Add to add it to the forwarded ports.
To open the connection to the remote server, click Open.
Configuration of your browser.
You must tell your favourite browser where its traffic should go out: it must use the red path (2), not the blue path (1).
In the browser's proxy settings, choose a SOCKS proxy (PuTTY's dynamic forward is a SOCKS proxy on your PC) with 127.0.0.1 as the host, which is your own PC, and 9999 as the port, the one entered earlier.

You just have to accept the changes and go to your favorite pages.
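As an added example, not from the original article: a short Python probe to run on the PC once PuTTY is connected, to confirm that 127.0.0.1:9999 really is the SOCKS proxy the browser expects. The answer_once helper is only a stand-in for PuTTY so the probe can be exercised offline.

```python
"""Probe the port a PuTTY Dynamic forward listens on (127.0.0.1:9999 here).
A Dynamic forward is a SOCKS proxy, so the browser needs a SOCKS proxy setting,
not an HTTP proxy. The probe sends the SOCKS5 greeting of RFC 1928: 05 01 00."""
import socket, threading

GREETING = b"\x05\x01\x00"  # VER=5, NMETHODS=1, METHOD=0 (no authentication)

def classify_reply(reply):
    """Interpret the first bytes a listener sends back to the SOCKS5 greeting."""
    if reply[:2] == b"\x05\x00":
        return "socks5: proxy accepted the no-authentication method"
    if reply[:2] == b"\x05\xff":
        return "socks5: proxy rejected every offered authentication method"
    if reply.startswith(b"RFB"):
        return "a VNC server answered: this is a plain forward, not a Dynamic one"
    if reply.startswith(b"HTTP/"):
        return "an HTTP server answered: this is not a SOCKS proxy"
    if not reply:
        return "peer closed the connection without a SOCKS reply"
    return f"unrecognised reply {reply.hex()}"

def answer_once(reply):
    """Test aid, not PuTTY: listen on an ephemeral port, answer the first
    greeting with `reply` (b"" just closes), and return the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            conn.recv(8)
            conn.sendall(reply)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def probe_socks5(host="127.0.0.1", port=9999, timeout=3.0):
    """Return a one-line verdict about the listener at host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(GREETING)
            return classify_reply(s.recv(8))
    except ConnectionRefusedError:
        return "nothing listening: is the PuTTY session open with the Dynamic forward added?"
    except socket.timeout:
        return "connected but no reply: the listener is not a SOCKS proxy"
    except OSError as exc:
        return f"connect failed: {exc}"

if __name__ == "__main__":
    print(probe_socks5())
```

If the probe reports a VNC or HTTP answer, the port is a plain forward rather than a Dynamic one; resolving hostnames through the proxy (the browser's SOCKS5 remote DNS option) also keeps DNS lookups inside the tunnel.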
Remember that if your company has set up a filter, it is for a good reason, so do not abuse this. You are solely responsible for your actions.
I have been looking around for this kind of information. Will you post some more in the future? I’ll be grateful if you will.
Great tutorial,
This was working perfectly at my old job, but at the new job it is not working.
At the new job I CAN connect to the SSH server, and CAN do port forwarding for other stuff (i.e. VNC / webmin); but when it comes to HTTP tunneling using a dynamic port (as explained above), it is not working. Any idea?
Thanks