When outbound HTTP and HTTPS is denied you have to get creative with 3proxy and SSH

Written by James McDonald

June 11, 2017

https://www.digitalocean.com/community/tutorials/how-to-route-web-traffic-securely-without-a-vpn-using-a-socks-tunnel

The above link has a how-to on running a SOCKS5 proxy just by using ssh. PS: I have used Digital Ocean for 3+ years and, except for one instance of resource starvation due to another instance on the same host chewing the resources, they have been great!

The magic is just running ssh with the following command (-D opens a local dynamic SOCKS port, -f backgrounds ssh, -C compresses, -q is quiet and -N runs no remote command):

ssh -D 8123 -f -C -q -N [email protected]

Once you have the tunnel from your local computer to the remote host ([email protected]) you can use curl or wget through the SOCKS5 tunnel.

wget:

export SOCKS_SERVER=127.0.0.1:8123
wget http://server-C/whatever

curl:

# -x (--proxy) takes a socks5:// URL; without -x curl would try to fetch socks5://localhost:8123 as a page
curl -x socks5://localhost:8123 https://jmits.com.au

But the problem starts when you have SOCKS-unaware programs that only support standard HTTP or HTTPS proxies.

So how can you have an HTTP/S proxy that then uses the SSH SOCKS5 tunnel?

3proxy can do it.

Install 3proxy

On CentOS that was done by installing epel-release, which provides Extra Packages for Enterprise Linux, and then the 3proxy package itself:

yum install epel-release

yum install 3proxy

vim /etc/3proxy.cfg
# I pretty much commented out everything in 3proxy.cfg until I had the following

nscache 65536
timeouts 1 5 30 60 180 1800 15 60
daemon
log /var/log/3proxy/3proxy.log
logformat "- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
archiver gz /bin/gzip %F
rotate 30
internal 127.0.0.1
auth strong
# create the password using openssl 
# openssl passwd -1 yourpasswordhere
# if there is a dollar symbol you need double quotes around it
users "proxyusername:CR:$1$POyLAate$hlRz2aqWeWDMiQloQRYOO."
allow proxyusername

# this command says for the HTTP proxy 
# to connect to the socks5 proxy running
# on localhost on port 8123
parent 1000 socks5 127.0.0.1 8123
# the default http/s proxy port is 3128
# but you can change it with -p option
proxy -n -p3128

So once you have edited the config, before launching it as a daemon, first check for typos:
if the following exits with an error then you have a problem. With mine it was because I forgot to put double quotes around the MD5-crypted password user line.


3proxy /etc/3proxy.cfg

Once you have it right, you will know because it will actually start running (the daemon line in the config backgrounds it; check with ps -ef | grep 3proxy). You will need to kill off the self-launched 3proxy process and then launch it using systemd:

# when it's correct run it
service 3proxy start
or
systemctl start 3proxy

Once you have 3proxy configured as above you can then configure your local application to connect to it. Here are examples using wget and curl.

wget:

[root@jmits-srv-01 etc]# unset SOCKS_SERVER
[root@jmits-srv-01 etc]# export https_proxy=localhost:3128
[root@jmits-srv-01 etc]# export http_proxy=localhost:3128

# An example of not using authentication
[root@jmits-srv-01 etc]# wget https://jmits.com.au
--2017-06-10 15:30:27--  https://jmits.com.au/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:3128... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:3128... connected.
Proxy tunneling failed: Proxy Authentication RequiredUnable to establish SSL connection.

# now with proper auth it works
[root@jmits-srv-01 etc]# wget --proxy-user proxyusername --proxy-password mysecurepw https://jmits.com.au
--2017-06-10 15:32:57--  https://jmits.com.au/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:3128... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.1’

    [ <=>                                                                               ] 20,003      --.-K/s   in 0s      

2017-06-10 15:32:58 (124 MB/s) - ‘index.html.1’ saved [20003]

curl:

# curl example through 3proxy
curl -x localhost:3128 -U proxyusername:proxypassword https://jmits.com.au
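To make the two hops concrete, here is an added Python example (not code from the post or from the 3proxy project) that builds and parses the messages a client exchanges with this setup: the HTTP CONNECT request with Proxy-Authorization that wget/curl send to 3proxy on port 3128 (the difference between the 407 "Proxy Authentication Required" and the 200 in the wget session above), and the SOCKS5 greeting and CONNECT that 3proxy's parent line then makes towards the ssh -D listener on port 8123. Hostnames, ports and credentials are placeholders taken from the post's examples; open_through_chain is a hypothetical helper name, and the reply bytes in the __main__ block are constructed captures, not real proxy output.

```python
"""Client side of the two-hop chain described in the post:

    application --HTTP CONNECT--> 3proxy (127.0.0.1:3128, auth strong)
                --SOCKS5--> ssh -D (127.0.0.1:8123) --> destination

Builders and parsers run offline against constructed replies;
open_through_chain uses them on a real socket to 3proxy.
Added example; names, ports and credentials are placeholders."""
import base64
import socket
import struct
from typing import Optional

PROXY_AUTH_REQUIRED = 407  # what 3proxy's "auth strong" answers to unauthenticated clients


def build_connect_request(host: str, port: int, user: Optional[str] = None,
                          password: Optional[str] = None) -> bytes:
    """HTTP CONNECT request as sent by wget/curl with -x host:3128.

    With user/password set, the Proxy-Authorization header carries the
    credentials that the users/allow lines in 3proxy.cfg check."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_http_status(reply: bytes) -> int:
    """Status code from the proxy's reply; 200 means the tunnel is up."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def build_socks5_greeting() -> bytes:
    """RFC 1928 greeting: version 5, one method offered, 0x00 = no auth.
    This is the hop "parent 1000 socks5 127.0.0.1 8123" makes towards
    ssh -D, which accepts unauthenticated SOCKS5 on the loopback port."""
    return bytes([0x05, 0x01, 0x00])


def build_socks5_connect(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT with a domain-name address (ATYP 0x03), so the
    name is resolved on the far side of the SSH tunnel, not locally."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("host name too long for SOCKS5")
    return bytes([0x05, 0x01, 0x00, 0x03, len(name)]) + name + struct.pack("!H", port)


def parse_socks5_reply(reply: bytes) -> int:
    """REP field of a SOCKS5 reply: 0 = succeeded, anything else is an error."""
    if len(reply) < 2 or reply[0] != 0x05:
        raise ValueError(f"not a SOCKS5 reply: {reply!r}")
    return reply[1]


def _recv_until(sock: socket.socket, marker: bytes, limit: int = 8192) -> bytes:
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def open_through_chain(dest_host: str, dest_port: int, proxy_host: str = "127.0.0.1",
                       proxy_port: int = 3128, user: Optional[str] = None,
                       password: Optional[str] = None, timeout: float = 10.0) -> socket.socket:
    """Connect to 3proxy, issue CONNECT and return the socket once the proxy
    answers 200; raises on 407 (credentials) or any other status."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(build_connect_request(dest_host, dest_port, user, password))
    status = parse_http_status(_recv_until(sock, b"\r\n\r\n"))
    if status != 200:
        sock.close()
        reason = "missing or wrong proxy credentials" if status == PROXY_AUTH_REQUIRED else "proxy refused"
        raise ConnectionError(f"CONNECT {dest_host}:{dest_port} -> {status} ({reason})")
    return sock  # caller wraps this in TLS for an https destination


if __name__ == "__main__":
    # Constructed replies matching the two outcomes in the post's wget session.
    print(parse_http_status(b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n"))
    print(parse_http_status(b"HTTP/1.0 200 Connection established\r\n\r\n"))
    print(build_connect_request("jmits.com.au", 443, "proxyusername", "mysecurepw").decode())
```

The design point is that the credentials only cross the first hop: the application authenticates to 3proxy with Basic auth over loopback, and 3proxy then speaks plain SOCKS5 to the ssh listener, which is why "internal 127.0.0.1" matters; a 3proxy bound to a routable address with the same config would expose the tunnel to anyone who can guess the password.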
