I have two applications which I cannot change:
A: provides a URL protected by HTTP basic auth.
B: needs to access this URL but does not support basic auth.
Credentials are available.
How can I make my two applications work together?
I thought a local proxy might be great which injects the authentication. E.g. using socat:
socat TCP4-LISTEN:81,reuseaddr,fork TCP:UrlToA:80,<inject-basic-auth>=user:pass
However, socat does not provide an option like < inject-basic-auth >. Anybody knows any tool that might help? Any other way out?
You must set up a HTTP reverse proxy server that does the authentication for you. No need to hack any software.
Your reverse proxy listens on some socket (e.g. proxy:8080) and forwards requests to your actual application A, inserting the headers.
client_B ----> http://proxy:8080 -----> http://server_A:80
Nginx is lightweight, high performance and easy to set up. And it's easy to find docs online for what you want.
See for example http://wiki.apache.org/couchdb/Nginx_As_a_Reverse_Proxy
This problem seems to be very specific. So you probably won't find a ready-to-use tool.
If you want to do it yourself, your best approach is probably to extend socat:
http://www.dest-unreach.org/socat/download/socat-1.7.2.2.tar.gz
Good luck!
Related
I'm looking for a HTTP proxy on Windows, with which can easily apply some simple rules/filters onto.
For example, I can let the traffic of http://sitea.com/images.* all goes with http://localhost/images.*
I would suggest using Squid on Windows. I think this article explains a url_rewrite_program that can be called to do what you need:
Squid's URL modification/rewrite
Good luck!
This question already has answers here:
How to create Man in the Middle instrumentation
(3 answers)
Closed 8 years ago.
We seem to be going round in circles a bit at the moment. We are looking for simple light weight, preferably ruby based proxy that enables us to do the following.
Proxy HTTPS requests between a browser and a Web app. e.g. GMail
Intercept and modify the request/responses - Man in the Middle modification
Generate on the fly SSL certs (or maybe us pre-configured) for use between the proxy and the browser
Using Ruby, we've experimented with em-proxy and Goliath but I don't think these are quite the right fit.
Any suggestions would be very much appreciated.
Best Regards,
Carlskii.
There is also mitmproxy written in Python.
Fiddler can do this, although it's not Ruby-based.
There is also nice looking multiplatform http://www.charlesproxy.com/ with SSL support. It's in java/native code. It's closed-source paid app with free trail.
You can try https://github.com/odcinek/mallory it is more recent though not as fully mature as the previously mentioned other language proxies, this one however IS written in ruby.
Another alternative.
Burp Proxy, freemium, closed source written in java.
Burp Proxy is an interactive HTTP/S proxy server for attacking and
testing web applications. It operates as a man-in-the-middle between
the end browser and the target web server, and allows the user to
intercept, inspect and modify the raw traffic passing in both
directions.
Burp Proxy allows you to find and exploit application vulnerabilities
by monitoring and manipulating critical parameters and other data
transmitted by the application. By modifying browser requests in
various malicious ways, Burp Proxy can be used to perform attacks such
as SQL injection, cookie subversion, privilege escalation, session
hijacking, directory traversal and buffer overflows.
https://github.com/lightbody/browsermob-proxy open-source, well-known solution written in java, can be configured on-the-fly using REST API or Java API
I want to build or implement some sort of LDAP proxy that will intercept the LDAP response from our corporate server and tack on a jpegPhoto to each entry which will load the persons image from our intranet (i.e. http://intranet.biz/userPhoto.php?email=johnDoe#domain.com).
My first thought is to setup a Squid proxy with a rewrite filter. The OpenLDAP man pages also seems to mention that it can act as a proxy (perhaps using slapo-rwm to add jpegPhoto?). I'm not very familiar with OpenLDAP and I'm not sure how to implement this.
What's the best solution? Any examples?
You should probably look into openldap's overlays combined with the proxy backends they offer. The 'translucent' overlay might be an appropriate starting point.
Very difficult. You will have to write something that can completely parse an LDAP response and add the required attributes to it. There are various LDAP APIs available that can do that for you but it will be a slog. Have you considered bulk-moving the jpegs into the LDAP database?
I have a socket app that needs to have support for SOCKS 4 and 5 proxy connections, since my users may be behind firewalls. I am using WPF and C# 3.5 SP1. I see no options in the default Socket class for proxys, do I have to roll my own?
I'd prefer not to use 3rd party libs if possible - how difficult is it to enable proxy support with a standard C# Socket?
It is not terribly hard but you have to read through a couple of RFCs. You need to read the RFC spec on Socks v4, Socks v4a and Socks v5. I wrote a library that will do all the work for you but if you would rather write you own that is cool too. My library was mentioned in the previous post (Starksoft). You can implement the Socks protocol using a standard TcpClient object or a Socket connection. The TcpClient is easier. You simply need to send the commands immediately after connection to your proxy server. Those command will instruct the proxy server what final end point you are interested in connecting to. There is also specs for a UDP Socks connection but it sounds like you won't be needing that.
You can find all the RFCs and generation information on wikipedia. I can't post more because this crazy stackoverflow site limits the number of hyperlinks I am allowed to 1 since I am not a regular user. Very annoying.
http://en.wikipedia.org/wiki/SOCKS
Finally, you can rip off my code if you like since it is under the MIT license and I let you do that kind of thing. :) Take at look at my class Socks4ProxyClient.cs that implements the Socks v4 protocol. The method of most interest to you is named SendCommand() located on line 282. You can find my code at Google Code. Search for Starksoft. Or you can go to my web site directly and I have link to the source code in Google.
Socks5 implementation is a little trickier with more options to specify and a little more chatter to the server but basically very similar to Socks4.
Good luck and you should implement a solution yourself if you want to learn Socks. So, kudos to you!
Benton
You could ask google for some info. One of the first links will lead you to Mentalis.org and their free proxy implementation. They were once well known for their free network and security stuff but the projects seem to not being maintained for a while.
But it might be worth a look anyway.
I know you said that you did not want to use 3rd party librarys if possbile, but I would like to recommend this http://www.starksoft.com/prod_proxy.html.
I would like to setup a http proxy on my work machine (no admin rights, WinXP) to only allow access to a whitelist of URLs. What would be the easiest solution? I prefer open-source software if possible.
Squid seems to be the de facto proxy. This link describes how to set it up on a windows box: http://www.ausgamers.com/features/read/2638752
Why not use the Content Advisor in IE? You can provide a list of approved sites, anything else is blocked. Or do you want pass-through functionality like a true proxy?
Content advisor will ask for authorization every time a javascript function is called. At least that's my experience right now, and that's how I landed here, after hours of googling.
You are right, however, if the sites in the whitelist don't use javascript intensively and I would suggest that that option be tried first because (and I'm an IT person), it's FAAAAAAAAR easier to set up Content Advisor than a proxy server. Google "noaccess.rat" and you'll come accross articles that tell you how to set up IE using a white-list approach.
Having said this, however, you must be fully aware that Content Advisor can be easily disabled, even without knowing the password. One of my users did it in no time. You can find this in google as well.
Alex