Ruby TCPSocket through Proxy - ruby

I have a Socket client (Socket.tcp) that I'd like to proxy through another machine. I've blooked in to SOCKS libraries (https://github.com/samuelkadolph/ruby-proxifier), but it seems to require having an active proxy on the machine the code is running, which would proxy ALL network traffic on the machine?
Ideally, this will be a Sidekiq background job where just the worker's code is proxied, not the other code on the server (it will be within a Rails application).
I see the Net::SSH library (https://net-ssh.github.io/ssh/v2/api/classes/Net/SSH/Proxy/SOCKS5.html) has some stuff around SOCKS, but I'm unsure if this is the best approach (does this lib establish the SOCKS proxy?).
Any pointers to proxying an individual socket client would be really helpful. Thanks!

Ended up going with a ssh -D tunnel on the application server and keeping a reference to the proxy in application and patching the network library to use https://github.com/samuelkadolph/ruby-proxifier.

Related

Ruby Sockets via proxy

Is is possible to use Socks5 proxy when communicating over Ruby Socket?
I need to communicate with a Modbus device from a fixed IP. As my Rails app is hosted on Heroku, I'm thinking about using IPBurger addon to get the fixed IP. The addon gives me a Socks5/HTTP and HTTPS proxies. The Modbus library I want to use (RModbus) is build using Sockets:
https://github.com/rmodbus/rmodbus/blob/master/lib/rmodbus/tcp.rb
I'm considering forking the library and making the necessary changes to be able to pass the proxy details to it. How can I define a proxy in the Ruby Socket? What are my other options?

How can I make my Windows C++/OpenSSL application proxy-aware?

I'm working on a desktop C++ application which uses OpenSSL sockets (a raw TLS socket, not HTTPS) to communicate with our server.
One of our clients are required to route their traffic through a proxy. The client is using ZScaler in Tunnel with Local Proxy mode.
In theory, it's possible to reconfigure ZScaler to force our traffic through a proxy chosen by ZScaler. However, I want to investigate solutions where our application uses the Windows OS-level proxy settings rather than relying on ZScaler configuration.
I've read this post:
openssl s_client using a proxy
But I'm uncertain whether those answers apply to my situation, because that user didn't mention whether they're using Windows or Linux, and they appear to be talking about an HTTP/HTTPS proxy. Also, that question appears to be asking about the s_client function, rather than simply creating a TLS socket to my server through a "Tunnel with Local Proxy" on Windows.
So, my questions are:
Can OpenSSL be used to open an SSL socket to a server through Tunnel with Local Proxy?
Can we make an OS call to determine the IP/socket for the Tunnel with Local Proxy configuration?
If this is possible, then I have another question: suppose we have a single proxy at 10.100.10.0:5000.
If one user in our client's office opens a socket to our server via their proxy, will a 2nd user be unable to connect from their office because they're bottlenecked at single proxy socket?
Put another way: what is the standard way of implementing proxy-awareness for a Windows application using OpenSSL?
Note: This question was originally posted to Network Engineering stack exchange, but it was closed because it refers to an issue above OSI layer 4.
Note: I'm looking for a solution that does not require administrator permissions on the user PC. I would prefer for our application to discover and use OS-level proxy settings without making any administrative changes to the machine, i.e. by calling netsh.
Can OpenSSL be used to open an SSL socket to a server through Tunnel with Local Proxy?
OpenSSL doesn't do it for you but OpenSSL does not prevent it either. The tunnel has to be established before you do the TLS handshake to the endpoint. Depending on what kind of proxy this is you might need to use a HTTP CONNECT method for this or might need to use the SOCKS protocol or whatever your proxy requires. In case of ZScaler this is likely the HTTP CONNECT method but you need to make sure that the connection to the target IP and port is actually allowed by the security policy.
Once you've established the tunnel to the endpoint using the proxy you can just build the SSL socket on top of the TCP socket for the tunnel. Just do the usual SSL setup (i.e. SSL_new etc) and then associate the SSL object with the existing socket using SSL_set_fd. Then proceed as usual with the handshake, i.e. SSL_connect or similar.
Can we make an OS call to determine the IP/socket for the Tunnel with Local Proxy configuration?
I don't know but Winsock use system proxy settings might answer this part.
If one user in our client's office opens a socket to our server via their proxy, will a 2nd user be unable to connect from their office because they're bottlenecked at single proxy socket?
This should not be a problem. It is perfectly normal to have multiple connections through the proxy.

Send the request to Proxy server from Web server

I made a proxy server in python 3. It listens on the port 4444. It basically receives the request from clients and sends it to the server. I want to use it as a firewall to my Dvwa server. So added another functionality to the proxy. What it does is, before sending the request to the DVWA server, it validates the input.
But the problem is, the clients have to configure their proxy settings in the browser to use my proxy server. Is there any way to access the proxy without configuring the browser settings. Basically I want to host the proxy server instead of the original web server. So that all the traffic goes through the proxy before going to the webserver.
Thanks in advance...
You don't say whether your Python3 proxy is hosted on the same machine as the DVWA.
Assuming it is, the solution is simple: a reverse-proxy configuration. Your proxy transparently accepts and forwards requests to your server who then processes them and sends them back via the proxy to the client.
Have your proxy listen on port 80
Have the DVWA listen on a port other than 80 so it's not clashing (e.g. 8080)
Your proxy, which is now receiving requests for the IP/hostname which would otherwise go to the DVWA, then forwards them as usual.
The client/web browser is none the wiser that anything has changed. No settings need changing.
That's the best case scenario, given the information provided in your question. Unfortunately, I can't give any alternative solutions without knowing the network layout, where the machines reside, and the intent of the project. Some things to consider:
do you have a proper separation of concerns for this middleware you're building?
what is the purpose of the proxy?
is it for debugging/observing traffic?
are you actually trying to build a Web Application Firewall?

How do you use Thrift protocol via corporate Proxy?

I've had a search over the internet but can't seem to find any straightforward instructions on how to use the Thrift protocol from behind a proxy.
To give you a bit of background - we have a Zipkin instance setup (https://github.com/twitter/zipkin) that uses a Cassandra instance (http://cassandra.apache.org/) to store Zipkin traces. Our intention is to negotiate over the thrift protocol to a collector that is then responsible for writing traces to Cassandra.
What conditions have to be in place for us to negotiate successfully via our corporate proxy? Do we just have to set certain proxy properties when trying to negotiate or do we have to set something else up that allows this negotiation to happen?
Any help people can give in this direction with regards to resources and/or an answer would be greatly appreciated.
The Apache Thrift TSocketTransport (almost certainly what you are using) uses TCP on a configurable port. Cassandra usually uses port 9160 for thrift. When using Thrift/TCP no HTTP setup is necessary. Just open 9160 (and any other ports your custom thrift servers may be listening on).
Though you can use Thrift over HTTP, Thrift is RPC, not REST, so proxy caching will cause problems, the client needs a direct comm channel with the server.
If you do need to access a thrift service via a proxy, something like this would work:
https://github.com/totally/thrift_goodies/blob/master/transport.py
You can kill the kerberos stuff if you don't need that.

VNC connection brokering (RFB protocol server)

Please consider the following scenario:
VNC Client try to connect with a VNC Server which is behind a NAT.
I have written a port forwarder in java which help me achieving above task, and it works fine.
Now I need to, somehow, add a connection brokering functionality within this forwarder so that I can also intercept the communication between VNC Client – Server, and authenticate the VNC Client within the forwarding utility as well.
You may have guessed that actually I am using the password received from VNC Client for some authentication in my app. As the RFB Server can be implemented at application layer, I guess this interception is possible... VNCAuthentication (DES encryption/decryption) is used in all above communication. Upon successful authentication within the forwarding utility I shall just let the forwarding continue for that respective client, else I can close it (stop forwarding).
I have tried some implementation, also tried customizing a java implementation of rfb server... but still not able to get there. It will take some time, I know, but need to confirm if I am thinking straight.
Please let me know if the implementation of above scenario is ambiguous, not possible, or illegitimate and if this is possible, let me have some guild lines...
This seems like a good implementation. Think of it like a VNC proxy, just like an HTTP(S) proxy. There are also HTTP authenticating proxies. You're implementing part of the VNC protocol to create an authenticating VNC proxy.
Maybe you can get some inspiration from VNCProxy, an existing Java VNC proxy.

Resources