Add syntax highlighting to notes
[disinclined.org.git] / _posts / 2012-04-05-proxy-demonstration.html
---
layout: note
---

<p>Proxies are servers that act as intermediaries between clients and other servers. Requests made to the proxy server are made to the content or service provider by the proxy server on behalf of the client.</p>

<p>Before permitting a request on behalf of a client, a proxy server can apply arbitrary rules to filter or authorize traffic. Validated requests can also be altered, as well as content returned to the client.</p>

<p>Proxies can be used for anonymity, bypassing geographical filters, logging, authorization, filtering and caching.</p>

<p>Reverse proxies work on behalf of content or service providers to cache dynamically generated content and load balance applications. Reverse proxies can also change the content served, but generally do not, except sometimes to compress it.</p>

<p>Tor (The Onion Router) is a layered proxy system intended for anonymity and bypassing harmful filtering. One example of its use is to bypass the Great Firewall of China, a politically purposed firewall administered by the People's Republic of China that censors politically sensitive material. The Tor proxy randomly bounces traffic through a global network of volunteer relays. Tor traffic is routed through two nodes before reaching the destination server. The first Tor relay knows the client's IP, but is not privy to the encrypted data. The intermediary servers are unaware of the origin or data. Exit relays know transmitted data, but not the origin.</p>

<p>This presentation requires a preconfigured Squid server.</p>

<p>(ports are arbitrary everywhere, but standardized by the
Internet Assigned Numbers Authority (IANA), see /etc/services)</p>

<pre class="brush: bash">
# Session/Application layer SOCKet Secure (SOCKS) 5 proxy
#

# Establish a TCP stream to dylansserver.com on port 22
# Start a SOCKS5 proxy server on port 8080
#
# ssh     # secure shell
# -f      # background command
# -N      # don't execute a remote command
# -D 8080 # dynamic port forwarding: listen as a SOCKS proxy on local port 8080
#
ssh -fND 8080 dylan@dylansserver.com

# Make an HTTP GET request using local port 8080
#
curl --socks5 localhost:8080 whatismyip.org

# Use root privileges to watch TCP packets
#
# sudo      # execute as root user
# tcpdump   # dump traffic on a network
# -vvv      # very very verbose
# -A        # print each packet in ASCII
# -i lo     # only capture packets on the loopback interface
# -s 0      # don't truncate packets
# port 8080 # only print packets using port 8080
#
sudo tcpdump -vvvA -ilo -s0 port 8080

# Watch HTTP GET requests sent over proxy
#
sudo tcpdump -vvvA -ilo -s0 port 8080 | grep -A 10 GET

# Make an HTTP request over proxy
#
curl --socks5 localhost:8080 whatismyip.org
curl --socks5 127.0.0.1:8080 whatismyip.org
curl --socks5-hostname localhost:8080 whatismyip.org # DNS on proxy

# Use proxy with browser
#
v ~/.config/luakit/globals.lua


# Network layer transparent Squid proxy
#
# (connections are whitelisted in /etc/squid/squid.conf,
# `acl client &lt;IP&gt;
# http_access allow client`)
#

# Set kernel ip_forward parameter
sudo sysctl net/ipv4/ip_forward=1

# Route traffic through remote proxy on local machine
#
# iptables              # administration tool for IPv4 packet filtering and NAT
# -t nat                # refer to "nat" packet matching table
# -A OUTPUT             # append rule to "OUTPUT" chain
# -p tcp                # match only TCP packets
# --dport 80            # match only packets destined for port 80
# -jDNAT                # jump to "DNAT" target
# --to 50.16.219.8:3128 # destination network address
#
sudo iptables -tnat -AOUTPUT -ptcp --dport 80 -jDNAT --to 50.16.219.8:3128

# Redirect to a port on the local machine instead
#
# -jREDIRECT     # jump to "REDIRECT" target
# --to-port 3128 # new destination port
#
sudo iptables -tnat -AOUTPUT -ptcp --dport 80 -jREDIRECT --to-port 3128

# Make an HTTP request over proxy
#
curl whatismyip.org

# What's an error message look like now?
#
curl 'thisisnotawebsite!@#$%^&*()_'

# Use proxy with browser
#

# Watch it happen
#
ssh dl -t "sudo tail -f /var/log/squid/access.log"
</pre>
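
<p>Added example, not part of the original notes: a parser for the SOCKS5 client request (RFC 1928) that curl sends to port 8080, showing from the address-type byte whether the hostname was resolved by the client (<code>--socks5</code>) or carried to the proxy (<code>--socks5-hostname</code>). The sample payloads and the address 192.0.2.10 are constructed for illustration.</p>

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def parse_socks5_request(data: bytes) -> dict:
    """Parse a SOCKS5 client request: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(data) < 4:
        raise ValueError("truncated request header")
    ver, cmd, _rsv, atyp = data[:4]
    if ver != 5:
        raise ValueError(f"not SOCKS5 (version byte {ver})")
    body = data[4:]
    if atyp == ATYP_DOMAIN:
        if not body:
            raise ValueError("missing domain length byte")
        addr_len, body = body[0], body[1:]  # one length byte, then the name
    elif atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    else:
        raise ValueError(f"unknown address type {atyp:#04x}")
    if len(body) < addr_len + 2:
        raise ValueError("truncated address or port")
    raw = body[:addr_len]
    if atyp == ATYP_DOMAIN:
        host = raw.decode("ascii", errors="replace")
    else:
        host = str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", body[addr_len:addr_len + 2])
    # A domain-typed request means the name is resolved at the proxy end;
    # an address-typed one means the client already did its own DNS lookup.
    resolver = "proxy" if atyp == ATYP_DOMAIN else "client"
    return {"cmd": cmd, "host": host, "port": port, "dns_resolved_by": resolver}

# Constructed sample payloads (not captured traffic). 192.0.2.10 is a
# documentation address standing in for whatever the local resolver returned.
IP_REQUEST = bytes([5, 1, 0, ATYP_IPV4, 192, 0, 2, 10]) + struct.pack("!H", 80)
NAME_REQUEST = (bytes([5, 1, 0, ATYP_DOMAIN, 14]) + b"whatismyip.org"
                + struct.pack("!H", 80))

if __name__ == "__main__":
    for label, req in (("--socks5", IP_REQUEST),
                       ("--socks5-hostname", NAME_REQUEST)):
        print(label, parse_socks5_request(req))
```

<p>With <code>--socks5</code> the DNS query leaves the client outside the SSH tunnel, so the local network still sees which name was looked up even though the HTTP request itself is proxied.</p>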