Webster's Dictionary defines a proxy as:
1: the agency, function, or office of a deputy who acts as a substitute for another
2: authority or power to act for another
In networking the most common proxy is a web proxy, operating at Layer 7 (application layer of the OSI model). The proxy relays a request from a client (Alice) to a server (Bob).
There are many reasons to use a proxy. A common use is control. Enterprises and educational institutions use proxies to control where their employees or students go on the internet. Since they own the network, and the employees, for example, should be doing work-related internet actions, the organization will typically run a black-list on the proxy, preventing the end user from accessing unapproved websites.
When using a proxy, it will be the proxy's IP address that gets logged on the server rather than that of the originating client. This provides a layer of obfuscation, since the server will not have the client's IP address in the log. Tor is a set of complex nodes which act as a proxy, giving the client some privacy.
Although some will say that NAT provides this level of privacy (by obscuring the client's IP address), the source can be followed back to the household from where the request originally came (lawful requests demand this of ISPs).
A proxy, however, can be somewhere out on the internet, and can provide proxy services for both IPv4 and IPv6, thus providing a level of privacy for both network layer protocols.
Unfortunately, most IoT equipment is IPv4-only. Common items like smart TVs, internet radios, smart lighting, and smart fill-in-the-blank have two common problems
But what if you want your IoT device to be accessible on your IPv6-only network?
A reverse-proxy typically sits in front of a server (or device), where a normal proxy sits in front of the client.
Load balancers are just fancy reverse-proxies. For large websites, a single webserver cannot serve all the requests. By sticking a load balancer in front of several webservers, the web traffic load can be shared. There are several algorithms which can be used to spread the load across the webserver farm. Many networking vendors, such as Cisco, have been making hardware-accelerated load balancers for years.
Although proxies usually operate at L7, depending on how much control is required, proxies can operate lower on the OSI layer stack.
socat
socat, or Socket Cat, is a cousin of the popular netcat or nc. While a common usage of nc is to act as a client at the edge of the network, socat typically is in the middle of the network, providing some kind of translation (IPv4->IPv4, IPv4->IPv6, IPv6->IPv4, IPv6->IPv6).
socat operates on the L3/L4 tuple. A typical usage:
socat TCP6-LISTEN:8080,fork,reuseaddr TCP4:drsol.com:80
test with
curl -6 -I http://localhost:8080
But socat has limitations, in that it only translates to one destination address.
socat proxy on your laptop
Install socat on your laptop
sudo apt-get install socat
or
sudo yum install socat
Open two (2) terminal windows:
socat as a proxy
socat -d TCP6-LISTEN:8080,fork,reuseaddr TCP4:drsol.com:80
curl in the second terminal to test the proxy
curl -I -6 http://localhost:8080/
Discuss the following:
-6 parameter on curl?
drsol.com webserver?
ssh
ssh has the ability to tunnel multiple conversations inside the encrypted pipe that it sets up to a remote host. A common usage of this is ssh -X example.com, which will forward X-Windows (a GUI system for Unix/Linux), allowing remote operation of GUI applications, like editors.
But ssh can carry other information inside the ssh tunnel, such as web traffic via a SOCKS proxy. First one needs a remote host to ssh to. Using the -D parameter, we can set up a SOCKS proxy from that remote host.
ssh -D 8080 user@example.com
We'll use api64.ipify.org to return the IP address we made the request from. Test with curl, and note the IP address returned:
curl -x socks5://localhost:8080 http://api64.ipify.org
Now test without the SOCKS proxy:
curl http://api64.ipify.org
Note the different IP address returned.
You can have your browser use the ssh proxy as well by configuring the SOCKS proxy. In Firefox:
The limitation of using an ssh SOCKS proxy is that you need to have ssh access to a remote machine.
ssh proxy on your laptop
Open two (2) terminal windows:
ssh to a remote host which will be the proxy
ssh -D 8080 vicpi@craig.vicpi.drsol.com
curl
curl -x socks5://localhost:8080 http://api64.ipify.org
Discuss the following:
curl?
-4 flag, what IPv4 address is returned?
Extra-Credit: configure your web browser for a SOCKS5 proxy, and surf the web. Enter the URL http://api64.ipify.org
Common web servers can also act as proxies. Since the webserver is operating at Layer 7 of the OSI model, it has access to the actual HTML text, and can modify it as it is proxied. Of course, if you are expecting to pass encrypted traffic (with TLS), then the proxy can decrypt the traffic, and see the traffic before re-encrypting it to the final destination. This is generally frowned upon, since the L7 proxy is in fact spoofing the TLS connection.
For non-encrypted traffic, there is a good how-to configure Apache
A reverse proxy is a proxy that typically sits in front of one or more servers, rather than the client. Reverse proxies are typically used as load-balancers or protocol converters.
Again there are two types of reverse proxies, the L3/L4, and the L7.
socat as a reverse proxy
Say I want to have IPv6 access for my IPv4-only IoT device. It could be any IPv4-only IoT device, but in this example, I'll use my Internet Radio.
The socat reverse proxy is similar, but this time we give it the IPv4 address of our IoT device.
IOT_ADDR=192.168.99.36
socat TCP6-LISTEN:8080,fork,reuseaddr TCP4:$IOT_ADDR:80
test with
curl -I http://netsig.makiki.ca:8080
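What the socat reverse proxy above does, as an added Python example (not code from the original page): one listener, one fixed target, one thread per client. The source allow-list (`allowed`) is an assumption added here that the page's command does not have, and all function names are hypothetical.

```python
# Added example: function names are hypothetical, not from the page.
import contextlib
import ipaddress
import socket
import threading

def pump(src, dst):
    """Copy bytes one way until EOF or error, then half-close the far side."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)  # always pass the EOF on

def handle(client, peer, target, allowed):
    """Relay one accepted connection to the single fixed target."""
    with client:
        source = ipaddress.ip_address(peer[0].split("%")[0])  # drop any scope id
        if not any(source in net for net in allowed):
            return  # not on the allow-list: close without contacting the device
        try:
            with socket.create_connection(target, timeout=5) as upstream:
                upstream.settimeout(None)  # the 5 s limit was for connecting only
                back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
                back.start()
                pump(client, upstream)
                back.join()
        except OSError:
            return  # device unreachable

def serve(listener, target, allowed):
    """Accept loop, one thread per client: the job socat's fork option does."""
    while True:
        try:
            client, peer = listener.accept()
        except OSError:
            return  # listener was closed
        threading.Thread(target=handle, args=(client, peer, target, allowed),
                         daemon=True).start()

def listen(host, port=0):
    """Listening socket on host; an IPv6 literal gives an IPv6-only listener."""
    v6 = ":" in host
    sock = socket.socket(socket.AF_INET6 if v6 else socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # socat's reuseaddr
    if v6:
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
    sock.bind((host, port))
    sock.listen()
    return sock
```

The device sees every relayed connection arrive from the relay's own IPv4 address, so its logs show the proxy and not the IPv6 client. Without an allow-list, anyone who can reach the listening port can reach the device.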
nginx as a reverse proxy
Reverse proxy is quite easy in nginx. The following configuration not only directs nginx to be a reverse-proxy, but also modifies the HTML text on the fly, replacing a hardcoded IPv4 address with the DNS hostname 6wr26.hoomaha.net:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name localhost;

    # Setup proxy
    location / {
        # sub module stuff
        sub_filter_once off;
        sub_filter 'http://192.168.99.36' 'http://6wr26.hoomaha.net';

        # rev proxy config
        proxy_pass http://wr26.hoomaha.net/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
nginx reverse proxy config with on-the-fly HTML modification (sub_filter).
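The X-Forwarded-For line in the configuration above appends $remote_addr to whatever X-Forwarded-For header the client sent, so a backend that logs client addresses has to decide which entries to believe. An added Python example of that decision (not from the original page); the function names are hypothetical and every address other than 192.168.99.36's subnet is constructed.

```python
import ipaddress

def proxy_add_x_forwarded_for(client_header, remote_addr):
    """Value nginx computes for $proxy_add_x_forwarded_for: the client's own
    X-Forwarded-For header, if any, with $remote_addr appended."""
    return f"{client_header}, {remote_addr}" if client_header else remote_addr

def naive_client_ip(xff):
    """Left-most entry: entirely client-controlled, shown only for contrast."""
    return xff.split(",")[0].strip()

def client_ip(peer, xff, trusted_proxies):
    """Address to log for a request (hypothetical helper).

    peer:            TCP peer address the backend actually saw
    xff:             X-Forwarded-For header value, or None
    trusted_proxies: CIDR strings for proxies we operate ourselves
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff.split(",")] if xff else []
    # Walk right to left: each entry was appended by the hop to its right,
    # so it is only believable while that hop is one of our own proxies.
    while hops and any(current in n for n in nets):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed entry: keep the last address we could verify
    return str(current)

def demo():
    """Constructed request: a client at 2001:db8:1::50 sends its own
    X-Forwarded-For value through the nginx proxy, and the proxy reaches
    the backend from 192.168.99.2 (constructed proxy address)."""
    forwarded = proxy_add_x_forwarded_for("10.0.0.1", "2001:db8:1::50")
    return (forwarded,
            naive_client_ip(forwarded),
            client_ip("192.168.99.2", forwarded, ["192.168.99.2/32"]),
            client_ip("203.0.113.9", forwarded, ["192.168.99.2/32"]))
```

X-Real-IP in the same configuration is set outright to $remote_addr rather than appended to, so the backend can use it directly, but only on connections that arrive from the proxy itself.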
socat
Open two (2) terminal windows:
ssh to a remote host which will be the proxy
ssh demo@netsig.makiki.ca
IOT_ADDR=192.168.99.36
socat TCP6-LISTEN:8080,fork,reuseaddr TCP4:$IOT_ADDR:80
curl
curl -6 netsig.makiki.ca:8080
Discuss the following:
Proxies are useful, even in the modern internet, whether acting as a load balancer, providing additional privacy, or accessing legacy (read: IPv4-only) devices. The internet is about connecting disparate devices together. socat and nginx are excellent proxy tools to keep in your networking toolbox.
26 October 2020