/ Zope / Apsis / Pound Mailing List / Archive / 2006 / 2006-08 / possible SSH proxy?


possible SSH proxy?
Brandon Saxe <brandon20va(at)yahoo.com>
2006-08-22 23:51:10 [ FULL ]
Is it possible to use pound as an HTTP proxy for use with SSH? I want to be
able to use putty to a proxy on port 80. I know that it requires the CONNECT
command. I compiled pound with support for CONNECT --ms-dav, but now I'm stuck.
Pound wants to forward all requests, correct? I tried forwarding to a squid
server that supports SSH HTTP proxy connections, but that fails. I see the
connect on squid, but I think the replies back to the client get lost somehow.

Squid access.log file shows the following with direct SSH proxy connection
(putty connection is successful in this case):
1156272762.818  89526 64.144.35.150 TCP_MISS/200 5344 CONNECT 192.168.0.10:22 - DIRECT/192.168.0.10 -

And here's the Squid access.log file when redirected from pound (this fails
with "Server unexpectedly closed network connection"):
1156272873.908  29180 127.0.0.1       TCP_MISS/200 80 CONNECT 192.168.0.10:22 - DIRECT/192.168.0.10 -

The only difference is the 127.0.0.1 as far as I can tell.

Is there a way to avoid using squid and have pound work directly? What would
that config look like?
OR
Is there a way to properly configure pound to redirect to squid for use with
the SSH proxied client as well? What would that config look like?

Here's my config:
User "www-data"
Group "www-data"

LogLevel 2
Alive 30

ListenHTTP
        Address 192.168.0.10
        Port 80
        xHTTP 1
        WebDAV 1

        Client 30
        # Requests whose Host header names the SSH port go to Squid on 3128
        Service
                HeadRequire "Host:.*192.168.0.10:22*"
                BackEnd
                        Address 127.0.0.1
                        Port 3128
                        TimeOut 30
                End
        End
        # Catch all: everything else goes to the web server on 8080
        Service
                BackEnd
                        Address 127.0.0.1
                        Port    8080
                End
                Session
                        Type BASIC
                        TTL 300
                End
        End
End



TIA
  brandon
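The two Squid access.log entries in the post above, re-joined onto single lines and parsed with Squid's native log layout (time, elapsed milliseconds, client, code/status, bytes sent to the client, method, URL, ident, hierarchy/peer, type). This is an added example, not code from the thread or from Pound or Squid; the 256-byte "dead tunnel" threshold is an assumption. It lists every field that differs between the direct entry and the via-pound entry, and flags CONNECT entries that returned almost nothing to the client, which is what a tunnel that was set up and then lost looks like in this log.

```python
import re
from dataclasses import dataclass, fields
from typing import List, Optional, Set, Tuple

# Squid native access.log layout ("logformat squid"):
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# The two lines posted in the thread, each re-joined onto one line.
SAMPLE_LOG = [
    "1156272762.818  89526 64.144.35.150 TCP_MISS/200 5344 CONNECT 192.168.0.10:22 - DIRECT/192.168.0.10 -",
    "1156272873.908  29180 127.0.0.1       TCP_MISS/200 80 CONNECT 192.168.0.10:22 - DIRECT/192.168.0.10 -",
]


@dataclass
class SquidEntry:
    ts: float
    elapsed_ms: int
    client: str
    status: int
    size: int        # bytes Squid sent back to the client
    method: str
    url: str
    hier: str


def parse_squid_line(line: str) -> Optional[SquidEntry]:
    """Parse one native-format line; None if the line does not match."""
    m = SQUID_LINE.match(line)
    if not m:
        return None
    return SquidEntry(float(m["ts"]), int(m["elapsed"]), m["client"],
                      int(m["status"]), int(m["size"]), m["method"],
                      m["url"], m["hier"])


# Assumption: Squid's "200 Connection established" reply is a few dozen
# bytes, so a CONNECT that sent the client less than this never carried even
# an SSH banner exchange: the tunnel was opened and then lost.
DEAD_TUNNEL_BYTES = 256


def is_dead_tunnel(e: SquidEntry) -> bool:
    return e.method == "CONNECT" and e.status == 200 and e.size < DEAD_TUNNEL_BYTES


def find_dead_tunnels(lines: List[str]) -> List[Tuple[str, str, int]]:
    """(client, target, bytes) for every CONNECT that carried nothing."""
    out = []
    for line in lines:
        e = parse_squid_line(line)
        if e is not None and is_dead_tunnel(e):
            out.append((e.client, e.url, e.size))
    return out


def diff_entries(a: SquidEntry, b: SquidEntry) -> Set[str]:
    """Names of the fields on which two entries differ."""
    return {f.name for f in fields(a) if getattr(a, f.name) != getattr(b, f.name)}


if __name__ == "__main__":
    direct, via_pound = (parse_squid_line(l) for l in SAMPLE_LOG)
    print("fields that differ:", sorted(diff_entries(direct, via_pound)))
    print("dead tunnels:", find_dead_tunnels(SAMPLE_LOG))
```

On these two lines the client address is not the only difference: the elapsed time and, above all, the byte count (5344 versus 80) differ too, and the 80-byte entry is the one flagged.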

Re: [Pound Mailing List] possible SSH proxy?
Adam Borowski <kilobyte(at)angband.pl>
2006-08-23 13:44:10 [ FULL ]
On Tue, Aug 22, 2006 at 02:51:10PM -0700, Brandon Saxe wrote:[...]

I'm afraid that CONNECT is not only not a correct WebDAV method (it is a
proprietary MS extension), but it also uses non-HTTP requests after the HTTP
handshake.  So far, Pound can do only HTTP (plain or over SSL), and support
for CONNECT would have to be coded.
[...]

All correct HTTP requests, yes.  CONNECT assumes that once this command is
issued, the protocol switches to something opaque, without Pound's meddling.
[...]

Pound expected an HTTP reply, and didn't get it.  You'll need some changes,
I'm afraid -- they are pretty easy to do, though.  Just "pass everything
through without touching it" isn't that tricky.

This assumes that there is a second proxy which can handle CONNECT requests,
though.  If you want Pound to do CONNECTs itself, we would need an ACL list
specifying where clients are allowed to request connects to.
[...]

Re: [Pound Mailing List] possible SSH proxy?
Brandon Saxe <brandon20va(at)yahoo.com>
2006-08-23 14:37:28 [ FULL ]
> Pound expected an HTTP reply, and didn't get it.  You'll need some changes,[...]

Sounds good to me.
[...]

SQUID works for this.

What do the configuration directives look like for "pass everything through
without touching it" ? I'm pretty sure that if I can get the original CONNECT
request from putty to/from SQUID sitting behind pound, then this setup will
work. I've confirmed that I can indeed connect to my ssh server using SQUID as
a proxy.

This is what I would like to put into place:
putty <---- HTTP ----> pound <---- "pass it through" ----> CONNECT:SQUID <---------> SSH server

I'm using 2.1 btw.

Also, you mentioned:[...]

Where are these ACLs? Is this something new past version 2.1?

Thanks!
  Brandon


Re: [Pound Mailing List] possible SSH proxy?
Brandon Saxe <brandon20va(at)yahoo.com>
2006-08-24 20:58:19 [ FULL ]
How would I pass everything through to a squid server behind pound that can
accept CONNECT requests and serve as an HTTP proxy for SSH connections?


Re: [Pound Mailing List] possible SSH proxy?
Malte Ahrens <malte.ahrens(at)web.de>
2006-08-25 09:52:40 [ FULL ]
Hello,[...]
the CONNECT method is not implemented in pound, so forwarding to another 
proxy is not possible unless you bypass pound.[...]
The CONNECT method is defined for web servers and proxies, refer to 
http://tools.ietf.org/html/rfc2616#page-57

I don't support the idea of implementing the CONNECT method in pound because

1. it's a security flaw. After the initial CONNECT the proxy has nothing 
to do with the further communication, but this is what a proxy _should_ 
do for security's sake!

2. it makes pound fatter and fatter. To my mind pound is designed to be 
lightweight and secure. If someone needs such a feature, his network 
design may be somewhat false ;-)

Malte

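What Adam's "pass everything through without touching it" with an ACL, and Malte's objection that after the 200 the proxy "has nothing to do with the further communication", look like in code. This is an added example in Python, not Pound's code and not the patch Adam describes: a CONNECT request parser, a hypothetical allowlist of (host, port) targets, the three possible replies, and a byte pump that relays the opaque phase both ways. The allowed target (192.168.0.10:22 from the thread), the SSH banner strings, the 400/403 handling and the socketpair wiring of the offline demo are all assumptions. The point it makes: everything a proxy can decide about a tunnel (which hosts, which ports) must be decided before the 200 is written, because from that byte on pump() copies whatever arrives without parsing it, exactly the behaviour that made Pound's HTTP parser drop the connection.

```python
import socket
import threading

# Hypothetical ACL: the only (host, port) pairs a client may CONNECT to.
ALLOWED_TARGETS = {("192.168.0.10", 22)}


class ConnectError(ValueError):
    """The request head is not a usable CONNECT request."""


def parse_connect(head):
    """Return (host, port) from a request head that ends in CRLFCRLF.

    Only "CONNECT host:port HTTP/1.x" is accepted.  Headers after the
    request line are deliberately ignored: none of them may change where the
    tunnel goes.  (Bracketed IPv6 targets are not handled here.)
    """
    if b"\r\n\r\n" not in head:
        raise ConnectError("request head is incomplete")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        raise ConnectError("not a CONNECT request line")
    host, sep, port = parts[1].decode("ascii", "replace").rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ConnectError("CONNECT target must be host:port")
    return host, int(port)


def connect_response(head, acl=ALLOWED_TARGETS):
    """Decide on a request head: (reply bytes, target or None if refused)."""
    try:
        target = parse_connect(head)
    except ConnectError:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n", None
    if target not in acl:                       # the ACL check Adam mentions
        return b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n", None
    # After this reply the connection is an opaque byte stream: no headers,
    # no Content-Length, nothing for an HTTP parser to wait for.
    return b"HTTP/1.1 200 Connection established\r\n\r\n", target


def pump(src, dst):
    """Copy bytes src -> dst until EOF without interpreting them."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)     # propagate EOF to the other side
        except OSError:
            pass


def tunnel(client, upstream):
    """Relay both directions until both sides have hit EOF."""
    threads = [threading.Thread(target=pump, args=(client, upstream)),
               threading.Thread(target=pump, args=(upstream, client))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def recv_until(sock, marker, buf=b""):
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def demo_tunnel():
    """Offline run: a fake PuTTY, this proxy and a fake sshd joined by
    socketpairs.  Returns (status line, banner seen by client, bytes seen by server)."""
    client, proxy_in = socket.socketpair()
    proxy_out, server = socket.socketpair()
    client.sendall(b"CONNECT 192.168.0.10:22 HTTP/1.1\r\nHost: 192.168.0.10:22\r\n\r\n")
    reply, target = connect_response(recv_until(proxy_in, b"\r\n\r\n"))
    proxy_in.sendall(reply)
    if target is None:
        raise RuntimeError("demo target was refused")
    # A real proxy would connect() to target here; the demo already has proxy_out.
    worker = threading.Thread(target=tunnel, args=(proxy_in, proxy_out))
    worker.start()
    server.sendall(b"SSH-2.0-OpenSSH_4.3\r\n")            # constructed sshd banner
    head, _, rest = recv_until(client, b"\r\n\r\n").partition(b"\r\n\r\n")
    banner = recv_until(client, b"\n", rest)             # arrives through pump()
    client.sendall(b"SSH-2.0-PuTTY_Release_0.58\r\n")    # constructed client banner
    seen = recv_until(server, b"\n")
    client.close()
    server.close()
    worker.join()
    proxy_in.close()
    proxy_out.close()
    return head.split(b"\r\n", 1)[0], banner, seen


if __name__ == "__main__":
    print(demo_tunnel())
```

Run stand-alone it prints the 200 status line, the sshd banner as the client saw it, and the client banner as the server saw it. Refusing a target that is not in the allowlist and rejecting anything that is not a CONNECT request happen in connect_response(), before any tunnel exists; once pump() is running there is no place left to put such a check.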