Pound Mailing List Archive, 2006-08
possible SSH proxy?
Brandon Saxe <brandon20va(at)yahoo.com>
2006-08-22 23:51:10
Is it possible to use pound as an HTTP proxy for use with SSH? I want to be
able to use putty to a proxy on port 80. I know that it requires the CONNECT
command. I compiled pound with support for CONNECT --ms-dav, but now I'm stuck.
Pound wants to forward all requests, correct? I tried forwarding to a squid
server that supports SSH HTTP proxy connections, but that fails. I see the
connect on squid, but I think the replies back to the client get lost somehow.
Squid access.log file shows the following with direct SSH proxy connection
(putty connection is successful in this case):
1156272762.818 89526 64.144.35.150 TCP_MISS/200 5344 CONNECT 192.168.0.10:22 - DIRECT/192.168.0.10 -
And here's the Squid access.log file when redirected from pound (this fails
with " Server unexpectedly closed network connection"):
1156272873.908 29180 127.0.0.1 TCP_MISS/200 80 CONNECT 192.168.0.10:22 - DIRECT/192.168.0.10 -
The only difference is the 127.0.0.1 as far as I can tell.
Is there a way to avoid using squid and have pound work directly? What would
that config look like?
OR
Is there a way to properly configure pound to redirect to squid for use with
the SSH proxied client as well? What would that config look like?
Here's my config:
User "www-data"
Group "www-data"
LogLevel 2
Alive 30

ListenHTTP
    Address 192.168.0.10
    Port 80
    xHTTP 1
    WebDAV 1
    Client 30

    # Requests whose Host header names the SSH target go to squid
    Service
        HeadRequire "Host:.*192.168.0.10:22*"
        BackEnd
            Address 127.0.0.1
            Port 3128
            TimeOut 30
        End
    End

    Service
        # Catch All
        BackEnd
            Address 127.0.0.1
            Port 8080
        End
        Session
            Type BASIC
            TTL 300
        End
    End
End
TIA
brandon
Re: [Pound Mailing List] possible SSH proxy?
Adam Borowski <kilobyte(at)angband.pl>
2006-08-23 13:44:10
On Tue, Aug 22, 2006 at 02:51:10PM -0700, Brandon Saxe wrote:[...]
I'm afraid that CONNECT is not only not a correct WebDAV method (but a
proprietary MS extension), but it also uses non-HTTP requests after the HTTP
handshake. So far, Pound can do only HTTP (plain or over SSL), and support
for CONNECT would have to be coded.
[...]
All correct http requests, yes. CONNECT assumes that once this command is
issued, the protocol switches to something opaque, without Pound's meddling.
[...]
Pound expected an HTTP reply, and didn't get it. You'll need some changes,
I'm afraid -- they are pretty easy to do, though. Just "pass everything
through without touching it" isn't that tricky.
This assumes that there is a second proxy which can handle CONNECT requests,
though. If you want Pound to do CONNECTs itself, we would need an ACL list
specifying where clients are allowed to request connects to.
[...]
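As an added illustration (not Pound's code and not from this thread), here is the request-line check a CONNECT-capable proxy needs, with the destination allowlist Adam mentions; the allowed target value is constructed for the example. A 200 is the point at which the proxy must stop parsing HTTP and relay raw bytes, which is exactly what an HTTP-only proxy like Pound cannot do.

```python
import re

# Constructed allowlist of "host:port" targets clients may tunnel to.
ALLOWED_TARGETS = {"192.168.0.10:22"}

# Request line of an RFC 2616 CONNECT: "CONNECT host:port HTTP/1.x"
REQUEST_LINE = re.compile(r"^CONNECT ([^\s:]+):(\d{1,5}) HTTP/1\.[01]$")


def parse_connect(head: bytes):
    """Return (host, port) from a CONNECT request head, or None if it is not one."""
    first = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    m = REQUEST_LINE.match(first)
    if not m:
        return None
    host, port = m.group(1), int(m.group(2))
    if not 0 < port < 65536:
        return None
    return host, port


def connect_response(head: bytes, allowed=ALLOWED_TARGETS):
    """Decide how a CONNECT-capable proxy answers the request head.

    Returns (status, raw_reply). On 200 the proxy opens a TCP connection to the
    target and from then on copies bytes in both directions without interpreting
    them; any other status is an ordinary HTTP reply and the client is closed.
    """
    target = parse_connect(head)
    if target is None:
        return 400, b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    if f"{target[0]}:{target[1]}" not in allowed:
        # Deny by default: only listed destinations may be tunnelled.
        return 403, b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"
    return 200, b"HTTP/1.1 200 Connection established\r\n\r\n"
```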
Re: [Pound Mailing List] possible SSH proxy?
Brandon Saxe <brandon20va(at)yahoo.com>
2006-08-23 14:37:28
> Pound expected an HTTP reply, and didn't get it. You'll need some changes,[...]
Sounds good to me.
[...]
SQUID works for this.
What do the configuration directives look like for "pass everything through
without touching it" ? I'm pretty sure that if I can get the original CONNECT
request from putty to/from SQUID sitting behind pound, then this setup will
work. I've confirmed that I can indeed connect to my ssh server using SQUID as
a proxy.
This is what I would like to put into place:
putty <---- HTTP ----> pound <---- "pass it through" ---->
CONNECT:SQUID <--------->SSH server
I'm using 2.1 btw.
Also, you mentioned:[...]
Where are these ACL's? Is this something new past version 2.1?
Thanks!
Brandon
Re: [Pound Mailing List] possible SSH proxy?
Brandon Saxe <brandon20va(at)yahoo.com>
2006-08-24 20:58:19
How would I pass everything through to a squid server behind pound that can
accept CONNECT requests and serve as an HTTP proxy for SSH connections?
Re: [Pound Mailing List] possible SSH proxy?
Malte Ahrens <malte.ahrens(at)web.de>
2006-08-25 09:52:40
Hello,[...]
the CONNECT method is not implemented in pound, so forwarding to another
proxy is not possible unless you bypass pound.[...]
The CONNECT method is defined for web servers and proxies, refer to
http://tools.ietf.org/html/rfc2616#page-57
I don't support the idea to implement the CONNECT method in pound because
1. it's a security flaw. After the initial CONNECT the proxy has nothing
to do with the further communication, but this is what a proxy _should_
do for security's sake!
2. it makes pound become more and more fat. To my mind pound is designed
lightweight and secure. If someone needs such a feature his network
design may be somewhat false ;-)
Malte