Breaking out of a proxy jail: Desproxy

Desproxy allows you to create a standard TCP connection to a remote host via an HTTP proxy, by use of the CONNECT method.

The CONNECT method is normally used by proxy servers to allow HTTPS (SSL) communication between a client and server. Because this information is encrypted the proxy server does not try to read it, and just lets a full connection through. Generally, this type of connection will only be allowed on "safe" ports (443 is the main one, but there are others). So, provided the server application you are trying to connect to is listening on port 443, you should be able to make a full TCP connection.

The quickest way to check if your server supports CONNECT, is to try and connect to a HTTPS site, such as GMail. If that page loads, you should be OK.

Desproxy can be run on both Windows and most *nix (including OS X), so I will describe their use on both systems here.

Installing desproxy on Windows

First, you need to download the Windows binaries: desproxy-0.1.0-pre3-windows.zip (SourceForge).

Desproxy requires the cygwin1.dll to run, but it's bundled in the zip file so you don't need to worry about it. Just make sure it's in the same directory as the executables when you try to run it. Obivously you will need to extract the files to somewhere you have executable access in.

Installing desproxy on *nix (including OS X)

First, you need to download the source: desproxy-0.1.0-pre3.tar.gz (SourceForge).

The binaries are reported to build on pretty much any POSIX system with a C compiler and the `make` tool. If you're running on OS X, this means you need to have the Developer Tools installed.

Extract the files from the compressed tarball:

tar vxfz desproxy-0.1.0-pre3.tar.gz

Configure the Makefile:

./configure

Build the binaries:

make

Copy the binaries to your /usr/local/bin directory. You will probably need root access to do this, so use either su or sudo:

cp src/desproxy src/desproxy-dns src/desproxy-inetd src/desproxy-socksserver /usr/local/bin

Once the binaries are installed, they both take the same arguments, although they will obviously have to be run from different shells (cmd.exe for Windows, and what ever you want for *nix).

Desproxy has two modes: a simple tunnel or a socks server.

Tunnelling with desproxy

Tunnelling allows you to make a single connection to a specific host on a certain port. This is useful when you just want to do something simple like connect to a remote SSH server.

To create a new tunnel, desproxy takes the following syntax:

desproxy remote_host remote_port proxy_host proxy_port local_port

Example, I want to connect to an SSH server on port 22 at www.yourserver.com via a proxy on port 8000 at 192.168.1.92 and map it to local port 1122:

desproxy www.yourserver.com 22 192.168.1.92 8000 1122

If your proxy requires you to authenticate with a user and password, you need to set the PROXY_USER variable in your shell to "user:pass".

To do this in Windows:

env PROXY_USER="user:pass"

To do this in *nix will vary from shell to shell, so look at your man pages. In bash, it's:

export PROXY_USER="user:pass"

Desproxy does not support NTLM authentication. To connect to a Microsoft proxy server, you will need to use something like NTLM Authorization Proxy Server. I've not tried this myself yet, so I can't say much more on the subject.

Once the app is running, you can connect to the local port you specified (in the example 1122) just as if the server was running locally (so use 127.0.0.1 or localhost or your local IP). Desproxy will do the rest.

A normal session looks something like this:

miguel@Kosmos3000$ desproxy 127.0.0.1 21 127.0.0.1 4480 2222

-----------------------------------
desproxy                      0.0.8

HTTP/1.1
(c) Miguelanxo Otero Salgueiro 2001
-----------------------------------

Listening on port 2222
Connection request from 127.0.0.1, port 1227
Connecting to http proxy (127.0.0.1:4480)
Bidirectional connection stablished
(127.0.0.1:21) <-> (localhost)
End of connection.

Running a SOCKS server with desproxy

Setting desproxy to run as a SOCKS server allows you to make more advanced, dynamic connections. It's only really useful like this if your proxy allows you to connect on non-HTTPS ports, which isn't common.

To run the app as a SOCKS server, desproxy takes the following syntax:

desproxy-socksserver proxy_host proxy_port local_port

Example, I want to run the SOCKS server on port 1080 via a proxy running at 192.168.1.92 on port 8000

desproxy-socksserver 192.168.1.92 8000 1080

Again, if your proxy server requires authentication you will need to set the PROXY_USER variable as described previously.

Once the SOCKS server is running, you will need to specify the use of a proxy server in the application you want to use. The server is running locally, so connect to your local address (127.0.0.1 or localhost). Although it's author says the SOCKS server should do both SOCKS v4 and v5, I've not managed to get it to work with v5. The server requires no authentication.

For more information on desproxy, including explaination of error messages, check out the homepage.

Specific examples using desproxy

Desproxy can be used for simple connections like SSH, or complex things like BitTorrent. I've written a description of setting up the latter: Azureus on OS X with desproxy. I've also noted in the relevant pages if the use of desproxy could be applicable.