Bypassing a Restrictive Internet Proxy

by Anonymous

Background

I work at a Top 200 company where the Internet connection is filtered by a program called SmartFilter and a restrictive firewall.

Sadly, we live in an age where censorship is happening more often, and getting to raw information is getting more difficult.

SmartFilter is a piece of software created by a company called Secure Computing which plugs into the company's existing web proxy. The filter acts like any other filter, cutting off access to restricted websites, which are detected with a blacklist or word filter. Even Iran appears to be using this software. [1]

Because there is usually only one way out of the internal Intranet to the Internet, we must use the available proxy.  This article will explain how the proxy works, how to tunnel past it, and how to configure your applications.

My workplace uses Microsoft's Proxy Server with authentication enabled.

Some proxies allow an HTTP method called CONNECT, which lets a client name a host and port and have the proxy open a connection to it.

This particular proxy is configured to not support CONNECT; instead, it only allows proxying to ports 80 and 443 (HTTP and HTTPS).

The proxy only allows Fully Qualified Domain Names (FQDNs) and will deny any connection requests to a numerical IP address.

Here is how the connection is set up:

Client -> Intranet -> Proxy Filter -> Internet

Server Side

On the Internet I have a co-located machine which I use for mail and almost everything.

I set up OpenSSH to listen on port 443 of one of my available IPs by putting the following line in sshd_config:

ListenAddress 192.168.0.1:443
# replace with an available IP

By listening on port 443, we get around the limitation of the proxy not being able to connect to port 22.

If your proxy does allow connections to different ports, then you will be able to skip a few steps.  If the proxy you're trying to avoid is configured differently, you may need to make some modifications.

Regardless, set up a domain name to point to your IP address.

For this example, I'll use: pop.myip.com

  Remember the FQDN limitation mentioned earlier?

Optionally, starting Apache HTTP Server with proxy support turned on may be beneficial.  This will be explained below.

Client Side

I'll begin by setting up PuTTY.

PuTTY can now connect through a proxy, so reaching an SSH server through the corporate proxy is no longer a problem. The idea is to have PuTTY open a dynamic port, which is simply a local SOCKS proxy.

Instead of configuring the applications on my laptop to use the corporate proxy, I configure them to use my own:

Client -> Dynamic Port -> Internet

Here are the configuration settings for PuTTY:

Session
       Hostname: pop.myip.com
           Port: 443
Connection Type: SSH

Connection -> Proxy
     Proxy Type: HTTP
 Proxy Hostname: proxy
           Port: 80
       Username: username
       Password: password

SSH -> Tunnels:
Destination: 8080
Type: Dynamic
Click "Add"

It is a good idea to save these settings into a PuTTY session.

To configure Firefox to use this setup, go to the networking tab in the options screen and fill in the SOCKS (v5) host and port fields.

The host is 127.0.0.1 and the port 8080.

Pidgin IM and other instant messaging clients can be set up the same way.

I find that Apache's proxy support is faster than the dynamic port proxy method.

So, in PuTTY, I created a "Local" tunnel on the client from port 9090 to the Apache instance running on the server.

Then, I enabled proxy support in the httpd.conf file.

It is very important to restrict the proxy to your server unless you really want to give everyone a free proxy.

See the Apache HTTP Server Documentation. [2] It is a great guide on getting this set up.

Then, in Firefox, I set up the proxy to be an HTTP proxy and configured it with hostname 127.0.0.1 and port 9090.

SwitchProxy [3] is a handy Firefox plugin to quickly change proxies.

A common problem is leaking DNS information.

Even though the transport to pop.myip.com is encrypted, hostnames are still looked up through the corporate DNS servers, so the names of the sites you visit remain visible there.

Firefox supports fetching DNS information from the proxy by browsing to about:config and changing the option network.proxy.socks_remote_dns to true.

Sadly, I haven't figured out a great way to forward DNS queries from other programs.

If you're not using Windows and PuTTY, you can use OpenSSH on UNIX instead.

OpenSSH does not support authenticating proxies by default; however, there is a helper program called Corkscrew which can be used in the ProxyCommand option. [4]

Add the following lines to your ~/.ssh/config file:

Host pop.myip.com
ProxyCommand corkscrew proxy 80 pop.myip.com 443 /home/user/.authfile
TCPKeepAlive yes

This configuration tells Corkscrew to connect to the hostname proxy on port 80, then have the proxy connect to pop.myip.com on port 443 with the authentication tokens found in /home/user/.authfile.

Turning on keep-alive will attempt to prevent the tunnel from timing out.

The authfile is a file that contains your username:password for the authenticating proxy.

Make sure to chmod 600 that file!

To start the tunnel simply run:

$ ssh -D 8080 pop.myip.com
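
The tunnel above works because the proxy decides on port number and hostname alone, while SSH and TLS open very differently on the wire. As an added example (not part of the original article), this Python code labels the first client bytes of port-443 flows the way a monitoring point behind the proxy could; the flow records, addresses and example.* hostnames are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16  # TLS record content type 22 (handshake)
CLIENT_HELLO = 0x01   # handshake message type 1


def classify_first_bytes(data: bytes) -> str:
    """Label the first client-to-server bytes of a TCP stream.

    Returns "ssh", "tls", "short" (too little data to decide) or "other".
    """
    # RFC 4253 section 4.2: the client opens with "SSH-<proto>-<software>\r\n".
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) < 6:
        return "short"
    # TLS record header (type, version, length) plus the handshake type byte.
    ctype, major, minor, length, hs_type = struct.unpack("!BBBHB", data[:6])
    if (ctype == TLS_HANDSHAKE and major == 3 and minor <= 4
            and 0 < length <= 16384 and hs_type == CLIENT_HELLO):
        return "tls"
    return "other"


def flag_non_tls_443(flows):
    """Return (client, host, label) for port-443 flows that do not open with TLS."""
    findings = []
    for flow in flows:
        if flow["port"] != 443:
            continue
        label = classify_first_bytes(flow["first_bytes"])
        if label in ("ssh", "other"):
            findings.append((flow["client"], flow["host"], label))
    return findings


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    {"client": "10.0.0.21", "host": "www.example.com", "port": 443,
     "first_bytes": bytes.fromhex("16030100c8010000c40303")},
    {"client": "10.0.0.37", "host": "tunnel.example.net", "port": 443,
     "first_bytes": b"SSH-2.0-PuTTY_Release_0.60\r\n"},
    {"client": "10.0.0.21", "host": "www.example.org", "port": 80,
     "first_bytes": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for client, host, label in flag_non_tls_443(SAMPLE_FLOWS):
        print(f"{client} -> {host}:443 opened with {label}, not TLS")
```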

Conclusion

Perhaps IT people will learn that restricting what people read or where they browse is not terribly hard to work around.

(Alright, alright, it fails the grandmother test).

As long as you trust your endpoint server (and perhaps your client to a limited extent), using this method adds more protection than simply going through the corporate proxy, and, obviously, it bypasses the silly content filters.

Just don't get your IP banned by corporate.

Resources

  1. Internet Filtering in Iran 2004-2005
  2. Apache HTTP Server Documentation
  3. SwitchProxy Tool 1.4.1
  4. Corkscrew: a tool for tunneling SSH through HTTP proxies.