Proxies: Everything you wanted to know but were afraid to ask

by Craig Miller


(Figure: Bob via proxy)

Webster's Dictionary defines a proxy as:

1: the agency, function, or office of a deputy who acts as a substitute for another

2: authority or power to act for another

In networking, the most common proxy is a web proxy, operating at Layer 7 (the application layer of the OSI model). The proxy relays a request from a client (Alice) to a server (Bob).

Why use a proxy?

Control

There are many reasons to use a proxy. A common one is control. Enterprises and educational institutions use proxies to control where their employees or students go on the internet. Since the organization owns the network, and its employees, for example, should be doing work-related things on the internet, it will typically run a black-list on the proxy, preventing the end user from accessing unapproved websites.

Privacy

When using a proxy, it is the proxy's IP address that gets logged on the server, rather than that of the originating client. This provides a layer of obfuscation, since the server will not have the client's IP address in its log. Tor is a network of relay nodes which together act as a proxy, giving the client some privacy.

Although some will say that NAT provides this level of privacy (by obscuring the client's IP address), the source can still be followed back to the household from which the request originally came (lawful requests demand this of ISPs).

A proxy, however, can be somewhere out on the internet, and can provide proxy services for both IPv4 and IPv6, thus providing a level of privacy for both network layer protocols.

Translation of legacy equipment

Unfortunately, most IoT equipment is IPv4-only. Common items like smart TVs, Internet Radios, Smart Lighting, and Smart fill-in-the-blank have two common problems:

  1. Security is an after-thought (if at all)
  2. They support IPv4 only

But what if you want your IoT device to be accessible on your IPv6-only network?

A reverse proxy typically sits in front of a server (or device), whereas a normal proxy sits in front of the client.

(Figure: reverse proxy)

Load Balancing

Load balancers are just fancy reverse proxies. For large websites, a single webserver cannot serve all the requests. By placing a load balancer in front of several webservers, the web traffic load can be shared. There are several algorithms which can be used to spread the load across the webserver farm. Many networking vendors, such as Cisco, have been making hardware-accelerated load balancers for years.

(Figure: load balancer network)

Types of Proxies

Although proxies usually operate at L7, depending on how much control is required, proxies can operate lower in the OSI stack.

L3/L4 proxy using socat

socat, or Socket Cat, is a cousin of the popular netcat (nc). While a common usage of nc is to act as a client at the edge of the network, socat typically sits in the middle of the network, providing some kind of translation (IPv4->IPv4, IPv4->IPv6, IPv6->IPv4, IPv6->IPv6).

socat operates on the L3/L4 tuple (addresses and ports). A typical usage:

socat TCP6-LISTEN:8080,fork,reuseaddr TCP4:drsol.com:80

Test with:

curl -6 -I http://localhost:8080

But socat has a limitation: it only translates to one destination address.


1. Hands On - Run a socat proxy on your laptop

Install socat on your laptop:

sudo apt-get install socat

or

sudo yum install socat

Open two (2) terminal windows:

  1. Run socat as a proxy:
socat -d  TCP6-LISTEN:8080,fork,reuseaddr TCP4:drsol.com:80
  2. Run curl in the second terminal to test the proxy:
curl -I -6 http://localhost:8080/

Discuss the following:


L4 Tunnel with ssh

ssh has the ability to tunnel multiple conversations inside the encrypted pipe it sets up to a remote host. A common use of this is ssh -X example.com, which forwards X-Windows (a GUI system for unix/linux), allowing remote operation of GUI applications, like editors.

But ssh can carry other traffic inside the ssh tunnel, such as web traffic via a SOCKS proxy. First one needs a remote host to ssh to. Using the -D parameter, we can set up a local SOCKS proxy whose traffic exits from that remote host.

ssh -D 8080 user@example.com

We'll use api64.ipify.org, which returns the IP address the request came from. Test with curl, and note the IP address returned:

curl -x socks5://localhost:8080 http://api64.ipify.org

Now test without the SOCKS proxy:

curl http://api64.ipify.org

Note the different IP address returned.

You can also use the ssh proxy from your browser by configuring it as a SOCKS proxy. (Figure: Firefox proxy settings)

The limitation of using an ssh SOCKS proxy is that you need ssh access to a remote machine.
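What curl actually says to the port that ssh -D opened is a short SOCKS5 exchange, shown here as an added example (not curl's or OpenSSH's code, and not part of the original article) with both sides' messages: the client's greeting, the proxy's method choice, the CONNECT request, and the proxy's reply, after which the socket is a plain tunnel to the destination. The proxy side is a constructed mock on 127.0.0.1 that records the destination asked for and echoes the tunnelled bytes back instead of connecting out. One detail worth seeing: a hostname can be sent as-is (address type 0x03) so that the far end resolves it, which is what curl does for socks5h:// URLs; a plain socks5:// URL, as used above, makes curl resolve api64.ipify.org locally and send the resulting IP address instead.

```python
"""Added example (not curl's or OpenSSH's code): the SOCKS5 CONNECT exchange that
`curl -x socks5://localhost:8080 ...` performs against the listener ssh -D opened.
The proxy here is a constructed mock that records the destination and echoes the tunnel."""
import socket
import struct
import threading

SOCKS_VERSION, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def _recv_exactly(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def build_connect_request(host, port):
    """Client -> proxy: VER CMD RSV ATYP DST.ADDR DST.PORT. A literal IP is sent as
    ATYP 1/4; anything else goes as a hostname (ATYP 3) for the proxy to resolve."""
    try:
        body = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            body = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect_request(sock):
    """Proxy side: read one CONNECT request, return (host, port) as the client asked for it."""
    ver, cmd, _rsv, atyp = _recv_exactly(sock, 4)
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("unsupported SOCKS request")
    if atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, _recv_exactly(sock, 4))
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, _recv_exactly(sock, 16))
    elif atyp == ATYP_DOMAIN:
        (length,) = _recv_exactly(sock, 1)
        host = _recv_exactly(sock, length).decode("idna")
    else:
        raise ValueError("unknown address type")
    (port,) = struct.unpack("!H", _recv_exactly(sock, 2))
    return host, port


def mock_socks5_server(seen):
    """Constructed stand-in for the ssh -D listener on 127.0.0.1: negotiates no-auth,
    appends the requested destination to `seen`, replies success, then echoes the tunnel."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            ver, nmethods = _recv_exactly(conn, 2)
            methods = _recv_exactly(conn, nmethods)
            if ver != SOCKS_VERSION or NO_AUTH not in methods:
                conn.sendall(bytes([SOCKS_VERSION, 0xFF]))       # no acceptable method
                return
            conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
            seen.append(parse_connect_request(conn))
            # Reply: VER REP=0 (succeeded) RSV ATYP BND.ADDR BND.PORT (bind address unused here)
            conn.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + bytes(4) + bytes(2))
            while True:                                          # tunnel: echo instead of connecting out
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    threading.Thread(target=handle, daemon=True).start()
    return srv


def socks5_roundtrip(host, port, payload):
    """Client side of the exchange. Returns (destination the proxy saw, bytes echoed back)."""
    seen = []
    srv = mock_socks5_server(seen)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as c:
            c.connect(srv.getsockname())
            c.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))        # greeting: we offer one method
            ver, chosen = _recv_exactly(c, 2)
            if ver != SOCKS_VERSION or chosen != NO_AUTH:
                raise ConnectionError("proxy refused our authentication method")
            c.sendall(build_connect_request(host, port))
            ver, rep, _rsv, atyp = _recv_exactly(c, 4)
            if rep != 0x00:
                raise ConnectionError("CONNECT failed, reply code %d" % rep)
            _recv_exactly(c, {ATYP_IPV4: 4, ATYP_IPV6: 16}[atyp] + 2)   # skip BND.ADDR/PORT
            c.sendall(payload)                                   # from here on: plain tunnel
            c.shutdown(socket.SHUT_WR)
            echoed = b""
            while True:
                data = c.recv(4096)
                if not data:
                    break
                echoed += data
        return seen[0], echoed
    finally:
        srv.close()
```

Running `socks5_roundtrip("api64.ipify.org", 80, b"GET / HTTP/1.0\r\n\r\n")` shows the proxy receiving the hostname rather than an address, which is the difference that decides whether your DNS lookups leave through the tunnel or from your own machine.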


2. Hands On - Run an ssh proxy on your laptop

Open two (2) terminal windows:

  1. ssh to a remote host, which will be the proxy:
ssh -D 8080 vicpi@craig.vicpi.drsol.com
  2. Test with curl:
curl -x socks5://localhost:8080 http://api64.ipify.org

Discuss the following:

Extra credit: configure your web browser for a SOCKS5 proxy, and surf the web. Enter the URL http://api64.ipify.org.


L7 Apache Proxy

Common web servers can also act as proxies. Since the webserver operates at Layer 7 of the OSI model, it has access to the actual HTML text, and can modify it as it is proxied. Of course, if you expect to pass encrypted traffic (TLS) through it, the proxy has to terminate the TLS connection and decrypt the traffic in order to see it, before re-encrypting it to the final destination. This is generally frowned upon, since the L7 proxy is in fact impersonating the server's end of the TLS connection.

For non-encrypted traffic, there is a good how-to on configuring Apache as a proxy.

A Reverse Proxy

A reverse proxy is a proxy that typically sits in front of one or more servers, rather than the client. Reverse proxies are typically used as load balancers or protocol converters.

Again, there are two types of reverse proxies: L3/L4 and L7.

(Figure: proxy network)

Using socat as a reverse proxy

Say I want IPv6 access to my IPv4-only IoT device. It could be any IPv4-only IoT device, but in this example I'll use my Internet Radio.

The socat reverse proxy command is similar, but this time we give it the IPv4 address of our IoT device:

IOT_ADDR=192.168.99.36
socat TCP6-LISTEN:8080,fork,reuseaddr TCP4:$IOT_ADDR:80

Test with:

curl -I http://netsig.makiki.ca:8080
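To make the L3/L4 translation concrete, here is an added example in Python (not socat, and not part of the original article) of what `socat TCP6-LISTEN:8080,fork,reuseaddr TCP4:$IOT_ADDR:80` does: accept TCP on an IPv6 socket and copy bytes both ways to one fixed IPv4 target. The IPv4-only device is stood in by a constructed echo server on 127.0.0.1; the relay listens on the IPv6 loopback (falling back to IPv4 if the host has no ::1) and one request is pushed through it. Pointed at a remote web server instead of the device, the same code is the forward proxy from the earlier socat section. Like socat, it forwards to exactly one destination and never looks at the payload, which is why an L4 proxy can neither rewrite HTML nor route by hostname.

```python
"""Added example: a socat-style L4 relay (what TCP6-LISTEN:...,fork TCP4:... does).
Not socat's code; the IoT device is stood in by a constructed echo server."""
import socket
import threading


def _pump(src, dst):
    # Copy bytes one way until src closes, then half-close dst so the far side sees EOF.
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(listen_family, listen_addr, target_family, target_addr):
    """Listen on listen_addr; forward every accepted connection to the one fixed target.
    Returns the listening socket (getsockname() gives the bound port, close() stops it)."""
    srv = socket.socket(listen_family, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)   # socat's ,reuseaddr
    srv.bind(listen_addr)
    srv.listen(8)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return                                          # listener closed
            upstream = socket.socket(target_family, socket.SOCK_STREAM)
            try:
                upstream.connect(target_addr)
            except OSError:
                client.close()                                  # target down: drop the client
                continue
            # socat's ,fork: a worker per direction per connection; payload is never inspected
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def start_echo_server(family, addr):
    """Constructed stand-in for the IPv4-only device: echoes whatever it receives."""
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(addr)
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def relay_roundtrip(payload):
    """Client (IPv6 if the host has ::1, else IPv4) -> relay -> IPv4 echo server.
    Returns (bytes that came back, address family label used on the client side)."""
    echo = start_echo_server(socket.AF_INET, ("127.0.0.1", 0))
    try:
        family = socket.AF_INET6
        relay = start_relay(family, ("::1", 0), socket.AF_INET, echo.getsockname())
    except OSError:
        family = socket.AF_INET                                 # no IPv6 loopback on this host
        relay = start_relay(family, ("127.0.0.1", 0), socket.AF_INET, echo.getsockname())
    try:
        with socket.socket(family, socket.SOCK_STREAM) as c:
            c.connect(relay.getsockname()[:2])
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)                          # we are done sending
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks), ("IPv6" if family == socket.AF_INET6 else "IPv4")
    finally:
        relay.close()
        echo.close()


if __name__ == "__main__":
    print(relay_roundtrip(b"GET / HTTP/1.0\r\n\r\n"))
```

The half-close in `_pump` matters: when the client finishes sending, the relay must propagate the EOF to the device (and vice versa) or connections hang open, which is the same reason socat's forked children exit only after both directions are closed.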

Using nginx as a reverse proxy

Reverse proxying is quite easy in nginx. The following configuration not only directs nginx to be a reverse proxy, but also modifies the HTML text on the fly, replacing a hardcoded IPv4 address with the DNS hostname 6wr26.hoomaha.net:

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name localhost;

        # Setup proxy
        location / {
                # sub_filter module: rewrite the hardcoded IPv4 URL in the HTML body
                sub_filter_once off;
                sub_filter 'http://192.168.99.36' 'http://6wr26.hoomaha.net';
                # rev proxy config
                proxy_pass http://wr26.hoomaha.net/;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # sub_filter cannot edit a compressed body: ask the device for plain text
                proxy_set_header Accept-Encoding "";
        }

}

nginx reverse proxy config with on-the-fly HTML modification (sub_filter).
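What sub_filter has to get right when it edits the body is easy to miss in the config, so here is an added example in Python (not nginx's code, and not part of the original article) that reproduces its behaviour on a single response: a case-insensitive replacement of the old string (sub_filter matches ignoring case), applied only to the text/html type that sub_filter_types allows by default, with Content-Length recomputed for the now longer body. It also shows the failure mode: a response that arrived compressed (Content-Encoding: gzip) cannot be string-replaced, so it is passed through unchanged; in nginx you avoid that by sending `proxy_set_header Accept-Encoding "";` upstream so the device answers in plain text. The sample page is constructed to look like the radio's status page, not a real capture.

```python
"""Added example (not nginx code): what sub_filter does to one HTTP response,
including the two details that make or break it behind a reverse proxy."""
import re

# Constructed sample of what the radio's status page might look like (not a real capture)
SAMPLE_HTML = (b"<html><body>\n"
               b'<a href="http://192.168.99.36/status">Status</a>\n'
               b'<img src="HTTP://192.168.99.36/logo.png">\n'
               b"</body></html>\n")


def _header(headers, name):
    # Case-insensitive lookup of one header value
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def rewrite_response(headers, body, old, new, once=False, types=("text/html",)):
    """Mimic `sub_filter old new` together with `sub_filter_once` and `sub_filter_types`.
    headers: dict of response header -> value; body: bytes.
    Returns (new_headers, new_body, number_of_replacements)."""
    encoding = (_header(headers, "Content-Encoding") or "identity").strip().lower()
    if encoding != "identity":
        # A gzip/br body is opaque to string replacement: nothing can be rewritten.
        # Behind nginx, `proxy_set_header Accept-Encoding "";` keeps this from happening.
        return dict(headers), body, 0

    media_type = (_header(headers, "Content-Type") or "").split(";")[0].strip().lower()
    if media_type not in types:
        return dict(headers), body, 0            # default sub_filter_types is text/html only

    # sub_filter matches the search string ignoring case
    pattern = re.compile(re.escape(old.encode()), re.IGNORECASE)
    new_body, count = pattern.subn(new.encode(), body, count=1 if once else 0)

    # The body grew, so a stale Content-Length would truncate the page or hang the client
    new_headers = {k: (str(len(new_body)) if k.lower() == "content-length" else v)
                   for k, v in headers.items()}
    return new_headers, new_body, count


def upstream_request_headers(client_headers):
    """Headers to send on to the device: drops Accept-Encoding (the nginx line
    `proxy_set_header Accept-Encoding "";`) so the reply comes back uncompressed."""
    return {k: v for k, v in client_headers.items() if k.lower() != "accept-encoding"}


def demo():
    """Rewrite the sample page the way the nginx sub_filter line above would."""
    headers = {"Content-Type": "text/html; charset=utf-8",
               "Content-Length": str(len(SAMPLE_HTML))}
    return rewrite_response(headers, SAMPLE_HTML,
                            "http://192.168.99.36", "http://6wr26.hoomaha.net")


if __name__ == "__main__":
    h, b, n = demo()
    print(n, "replacements, Content-Length now", h["Content-Length"])
    print(b.decode())
```

Note that the second link in the sample uses an upper-case `HTTP://` and is still rewritten, while a gzip-encoded body or a JSON response is left alone; both are things to check with `curl -I` through the proxy when a rewritten page looks wrong.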


3. Hands On - Run a reverse proxy with socat

Open two (2) terminal windows:

  1. ssh to a remote host, which will be the proxy, and start socat there:
ssh demo@netsig.makiki.ca

IOT_ADDR=192.168.99.36
socat TCP6-LISTEN:8080,fork,reuseaddr TCP4:$IOT_ADDR:80
  2. Test with curl:
curl -6  netsig.makiki.ca:8080

Discuss the following:


Summary

Proxies are useful, even on the modern internet, whether acting as a load balancer, providing additional privacy, or giving access to legacy (read: IPv4-only) devices. The internet is about connecting disparate devices together. socat and nginx are excellent proxy tools to keep in your networking toolbox.

26 October 2020