HTTP Tunneling

Introduction

The application discussed in this article provides the ability to make TCP connections through a proxy server. Often computers are behind firewalls that deny many connections. But HTTP connection is usually allowed and is made through a proxy server. This article will show how arbitrary TCP connections can be made using HTTP protocol and the proxy server.

Approach

When an HTTP connection is made through a proxy server the client (usually the browser) sends the request to the proxy. The proxy opens the connection to the destination, sends the request, receives the response and sends it back to the client. The HTTP protocol specifies a request method called CONNECT. The CONNECT method can be used by the client to inform the proxy server that a connection to some host on some port is required. The proxy server, if allows such connections, tries to connect to the destination address specified in the request header. If it the operation fails it sends back to the client a negative HTTP response and close the connection. If the operation succeeded then send back an HTTP positive response and the connection is consider established. After that, the proxy does not care what data is transferred between client requesting the connection and the destination. It just forwards data in both ways acting as a tunnel.

About the protocol

We are interested in CONNECT method from the HTTP protocol. After the applications opens a connection with the proxy server it must send the connect request in the form of an HTTP request:

CONNECT <destination_address>:<destination_port> <http_version><CR><LF>
<header_line><CR><LF>
<header_line><CR><LF>
...
<header_line><CR><LF>
<CR><LF>

The proxy server process the request and try to make a connection to <destionation_address>:<destination_port>.

The proxy server sends back an HTTP response in the form:

<http_version> <code> <message><CR><LF>
<header_line><CR><LF>
<header_line><CR><LF>
...
<header_line><CR><LF>
<CR><LF>

If it is a positive response (code=200) then after the empty line the proxy begins to acts as a tunnel and forwards data. If it is a negative response (code!=200) then connection is closed after the empty line.

The HTTPTunneling application

The application act as specified in a configuration file. An entry in the configuration file locks like this:

<Source port> <Destination address> <Destination port> <Proxy address> <Proxy port>

If the application is running and an entry in the configuration files changes, the application automatically updates itself.

For every entry in the configuration file the application creates a port listener. This is a thread that opens a socket on <Source port> and waits for connection. When a request arrives on that port it tries to open a tunnel to the <Destination address>:< port>. If the <Proxy address> and <Proxy port> are missing, a direct connection is made. If the field are present it opens a connection to the proxy and sends a CONNECT request using the method specified above. The tunnel construction is made in a separate thread to let the port listener to accept immediatelly new connections. After the connection is established a tunnel object is constructed based on the opened sockets, sockets are marked as non-blocking and the object is passed to manager object. The thread that has created the tunnel is destroyed. Data transfer is made on a single thread. When one of the ends closes the connection the tunnel closes the other and the tunnel is marked as inactive. The manager finds the tunnel inactive and removes it from the list of active tunnels.

By default the application generates log information in HTTPTunneling.log file. This file can be consulted to find wrong application behaviour.

Known problems

• If no data transfer is made the proxy could close the connection, event neither the initiator neither the destination has closed the connection.
• Proxy authorization may be required. This can be easily solved including in the HTTP request the Proxy-Authorization field.

History

June 15, 2000

• Posted.