Merge #1 Add support for using HTTPS proxies, including client-side certificate authentication; clean up code to make it gcc 9 and valgrind clean; added long-form options

Mohd Izhar Firdaus Ismail 2020-05-24 09:59:18 +00:00
commit 6889ea95e5
4 changed files with 4117 additions and 0 deletions

INSTALL.md (new file, 39 lines)

@ -0,0 +1,39 @@
# connect-proxy
Make socket connection using SOCKS4/5, telnet HTTP or HTTPS tunnel.
*************************************************************************
QUICK START:
Unix:
gcc -o connect connect.c -lssl -lcrypto
*************************************************************************
The development version can be found here:
https://github.com/jjkeijser/connect-proxy/
How To Compile
==============
On Linux/UNIX environment:
gcc -o connect connect.c -lssl -lcrypto
Or using a specific OpenSSL installation:
gcc -o connect connect.c -I../openssl-1.1.1g/include
-L../openssl-1.1.1g -lssl -lcrypto
The default CA certificate file is the RHEL/CentOS/Fedora default:
/etc/pki/tls/certs/ca-bundle.crt
You can specify an alternative location using
gcc -o connect connect.c -D__DEFAULT_CA_PATH__=\"/some/path\"
-lssl -lcrypto
(mind the quotes!)
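Review bot: the `-D__DEFAULT_CA_PATH__=\"/some/path\"` knob at the end of this hunk is named `_PATH` but the sentence above it says it overrides the default CA certificate *file* (`/etc/pki/tls/certs/ca-bundle.crt`), while the README and man page in this same commit use `--https-proxy-ca-path` for a hashed CA *directory*; renaming the macro to something like `DEFAULT_CA_FILE`, or at least stating here that it must be a file, would avoid that confusion. Identifiers beginning with a double underscore are also reserved for the C implementation, so a name without the leading `__` is the safer choice. It would help to list the Debian/Ubuntu bundle (`/etc/ssl/certs/ca-certificates.crt`) next to the RHEL/CentOS/Fedora default, since a wrong bundle path makes every HTTPS proxy connection fail verification and tempts users toward `--no-check-certificate`. Minor: "SOCKS4/5, telnet HTTP or HTTPS tunnel" is missing a comma after "telnet".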

README.md (new file, 153 lines)

@ -0,0 +1,153 @@
# connect-proxy
Make socket connection using SOCKS4/5, telnet HTTP or HTTPS tunnel.
Based on connect.c from Shun-ichi GOTO <gotoh@taiyo.co.jp>
* Added HTTPS proxy support
* Made code gcc-9 and valgrind clean
How To Compile
==============
On Linux/UNIX environment:
$ gcc connect.c -o connect -lssl -lcrypto
How To Use
==========
* You can specify proxy method in an environment variable or in a command line option.
* usage:
/connect [-dnhstx45] [-p local-port][-R resolve] [-w timeout]
[-S [user@]socks-server[:port]]
[-H [user@]proxy-server[:port]]
[-T proxy-server[:port] [-c telnet-proxy-command]
[-X [user@]proxy-server[:port]]
[--help]
[--socks-server [user@]socks-server[:port]]
[--http-proxy [user@]proxy-server[:port]]
[--telnet-proxy proxy-server[:port]
[--https-proxy [user@]proxy-server[:port]]
[--https-proxy-ca PEM format file of CA's]
[--https-proxy-ca-path PEM format directory of CA's]
[--https-proxy-certname name]
[--https-user-cert certfile.pem]
[--https-user-key keyfile.pem]
[--no-check-certificate]
host port
* "host" and "port" is for the target hostname and port-number to connect to.
* The '-H' or '--http-proxy' option specifies a hostname and port number of the http proxy server to
relay. If port is omitted, 80 is used. You can specify this value in the environment variable
HTTP_PROXY and pass the '-h' option to use it.
* The '-X' or '--https-proxy' option specifies a hostname and port number of the https proxy server to
relay. If port is omitted, 443 is used. You can specify this value in the environment variable
HTTPS_PROXY and pass the '-x' option to use it.
* The '-S' or '--socks-proxy' option specifies the hostname and port number of the SOCKS server to
relay. Like '-H', port number can be omitted and the default is 1080. You can also specify this
value pair in the environment variable SOCKS5_SERVER and give the '-s' option to use it.
* The '-4' and the '-5' options are for specifying SOCKS relaying and indicates protocol version
to use. It is valid only when used with '-s' or '-S'. Default is '-5' (protocol version 5)
* The '-R' option is for specifying method to resolve the hostname. Three keywords ("local",
"remote", "both") or dot-notation IP address are acceptable. The keyword "both" means, "Try local
first, then remote". If a dot-notation IP address is specified, use this host as nameserver. The
default is "remote" for SOCKS5 or "local" for others. On SOCKS4 protocol, remote resolving method
("remote" and "both") requires protocol 4a supported server.
* The '-p' option will forward a local TCP port instead of using the standard input and output.
* The '-P' option is same to '-p' except keep remote session. The program repeats waiting the port
with holding remote session without
disconnecting. To disconnect the remote session, send EOF to stdin or kill the program.
* The '-w' option specifys timeout seconds for making connection with TARGET host.
* The '-d' option is used for debug. If you fail to connect, use this and check request to and
response from server.
You can omit the "port" argument when program name is special format containing port number
itself. For example,
$ ln -s connect connect-25
means this connect-25 command is spcifying port number 25 already so you need not 2nd argument
(and ignored if specified).
* To use proxy, this example is for SOCKS5 connection to connect to 'host' at port 25 via SOCKS5
server on 'firewall' host.
$ connect -S firewall host 25
or
$ SOCKS5_SERVER=firewall; export SOCKS5_SERVER
$ connect -s host 25
* For a HTTP-PROXY connection:
$ connect -H proxy-server:8080 host 25
or
$ HTTP_PROXY=proxy-server:8080; export HTTP_PROXY
$ connect -h host 25
* For a HTTPS-PROXY connection:
$ connect -H proxy-server:443 host 25
or
$ HTTPS_PROXY=proxy-server:443; export HTTPS_PROXY
$ connect -x host 25
TIPS
====
* Connect.c doesn't have any configuration to specify the SOCKS server.
If you are a mobile user, this limitation might bother you. However,
You can compile connect.c and link with other standard SOCKS library
like the NEC SOCKS5 library or Dante. This means connect.c is
socksified and uses a configration file like to other SOCKSified
network commands and you can switch configuration file any time
(ex. when ppp startup) that brings you switching of SOCKS server for
connect.c in same way with other commands. For this case, you can
write ~/.ssh/config like this:
ProxyCommand connect -n %h %p
SOCKS5 authentication
=====================
* Only USER/PASS authentication is supported.
HTTP Proxy authentication
=========================
* Only BASIC scheme is supported.
HTTPS proxy authentication
==========================
* BASIC scheme is supported.
* The server certificate can be verified against a CA certificate (or list of CA
certficates) by specifying either '--https-ca-file' or '--https-ca-path'.
(default file: /etc/pki/tls/certs/ca-bundle.crt).
* By default, the server certificate name (/CN=...) is checked against the hostname
of the https_proxy server. It is possible to specify an alternative name using
'--http-proxy-certname'.
* You can disable server certificate verification by specifying '--no-certificate-check'.
* Certificate based authentication is supported. Use the '--https-user-cert' and
'--https-user-key' parameters to specify the user certificate and key. If the private
key is protected using a passphrase, the $SSH_ASKPASS program will be used to query the user.
The following environment variables can be used to specify the above parameters:
* HTTPS proxy server: $HTTPS_PROXY
* proxy user: $HTTPS_PROXY_USER
* proxy password: $HTTPS_PROXY_PASSWORD
* server certificate name: $HTTPS_PROXY_CERTNAME
* CA certificate name: $HTTPS_PROXY_CA_FILE
* CA certificate path: $HTTPS_PROXY_CA_PATH
* client certificate file: $HTTPS_PROXY_USERCERT
* client privatekey file: $HTTPS_PROXY_USERKEY
Authentication information
==========================
The User name for authentication is specifed by an environment variable or system login name. And
password is specified from environment variable or external program (specified in $SSH_ASKPASS) or
tty.
The following environment variable is used for specifying user name.
- SOCKS: $SOCKS5_USER, $LOGNAME, $USER
- HTTP Proxy: $HTTP_PROXY_USER, $LOGNAME, $USER
- HTTPS Proxy: $HTTPS_PROXY_USER, $LOGNAME, $USER
ssh-askpass support
===================
You can use ssh-askpass (came from OpenSSH or else) to specify password on graphical environment
(X-Window or MS Windows). To use this, set program name to environment variable SSH_ASKPASS. On
UNIX, X-Window must be required, so $DISPLAY environment variable is also needed. On Win32
environment, $DISPLAY is not mentioned.
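Review bot: the HTTPS-PROXY example in the usage section uses the HTTP option: `$ connect -H proxy-server:443 host 25` should be `$ connect -X proxy-server:443 host 25`, matching the `HTTPS_PROXY=proxy-server:443; ... connect -x host 25` variant directly under it. As written it would send the CONNECT request, and any Basic-Auth credentials, in cleartext to port 443 instead of over TLS. The long option names in the prose also disagree with the synopsis: `--socks-proxy` (synopsis: `--socks-server`), `--https-ca-file`/`--https-ca-path` (synopsis: `--https-proxy-ca`/`--https-proxy-ca-path`), `--http-proxy-certname` (synopsis: `--https-proxy-certname`) and `--no-certificate-check` (synopsis: `--no-check-certificate`); please settle on one spelling per option and use the same names in connect-proxy.1. The usage line starts with `/connect` rather than `connect`. On verification, the text says the certificate name "(/CN=...)" is checked against the proxy hostname; if the check also accepts subjectAltName dNSName entries, say so, because CN-only matching is the deprecated fallback (RFC 6125) and many current proxy certificates carry the hostname only in the SAN. Finally, `$HTTPS_PROXY_PASSWORD` places a credential in the process environment, which other processes running as the same user can read (for example via /proc/PID/environ on Linux); a one-line warning pointing at the `$SSH_ASKPASS`/tty prompt already documented below would be worth adding.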

connect-proxy.1 (new file, 198 lines)

@ -0,0 +1,198 @@
.TH "CONNECT-PROXY" "1"
.SH "NAME"
connect-proxy \(em connect over SOCKS4/5, HTTP or HTTPS proxy
.SH "SYNOPSIS"
.PP
\fBconnect-proxy\fR [\fB-dnhsxt45\fP] [\fB-R \fIresolve\fR \fP] [\fB-p \fIlocal-port\fR \fP] [\fB-w \fIsecs\fR \fP] [\fB-H \fI[user@]proxy-server[:port]]\fR \fP] [\fB-S \fI[user@]socks-server[:port]]\fR \fP] [\fB-a \fIsocks-auth-method\fR \fP] [\fB-T \fIproxy-server[:port]\fR \fP] [\fB-c \fItelnet-proxy-command\fR \fP] [\fB-X \fI[user@]proxy-server:[port]]\fR \fP] [host] [port]
.SH "DESCRIPTION"
.PP
\fBconnect-proxy\fR opens a connection to a remote host over SOCKS4/5, HTTP or HTTPS proxies.
.PP
Please, note that any HTTP-Proxy tunnel won't work with content-inspection firewall (unless using SSL).
.SH "OPTIONS"
.TP
\fB\-\-help
Show options.
.\"*********************************************************
.TP
\fB\-H [user@]proxy-server[:port] \fRor\fB \-\-http-proxy-server [user@]proxy-server[:port]
specifies a hostname and port number of the HTTP proxy server to relay.
If the port is omitted, 80 is used. You can specify this value in the environment variable
HTTP_PROXY and pass the \-h option to use it.
If the user is omitted, the current userid is used. You can specify this value in the environment variable
HTTP_PROXY_USER. Simple HTTP Basic-Auth is supported.
.TP
.\"*********************************************************
\fB\-S [user@]proxy-server[:port] \fRor\fB \-\-socks-proxy-server [user@]proxy-server[:port]
specifies the hostname and port number of the SOCKS server to relay.
Like \-H, the port number can be omitted and the default is 1080.
You can also specify this value pair in the environment
variable SOCKS_SERVER or SOCKS5_SERVER and give the \-s option to use it.
If the user is omitted, the current userid is used. You can specify this value in the environment variable
SOCKS_USER or SOCKS5_USER.
.\"*********************************************************
.TP
\fB\-T proxy-server[:port] \fRor\fB \-\-telnet-server proxy-server[:port]
(EXPERIMENTAL) specifies a hostname and port number of the Telnet proxy server to relay.
If the port is omitted, 22 is used. You can specify this value in the environment variable
TELNET_PROXY and pass the \-t option to use it.
.\"*********************************************************
.TP
\fB\-X [user@]proxy-server[:port] \fRor\fB \-\-https-proxy-server [user@]proxy-server[:port]
specifies a hostname and port number of the HTTPS proxy server to relay.
If the port is omitted, 443 is used. You can specify this value in the environment variable
HTTPS_PROXY and pass the \-x option to use it.
If the user is omitted, the current userid is used. You can specify this value in the environment variable
HTTPS_PROXY_USER. Simple HTTPS Basic-Auth as well as client-side certificate authentication is supported.
If a password is required for remote authentiation, either a simple terminal prompt or the $SSH_ASKPASS
program will be used to query the user for the password.
.\"*********************************************************
.TP
\fB\-\-https-proxy-ca CA-cert-file.pem
specifies a PEM-formatted file containing the Certificate Authorities (CA\'s) to trust when connecting
to an HTTPS proxy server.
.\"*********************************************************
.TP
\fB\-\-https-proxy-ca-path CA-dir-path
specifies a directory containing hashed PEM-formatted public certificate files of the Certificate
Authorities (CA\'s) to trust when connecting to an HTTPS proxy server.
.\"*********************************************************
.TP
\fB \-\-https-proxy-certname name
specifies the name of the HTTPS proxy server certificate (/CN=...) if this name is different from
the remote hostname of the HTTPS proxy server itself.
.\"*********************************************************
.TP
\fB--no-check-certificate
disable the verification of the HTTPS proxy server certificate and hostname.
.\"*********************************************************
.TP
\fB\-\-https-user-cert certfile.pem
specifies a PEM-formatted file containing the user (client-side) certificate. Use this, together
with the \'--http-user-key\' option to perform client-side certificate authentication when
connecting to an HTTPS proxy server.
.\"*********************************************************
.TP
\fB\-\-https-user-key keyfile.pem
specifies a PEM-formatted file containing the user (client-side) private key. Use this, together
with the \'--http-user-cert\' option to perform client-side certificate authentication when
connecting to an HTTPS proxy server.
If the private key is protected using a passphrase, either a simple terminal prompt or the $SSH_ASKPASS
program will be used to query the user for the passphrase.
.\"*********************************************************
.TP
\fB-4
specifies SOCKS relaying and indicates protocol version to use.
It is valid only when used with '\-s' or '\-S'.
Default is '\-5' (protocol version 5).
.\"*********************************************************
.TP
\fB-a socks5-auth-method
(EXPERIMENTAL) specifies the authentication method when connecting to a SOCKS5 server.
The keywords "none", "gssapi", "userpass" and "chap" are acceptable.
You can specify this value in the environment variable SOCKS5_AUTH.
.\"*********************************************************
.TP
\fB-c telnet-command
(EXPERIMENTAL) specifies the \'telnet\' command to use when connecting to a Telnet proxy server.
.\"*********************************************************
.TP
\fB-R
specifies the method to resolve the hostname when connecting to a SOCKS server.
Three keywords ("local", "remote", "both") or dot-notation IP address are acceptable.
The keyword "both" means, "Try local first, then remote".
If a dot-notation IP address is specified, use this host as nameserver. The default is "remote" for SOCKS5 or
"local" for SOCKS4.
On SOCKS4 protocol, remote resolving method ("remote" and "both") requires protocol 4a supported server.
You can specify this value in the environment variable SOCKS_RESOLVE or SOCKS5_RESOLVE.
.\"*********************************************************
.TP
\fB-p local-port
will forward a local TCP port instead of using the standard input and output.
.\"*********************************************************
.TP
\fB-P local-port
same to '\-p' except keep remote session. The program repeats waiting the port with holding
remote session without disconnecting. To connect the remote session, send EOF to stdin or
kill the program.
.\"*********************************************************
.TP
\fB-w secs
timeout in seconds for making connection with TARGET host.
.\"*********************************************************
.TP
\fB-d
used for debug. If you fail to connect, use this and check request to and response from server.
.SH "USAGE"
.PP
To use proxy, this example is for SOCKS5 connection to connect to
\host\' at port 25 via SOCKS5 server on \'firewall\' host.
\fBconnect-proxy \-S firewall host 25\fR
\fBSOCKS5_SERVER=firewall; export SOCKS5_SERVER;
connect-proxy \-s host 25\fR
.PP
For a HTTP-PROXY connection:
\fBconnect-proxy \-H proxy-server:8080 host 25\fR
\fBHTTP_PROXY=proxy-server:8080; export HTTP_PROXY;
connect-proxy \-h host 25\fR
.PP
To forward a local port, for example to use ssh:
\fBconnect-proxy \-H proxy-server:8080 host 22 \fR
\fBssh \-l user \-p 5550 localhost\fR
.PP
For an HTTPS PROXY connection:
\fBconnect-proxy \-X proxy-server:443 host 25\fR
\fBHTTPS_PROXY=proxy-server:443; export HTTPS_PROXY;
connect-proxy \-x host 25\fR
.PP
For an HTTPS PROXY connection with client-side certificate authentication:
\fBconnect-proxy \-X proxy-server:8443 --https-user-cert ~/.config/usercert.pem
--https-user-key ~/.config/userkey.pem host 25\fR
.PP
To use it along ssh transparently:
\fB # file://~/.ssh/config
Host *
ProxyCommand connect-proxy \-H proxy-server:8080 %h %p\fR
.SH "ENVIRONMENT"
.PP
LOGNAME, USER, SSH_ASKPASS,
.TP
SOCKS_PROXY, SOCKS_USER, SOCKS_RESOLVE,
.TP
SOCKS5_PROXY, SOCKS5_USER, SOCKS5_RESOLVE, SOCKS5_AUTH,
.TP
HTTP_PROXY, HTTP_PROXY_USER, HTTPS_PROXY, HTTPS_PROXY_USER,
.TP
HTTPS_PROXY_CERTNAME, HTTPS_PROXY_CA_FILE, HTTPS_PROXY_CA_PATH,
HTTPS_PROXY_USERCERT, HTTPS_PROXY_USERKEY
.SH "SEE ALSO"
.PP
ssh (1).
.SH "WWW"
.PP
https://github.com/jjkeijser/connect-proxy
.PP
http://www.taiyo.co.jp/~gotoh/ssh/connect.html
.SH "COPYRIGHT"
.PP
Permission is granted to copy, distribute and/or modify this document under
the terms of the GNU General Public License, Version 2 any
later version published by the Free Software Foundation.
.SH "AUTHOR"
.PP
This manual page was adapted by Jan Just Keijser jan.just.keijser@gmail.com
from the \fBDebian\fP manual page, written by Philippe COVAL Philippe.COVAL@laposte.net.
.PP
HTTPS support and the \'long\' format options were added by Jan Just Keijser
jan.just.keijser@gmail.com.
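Review bot: the port-forwarding example in USAGE does not forward a port: `connect-proxy \-H proxy-server:8080 host 22` is followed by `ssh \-l user \-p 5550 localhost`, so the first command needs `\-p 5550` (or `\-P 5550`) for the second one to work. The `\-T`/`\-\-telnet-server` entry says "If the port is omitted, 22 is used", which is the SSH port rather than a telnet proxy's (23 would be the conventional default); please check what the code actually uses. Long option names disagree with the README in this commit: `\-\-http-proxy-server`, `\-\-socks-proxy-server`, `\-\-telnet-server` and `\-\-https-proxy-server` here versus `--http-proxy`, `--socks-server`, `--telnet-proxy` and `--https-proxy` there, and the `\-\-https-user-cert`/`\-\-https-user-key` entries cross-reference `--http-user-key`/`--http-user-cert`, which exist in neither synopsis. The `\-\-no-check-certificate` entry should state the consequence: with verification off, anyone able to interpose on the path to the proxy can present their own certificate and capture the Basic-Auth credentials and the CONNECT target. The SYNOPSIS has unbalanced brackets in `[\fB-H \fI[user@]proxy-server[:port]]\fR \fP]`, the matching `\-S` entry and `\-X \fI[user@]proxy-server:[port]]`, and the ENVIRONMENT section lists `SOCKS_PROXY`/`SOCKS5_PROXY` where the option text uses `SOCKS_SERVER`/`SOCKS5_SERVER`, while `HTTPS_PROXY_PASSWORD` (documented in the README) is missing. Typos: the `\-P` entry should read "To disconnect the remote session", `\host\'` in USAGE lacks its opening quote, "authentiation" under `\-X`, and COPYRIGHT should read "Version 2 or any later version".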

connect.c (new file, 3727 lines)

File diff suppressed because it is too large.