Passing through a firewall with a "reverse" proxy

2

I have to do a workshop in a firewalled environment which is preventing me from showing everything I would like, and I'm looking for a workaround.

I'll be demoing a software which runs on Windows. During the workshop, participants are expected to connect to this software from their phones with a browser.

    Windows                        Phone           
+-------------------+          +------------------+
|                   |          |                  |
|  Demo software    |          |                  |
|                   |          |                  |
|                   |          |                  |
|             :8080 | <--------+  Browser         |
|                   |          |                  |
|                   |          |                  |
+-------------------+          +------------------+

The problem is that all workshop machines are firewalled and it is impossible (due to the rigidity of the organization where I'm doing the workshop) to open a hole in the firewall.

So I was thinking to run some kind of a proxy (luckily, that is allowed) on each workshop machine. This proxy would connect to some kind of a server on the outside, register itself with some autogenerated ID and start waiting for data.

A phone would then connect to http://server.xxx/proxyid and the server would route its request to the appropriate proxy, based on the proxy ID (via the already established connection, so the data would be able to pass through the firewall). The proxy would then contact the web server in the demoed software, get the response and pass it back to the server, which would forward the response to the phone.

                       Firewall                                       
                           +                                          
                           |                                          
   Windows                 |                                          
+---------------------+    |                                          
|                     |    |                                          
|   +-------------+   |    |        server.xxx                        
|   | Demo SW     |   |    |     +------------------------+           
|   |             |   |    |     |                        |           
|   |       :8080 |   |    |     |                        |           
|   +--------+----+   |    |     |                        |           
|            ^        |    |     |                        |           
|            |        |    |     |                        |           
|   +--------+----+   |    |     |                        |           
|   | Proxy       |   |    |     |                        |           
|   |             +------------> |:80                     |           
|   |         ID  |   |    |     |                        |           
|   +-------------+   |    |     +------------------------+           
|                     |    |                      ^                   
+---------------------+    |                      |                   
                           |                      |                   
                           |                      |                   
                           +                      |                   
                                    Phone         |                   
                                 +-----------------------------------+
                                 |    Browser     |                  |
                                 | +--------------+----------------+ |
                                 | | http://server.xxx/ID          | |
                                 | |                               | |
                                 | +-------------------------------+ |
                                 +-----------------------------------+

Are there any building blocks that would allow me to put this workaround together so I don't have to program it? Preferably the server part should run on Windows too (some kind of Linux would also work).

gabr

Posted 2015-05-25T15:13:45.050

Reputation: 303

ssh -R .... ssh reverse tunnel – barlop – 2015-05-25T15:41:06.613

@barlop can you be more specific? – gabr – 2015-05-25T15:41:43.030

yes it'll take some time to write. – barlop – 2015-05-25T15:42:22.030

ok i've written it – barlop – 2015-05-25T15:54:24.427

Answers

2

This isn't exactly what you are after, and maybe I'll think of something else in addition, but this is something you should know.

SSH port forwarding

You need to get an SSH server working on Computer B. So you can do from comp A

SSH is like telnet but with more security and with TCP port forwarding features. You can ignore the telnet aspect of it.

ssh is a tool that system administrators are familiar with, and general techies as well.

You can install ssh via Cygwin in Windows.

A$ssh user@compB

let's say you can do that.

A is behind a firewall. B is fine.

A-----------B

A though behind a firewall can make an outgoing connection

run this from A

A$ssh -R 1234:127.0.0.1:5678 -R 2345:127.0.0.1:5642 user@compB

that can be done as one command or broken down into two separate commands:

A$ssh -R 1234:127.0.0.1:5678 user@compB

and

A$ssh -R 2345:127.0.0.1:5642 user@compB

The -R 1234:127.0.0.1:5678

The -R means open port on the destination comp (compB) and a connection can be made to CompB at port 5678 and it will go to CompA and be forwarded to port 1234 (still on CompA)

So you may want to do

-R 80:127.0.0.1:8080

The thing is, you want something with an ID and I'm not sure about that.

What I can say though is you can open multiple ports on CompB

so not just port 80

port 81, port 82

and so port 81 on CompB could forward to port 1234 on CompA

port 82 on CompB could forward to port 4252 on CompA

etc.

And you may want to say -gR or -R *:80... 'cos without the -g, the port that opens on CompB will only allow a connection from CompB, i.e. it will only listen on 127.0.0.1. So use -g in your case, 'cos you want a client from another computer [the 'phone' computer] to connect to CompB, i.e. the -g is 'cos you want a client program from another computer to connect to CompB (and be forwarded to CompA), rather than a client program on CompB to connect to CompB (and be forwarded to CompA).

One point though.. You connect ssh.exe from a comp behind the firewall (CompA) to compB.

A port opens on CompB... for a new TCP connection to be smuggled through. Your HTTP or whatever client connects to CompB; it then reaches the CompA that you ran ssh.exe from. You can then forward to whichever comp you want.

When you write -R 1234:127.0.0.1:5678, that 127.0.0.1 could be changed to some other computer, so that the client's request will be forwarded to some other computer.

-R is the opposite of -L though you don't need -L.

SSH -D

The thing is.. from the looks of things, your ultimate destination seems to be a web server.

Since you only are looking to forward to one particular site, you could use -R

But there is also a -D option you should know about, which makes a SOCKS proxy that can handle HTTP

The slight obstacle is -D is local.. i.e. it's a bit like -L in that sense.

But what you could do is make the SOCKS Proxy on CompA,

And from A do ssh -R to compB. So anybody connecting to B gets forwarded to the SOCKS proxy on A, and then can access whatever web server they want.

The answer at this link tries to do an SSH reverse SOCKS tunnel but (as of writing) puts the SOCKS proxy on the wrong computer. This answer gets it right.
https://stackoverflow.com/questions/842021/ssh-d-port-usernameserver-com-but-in-reverse

But then you're not getting different web servers to different people.

For that, stick to -R

Combining -R with -D may be unnecessary in your case, unless you really want to access other websites, in which case you need the SOCKS proxy (-D) and the -R

And either way, none of this involves an ID, but different ports, with the port determining which IP:PORT to forward to once it reaches the comp behind the firewall [the comp] from which you ran ssh.exe.

barlop

Posted 2015-05-25T15:13:45.050

Reputation: 18 677

very complete and clear answer – Francisco Tapia – 2015-05-25T16:43:01.750

Thanks! Using a ssh reverse tunnel will be good enough. I'll just use different remote port for each workstation. – gabr – 2015-05-25T17:29:14.780
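The per-workstation reverse tunnel the accepted answer and the asker settle on, as an added example (not code from the question or the answers). It assumes the demo software listens on 127.0.0.1:8080 as in the question, that workstation N gets remote port 8000+N (my choice), and that the sshd on server.xxx has GatewayPorts enabled; the user name in the test is made up.

```shell
#!/bin/sh
# Added example, not from the question or answers. Builds (and optionally keeps
# alive) the ssh reverse tunnel for one workshop workstation, following the
# accepted approach: a different remote port per workstation, all pointing at
# the demo software on 127.0.0.1:8080 of that workstation.
# Assumption: the sshd on server.xxx has "GatewayPorts yes" (or
# "clientspecified") in sshd_config; otherwise the -R listener binds only to
# the server's loopback and the phones cannot reach it.

DEMO_PORT=8080   # where the demo software listens on the Windows box
BASE_PORT=8000   # workstation N gets remote port BASE_PORT + N (assumed scheme)

# remote_port_for ID -> prints the server-side port for workstation ID,
# rejecting anything that is not a small positive number.
remote_port_for() {
    case "$1" in
        ''|*[!0-9]*) echo "workstation id must be a number" >&2; return 1 ;;
    esac
    [ "$1" -le 999 ] || { echo "workstation id out of range" >&2; return 1; }
    echo $(( BASE_PORT + $1 ))
}

# tunnel_cmd ID USER@SERVER -> prints the ssh command line without running it.
#  -N                     no remote shell, just the forward
#  ExitOnForwardFailure   fail fast if the remote port is already taken
#  ServerAlive*           notice a dead tunnel within ~90 s instead of hanging
#  -R 0.0.0.0:...         bind on all server interfaces (needs GatewayPorts)
tunnel_cmd() {
    port=$(remote_port_for "$1") || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 0.0.0.0:%s:127.0.0.1:%s %s\n' \
        "$port" "$DEMO_PORT" "$2"
}

# run_tunnel ID USER@SERVER -> re-establishes the tunnel whenever it drops,
# so a flaky workshop network does not leave a workstation unreachable.
run_tunnel() {
    cmd=$(tunnel_cmd "$1" "$2") || return 1
    while :; do
        $cmd
        echo "tunnel for workstation $1 dropped, reconnecting in 5 s" >&2
        sleep 5
    done
}
```

Phones then open http://server.xxx:8001/ for workstation 1, http://server.xxx:8002/ for workstation 2, and so on; the remote port plays the role of the ID from the question.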

0

For this type of problem we would always go for a Microsoft Remote Desktop way to do the demo. The demo environment runs on a PC in your office that is connected to the internet, with all required ports open. This means that people can use their web browser on whatever device to navigate to the web front-end of your server.

To show the demo, you could use an RDP client (every OS has at least one) to connect and log in to your demo PC/server and view the Windows back-end of your server.

Usually they do not even need to open a port on their firewall unless theirs is really strict (only a few open ports for outgoing traffic, such as port 80 and 443). But RDP (3389) is usually one of the few ports that is already open.

LPChip

Posted 2015-05-25T15:13:45.050

Reputation: 42 190