.\" -*- mode: troff; coding: utf-8 -*- .\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. .ie n \{\ . ds C` "" . ds C' "" 'br\} .el\{\ . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" ======================================================================== .\" .IX Title "CONNECT-TUNNEL 1p" .TH CONNECT-TUNNEL 1p 2024-05-15 "perl v5.38.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH NAME connect\-tunnel \- Create CONNECT tunnels through HTTP proxies .SH SYNOPSIS .IX Header "SYNOPSIS" \&\fBconnect-tunnel\fR [\ \fB\-Lv\fR\ ] [\ \fB\-A\fR\ \fIuser:pass\fR\ ] [\ \fB\-P\fR\ \fIproxy:port\fR\ ] [\ \fB\-C\fR\ \fIcontrolport\fR\ ] [\ \fB\-T\fR\ \fIport:host:hostport\fR\ ] .SH DESCRIPTION .IX Header "DESCRIPTION" \&\fBconnect-tunnel\fR sets up tunneled connections to external hosts by redirecting connections to local ports towards thoses hosts/ports through a HTTP proxy. .PP \&\fBconnect-tunnel\fR makes use of the HTTP \f(CW\*(C`CONNECT\*(C'\fR method to ask the proxy to create a tunnel to an outside server. Be aware that some proxies are set up to deny outside tunnels (either to ports other than 443 or outside a specified set of outside hosts). .SH OPTIONS .IX Header "OPTIONS" The program follows the usual GNU command line syntax, with long options starting with two dashes. .IP "\fB\-A\fR, \fB\-\-proxy\-authentication\fR \fIuser:password\fR" 4 .IX Item "-A, --proxy-authentication user:password" Proxy authentication information. .Sp Please note that all the authentication schemes supported by \&\f(CW\*(C`LWP::UserAgent\*(C'\fR are supported (we use an \f(CW\*(C`LWP::UserAgent\*(C'\fR internally to contact the proxy). .IP "\fB\-C\fR, \fB\-\-control\-port\fR \fIcontrolport\fR" 4 .IX Item "-C, --control-port controlport" The port to which one can connect to issue control commands to \&\fBconnect-tunnel\fR. .Sp See "CONTROL CONNECTIONS" for more details about the available commands. .IP "\fB\-L\fR, \fB\-\-local\-only\fR" 4 .IX Item "-L, --local-only" Create the tunnels so that they will only listen on \f(CW\*(C`localhost\*(C'\fR. Thus, only connections originating from the machine that runs \&\fBconnect-tunnel\fR will be accepted. .Sp That was the default behaviour in \fBconnect-tunnel\fR version 0.02. .IP "\fB\-P\fR, \fB\-\-proxy\fR \fIproxy\fR[\fI:port\fR]" 4 .IX Item "-P, --proxy proxy[:port]" The proxy is required to connect the tunnels. If no port is given, 8080 is used by default. .Sp See also "ENVIRONMENT VARIABLES". .IP "\fB\-T\fR, \fB\-\-tunnel\fR \fIport:host:hostport\fR" 4 .IX Item "-T, --tunnel port:host:hostport" Specifies that the given \fIport\fR on the local host is to be forwarded to the given \fIhost\fR and \fIhostport\fR on the remote side. This works by allocating a socket to listen to \fIport\fR on the local side, and whenever a connection is made to this \fIport\fR, \fBconnect-tunnel\fR forwards it to the proxy (with the credentials, if required), which in turn forwards it to the final destination. .Sp Note that this does not imply the use of any cryptographic system (SSL or any other). This is a simple TCP redirection. The security if any, is the one provided by the protocol used to connect to the destination through \fBconnect-tunnel\fR. .Sp On Unix systems, only root can forward privileged ports. .Sp Note that you can setup tunnels to multiple destinations, by using the \fB\-\-tunnel\fR option several times. .IP "\fB\-U\fR, \fB\-\-user\-agent\fR \fIstring\fR" 4 .IX Item "-U, --user-agent string" Specify User-Agent value to send in HTTP requests. The default is to send \f(CW\*(C`connect\-tunnel/\fR\f(CIversion\fR\f(CW\*(C'\fR. .IP "\fB\-v\fR, \fB\-\-verbose\fR" 4 .IX Item "-v, --verbose" Verbose output. .Sp This option can be used several times for more verbose output. .SH EXAMPLES .IX Header "EXAMPLES" To connect to a SSH server running on \f(CW\*(C`ssh.example.com\*(C'\fR, on port 443, through the proxy \f(CW\*(C`proxy.company.com\*(C'\fR, running on port 8080, use the following command: .PP .Vb 1 \& connect\-tunnel \-P proxy.company.com:8080 \-T 22:ssh.example.com:443 .Ve .PP And now point your favorite ssh client to the machine running \&\fBconnect-tunnel\fR. .PP You can also emulate a "standard" user-agent: .PP .Vb 2 \& connect\-tunnel \-U "Mozilla/4.03 [en] (X11; I; Linux 2.1.89 i586)" \& \-P proxy.company.com:8080 \-T 22:ssh.example.com:443 .Ve .PP \&\fBconnect-tunnel\fR can easily use your proxy credentials to connect outside: .PP .Vb 3 \& connect\-tunnel \-U "Mozilla/4.03 [en] (X11; I; Linux 2.1.89 i586)" \& \-P proxy.company.com:8080 \-T 22:ssh.example.com:443 \& \-A book:s3kr3t .Ve .PP But if you don't want anybody else to connect to your tunnels and through the proxy with \fIyour\fR credentials, use the \&\fB\-\-local\-only\fR option: .PP .Vb 3 \& connect\-tunnel \-U "Mozilla/4.03 [en] (X11; I; Linux 2.1.89 i586)" \& \-P proxy.company.com:8080 \-T 22:ssh.example.com:443 \& \-A book:s3kr3t \-L .Ve .PP If you have several destinations, there is no need to run several instances of \fBconnect-tunnel\fR: .PP .Vb 4 \& connect\-tunnel \-U "Mozilla/4.03 [en] (X11; I; Linux 2.1.89 i586)" \& \-P proxy.company.com:8080 \-A book:s3kr3t \-L \& \-T 22:ssh.example.com:443 \& \-T 222:ssh2.example.com:443 .Ve .PP But naturally, you will need to correctly set up the ports in your clients. .PP Mmm, such a long command line would perfectly fit in an alias or a \fI.BAT\fR file. \f(CW\*(C`;\-)\*(C'\fR .SH "ENVIRONMENT VARIABLES" .IX Header "ENVIRONMENT VARIABLES" The environment variable \f(CW\*(C`HTTP_PROXY\*(C'\fR can be used to provide a proxy definition. .PP The environment variable is overriden by the \fB\-\-proxy\fR option, if passed to \fBconnect-tunnel\fR. .SH AUTHOR .IX Header "AUTHOR" Philippe "BooK" Bruhat, \f(CW\*(C`\*(C'\fR. .PP I seem to have re-invented a well-known wheel with that script, but at least, I hope I have added a few interesting options to it. .SH "SCRIPT HISTORY" .IX Header "SCRIPT HISTORY" The first version of the script was a quick hack that let me go through a corporate proxy. .PP Version 0.02 and version 0.03 were released on CPAN in 2003. .PP Version 0.04 sits half-finished in a CVS repository at home: I couldn't decypher the spaghetti of my data structures any more. \f(CW\*(C`:\-(\*(C'\fR .PP Version 0.05 (and higher) are based on \f(CW\*(C`Net::Proxy\*(C'\fR, and included with the \f(CW\*(C`Net::Proxy\*(C'\fR distribution. .SH "" .IX Header "" Even though it's not rocket science, \fBconnect-tunnel\fR has been cited in at least one academic works: .IP \(bu 4 \&\fIHTTP Tunnels Through Proxies\fR, Daniel Alman .Sp Available at SANS InfoSec Reading Room: Covert Channels .Sp Direct link: .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2003\-2007, Philippe Bruhat. All rights reserved. .SH LICENSE .IX Header "LICENSE" This module is free software; you can redistribute it or modify it under the same terms as Perl itself.