Breaking out of a HTTP proxy enviroment

Andrew Rankin — Tue, 09 Feb 2010 18:24:47 +0000

Being in a large corporate environment has positives and negatives, one of those negatives is that many companies use HTTP proxies to control and track internet usage from your work machines. While in most cases this is very important from the HR and workplace productivity side, it can become a headache if you actually need something outside your companies firewalls that is blocked. In my case I wanted to backup some configurations and code to my home machine. To do this I’d generally just rsync over ssh or scp the files over to an off site machine. Sadly with a full firewall up and all traffic required to go through HTTP proxies, I had to find a different solution. In my case, I decided to use ‘corkscrew’.

Corkscrew tunnels SSH connections through HTTP proxies, you can find it at agroman.net/corkscrew/. It was quite easy to setup, and with some tweaks to your ssh config you can seamlessly use it.

My next trick is useful for getting around having your HTTP usage tracked and filtered, this is just taking advantage of the “-D” option within the ‘ssh’ program. When you invoke the -D option, followed with a port number you not only connect to the remote machine via SSH, but you also create a SOCKS proxy server on the port specified. Setting up your browser’s proxy settings to point at that port on your local machine will securely forward any requests over to the remote machine, where they will then go out to their final destination.

When you combine corkscrew with ssh -D, you end up with a single, secure connection through the HTTP proxy to your remote machine with a SOCKS proxy through it. This effectively gives you an easy unfiltered hole through to the outside.

You can also use this trick for getting rsync through a http firewall that might otherwise block it. To accomplish this you just have setup your RSYNC_CONNECT_PROG environment variable to “/path/to/corkscrew %H 873 ”.

Disclaimer: Check with your IT policies before attempting any of the above to make sure its allowed!

Converting to lighttpd and dealing with .htaccess

Andrew Rankin — Fri, 08 May 2009 18:26:23 +0000

I recently switched this server to Lighttpd (using PHP through FastCGI) from Apache. It was easy enough and I ended up with much faster serving websites, unfortunately I hit a snag on one of my sites that extensively uses .htaccess file for rewrites – which Lighttpd does not support. I didn’t want to bail on the whole switch because of a single site, so looked and came up with a simple solution – proxy to Apache through Lighttpd for items on that site (www.350z.ws). In lighttpds config, this was very easy to accomplish:

# Proxy 350z.ws back to apache
$HTTP["host"] =~ "www.3(5|7)0z.ws" {
        $HTTP["url"] !~ "(wp-content|wp-includes|css|js|php$|^/blog/$)" {
                proxy.server = ( "/" =>
                        ( "localhost" =>
                                ( "host" => "127.0.0.1", "port" => 81 )
                        )
                )
        }
}

Note one (obvious) draw back is that you have to run Apache as well, but since I’m stopping most hits at Lighttpd by serving everything in wp-content, wp-includes, anything with css, js or php in the name, I can greatly reduce the number of Apaches I start and maintain. In my case my Apache prefork config looks like this:


    StartServers          3
    MinSpareServers       2
    MaxSpareServers       5
    MaxClients          15
    MaxRequestsPerChild   10

You’ll also notice I’m not proxying the folder where WordPress lives back either, this is because it contains no rewrites for it specifically and will get the majority of the hits.

Ball Dawg! » proxy

Breaking out of a HTTP proxy enviroment

Converting to lighttpd and dealing with .htaccess