reverseproxy using httptunnel

on 05.03.2004 03:40:55 by Jim Duda

I'm trying to use GNU httptunnel
(http://www.nocrew.org/software/httptunnel.html)
behind apache using the reverseproxy feature. Apache version 2.0.48

I have reverseproxy working, as I have another machine behind apache
using this feature serving up html pages properly. Works great.

I have apache running on my firewall. I only have 1 single common port
between my firewall and my client. I only have port 443 to work with.
I'm using port 443 with basic http. I need apache to serve web pages,
but I also need other non-web services. At first, I just want to get
a telnet client working, but hope to migrate to ssh later. I'm aware
of the security issues this imposes. My firewall is set up to only allow
a client connection on port 443 from the allowable location.

My httpd.conf has the following - among other things (-:

Listen 443

ServerName .com
ProxyPass / http://localhost:8888/
ProxyPassReverse / http://localhost:8888/


I run the httptunnel server on the firewall machine.
hts -F localhost:23

I run the httptunnel client on the client side.
htc -F localhost:8000 .com:443

On the client, I issue:
telnet localhost 8000.

On the server, I've used ethereal to watch the traffic.
I see the client open a connection with apache on 443.
I see apache open a connection with the hts server on port 8888.
I see the hts server open a connection on port 23.
I see the client send a POST and GET through apache to
the httptunnel server on port 8888.
The telnet port sends stuff to the httptunnel server port.

The httptunnel server responds to the GET command with
15 bytes using 3 separate TCP packets back to the apache server.

0 (0000 02 .) putline
0 (0000 00 0c ..) putline
0 (0000 ff fd 18 ff fd 20 ff fd 23 ff fd 27 ..... ..#..') putline

I believe these 15 bytes are the beginning of the telnet negotiation.

I never see the 15 bytes come out of the apache server
on the other side of the firewall towards the client. The client
side is stopped waiting for a response.

I've turned on apache debugging and then used the printf debugging approach
and found I'm stuck inside proxy_http.

I get the debug message
"proxy: start body send" in logs/error_log

I'm stuck in proxy_http.c, line 928

    while (ap_get_brigade(rp->input_filters,
                          bb,
                          AP_MODE_READBYTES,
                          APR_BLOCK_READ,
                          conf->io_buffer_size) == APR_SUCCESS)
    {

The ap_get_brigade function never returns, and I'm stuck here.

I get through this loop three times, before the httptunnel stops
sending data, then I'm stuck. The client needs to receive these
bytes and transmit to the server again before the server will send
any more data.

Is what I'm attempting completely whacked?

Can anyone offer any pointers on what to look for next?

I will continue to debug further.

Thanks,

Jim

RE: reverseproxy using httptunnel

on 05.03.2004 14:07:36 by Chris.Conti

If you refer to BUG 19954:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19954
This looks like the issue I was trying to patch. In the current 2.x
codebase, the reverse proxy will effectively cache traffic until it has 8000
bytes to send. According to Jeff Trawick, the caching effect is not an
intended behavior, rather it is a network optimization that just happens to
break tunneling of non-http traffic.

I've been swamped at work for the last few months, and have not had time yet
to rework my proposed patch based on the feedback in the bugzilla report;
but I believe the patch as proposed will solve your immediate issue. Of
course, feel free to rework the patch if you feel up to it!


---------------------------------------------------------
Chris Conti
mailto://cmconti@mindspring.com
mailto://chris.conti@xcellenet.com


If at first you do succeed, try not to look astonished.


-----Original Message-----
From: Jim Duda [mailto:jim@duda.tzo.com]
Sent: Thursday, March 04, 2004 9:41 PM
To: modproxy-dev@apache.org
Subject: reverseproxy using httptunnel


Re: reverseproxy using httptunnel

on 05.03.2004 23:38:35 by Jim Duda

Chris,

Thanks. I installed the patch which you suggested. The
tunnel now works. The performance is sluggish though.
I'm sure it's caused by all the overhead of the GET and POST
operations.

Do you suspect the alternate suggestion might help the performance?

Jim



Re: reverseproxy using httptunnel

on 05.03.2004 23:48:43 by Ian Holsman

have you thought of just opening a dedicated SSH port?
or using a program like tcprelay on your firewall?

I'm sure you've got your system admin's blessing on doing this, so
these two options shouldn't be too much of a drama
(seeing how he's willing for you to tunnel over http anyway)

if you haven't just install a reverse telnet/ssh session on your
destination.

--
Ian Holsman
Director
Network Management Systems
CNET Networks
PH: (61) 3-9857-3742 (Australia)/ 415-344-2608 (USA)

Re: reverseproxy using httptunnel

on 06.03.2004 01:40:26 by Jim Duda

I'm running my client from a location where only ports 80 and 443 are open
and can only carry http traffic. My server cannot listen on port 80, my ISP
blocks port 80. So, the only common denominator I have between my
client (job) and server (home) is port 443. I need to run both web and
telnet-ish (vnc) services. Hence, I need the tunnel through the httpd server.

I'll look into tcprelay.
Thanks,

Jim

