Jump to content

HTTP tunnel: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Tags: Mobile edit Mobile web edit
Reverting edit(s) by 2804:D55:5294:100:4025:C710:9BC0:5378 (talk) to rev. 1177721598 by Dicklyon: Vandalism (RW 16.1)
 
(26 intermediate revisions by 24 users not shown)
Line 1: Line 1:
{{Short description|Links two network-restricted computers}}
'''HTTP tunneling''' is used to create a network link between two computers in conditions of restricted network connectivity including [[Firewall (computing)|firewalls]], [[Network address translation|NAT]]s and [[Access control list#Networking_ACLs|ACL]]s, among other restrictions. The tunnel is created by an intermediary called a [[Proxy server|proxy server]] which is usually located in a [[DMZ (computing)|DMZ]].

'''HTTP tunneling''' is used to create a network link between two computers in conditions of restricted network connectivity including [[Firewall (computing)|firewalls]], [[Network address translation|NAT]]s and [[Access control list#Networking_ACLs|ACL]]s, among other restrictions. The tunnel is created by an intermediary called a [[proxy server]] which is usually located in a [[DMZ (computing)|DMZ]].


Tunneling can also allow communication using a [[Protocol (computing)|protocol]] that normally wouldn’t be supported on the restricted network.
Tunneling can also allow communication using a [[Protocol (computing)|protocol]] that normally wouldn’t be supported on the restricted network.


== HTTP CONNECT method ==
== HTTP CONNECT method ==
The most common form of HTTP tunneling is the standardized [[Hypertext_Transfer_Protocol#Request_methods|HTTP CONNECT]] method.<ref>{{cite IETF|title= Hypertext Transfer Protocol -- HTTP/1.1 |rfc= 2616 |sectionname= Method Definitions, CONNECT |section= 9.9 |page= 56 |last= Fielding |first= R. |date=June 1999 |publisher= [[Internet Engineering Task Force|IETF]] |accessdate= 2010-07-09 }}</ref><ref>{{cite web|title= Upgrading to TLS Within HTTP/1.1 (RFC 2817) |rfc= 2817 |accessdate= 3 July 2011 |url= https://tools.ietf.org/html/rfc2817 }}</ref> In this mechanism, the client asks an HTTP proxy server to forward the [[Transmission Control Protocol|TCP]] connection to the desired destination. The server then proceeds to make the connection on behalf of the client. Once the connection has been established by the server, the proxy server continues to proxy the TCP stream to and from the client. Only the initial connection request is HTTP - after that, the server simply proxies the established TCP connection.
The most common form of HTTP tunneling is the standardized [[Hypertext_Transfer_Protocol#Request_methods|HTTP CONNECT]] method.<ref>{{cite IETF|title= Hypertext Transfer Protocol -- HTTP/1.1 |rfc= 2616 |sectionname= Method Definitions, CONNECT |section= 9.9 |page= 56 |last= Fielding |first= R. |date=June 1999 |publisher= [[Internet Engineering Task Force|IETF]] |accessdate= 2010-07-09 }}</ref><ref>{{cite journal|title= Upgrading to TLS Within HTTP/1.1 (RFC 2817) |year= 2000 |doi= 10.17487/RFC2817 |rfc= 2817 |accessdate= 3 July 2011 |url= https://tools.ietf.org/html/rfc2817 |last1= Khare |first1= R. |last2= Lawrence |first2= S. |doi-access= free }}</ref> In this mechanism, the client asks an HTTP proxy server to forward the [[Transmission Control Protocol|TCP]] connection to the desired destination. The server then proceeds to make the connection on behalf of the client. Once the connection has been established by the server, the proxy server continues to proxy the TCP stream to and from the client. Only the initial connection request is HTTP - after that, the server simply proxies the established TCP connection.


This mechanism is how a client behind an HTTP proxy can access websites using [[Secure Sockets Layer|SSL]] or TLS (i.e. HTTPS). Proxy servers may also limit connections by only allowing connections to the default HTTPS port 443, [[Whitelist|whitelisting]] hosts, or blocking traffic which doesn't appear to be SSL.
This mechanism is how a client behind an HTTP proxy can access websites using [[Secure Sockets Layer|SSL]] or TLS (i.e. HTTPS). Proxy servers may also limit connections by only allowing connections to the default HTTPS port 443, [[Whitelist|whitelisting]] hosts, or blocking traffic which doesn't appear to be SSL.


===Example negotiation===
===Example negotiation===
The client connects to the proxy server and requests tunneling by specifying the port and the host computer it would like to connect to. The port is used to indicate the protocol being requested.<ref name="rfc7231.4.3.6">{{cite IETF |title=HTTP/1.1 Semantics and Content |rfc=7231 |sectionname=CONNECT |section=4.3.6 |page=30 |date=June 2014 |publisher=[[Internet Engineering Task Force|IETF]] |accessdate=4 November 2017 }}</ref>
The client connects to the proxy server and requests tunneling by specifying the port and the host computer to which it would like to connect. The port is used to indicate the protocol being requested.<ref name="rfc7231.4.3.6">{{cite IETF |title=HTTP/1.1 Semantics and Content |rfc=7231 |sectionname=CONNECT |section=4.3.6 |page=30 |date=June 2014 |publisher=[[Internet Engineering Task Force|IETF]] |accessdate=4 November 2017 }}</ref>


<source lang="http">
<syntaxhighlight lang="http">
CONNECT streamline.t-mobile.com:22 HTTP/1.1
CONNECT streamline.t-mobile.com:22 HTTP/1.1
Proxy-Authorization: Basic encoded-credentials
Proxy-Authorization: Basic encoded-credentials
</syntaxhighlight>
</source>


If the connection was allowed and the proxy has connected to the specified host then the proxy will return a 2XX success response.<ref name="rfc7231.4.3.6">{{cite IETF |title=HTTP/1.1 Semantics and Content |rfc=7231 |sectionname=CONNECT |section=4.3.6 |page=30 |date=June 2014 |publisher=[[Internet Engineering Task Force|IETF]] |accessdate=4 November 2017 }}</ref>
If the connection was allowed and the proxy has connected to the specified host then the proxy will return a 2XX success response.<ref name="rfc7231.4.3.6">{{cite IETF |title=HTTP/1.1 Semantics and Content |rfc=7231 |sectionname=CONNECT |section=4.3.6 |page=30 |date=June 2014 |publisher=[[Internet Engineering Task Force|IETF]] |accessdate=4 November 2017 }}</ref>


<source lang="http">
<syntaxhighlight lang="http">
HTTP/1.1 200 OK
HTTP/1.1 200 OK
</syntaxhighlight>
</source>
The client is now being proxied to the remote host. Any data sent to the proxy server is now forwarded, unmodified, to the remote host<ref name="rfc7231.4.3.6">{{cite IETF |title=HTTP/1.1 Semantics and Content |rfc=7231 |sectionname=CONNECT |section=4.3.6 |page=30 |date=June 2014 |publisher=[[Internet Engineering Task Force|IETF]] |accessdate=4 November 2017 }}</ref> and the client can communicate using any protocol accepted by the remote host.
The client is now being proxied to the remote host. Any data sent to the proxy server is now forwarded, unmodified, to the remote host<ref name="rfc7231.4.3.6">{{cite IETF |title=HTTP/1.1 Semantics and Content |rfc=7231 |sectionname=CONNECT |section=4.3.6 |page=30 |date=June 2014 |publisher=[[Internet Engineering Task Force|IETF]] |accessdate=4 November 2017 }}</ref> and the client can communicate using any protocol accepted by the remote host.
In the example below, the client is starting SSH communications as hinted to, by the port number, in the initial CONNECT request.
In the example below, the client is starting SSH communications, as hinted at by the port number in the initial CONNECT request.


SSH-2.0-OpenSSH_4.3\r\n
SSH-2.0-OpenSSH_4.3\r\n
...ggg
...


== HTTP tunneling without using CONNECT ==
== HTTP tunneling without using CONNECT ==
A HTTP tunnel can also be implemented using only the usual HTTP methods as POST, GET, PUT and DELETE. This is similar to the approach used in Bidirectional-streams Over Synchronous HTTP ([[BOSH (protocol)|BOSH]]).
A HTTP tunnel can also be implemented using only the usual HTTP methods as POST, GET, PUT and DELETE. This is similar to the approach used in Bidirectional-streams Over Synchronous HTTP ([[BOSH (protocol)|BOSH]]).


In this {{Citation/make link|https://github.com/luizluca/bridge|proof-of-concept program }}, a special HTTP server runs outside the protected network and a client program is run on a computer inside the protected network. Whenever any network traffic is passed from the client, the client repackages the traffic data as a HTTP request and relays the data to the outside server, which extracts and executes the original network request for the client. The response to the request, sent to the server, is then repackaged as an HTTP response and relayed back to the client. Since all traffic is encapsulated inside normal GET and POST requests and responses, this approach works through most proxies and firewalls.
A special HTTP server runs outside the protected network and a client program is run on a computer inside the protected network. Whenever any network traffic is passed from the client, the client repackages the traffic data as a HTTP request and relays the data to the outside server, which extracts and executes the original network request for the client. The response to the request, sent to the server, is then repackaged as an HTTP response and relayed back to the client. Since all traffic is encapsulated inside normal GET and POST requests and responses, this approach works through most proxies and firewalls.{{efn|{{cite web|title=Bridge: A dynamic port forwarder over HTTP (with HTTP PROXY support) |url=https://github.com/luizluca/bridge |website=[[GitHub]]}}}}


== See also ==
== See also ==
Line 40: Line 42:
* [[Virtual Extensible LAN|Virtual extensible LAN]]
* [[Virtual Extensible LAN|Virtual extensible LAN]]
* [[Network Virtualization using Generic Routing Encapsulation|Network virtualization using generic routing encapsulation]]
* [[Network Virtualization using Generic Routing Encapsulation|Network virtualization using generic routing encapsulation]]

==Notes==
{{notelist}}


==References==
==References==

Latest revision as of 15:06, 12 November 2023

HTTP tunneling is used to create a network link between two computers in conditions of restricted network connectivity including firewalls, NATs and ACLs, among other restrictions. The tunnel is created by an intermediary called a proxy server which is usually located in a DMZ.

Tunneling can also allow communication using a protocol that normally wouldn’t be supported on the restricted network.

HTTP CONNECT method

[edit]

The most common form of HTTP tunneling is the standardized HTTP CONNECT method.[1][2] In this mechanism, the client asks an HTTP proxy server to forward the TCP connection to the desired destination. The server then proceeds to make the connection on behalf of the client. Once the connection has been established by the server, the proxy server continues to proxy the TCP stream to and from the client. Only the initial connection request is HTTP - after that, the server simply proxies the established TCP connection.

This mechanism is how a client behind an HTTP proxy can access websites using SSL or TLS (i.e. HTTPS). Proxy servers may also limit connections by only allowing connections to the default HTTPS port 443, whitelisting hosts, or blocking traffic which doesn't appear to be SSL.

Example negotiation

[edit]

The client connects to the proxy server and requests tunneling by specifying the port and the host computer to which it would like to connect. The port is used to indicate the protocol being requested.[3]

CONNECT streamline.t-mobile.com:22 HTTP/1.1
Proxy-Authorization: Basic encoded-credentials

If the connection was allowed and the proxy has connected to the specified host then the proxy will return a 2XX success response.[3]

HTTP/1.1 200 OK

The client is now being proxied to the remote host. Any data sent to the proxy server is now forwarded, unmodified, to the remote host[3] and the client can communicate using any protocol accepted by the remote host. In the example below, the client is starting SSH communications, as hinted at by the port number in the initial CONNECT request.

SSH-2.0-OpenSSH_4.3\r\n
...

HTTP tunneling without using CONNECT

[edit]

A HTTP tunnel can also be implemented using only the usual HTTP methods as POST, GET, PUT and DELETE. This is similar to the approach used in Bidirectional-streams Over Synchronous HTTP (BOSH).

A special HTTP server runs outside the protected network and a client program is run on a computer inside the protected network. Whenever any network traffic is passed from the client, the client repackages the traffic data as a HTTP request and relays the data to the outside server, which extracts and executes the original network request for the client. The response to the request, sent to the server, is then repackaged as an HTTP response and relayed back to the client. Since all traffic is encapsulated inside normal GET and POST requests and responses, this approach works through most proxies and firewalls.[a]

See also

[edit]

Notes

[edit]
  1. ^ "Bridge: A dynamic port forwarder over HTTP (with HTTP PROXY support)". GitHub.

References

[edit]
  1. ^ Fielding, R. (June 1999). "Method Definitions, CONNECT". Hypertext Transfer Protocol -- HTTP/1.1. IETF. p. 56. sec. 9.9. doi:10.17487/RFC2616. RFC 2616. Retrieved 2010-07-09.
  2. ^ Khare, R.; Lawrence, S. (2000). "Upgrading to TLS Within HTTP/1.1 (RFC 2817)". doi:10.17487/RFC2817. RFC 2817. Retrieved 3 July 2011. {{cite journal}}: Cite journal requires |journal= (help)
  3. ^ a b c "CONNECT". HTTP/1.1 Semantics and Content. IETF. June 2014. p. 30. sec. 4.3.6. doi:10.17487/RFC7231. RFC 7231. Retrieved 4 November 2017.