What is this post about?

Recently I have been playing with setting up a TCP proxy server, and with wrapping plain TCP traffic in SSL/TLS and tunneling it through a forward proxy.
socatでTCPプロキシサーバーを立てる - CLOVER🍀 (Building a TCP proxy server with socat)
stunnelを使って、バックエンドにSSL/TLS通信しつつ、フォワードプロキシ越しにアクセスする - CLOVER🍀 (Using stunnel to talk SSL/TLS to a backend through a forward proxy)
It occurred to me that I had not yet tried the pattern where a TCP proxy forwards its connections through a forward proxy, so I gave it a try.

The TCP proxy is a combination of the socat and nc commands; the forward proxy is Apache.
Environment

This is the environment used here: Ubuntu Linux 18.04 LTS.

$ uname -srvmpio
Linux 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.4 LTS
Release:        18.04
Codename:       bionic
Four hosts are involved:

- 192.168.33.1 ... client (curl / telnet)
- 192.168.33.10 ... TCP proxy
- 192.168.33.11 ... forward proxy (Apache)
- 192.168.33.12 ... echo server
The echo server sits at the far end. The client connects to the TCP proxy server, which relays the connection through the forward proxy using HTTP CONNECT to reach the echo server at the back.
Echo server

First, the echo server at the far end. We'll build it with socat.

Install socat.
$ sudo apt install socat
Version:

$ socat -V
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.3.2 on Apr  4 2018 10:06:49
   running on Linux version #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020, release 4.15.0-96-generic, machine x86_64
features:
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_UNIX 1
  #define WITH_ABSTRACT_UNIXSOCKET 1
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #define WITH_INTERFACE 1
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_LISTEN 1
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_EXEC 1
  #undef WITH_READLINE
  #define WITH_TUN 1
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #define WITH_LIBWRAP 1
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/
The echo server is implemented with the cat command: socat listens on TCP port 5000 and hands each connection to cat, which writes back whatever it reads, so the result is an echo server.
$ socat tcp-listen:5000,fork,reuseaddr exec:/bin/cat
Check it locally.

$ curl telnet://localhost:5000
Hello World!!
Hello World!!
foo
foo
bar
bar

The echo server is ready.
Forward proxy server (Apache)

Next, the forward proxy server. It is Apache, so install Apache.
$ sudo apt install apache2
Enable mod_proxy and mod_proxy_connect.
$ sudo a2enmod proxy proxy_connect
The forward proxy configuration looks like this.

/etc/apache2/sites-enabled/000-default.conf

Listen 8080

<VirtualHost *:8080>
    ProxyRequests On
    ProxyVia On
    AllowCONNECT 443 5000

    <Proxy *>
        Require host localhost
        Require ip 192.168.33.0/24
    </Proxy>

    ErrorLog ${APACHE_LOG_DIR}/proxy_error.log
    CustomLog ${APACHE_LOG_DIR}/proxy_access.log combined
</VirtualHost>
The echo server listens on port 5000, so that port is added to AllowCONNECT (without the directive, mod_proxy_connect only permits CONNECT to 443 and 563). Access is also limited to localhost and hosts on the same subnet; a virtual host with ProxyRequests On and no such <Proxy> restriction is an open proxy.

Restart Apache, and the proxy is ready.
$ sudo systemctl restart apache2
Setting up the TCP proxy server

Finally, the TCP proxy server. How do we implement it?

With the nc command. The -X option selects the protocol to use when going through a proxy, so we pass "connect", and the -x option names the proxy server, which here is Apache. The last two arguments are the host and port of the backend echo server.
First, a check in this form.

$ echo 'Hello World!!' | nc -Xconnect -x192.168.33.11:8080 192.168.33.12 5000
Hello World!!

The result came back.

The Apache access log confirms that the connection went through HTTP CONNECT.
192.168.33.10 - - [12/Apr/2020:05:37:25 +0000] "CONNECT 192.168.33.12:5000 HTTP/1.0" 200 90 "-" "-"
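For reference, here is what nc -Xconnect is doing on the wire, as an added example (this is not code from the original post). It sends a single CONNECT request line for the target host:port, and only a 2xx status line from the proxy means the TCP tunnel is open; the access-log line above is that request as Apache recorded it. The addresses are the lab hosts of this post, assumed for the illustration.

```shell
#!/bin/sh
# Manual HTTP CONNECT through the Apache forward proxy.
# Added example; not code from the original post. It reproduces what
# "nc -Xconnect" does so the access-log line can be read against it.
# Addresses below are the post's lab hosts, assumed for this illustration.

# The request nc sends: one CONNECT line for host:port, CRLF line endings,
# and an empty line that ends the headers. Nothing else is needed for HTTP/1.0.
connect_request() {
  printf 'CONNECT %s:%s HTTP/1.0\r\n\r\n' "$1" "$2"
}

# The proxy answers with a status line; only a 2xx means the tunnel is open.
# Apache returns 403 when the port is not listed in AllowCONNECT or the
# client fails the <Proxy> Require rules, so check the code before sending data.
connect_status() {
  status=$(printf '%s' "$1" | tr -d '\r' | awk '{print $2}')
  case "$status" in
    2[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Open the tunnel with a plain nc (no -X/-x) and relay stdin through it.
# The proxy's status line and blank line arrive first on stdout, followed by
# whatever the echo server sends back.
manual_tunnel() {
  { connect_request "$3" "$4"; cat; } | nc "$1" "$2"
}

# Usage (from the client host in the post's layout):
#   echo 'Hello World!!' | manual_tunnel 192.168.33.11 8080 192.168.33.12 5000
```

When run against the lab, the first line printed is the proxy's "HTTP/1.0 200 Connection Established", then the blank line, then the echoed "Hello World!!"; a 403 at that point means the port or the client address was rejected by the Apache rules, which is exactly the check worth making before trusting a tunnel.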
Now we want to turn this into a daemon, but when nc is given the -l option to listen and the -k option to accept multiple connections, it tells us that proxy support cannot be combined with listening.

$ nc -l -k -Xconnect -x192.168.33.11:8080 192.168.33.12 5000
nc: no proxy support for listen
So what now? The idea: let socat accept the connections and hand each one to nc. Install socat.
$ sudo apt install socat
Try it right away, with the nc command given to exec.
$ socat tcp-listen:8000,fork,reuseaddr exec:'/bin/nc -Xconnect -x192.168.33.11:8080 192.168.33.12 5000'
But when a client connects in this state, socat complains that exec received too many parameters.
2020/04/12 05:55:56 socat[2487] E "exec:/bin/nc -Xconnect -x192.168.33.11": wrong number of parameters (2 instead of 1)
The "2 instead of 1" comes from socat's address syntax: parameters of an address are separated by colons, so the ":8080" in the proxy address is taken as a second parameter to exec rather than as part of the command line. The simple fix is to move the nc command into a shell script so that no colon appears in the socat address.

echo-proxy.sh

#!/bin/bash
nc -Xconnect -x192.168.33.11:8080 192.168.33.12 5000

Make the script executable (chmod +x echo-proxy.sh), pass it to exec, and start socat.
$ socat tcp-listen:8000,fork,reuseaddr exec:'./echo-proxy.sh'
Connect from the client. This time it works.

$ curl telnet://192.168.33.10:8000
Hello World!!
Hello World!!
foo
foo
bar
bar

Check the Apache access log as well.
192.168.33.10 - - [12/Apr/2020:05:57:47 +0000] "CONNECT 192.168.33.12:5000 HTTP/1.0" 200 90 "-" "-"
So the goal is achieved.

Note that this socat server binds to every network interface and is reachable from anywhere, so restrict access with firewalld or similar (socat's own listen options bind= and range= can narrow it as well).

$ ss -tnl | grep 8000
LISTEN   0   5   0.0.0.0:8000   0.0.0.0:*
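The post's own access-control answer is a host firewall. As an added example (not the original post's echo-proxy.sh), the launcher below uses socat's listen options instead: bind= pins the listener to one address and range= drops peers outside a network. It also keeps the proxy host:port out of the socat address entirely (that colon is what broke the direct exec attempt) by passing it through the environment to a child invocation of the same script. Every address and port is the lab value from this post, taken as an assumption; override them with environment variables.

```shell
#!/bin/sh
# echo-proxy-hardened.sh: socat listener and nc CONNECT client in one script.
# Added example; not the original post's echo-proxy.sh. Addresses are
# assumptions matching the post's lab (override with environment variables).
LISTEN_ADDR="${LISTEN_ADDR:-192.168.33.10}"         # LAN address only, not 0.0.0.0
LISTEN_PORT="${LISTEN_PORT:-8000}"
ALLOWED_RANGE="${ALLOWED_RANGE:-192.168.33.0/24}"   # peers outside this range are dropped
PROXY="${PROXY:-192.168.33.11:8080}"                # Apache forward proxy (host:port)
TARGET_HOST="${TARGET_HOST:-192.168.33.12}"         # echo server behind the proxy
TARGET_PORT="${TARGET_PORT:-5000}"

# True if $1 is a TCP port number in 1..65535.
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# socat listen address: bind= restricts the interface, range= the client network.
# Arguments: bind address, port, allowed range.
listen_address() {
  printf 'tcp-listen:%s,bind=%s,range=%s,fork,reuseaddr' "$2" "$1" "$3"
}

# Validate the configuration; returns non-zero with a message on the first bad value.
check_config() {
  is_port "$LISTEN_PORT" || { echo "bad LISTEN_PORT: $LISTEN_PORT" >&2; return 1; }
  is_port "$TARGET_PORT" || { echo "bad TARGET_PORT: $TARGET_PORT" >&2; return 1; }
  case "$PROXY" in *:*) ;; *) echo "PROXY must be host:port: $PROXY" >&2; return 1 ;; esac
  # The script path goes into socat's exec: address, so it must not contain ':' either.
  case "$0" in *:*) echo "script path must not contain ':'" >&2; return 1 ;; esac
  return 0
}

# Parent: run socat; each accepted connection re-runs this script in "child" mode.
# The exec: address holds only the script path and one word, so no ':' reaches
# socat's parser; the child inherits PROXY and TARGET_* from the environment.
start_listener() {
  check_config || exit 1
  exec socat "$(listen_address "$LISTEN_ADDR" "$LISTEN_PORT" "$ALLOWED_RANGE")" \
       exec:"$0 child"
}

# Child: open the HTTP CONNECT tunnel through the proxy and relay stdin/stdout.
run_child() {
  exec nc -Xconnect -x"$PROXY" "$TARGET_HOST" "$TARGET_PORT"
}

case "${1:-}" in
  start) start_listener ;;
  child) run_child ;;
  *) echo "usage: $0 start|child" >&2 ;;
esac
```

Start it with `./echo-proxy-hardened.sh start` (or an absolute path in a systemd ExecStart=); ss then shows the listener on 192.168.33.10:8000 rather than 0.0.0.0:8000, and a connection from outside 192.168.33.0/24 is closed by socat before nc is ever started. The firewall rule remains worthwhile as a second layer; the point here is that the exposure is reduced at the socket itself.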
Bonus: integrating with systemd

Finally, let's register the TCP proxy server we built with systemd.

Create a service unit file with as minimal a configuration as possible. (It runs as root here for simplicity; nothing in it needs root, since port 8000 is unprivileged, so a dedicated unprivileged account in User= and Group= is the safer choice.)
/etc/systemd/system/echo-proxy.service
[Unit]
Description=echo proxy
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=root
Group=root
ExecStart=/usr/bin/socat tcp-listen:8000,fork,reuseaddr exec:'/home/vagrant/echo-proxy.sh'

[Install]
WantedBy=multi-user.target

Enable it.
$ sudo systemctl enable echo-proxy
With that, it can be started through systemd.
$ sudo systemctl start echo-proxy