Introduction: What is desproxy for?

Desproxy is a TCP tunnel for HTTP proxies.

HTTP proxies are network servers that are used to give HTTP (web) access to computers that are not connected to the Internet. This is a typical scenario in corporate networks and recently in home networks too. HTTP proxies connect to the Internet either directly or via a parent proxy (which in fact connects to the Internet directly or via another parent proxy, and so on...)

HTTP clients (web browsers) use HTTP proxies to request web pages; the HTTP server just forwards those request to the destination server. All the negotiation is done via the HTTP protocol, which is designed just to carry HTTP requests and no generic (TCP/IP) traffic. That is why you can't (normally) use Internet applications beside your web server if you are behind a HTTP proxy.

That is what desproxy is good for. Desproxy is a TCP tunnel, which means desproxy can forward TCP/IP traffic via a HTTP proxy. Desproxy uses a HTTP/1.1 method (CONNECT) to establish TCP/IP connections on demand. CONNECT is used for SSL connections when accessing to secure sites, so if you can access sites that support SSL (www.hotmail.com for example) you can use desproxy.

Note I recall TCP/IP traffic.

Not all IP (Internet) traffic is just TCP/IP. In fact there are two more protocols widely used in the Internet not supported by desproxy: UDP and ICMP:

• ICMP is used to manage large IP networks. The only application using ICMP you may miss is ping.

• UDP is an unreliable connection-less fast transport protocol, mostly used in network games and other applications that need low latency network traffic. Notably DNS uses UDP packets for fast delivery.

Will desproxy work with my HTTP proxy?

Short answer: just give it a try

Long answer: desproxy should work with every HTTP proxy, with the following exceptions:

• MS Proxies with NTLM authentication. NTLM is a proprietary authentication method from Microsoft, not a standard authentication method. Maybe in the future desproxy will support NTLM authentication, but currently it doesn't.

• HTTP/1.0 Proxies. Desproxy needs the CONNECT method, which is only available from HTTP/1.1 protocol version. It's very unlikely your proxy doesn't accept HTTP/1.1 requests.

• HTTP/1.1 Proxies without the CONNECT method. Maybe your network administrator deactivated CONNECT support in the proxy, or maybe CONNECT is restricted to the HTTPS port (443).

Assumptions

Let's assume the following:

• your HTTP proxy host name is "proxy" and its address is "192.0.0.1"

• your HTTP proxy port is "8080"

• your HTTP proxy doesn't need authentication. It case you need HTTP authentication, please read this.

• your system console will be:

  • MS/DOS box if you are running Windows 95, Windows 98, or Windows ME

  • Windows NT command shell if you are running Windows NT, Windows 2000 or Windows XP

  • A terminal (xterm, the console or a virtual terminal) if you are running Linux, *BSD or other UN*X

About connections

Imagine you need a network application that uses only one TCP/IP connection with just one server. That's the case of IRC in which you connect to an IRC server or ssh where you tipically connect just to one UNIX computer at a time. That's what I called a "static connection".

Of course that's not the case of a web browser or a file sharing program, both of them doing several connections at a time to different computers. That's what I call "dynamic connections".

Static connections examples

How to use desproxy to...

...connect to IRC

Suppose you want to connect to IRC using irc.undernet.org port 6667 as your IRC server. First you have to start a system console (see Assumptions above for details) and type

desproxy irc.undernet.org 6667 proxy 8080 1080

That should start desproxy, giving you the copyright notice along with some information. The following is a screen capture from desproxy 0.0.23

-----------------------------------
desproxy                     0.0.23

(c) Miguelanxo Otero Salgueiro 2001

This release brought to you patched
by Rutger Nijlunsig.

See RutgerWork.txt in documentation
for details about new features.

Great work guy!
-----------------------------------

TCP port 1080 Binded & Listening
Press ENTER to Quit

Desproxy reports it is listening in local port 1080 ready for a connection.

Open your favourite IRC client (install it first ;D) and connect to 127.0.0.1 port 1080 as your irc server (127.0.0.1 is a virtual IP, always referencing to your local machine). Then, your IRC client should connect to desproxy. It looks like

Connection request from 127.0.0.1, port 1220
Connecting to http proxy (proxy:8080)
Bidirectional connection established

Then you should be able to use your IRC client as if you were directly connected to irc.undernet.org.

Some Screenshots:

• mirc & desproxy in Windows 98. 800x600 png file (150K).

• Xchat & desproxy in Linux. 800x600 png file (93K).

...log in a computer using ssh

Suppose you have a shell account in a computer that supports secure connections via ssh. Let's assume it's called shell.corporate.com. SSH uses port number 22 by default. So start a new system console and type:

desproxy shell.corporate.com 22 proxy 8080 1080

Then, tell your ssh client to connect to localhost (127.0.0.1) port 1080 and you should get a ssh password prompt!

Some Screenshots:

• putty (ssh) & desproxy in Windows 98. 800x600 png file (127K). Note the configuration window: ssh is selected, port is set to 1080.

• ssh & desproxy in Linux. 800x600 png file (226K). Note the command option "-p 1080" telling ssh to use port 1080 (where desproxy is listening) instead of the default port 22.

...use other static clients

Let's assume you want to use network application X, which doesn't support HTTP proxies but use one TCP/IP connection (like IRC and SSH). To make X work with desproxy, you just have to do the following:

• Search for the default port of that application:

  • ftp: 21

  • ssh: 22

  • telnet: 23

  • smtp: 25

  • ...

• Search for the default server of that application (if there is one)

  • AIM: toc.oscar.aol.com (port 21)

  • ICQ: icq.mirabilis.com (port 4000)

  • Yahoo messenger: cs.yahoo.com (port 5050)

  • MSN Messenger: messenger.hotmail.com (port 1863)

  • ...

• Start desproxy, passing that info as command line parameters. The format is

  desproxy remote_host remote_port proxy_host proxy_port local_port

  Just give a local_port of your desire, but always over 1023, cause lower ports may need administrator privileges.

Using desproxy with dynamic connections

You can see that for every application that needs to be un-proxyzed you have to start a desproxy program. That is OK if you are using irc, ssh or other application that always connects to the same server. But if you need to dynamically establish TCP connections it's impossible to follow that path.

That's why I wrote desproxy-socks5server. Desproxy-socks5server is just a desproxy implementation of a Socks 5 Server. A Socks 5 Server is like a "TCP proxy": you just request a TCP connection and the Socks 5 Server does the work for you.

Of course, client applications need to have support for Socks 5 Server. If your application lacks Socks 5 support, you can use desproxy-socks4server instead, given it has Socks 4 support.

If the application lacks any Socks support, and needs dynamic connections, you can't do anything: it won't work behind the HTTP proxy.

Using desproxy-socksXserver (X being 4 or 5) is very easy: you only have to start a system console and type:

desproxy-socks4server proxy 8080 1080

or

desproxy-socks5server proxy 8080 1080

Here I'm assuming "proxy" and "8080" to be your proxy name and port.

That should start the Socks server. Then you have to tell your application to use Socks server "127.0.0.1" port "1080". Just see in the proxy configuration and look for "Socks Server" adjustments.

That is not all, unfortunately. Beside having your Socks server up you need DNS access. Of course if you don't have DNS access, you just have to use desproxy-dns. So let's see the two scenarios

DNS for dynamic connections

Direct DNS access

If you have direct DNS access then you don't need to do anything else. You know you have direct DNS access if you can resolve host names to IP addresses. To test DNS just start a system console and type

ping www.hotmail.com

Of course, you can't ping anything outside the proxy, but ping should display the IP address of hotmail, if it can resolve it. Ping should display something like

Pinging www.hotmail.com [64.4.43.7] with 32 bytes of data

if you are using MS Windows, or

PING www.hotmail.com (64.4.43.7): 56 data bytes

if you are running Linux, *BSD or UN*X.

Ping should also complain about losing all the packets. OK, that's as it should be. If ping displays "unknown host www.hotmail.com" try a different one, like "www.yahoo.com" or "www.sun.com". It that three displayed "unknown host" then you don't have DNS access.

No DNS access

If you don't have DNS access you have to do two things:

• Search for a public accessible DNS server IP address

  Let's assume you find one (195.196.180.14).

• Start desproxy-dns

  Open another system console and type

  desproxy-dns 195.196.180.14 proxy 8080

After that you will have a DNS server running in your computer.

NOTE: as desproxy-dns listens in port 53 (which is less than 1024) you may need administrator privileges to exec desproxy-dns (in fact if you are running UN*X, you actually have to run desproxy-dns as root).

OK, so you have a dns server accessible now. But your computer doesn't know anything about that. You must configure your network accordingly (again, need to be root in UN*X).

In Windows just go to Control Panel-> Network-> TCP/IP -> Network Adapter-> Properties-> DNS Configuration. Select "Activate DNS" and add "127.0.0.1" as a DNS server. Then restart. Test the ping again. Works? OK!

• Here is a screenshot (800x600 png file) of my Windows 98 DNS configuration for desproxy-dns. Note the server "127.0.0.1" added to the list.

In UN*X just edit /etc/resolv.conf and add the line "nameserver 127.0.0.1". You don't have to restart anything. Just test ping and see if it works.

• Here is a screenshot (800x600 png file) of my Linux desktop with an open desproxy-dns and a ping test. Notice the test ping: the first one failed cause desproxy-dns still was not running. Notice also the word HIDDEN that was added to the picture to hide my personal settings for dns servers. Just surf the web to find some!

Dynamic connections examples

How to use desproxy to...

...instant message anyone

Just remember to get a DNS server (directly or using desproxy-dns) see above. Then, start a socks4server

desproxy-socks4server proxy 8080 1080

You could start desproxy-socks5server, but some applications refuse to work with Socks 5 (MS Internet Explorer for example) and the Socks 4 Version is faster.

Remember to leave blank the username and password fields in the client Socks configuration: desproxy does all the work, in case your HTTP proxy needs authentication.

Get your favourite Instant Messaging program and configure it to use Socks 5 Server "127.0.0.1" port "1080". Then, log in and have fun!

Some screenshots showing configuration:

• desproxy & MSN Messenger

• desproxy & America Online AIM

• desproxy & everybuddy.

Everybuddy is an Instant Messaging program supporting AIM, MSN Messenger, Jabber and other protocols, for Linux. This is a screenshot showing dns & socks4-server windows along with everybuddy.

...share files

Again, the same applies for DNS. Remember to start a desproxy-socks4server, configure your program and go!

Screenshots:

• desproxy, Audiogalaxy & WinMX. You can see WinMX showing Ready Status and Audiogalaxy showing three transfers (incoming, outgoing & connection setting). As you can see, everything works as if you were directly connected to the Internet!.

• desproxy & gtk-gnutella. Gtk-gnutella is a Linux client for the gnutella network protocol.

About HTTP Authentication

Some HTTP proxies need for security reasons a method of checking client's identity. That's called HTTP authentication (or HTTP authorization).

Despoxy now supports Basic HTTP authentication. If your proxy needs other kind of authentication (either Digest or NTLM) desproxy won't work.

For desproxy to work with a HTTP proxy that needs authentication, you have to tell desproxy which username and password to use. Desproxy reads the environment variable PROXY_USER to get that info.

Suppose your proxy username is "mayka" and your proxy password is "007sgotLTK". Then, before using any of the desproxy programs you should type:

set PROXY_USER=mayka:007sgotLTK

in your system console.

Beware passwords can include some characters that should be escaped from the system console. For example, if your password is "moon!=sun", and you are running Linux, you should type

export PROXY_USER=yourusername:moon\!\=sun

Note characters "!" and "=" are escaped using the backslash "\". If you are running MS Windows, as long as I know, you don't have to escape any valid password character.

Troubleshooting

A normal desproxy session looks like this:

miguel@Kosmos3000$ desproxy 127.0.0.1 21 127.0.0.1 4480 2222

-----------------------------------
desproxy                      0.0.8

HTTP/1.1
(c) Miguelanxo Otero Salgueiro 2001
-----------------------------------

Listening on port 2222
Connection request from 127.0.0.1, port 1227
Connecting to http proxy (127.0.0.1:4480)
Bidirectional connection stablished
(127.0.0.1:21) <-> (localhost)
End of connection.

Here, I connected to my local ftp server (127.0.0.1:21) using my local proxy (127.0.0.1:4480). You can see how, after the connection is accepted, desproxy connected to the proxy, interchanged some bytes (a FTP session) and terminates the connection.

Desproxy is quite self explanatory about errors. Desproxy-inetd is far more obscure, because the way inetd uses it (can't print error messages) to the console.

Basically there are two kind of errors:

• Errors reported when connecting to the proxy: the http page showing the error is displayed.

• Every other error: a short error message is displayed.

Errors reported by proxy may be the worse...

Some common HTTP errors (as reported by the proxy)

• HTTP 400 Bad Request - Some versions of desproxy (0.0.21) cause this error (FATAL)

• HTTP 403 Forbidden - Forbidden to do that (FATAL)

• HTTP 404 Not Found - Page not found, or resource not found (MINOR)

• HTTP 405 Method not Allowed - Can't do CONNECT method (FATAL)

• HTTP 500 Internal Server Error - Maybe you're trying to connect to a remote closed port (remote site reported connection refused) (MINOR)

• HTTP 503 Service Unavailable -> The proxy can't reach the site (MINOR)

• HTTP 505 HTTP Version Not Supported - CONNECT method not available (FATAL)

• HTTP 502 Bad Gateway - Stands for "DNS lookup error" (MINOR)

(FATAL) - Forget about using "desproxy", you can't surpass the proxy.
(TODO) - To do, not yet implemented.
(MINOR) - Temporary fault or maybe YOUR fault!.