[nanomsg] Re: off topic: traversing http firewalls

  • From: Alex Elsayed <eternaleye@xxxxxxxxx>
  • To: nanomsg@xxxxxxxxxxxxx
  • Date: Thu, 26 Feb 2015 12:49:43 -0800

[Reverse] SSH tunneling does work, but it's not an ideal solution - 
especially here, where the whole issue is getting past an HTTP proxy.

First, you're multiplexing streams over a single stream, and the head-of-line blocking has nasty effects on latency.

Second, TCP over TCP specifically is nasty unless you use a delay-based 
congestion control algorithm, as the lower TCP will never lose a packet from 
the upper TCP - resulting in something that converges on approximating an 
infinite-RTT zero-drop connection (as the lower TCP will throttle back, but 
the upper TCP will never see a congestion signal, so it'll increase the 
window - the upper TCP's expectation of bandwidth instead becomes a massive 
latency penalty from the lower TCP).

Third, if you're doing SSH over an HTTP proxy via Corkscrew or another 
method, that's yet another layer of such things, which only exacerbates the 
problem.

George Lambert wrote:

> Reverse SSH Tunneling
> 
> Have you ever wanted to ssh to your Linux box that sits behind NAT?
> Now you can with reverse SSH tunneling. This document will show you
> step by step how to set up reverse SSH tunneling. The reverse SSH
> tunneling should work fine with Unix like systems.
> 
> Let's assume that Destination's IP is 192.168.20.55 (Linux box that
> you want to access).
> 
> You want to access from Linux client with IP 138.47.99.99.
> 
> Destination (192.168.20.55) <- |NAT| <- Source (138.47.99.99)
> 
> 1. SSH from the destination to the source (with public ip) using command
> below:
> 
> ssh -R 19999:localhost:22 sourceuser@138.47.99.99
> 
> * port 19999 can be any unused port.
> 
> 2. Now you can SSH from source to destination through SSH tunneling:
> 
> ssh localhost -p 19999
> 
> 3. 3rd party servers can also access 192.168.20.55 through Destination
> (138.47.99.99).
> 
> Destination (192.168.20.55) <- |NAT| <- Source (138.47.99.99) <- Bob's
> server
> 
> 3.1 From Bob's server:
> 
> ssh sourceuser@138.47.99.99
> 
> 3.2 After the successful login to Source:
> 
> ssh localhost -p 19999
> 
> * the connection between destination and source must be alive at all times.
> 
> Tip: you may run a command (e.g. watch, top) on Destination to keep
> the connection active.
> 
> 
> On Wed, Feb 25, 2015 at 6:28 PM, Alex Elsayed
> <eternaleye@xxxxxxxxx> wrote:
>> Jason E. Aten wrote:
>>
>>> Only tangentially related to nanomsg:
>>>
>>> What do you guys use to go through http-only (port 80) firewalls?
>>>
>>> I'd like to find a golang library capable of tunneling ssh through an
>>> http firewall. I'm not worried about https, but strictly http.
>>>
>>> There must be some library already available/recommended?
>>>
>>> Thanks!
>>>
>>> Jason
>>
>> Corkscrew is a general tool for getting arbitrary TCP across HTTP/HTTPS
>> proxies: https://en.wikipedia.org/wiki/Corkscrew_%28program%29
>>
>> The wiki page also lists two alternatives that function in a similar
>> manner.
>>
>>
> 
> 
> 
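The TCP-over-TCP effect described in the reply above, as an added toy model (constructed here, not code from the thread or from nanomsg): the assumptions are a bottleneck that forwards CAPACITY segments per tick, one tick per RTT, and a simplified AIMD (halve on loss, otherwise grow by one) for both the direct sender and the two nested senders. The direct sender's window stays bounded because drops reach it; the tunnelled upper sender never sees a drop, so its window keeps growing and the lower TCP's send queue, and with it the queueing delay, grows without bound.

```python
CAPACITY = 10  # segments the bottleneck forwards per tick (one tick = one RTT); constructed value


def link(offered):
    """Bottleneck link: forwards up to CAPACITY segments this tick, drops the rest."""
    return min(offered, CAPACITY), max(0, offered - CAPACITY)


def aimd(cwnd, dropped):
    """Loss-based congestion control: halve the window on loss, otherwise grow by one."""
    return max(1, cwnd // 2) if dropped else cwnd + 1


def direct_tcp(ticks=200):
    """A sender on the bottleneck directly: each drop is a congestion signal it reacts to."""
    cwnd, peak = 1, 1
    for _ in range(ticks):
        _delivered, dropped = link(cwnd)
        cwnd = aimd(cwnd, dropped)
        peak = max(peak, cwnd)
    # Nothing queues in front of the link, so the delay stays one RTT.
    return {"cwnd": cwnd, "peak_cwnd": peak, "queued": 0}


def tcp_over_tcp(ticks=200):
    """The same sender carried inside a lower TCP (the SSH/Corkscrew tunnel case)."""
    upper, lower, queue = 1, 1, 0
    for _ in range(ticks):
        queue += upper                         # upper TCP hands its whole window to the tunnel
        delivered, dropped = link(min(queue, lower))
        queue -= delivered                     # dropped segments stay queued: lower TCP retransmits them
        lower = aimd(lower, dropped)           # only the lower TCP sees the loss and backs off
        upper += 1                             # upper TCP never sees a loss, so it keeps growing
    return {
        "upper_cwnd": upper,
        "lower_cwnd": lower,
        "queued": queue,
        "queue_delay_ticks": queue / CAPACITY,  # RTTs a new upper segment waits in the tunnel
    }


if __name__ == "__main__":
    print("direct TCP:   ", direct_tcp())
    print("TCP over TCP: ", tcp_over_tcp())
```

The direct sender oscillates between a window of 5 and 11 segments; after 200 ticks the tunnelled sender's window has reached 201 with 18550 segments waiting in the lower TCP, roughly 1855 RTTs of queueing delay.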