HTTP tunnel
HTTP Tunneling is a technique by which communications performed using various network protocols are encapsulated using the HTTP protocol, the network protocols in question usually belonging to the TCP/IP family of protocols. The HTTP protocol therefore acts as a wrapper for a channel that the network protocol being tunneled uses to communicate.

The HTTP stream with its covert channel is termed an HTTP Tunnel.

HTTP Tunnel software consists of client-server HTTP Tunneling applications that integrate with existing application software, permitting them to be used in conditions of restricted network connectivity including firewalled networks, networks behind proxy servers, and NATs.

Usage

An HTTP Tunnel is used most often as a means for communication from network locations with restricted connectivity – most often behind NATs, firewalls, or proxy servers, and most often with applications that lack native support for communication in such conditions of restricted connectivity. Restricted connectivity in the form of blocked TCP/IP ports, blocking traffic initiated from outside the network, or blocking of all network protocols except a few is a commonly used method to lock down a network to secure it against internal and external threats.

Mechanism

The application that wishes to communicate with a remote host opens an HTTP connection to a mediator server, which acts as a relay of communications to and from the remote host. The application then communicates with the mediator server using HTTP requests, encapsulating the actual communications within those requests. The mediator server is required to be in a network location with sufficiently unrestricted connectivity.

The mediator server unwraps the actual data before forwarding it to the remote host in question. Symmetrically, when it receives data from the remote host, it wraps it in the HTTP protocol before sending it as part of an HTTP response to the application.

In this situation, the application plays the role of a Tunneling Client, while the remote host plays the role of the server being communicated with.

HTTP CONNECT Tunneling

A variation of HTTP tunneling when behind an HTTP Proxy Server is to use the "CONNECT" HTTP method.

In this mechanism, the client asks an HTTP Proxy server to forward the TCP connection to the desired destination using the "CONNECT" HTTP method. The server then proceeds to make the connection on behalf of the client. Once the connection has been established by the server, the Proxy server continues to proxy the TCP stream to and from the client. Note that only the initial connection request is HTTP - after that, the server simply proxies the established TCP connection.

This mechanism is how a client behind an HTTP proxy can access websites using SSL (i.e. HTTPS).

Not all HTTP Proxy Servers support this feature, and even those that do may limit the behaviour (for example only allowing connections to the default HTTPS port 443, or blocking traffic which doesn't appear to be SSL).
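As an added example (not part of the original article), the proxy-side view of the two restrictions just described: parsing the CONNECT request line, applying a port allow-list that only admits 443, and checking that the tunneled stream opens with a TLS ClientHello before letting it continue. The request lines and byte strings are constructed samples, not captured traffic.

```python
import re

# Request line a client sends to an HTTP proxy to open a tunnel, e.g.
# "CONNECT example.com:443 HTTP/1.1"; host may be a name, IPv4, or [IPv6].
CONNECT_RE = re.compile(
    r"^CONNECT\s+(\[[0-9A-Fa-f:.]+\]|[^\s:\[\]]+):(\d{1,5})\s+HTTP/1\.[01]$")

# Policy from the article: only allow tunnels to the default HTTPS port.
ALLOWED_PORTS = {443}

# Constructed sample payloads: the first bytes a client writes once the
# proxy has answered 200 (a TLS 1.x ClientHello header, and an SSH banner).
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.0\r\n"


def parse_connect(request_line: str):
    """Return (host, port) for a well-formed CONNECT request line, else None."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    port = int(m.group(2))
    if not 0 < port < 65536:
        return None
    return m.group(1), port


def connect_response(request_line: str, allowed_ports=ALLOWED_PORTS) -> str:
    """Status the proxy answers with, after applying the port allow-list."""
    target = parse_connect(request_line)
    if target is None:
        return "400 Bad Request"
    _, port = target
    if port not in allowed_ports:
        return "403 Forbidden"
    return "200 Connection Established"


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), major version 0x03, 2-byte
    length, then handshake type 0x01 (ClientHello)."""
    return (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01)


def should_close_tunnel(first_bytes: bytes) -> bool:
    """Second restriction from the article: tear down a tunnel on port 443
    whose first record does not look like TLS (e.g. an SSH banner)."""
    return not looks_like_tls_client_hello(first_bytes)
```

A real proxy would apply the ClientHello check on the first bytes read from the client after sending the 200 response, since the CONNECT request itself carries no payload.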

HTTP Tunneling without using CONNECT

In some networks, the use of the CONNECT method is restricted to a few trusted sites. In these cases, an HTTP tunnel can be implemented using only the usual HTTP methods such as POST, GET, PUT and DELETE. This is similar to the approach used in Bidirectional-streams Over Synchronous HTTP (BOSH).

In this approach, a server runs outside the protected network and acts as a normal HTTP server. A client program inside the protected network starts up and listens for incoming connections on some local port. When a new connection is received on this local port, the client program communicates with the HTTP server through the HTTP proxy or firewall and requests a connection to a predefined destination. All traffic is encapsulated inside normal GET and PUT requests.

HTTP Tunnel Clients

There are several free/open-source, and commercial HTTP Tunneling client applications that allow even applications that lack native tunneling support to communicate from locations with restricted connectivity.

The free or open-source HTTP Tunneling clients are usually packaged as a pair of applications, one of which performs the role of the mediator server, the other performing the role of the Tunneling client. This requires the user to have access to their own server that they can run the mediator server software on.

The commercial HTTP Tunneling client applications are provided by companies that run their own mediator server farms. They charge for the service provided, with various tiers of service that depend on the bandwidth provided.

This has an infamous use: students and employees bypassing internet filters placed on school or work computers. Rather than using the local internet connection to fetch website content, the tunnel only uses it to connect to another, unrestricted computer. That computer then uses its own internet connection to fetch the web content and send it back to the person tunneling. This is similar to the remote desktop concept, except that only the remote computer's unrestricted internet connection is used.

Uses of HTTP Tunnel Clients

  • To use applications (games/IM clients/browsers) from behind restrictive firewalls or proxy servers
  • To access blocked sites
  • To share some confidential resource over HTTP securely
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.