Error Sending Data Through Https Tunnel
information on configuration for firewall HTTP proxies. Added description of weak and strong authentication for HTTP_Logon to eliminate some kinds of denial of service attack. [98/09/18 Bill] Eliminate the unauthenticated logon messages, and define the wire format of the messages.

Author: Bill Frantz (frantz-at-pwpconsult.com).

Introduction

This document describes some ideas for extending the DataComm system to operate through various types of firewall. There are four basic levels of problem:

1. Where the only problem is setting up the firewall to pass incoming sockets to the listen address on the local machine and advertising the ip:port used on the firewall machine.
2. Where incoming sockets cannot be accepted.
3. Where the only communications permitted through the firewall are via outgoing HTTP.
4. Where the only communications permitted through the firewall are via outgoing HTTP, and connections must be made to port 80.

Related Documents

See New E Data Comm System for information about the E Data Comm System. See DataComm Startup Protocol for information on the start up protocol.

Requirements

The basic requirement is that the E Data Comm system be able to operate through firewalls without special configuration of the firewall. Furthermore, this operation should be possible without the cooperation or permission of the firewall operator.

Architecture

HTTP Tunneling

HTTP Tunneling works by sending POST requests to a "HTTP server" and receiving replies. If the firewall allows us to use HTTP on any port, then we just need the DataComm HTTP Server code. Otherwise, if the machine must also support a real HTTP server, we will use a CGI to redirect the request to the non-port 80 server.

Note that the Java virtual machine is configured to use a firewall proxy with the Java system properties: http.proxyHost and http.proxyPort. After this configuration has been set, the URL will use the firewall proxy to contact hosts outside the firewall.

If we can use HTTP/1.1 instead of HTTP/1.0, we may be able to take advantage of the reusable TCP connections w
you’re dealing with web proxies, you’re liable to encounter a wide range of possible errors. This is primarily because the web was not designed with the use of proxies in mind. They are, in a sense, exploits in the way the web works.

Unfortunately, there’s a sort of sliding scale of errors in proxies. Errors come when a piece of software, a server, or a website expects one thing and gets something else. It’s like opening a box labeled “puppies” and getting spiders. You error out of that situation right quick. The more data the proxy passes, the fewer errors there are. However, if the server passes enough data, it’s no longer even really a proxy, it’s just a referral server and is part of normal web operation.

Many people use proxies because they want a more anonymous connection, though, and that’s what causes problems. A proxy server that passes your requests but strips out header data is sending one thing while a server expects another. Most of the time, this doesn’t cause any issues; it just means the server thinks you’re located somewhere else and doesn’t have much data about you to report to analytics. Sometimes, though, the discrepancy between expected data and provided data causes an error. That’s what the ERR_TUNNEL_CONNECTION_FAILED error is. It’s a particular set of software interacting with a proxy in a particular way such that it causes an issue.

To Err is Human

To forgive is divine, but forgiveness doesn’t help you in this situation. In fact, you may be begging for it if you’ve been fighting this error for a while. The problem is, it’s a pretty specific, narrow situation that doesn’t come up a lot, so you may have been happily using proxies for quite a while without ever encountering the error. The error is specific to Google Chrome, which may be helpful to know if you’re willing to use another browser. That’s not always possible, though; similar errors will show up on Firefox and – god forbid – IE if you’re using them.
The error itself is caused when you try to access a page that uses SSL, which is going to be more and more pages moving forward ever since Google declared SSL was a search ranking factor. If you’re interested in making sure that the error you’re getting is the one we’re talking about, and not just a related error, you can replicate the behavior by using a proxy that filters SSL requests and use it
using ICMP echo request and reply packets, commonly known as ping requests and replies. At first glance, this might seem like a rather useless thing to do, but it can actually come in handy in some cases. The following example illustrates the main motivation in creating ptunnel:

Setting: You're on the go, and stumble across an open wireless network. The network gives you an IP address, but won't let you send TCP or UDP packets out to the rest of the internet, for instance to check your mail. What to do? By chance, you discover that the network will allow you to ping any computer on the rest of the internet. With ptunnel, you can utilize this feature to check your mail, or do other things that require TCP.

Features and requirements

Ptunnel is not a feature-rich tool by any means, but it does what it advertises. So here is what it can do:

- Tunnel TCP using ICMP echo request and reply packets
- Connections are reliable (lost packets are resent as necessary)
- Handles multiple connections
- Acceptable bandwidth (150 kb/s downstream and about 50 kb/s upstream are the currently measured maxima for one tunnel, but with tweaking this can be improved further)
- Authentication, to prevent just anyone from using your proxy

So what do you need for all this to work?

- One computer accessible on the internet that is not firewalled (or at least allows incoming ICMP packets)
- A computer to act as the client (this will usually be your laptop, on the go..)
- Root access, preferably on both computers
- A POSIX-compliant OS, with libpcap (for packet capturing)

Compiling the sources simply consists of running make. No ./configure, make, make install, just make. The resulting binary is called ptunnel. See the usage section below for info on running it.

How it works

This is a technical description of how ptunnel works. If you're not interested in low-level networking details, you can skip this section. It might help to read it either way, as it provides some insights into the situations where ptunnel doesn't work.

Ptunnel works by tunneling TCP connections over ICMP packets. In the following, we will talk about the proxy, the cli