Making a socket connection via a proxy server

Heiko Wundram heikowu at ceosg.de
Sun Aug 1 16:55:45 CEST 2004


> Fuzzyman wrote:
> > In a nutshell - the question I'm asking is, how do I make a socket
> > conenction go via a proxy server ?
> > All our internet traffic has to go through a proxy-server at location
> > 'dav-serv:8080' and I need to make a socket connection through it.

Am Freitag, 30. Juli 2004 18:51 schrieb Diez B. Roggisch:
> Short answer: Its not possible.

Longer answer: it is possible if you use DNAT on some router between the 
computer which opens the request and the destination machine. Check out squid 
transparent proxy howtos you can find on the net. The protocol will need 
HTTP/1.1 for this, though.

Small example, which clarifies why this is possible:

Computer 1 opens http (port 80) connection to computer 2.

Router 1 sits in the middle, sees a port 80 connection is opened to some 
computer 2, and rewrites the incoming packet to have a new destination 
address/port (DNAT), namely proxy 1 with port 3128 (standard http-proxy port, 
at least for squid), and a new source address/port (SNAT), namely router 1 
with some port.

Proxy 1 gets the following (from router 1):

GET /foo.html HTTP/1.1
Host: www.foo.com:80
<other headers>

Proxy 1 opens the connection to www.foo.com port 80 (now, the router sees that 
the connection comes from proxy, it must not do address rewriting), gets the 
result, and stores it locally.

proxy 1 then sends the packets back to router 1 (because the proxy request 
seems to have come from router; if you leave out SNAT in the rewriting step, 
it'll seem to have come from the actual computer, and this is fine too, but 
then you have to be sure that the return packet also has to go through the 
router), and now router 1 does reverse DNAT and SNAT to return the packet to 
computer 1, which will see a source address of computer 2 and port 80 on the 
packet.

computer 1 sees the result, and thinks it came from the outside machine, 
although through some SNAT/DNAT the packets actually originated from the 
proxy.

This is basically it.

If you want to implement this, as I said, read up on transparent proxy howtos 
for squid. Pretty much every proxy can be made to support this, as with 
HTTP/1.1 the Host: header is a required header, and thus the proxy can always 
extract the host which was queried from the request, even when it isn't 
passed as the others have suggested.

On another note: I assumed you wanted to transparently relay/rewrite HTTP 
through the proxy. If you need to open some form of socket connection to the 
proxy which is not HTTP, the proxy protocol supports the method CONNECT, 
which will simply open up a socket connection which is relayed by the proxy. 
But: This cannot be made transparent, except by some deeper magic in the 
router.

HTH!

Heiko.



More information about the Python-list mailing list