The need of proxy server is inevitable nowadays especially if you have servers located in a paranoid security environments. Where virtually all is being passed through some kind of a proxy server. In my work we have recently started a CentOS Linux release 7.9.2009 on HP Proliant DL360e Gen8 (host named rhel-testing).
HP DL360e are quite old nowadays but since we have spare servers and we can refurnish them to use as a local testing internal server Hypervisor it is okay for us. The machine is attached to a Rack that is connected to a Secured Deimilitarized Zone LAN (DMZ Network) which is so much filtered that even simple access to the local company homebrew RPM repository is not accessible from the machine.
Thus to set and remove software from the machine we needed a way to make yum repositories be available, and it seems the only way was to use a proxy server (situated on another accessible server which we use as a jump host to access the testing machine).
Since opening additional firewall request was a time consuming non-sense and the machine is just for testing purposes, we had to come with a solution where we can somehow access a Local repository RPM storage server http://rpm-package-server-repo.com/ for which we have a separate /etc/yum.repos.d/custom-rpms.repo definition file created.
This is why we needed a simplistic way to run a proxy but as we did not have the easy way to install privoxy / squid / haproxy or apache webserver configured as a proxy (to install one of those of relatively giant piece of software need to copy many rpm packages and manually satisfy dependencies), we looked for a simplistic way to run a proxy server on jump-host machine host A.
A note to make here is jump-host that was about to serve as a proxy had already HTTP access towards the RPM repositories http://rpm-package-server-repo.com and could normally fetch packages with curl or wget via it …
For to create a simple proxy server out of nothing, I've googled a bit thinking that it should be possible either with BASH's TCP/IP capabilities or some other small C written tool compiled as a static binary, just to find out that netcat swiss army knife as a proxy server bash script is capable of doing the trick.
Jump host machine which was about to be used as a proxy server for http traffic did not have enabled access to tcp/port 8888 (port's firewall policies were prohibiting access to it).Since 8888 was the port targetted to run the proxy to allow TCP/IP port 8888 accessibility from the testing RHEL machine towards jump host, we had to issue first on jump host:
[root@jump-host: ~ ]# firewall-cmd –permanent –zone=public –add-port=8888/tcp
To run the script once placed under /root/tcp-proxy.sh on jump-host we had to run a never ending loop in a GNU screen session to make sure it runs forever:
Original tcp-proxy.sh script used taken from above article is:
#!/bin/sh -e
if [ $# != 3 ]
then
echo "usage: $0 <src-port> <dst-host> <dst-port>"
exit 0
fiTMP=`mktemp -d`
BACK=$TMP/pipe.back
SENT=$TMP/pipe.sent
RCVD=$TMP/pipe.rcvd
trap 'rm -rf "$TMP"' EXIT
mkfifo -m 0600 "$BACK" "$SENT" "$RCVD"
sed 's/^/ => /' <"$SENT" &
sed 's/^/<= /' <"$RCVD" &
nc -l -p "$1" <"$BACK" | tee "$SENT" | nc "$2" "$3" | tee "$RCVD" >"$BACK"
Above tcp-proxy.sh script you can download here.
I've tested the script one time and it worked, the script syntax is:
[root@jump-host: ~ ]# sh tcp-proxy.sh
usage: tcp-proxy.sh <src-port> <dst-host> <dst-port>
To make it work for one time connection I've run it as so:
[root@jump-host: ~ ]# sh tcp-proxy.sh 8888 rpm-package-server-repo.com 80
To make the script work all the time I had to use one small one liner infinite bash loop which goes like this:
[root@jump-host: ~ ]# while [ 1 ]; do sh tcp-proxy.sh 8888 rpm-package-server-repo.com 80; done
On rhel-testing we had to configure for yum and all applications to use a proxy temporary via
[root@rhel-tresting: ~ ]# export http_proxy=jump-host_machine_accessibleIP:8888
And then use the normal yum check-update && yum update to apply to rhel-testing machine latest RPM package security updates.
The nice stuff about the tcp-proxy.sh with netcat in a inifite loop is you will see the binary copy of traffic flowing on the script which will make you feel like in those notorious Hackers movies ! 🙂
The stupid stuff is that sometimes some connections and RPM database updates or RPMs could be cancelled due to some kind of network issues.
To make the connection issues that are occuring to the improvised proxy server go away we finally used a slightly modified version from the original netcat script, which read like this.
#!/bin/sh -e
if [ $# != 3 ]
then
echo "usage: $0 <src-port> <dst-host> <dst-port>"
exit 0
fiTMP=`mktemp -d`
BACK=$TMP/pipe.back
SENT=$TMP/pipe.sent
RCVD=$TMP/pipe.rcvd
trap 'rm -rf "$TMP"' EXIT
mkfifo -m 0600 "$BACK" "$SENT" "$RCVD"
sed 's/^/ => /' <"$SENT" &
sed 's/^/<= /' <"$RCVD" &
nc –proxy-type http -l -p "$1" <"$BACK" | tee "$SENT" | nc "$2" "$3" | tee "$RCVD" >"$BACK"
Modified version tcp-proxy1.sh with –proxy-type http argument passed to netcat script u can download here.
With –proxy-type http yum check-update works normal just like with any normal fully functional http_proxy configured.
Next step wasto make the configuration permanent you can either add to /root/.bashrc or /etc/bashrc (if you need the setting to be system wide for every user that logged in to Linux system).
[root@rhel-tresting: ~ ]# echo "http_proxy=http://jump-host_machine_accessibleIP:8888/" > /etc/environment
If you need to set the new built netcat TCP proxy only for yum package update tool include proxy only in /etc/yum.conf:
[root@rhel-tresting: ~ ]# vi /etc/yum.conf
proxy=http_proxy=http://jump-host_machine_accessibleIP:8888/
That's all now you have a proxy out of nothing with just a simple netcat enjoy.
