1. Overview
An HTTP tunnel connects two computers that are separated by an access control point such as a firewall. The tunnel is usually established through a proxy server placed behind the firewall. The proxy's job is to accept HTTP requests from clients and relay them to their destination using the HTTP proxy protocol. Traceroute, in turn, shows the route a packet takes from one computer to another across a network.
However, traceroute works with ICMP (or UDP) probes rather than HTTP, so an HTTP proxy cannot forward its traffic. The alternative is the HTTP CONNECT method, which turns the proxy into a plain TCP tunnel.
In this tutorial, we'll show how to establish an HTTP tunnel through a proxy behind a firewall and use it to trace communication paths.
2. HTTP Tunnel
A tunnel, often set up through port forwarding, lets traffic belonging to a private network cross a public network by wrapping it inside another protocol.
A proxy server that creates an HTTP tunnel usually lives in a DMZ (demilitarized zone). A DMZ, also called a perimeter network, is a separate segment of an enterprise network that is reachable both from the internal network and from the public internet. Generally, we place the assets that outside users need to reach, such as web servers and proxies, inside the DMZ, so that a compromise there does not give an attacker direct access to the internal network.
When we set up an HTTP tunnel, the communication between the private and public networks is encapsulated in HTTP. An HTTP tunnel can be established either with the HTTP CONNECT method or by carrying the payload inside ordinary HTTP requests that use methods such as POST, GET, PUT and DELETE.
2.1. HTTP Proxy Server
Proxy servers serve several purposes for a client and a service provider, some of them related to anonymity. The main reasons to run a private proxy are:
- Prevent tracking of the client's original IP address by attackers, since the destination only ever sees the proxy's address
- Authenticate users before they are allowed to reach external sites
- Cache web content to save bandwidth and reduce latency
- Inspect the headers and payloads of outbound requests and check them against the local access policy
For instance, when we browse to www.baeldung.com, the browser sends its HTTP request to our organization's proxy server. The proxy resolves the name, obtains the HTTP response from the web server hosting www.baeldung.com, and relays it back to the browser, as shown in the figure below.
2.2. HTTP Connect
Let's now discuss one of the most popular tunneling methods, HTTP CONNECT. The client (for example, a browser) asks the HTTP proxy to open a TCP connection to a target host and port. The proxy establishes that connection on behalf of the client, answers with a 200 status, and from then on relays the TCP byte stream in both directions without interpreting it.
HTTP is used only to set up the tunnel; once the tunnel is established, the proxy is a plain TCP relay. This is how browsers send HTTPS through a proxy: the TLS session runs end to end inside the tunnel, so the proxy learns only the target host and port, not the content. For the same reason, proxies usually restrict CONNECT to port 443 (and sometimes 80), so that the tunnel cannot be used to reach arbitrary services.
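The CONNECT exchange described above, as an added example that is not part of the original article: a minimal CONNECT-only proxy with a destination-port allow-list, an upper-casing echo server standing in for the target, and a client that opens the tunnel and pushes raw bytes through it. Everything binds to 127.0.0.1 on ephemeral ports, so it runs offline; the port numbers, payloads and status handling are constructed here and not taken from any real proxy.

```python
"""Added example: HTTP CONNECT tunnel on loopback (proxy, target and client)."""
import socket
import threading


def _read_headers(sock):
    """Read up to the blank line ending an HTTP header block.
    Returns (header_text, leftover_bytes) since the client may send early."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head.decode("latin-1"), rest


def _relay(src, dst):
    """Copy bytes one way until src closes; the proxy never parses them."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate EOF to the other side
        except OSError:
            pass


def handle_connect(client, allowed_ports):
    """Serve one proxy connection: parse 'CONNECT host:port', enforce the
    destination-port allow-list (corporate proxies typically allow 443/80),
    open the upstream TCP connection and splice the two sockets."""
    head, rest = _read_headers(client)
    request_line = head.split("\r\n", 1)[0].split(" ")
    method, target = (request_line + ["", ""])[:2]
    host, _, port = target.rpartition(":")
    if method != "CONNECT" or not host or not port.isdigit():
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        client.close()
        return
    if int(port) not in allowed_ports:
        client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        client.close()
        return
    try:
        upstream = socket.create_connection((host, int(port)), timeout=5)
    except OSError:
        client.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
        client.close()
        return
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    if rest:  # bytes sent before our 200 already belong to the tunnel
        upstream.sendall(rest)
    threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()
    _relay(upstream, client)
    upstream.close()


def serve(handler):
    """Listen on an ephemeral loopback port; one thread per connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def echo_upper(conn):
    """Stand-in for the target service: echoes its input upper-cased."""
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data.upper())


def send_through_tunnel(proxy_port, target_port, payload):
    """Client side: open a CONNECT tunnel, send payload, return (status, reply)."""
    sock = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    sock.sendall(f"CONNECT 127.0.0.1:{target_port} HTTP/1.1\r\n"
                 f"Host: 127.0.0.1:{target_port}\r\n\r\n".encode())
    head, _ = _read_headers(sock)
    status = int(head.split(" ")[1]) if head.startswith("HTTP/") else 0
    if status != 200:
        sock.close()
        return status, b""
    sock.sendall(payload)  # from here on the proxy sees raw bytes, not HTTP
    sock.shutdown(socket.SHUT_WR)
    reply = b""
    while chunk := sock.recv(4096):
        reply += chunk
    sock.close()
    return status, reply


def demo():
    """Tunnel to the allowed target port, then try a port outside the allow-list."""
    target_port = serve(echo_upper)
    proxy_port = serve(lambda c: handle_connect(c, allowed_ports={target_port}))
    return {
        "allowed": send_through_tunnel(proxy_port, target_port, b"hello tunnel"),
        "blocked": send_through_tunnel(proxy_port, 22, b"ssh banner"),
    }


if __name__ == "__main__":
    print(demo())  # {'allowed': (200, b'HELLO TUNNEL'), 'blocked': (403, b'')}
```

The second request in `demo()` shows the practical limit of the technique: a proxy that only allows CONNECT to a short list of ports rejects the tunnel before any bytes reach the destination, which is exactly what stops arbitrary TCP services (SSH on port 22, for instance) from being tunneled through a well-configured corporate proxy. OpenSSH's `ProxyCommand` with an OpenBSD-style `nc -X connect` performs the same exchange as `send_through_tunnel` on the client side.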
3. Traceroute
When we connect to a computer over the internet, the packets pass through multiple network hops (routers). To see the route a packet takes, we can use the traceroute command (Unix, Linux, macOS) or tracert (Windows). The output differs depending on where the request originates, which routers answer, and the current network load.
3.1. How to Use Tracert?
Let's start with a simple example and run the tracert command for the baeldung.com domain:
tracert baeldung.com
The result should look like the following:
Tracing route to baeldung.com [2606:4700:3108::ac42:2b08]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  2001:8f8:1b27:4401:ea1b:69ff:fe06:7880
  2     *        *        *     Request timed out.
  3     4 ms     3 ms     4 ms  2001:8f8:3:d106::1
  4     8 ms     5 ms     6 ms  2001:8f8:0:10:0:23:208:5
  5     6 ms     5 ms     6 ms  2001:8f8:0:10:0:20:23:1
  6     6 ms     6 ms    45 ms  2001:8f8:0:20:cd::2
  7     6 ms    10 ms     6 ms  2606:4700:3108::ac42:2b08

Trace complete.
To reach baeldung.com, the packets hop through several routers. The result shows, starting from the local network (#1), how the probes passed through the intermediate hops to the destination at #7 (baeldung.com). Each hop is probed three times, which is why three round-trip times are printed. Hop #2 shows "Request timed out": that router did not send back an ICMP Time Exceeded message within the timeout, which is common for routers that rate-limit or filter ICMP; since the later hops answer, it does not mean the path is broken.
The following table gives an interpretation of the result:
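A parser for the tracert output format, as an added example that is not part of the original article. It turns the transcript above (embedded inline as constructed sample input) into structured hops, flags hops that never answered and latency jumps between consecutive hops, and checks that the trace actually reached its target rather than stopping at the hop limit. The Unix traceroute layout is different and is not handled here; the jump threshold of 20 ms is an arbitrary choice for the example.

```python
"""Added example: parse Windows tracert output and analyze the hops."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the trace shown in this article, verbatim.
SAMPLE = """\
Tracing route to baeldung.com [2606:4700:3108::ac42:2b08]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  2001:8f8:1b27:4401:ea1b:69ff:fe06:7880
  2     *        *        *     Request timed out.
  3     4 ms     3 ms     4 ms  2001:8f8:3:d106::1
  4     8 ms     5 ms     6 ms  2001:8f8:0:10:0:23:208:5
  5     6 ms     5 ms     6 ms  2001:8f8:0:10:0:20:23:1
  6     6 ms     6 ms    45 ms  2001:8f8:0:20:cd::2
  7     6 ms    10 ms     6 ms  2606:4700:3108::ac42:2b08

Trace complete.
"""

TARGET_RE = re.compile(r"Tracing route to (\S+)(?: \[([^\]]+)\])?")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
PROBE_RE = re.compile(r"^\s*(?:(<?\d+)\s*ms|(\*))")  # "12 ms", "<1 ms" or "*"


@dataclass
class Hop:
    number: int
    rtts: List[Optional[int]]  # one entry per probe, None when it timed out
    address: Optional[str]     # None when no probe answered

    @property
    def responded(self) -> bool:
        return any(r is not None for r in self.rtts)

    @property
    def worst_rtt(self) -> Optional[int]:
        answered = [r for r in self.rtts if r is not None]
        return max(answered) if answered else None


def parse_hop(line: str, probes: int = 3) -> Optional[Hop]:
    """Turn one tracert line into a Hop; return None for header/footer lines."""
    m = HOP_RE.match(line)
    if not m:
        return None
    number, rest = int(m.group(1)), m.group(2)
    rtts = []
    for _ in range(probes):
        pm = PROBE_RE.match(rest)
        if not pm:
            return None
        rtts.append(None if pm.group(2) else int(pm.group(1).lstrip("<")))
        rest = rest[pm.end():]
    rest = rest.strip()
    address = None if rest.startswith("Request timed out") else rest
    return Hop(number, rtts, address)


def parse_tracert(text: str):
    """Return (target_address, [Hop, ...]) for a tracert transcript."""
    m = TARGET_RE.search(text)
    target = (m.group(2) or m.group(1)) if m else None
    hops = [h for h in (parse_hop(line) for line in text.splitlines()) if h]
    return target, hops


def analyze(hops: List[Hop], jump_ms: int = 20):
    """Return (silent_hop_numbers, [(hop, worst_rtt), ...]) where a hop's worst
    RTT exceeds the previous answering hop's worst RTT by more than jump_ms."""
    silent = [h.number for h in hops if not h.responded]
    jumps, prev = [], None
    for h in hops:
        if not h.responded:
            continue
        if prev is not None and h.worst_rtt - prev > jump_ms:
            jumps.append((h.number, h.worst_rtt))
        prev = h.worst_rtt
    return silent, jumps


def reached(target: Optional[str], hops: List[Hop]) -> bool:
    """True when the last hop that answered is the traced target itself."""
    if not target or not hops or hops[-1].address is None:
        return False
    return hops[-1].address.split()[-1].strip("[]") == target


if __name__ == "__main__":
    target, hops = parse_tracert(SAMPLE)
    print(target, analyze(hops), reached(target, hops))
```

On the sample, `analyze` reports hop 2 as silent and hop 6 as a latency jump (45 ms against 8 ms at the previous answering hop), and `reached` confirms the final hop is the target address from the header line, which is the difference between a completed trace and one that ran out of hops.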
4. Using HTTP Tunnel to Traceroute
Let's now explore how to use traceroute together with an HTTP tunnel. The tracert command relies on lower-layer protocols (ICMP, or UDP probes on Unix), much like the ping command. An HTTP tunnel, on the other hand, only carries TCP streams, because CONNECT can only ask the proxy to open a TCP connection. Hence, tracert cannot be sent directly through an HTTP tunnel.
A workaround for using tracert from behind a proxy is SSH. We open an SSH connection through the HTTP tunnel to a host on the far side of the proxy, run traceroute on that host, and receive its output back through the same tunnel.
The following are the essential considerations:
- The host we run traceroute from (the SSH server) must be reachable through the proxy, which in practice means it has to listen on port 443 (HTTPS) or 80 (HTTP), the only ports most proxies allow CONNECT to
- If the proxy requires authentication, we'll need valid proxy credentials, in addition to the SSH credentials for the remote host
- Only after the tunnel is established can traceroute be run, and it runs on the remote host, so the hops it reports start from that host rather than from our client machine
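The SSH workaround above as an OpenSSH client configuration, added here as an example that is not part of the original article. The host name jump.example.org, the user name alice and the proxy address proxy.example.com:3128 are placeholders. `nc` is the OpenBSD-style netcat (shipped with macOS and as netcat-openbsd on Debian-based systems), whose -X connect option speaks HTTP CONNECT to the proxy; GNU netcat lacks this option, and corkscrew is a common substitute.

```sshconfig
# ~/.ssh/config (added example; host names, user and proxy port are placeholders)
Host jump
    HostName jump.example.org
    # The SSH daemon on the far side listens on 443 because most proxies
    # allow CONNECT only to 443 (and sometimes 80)
    Port 443
    User alice
    # OpenBSD netcat opens an HTTP CONNECT tunnel through the proxy and hands
    # the raw TCP stream to ssh. -P gives the proxy user name when the proxy
    # requires authentication; nc prompts for the proxy password.
    ProxyCommand nc -X connect -x proxy.example.com:3128 -P alice %h %p
```

With this in place, `ssh jump traceroute -n baeldung.com` runs traceroute on jump.example.org and prints its output locally. Two caveats apply: the route shown starts at the jump host, not at our machine, and the proxy log will record a CONNECT to jump.example.org:443, while a proxy that inspects port 443 traffic for a TLS handshake may refuse the SSH banner it sees instead.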
5. Conclusion
In this article, we talked about HTTP tunnels and HTTP proxy servers and showed how to get the route to a domain with the tracert command. We also explained the workaround for running traceroute from behind a proxy: an SSH session carried over an HTTP CONNECT tunnel.