HTTP tunnel
HTTP Tunneling is a technique by which communications performed using various network protocols are encapsulated using the HTTP protocol, the network protocols in question usually belonging to the TCP/IP family of protocols. The HTTP protocol therefore acts as a wrapper for a channel that the network protocol being tunneled uses to communicate.
The HTTP stream with its covert channel is termed an HTTP Tunnel.
HTTP Tunnel software consists of client-server HTTP Tunneling applications that integrate with existing application software, permitting them to be used in conditions of restricted network connectivity including firewalled networks, networks behind proxy servers, and NATs.
Usage
An HTTP Tunnel is used most often as a means for communication from network locations with restricted connectivity – most often behind NATs, firewalls, or proxy servers, and most often with applications that lack native support for communication in such conditions of restricted connectivity. Restricted connectivity in the form of blocked TCP/IP ports, blocking traffic initiated from outside the network, or blocking of all network protocols except a few is a commonly used method to lock down a network to secure it against internal and external threats.
Mechanism
The application that wishes to communicate with a remote host opens an HTTP connection to a mediator server, which acts as a relay of communications to and from the remote host. The application then communicates with the mediator server using HTTP requests, encapsulating the actual communications within those requests. The mediator server is required to be in a network location with sufficiently unrestricted connectivity.
The mediator server unwraps the actual data before forwarding it to the remote host in question. Symmetrically, when it receives data from the remote host, it wraps it in the HTTP protocol before sending it as part of an HTTP response to the application.
In this situation, the application plays the role of a Tunneling Client, while the remote host plays the role of the server being communicated with.
HTTP CONNECT Tunneling
A variation of HTTP tunneling when behind an HTTP Proxy Server is to use the "CONNECT" HTTP method.[1]
In this mechanism, the client asks an HTTP Proxy server to forward the TCP connection to the desired destination using the "CONNECT" HTTP method. The server then proceeds to make the connection on behalf of the client. Once the connection has been established by the server, the Proxy server continues to proxy the TCP stream to and from the client. Note that only the initial connection request is HTTP - after that, the server simply proxies the established TCP connection.
This mechanism is how a client behind an HTTP proxy can access websites using SSL (i.e. HTTPS).
Not all HTTP Proxy Servers support this feature, and even those that do may limit the behaviour (for example only allowing connections to the default HTTPS port 443, or blocking traffic which doesn't appear to be SSL).
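The two limits just described (CONNECT only to port 443, and rejecting tunnels whose traffic does not look like SSL/TLS) are easy to express as a proxy-side policy. The following is an added example, not code from the article; the function names, the header regex and the sample requests are constructed for illustration.

```python
"""Proxy-side policy check for HTTP CONNECT tunnels (illustrative, not a real proxy)."""
import re

ALLOWED_PORTS = {443}  # the default HTTPS port, as in the text
REQUEST_LINE = re.compile(rb"^CONNECT (\S+):(\d{1,5}) HTTP/1\.[01]\r?\n")


def parse_connect(raw: bytes):
    """Return (host, port) from a CONNECT request head, or None if it is malformed."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return None
    host, port = m.group(1).decode("ascii"), int(m.group(2))
    if not 0 < port < 65536:
        return None
    return host, port


def looks_like_tls(first_bytes: bytes) -> bool:
    """A TLS record starts with content type 0x16 (handshake) and major version 3."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


def tunnel_decision(request_head: bytes, first_payload: bytes) -> str:
    """Return 'allow' or a 'deny: <reason>' string the proxy can log."""
    target = parse_connect(request_head)
    if target is None:
        return "deny: malformed CONNECT request"
    host, port = target
    if port not in ALLOWED_PORTS:
        return f"deny: port {port} not permitted for {host}"
    if not looks_like_tls(first_payload):
        return "deny: tunnel payload is not a TLS handshake"
    return "allow"


if __name__ == "__main__":
    # Constructed samples: a normal HTTPS tunnel, a non-443 target, and plain HTTP inside a 443 tunnel
    tls_hello = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
    print(tunnel_decision(b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n", tls_hello))
    print(tunnel_decision(b"CONNECT example.com:8080 HTTP/1.1\r\n\r\n", tls_hello))
    print(tunnel_decision(b"CONNECT example.com:443 HTTP/1.1\r\n\r\n", b"GET / HTTP/1.1\r\n"))
```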
HTTP Tunneling without using CONNECT
In some networks, the use of the CONNECT method is restricted to some trusted sites. In such cases, an HTTP tunnel can still be implemented using only the usual HTTP methods such as POST, GET, PUT and DELETE. This is similar to the approach used in Bidirectional-streams Over Synchronous HTTP (BOSH).
In a proof-of-concept program of this kind, the server runs outside the protected network and acts as a special HTTP server. The client program runs on a computer inside the protected network. Whenever any network traffic is passed to the client, it repackages it as an HTTP request and relays it to the outside server, which extracts and executes the original network request on the client's behalf. The response to that request, received by the server, is then repackaged as an HTTP response and relayed back to the client. Since all traffic is encapsulated inside normal GET and POST requests and responses, this approach works through most proxies and firewalls.
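The encapsulation step described above, written out as an added example (it is not the proof-of-concept program the article refers to): one chunk of the tunneled TCP stream is wrapped in a POST request by the client and unwrapped by the mediator, which also rejects replayed or out-of-order chunks. The header names, session id and sample bytes are constructed for this illustration.

```python
"""Framing for an HTTP tunnel that uses only POST requests (no CONNECT)."""
import base64

SESSION_HDR = "X-Tunnel-Session"  # constructed header names, not a standard
SEQ_HDR = "X-Tunnel-Seq"


def wrap(session: str, seq: int, payload: bytes, host: str = "relay.example") -> bytes:
    """Client side: encapsulate one chunk of the tunneled stream in an ordinary POST."""
    body = base64.b64encode(payload)
    head = (
        f"POST /tunnel HTTP/1.1\r\nHost: {host}\r\n"
        f"{SESSION_HDR}: {session}\r\n{SEQ_HDR}: {seq}\r\n"
        f"Content-Type: application/octet-stream\r\nContent-Length: {len(body)}\r\n\r\n"
    )
    return head.encode("ascii") + body


def unwrap(raw: bytes, expected_seq: dict) -> tuple:
    """Mediator side: recover (session, payload); reject replayed or out-of-order chunks."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    if not lines[0].startswith("POST /tunnel "):
        raise ValueError("not a tunnel request")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    session, seq = headers[SESSION_HDR], int(headers[SEQ_HDR])
    if len(body) != int(headers["Content-Length"]):
        raise ValueError("truncated body")
    if seq != expected_seq.get(session, 0):
        raise ValueError(f"unexpected sequence {seq} for session {session}")
    expected_seq[session] = seq + 1  # advance the per-session window
    return session, base64.b64decode(body, validate=True)


if __name__ == "__main__":
    state = {}
    frame = wrap("s1", 0, b"PING :irc.example\r\n")  # constructed tunneled bytes
    print(frame.decode("ascii"))
    print(unwrap(frame, state))
    try:
        unwrap(frame, state)  # replaying the same chunk is rejected
    except ValueError as err:
        print("rejected:", err)
```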
HTTP Tunnel Clients
There are several free/open-source and commercial HTTP Tunneling client applications that allow even applications lacking native tunneling support to communicate from locations with restricted connectivity.
The free or open-source HTTP Tunneling clients are usually packaged as a pair of applications, one of which performs the role of the mediator server, the other performing the role of the Tunneling client. This requires the user to have access to their own server that they can run the mediator server software on.
The commercial HTTP Tunneling client applications are provided by companies that run their own mediator server farms. They charge for the service provided, with various tiers of service that depend on the bandwidth provided.
Tunnel clients are also notoriously used by students and employees to bypass internet filters placed on school or work computers. Rather than using the local internet connection to fetch website content directly, the client only uses it to connect to another computer with unrestricted access. That computer then fetches the web content over its own internet connection and sends it back to the person running the tunnel. The concept is similar to remote desktop, except that only that computer's unrestricted internet connection is used.
Uses of HTTP Tunnel Clients
- To use applications (games/IM clients/browsers) from behind restrictive firewalls or proxy servers
- To access blocked sites
- To share some confidential resource over HTTP securely
References
1. Fielding, R. (June 1999). "Method Definitions, CONNECT". Hypertext Transfer Protocol -- HTTP/1.1. IETF. p. 56, sec. 9.9. RFC 2616. Retrieved 2010-07-09.