sockhole
sockhole is a decrypting SOCKS proxy.
When it receives a request to make a connection to a port listed in its
TLS_PORTS list, it will establish the encrypted connection itself, verify the
TLS certificate, and then proxy decrypted data to the client as if the
connection were made to a plaintext service.
This is intended to support old software or equipment that supports SOCKS proxies
but does not support SSL/TLS, or only supports obsolete ciphers.
That software makes a plaintext connection over a trusted LAN to a local machine
running sockhole, and sockhole establishes the secure tunnel over the public
internet. Everything between the client and sockhole is unencrypted, so sockhole
should only be reachable from that trusted network (see the -a option below).
For example, a computer running a POP3 client with SOCKS proxy support but no SSL support can connect to a remote POP3 server over TLS just by switching the port configured in the POP3 client to 995 (POP3S).
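The mechanism described above, as an added example in Ruby (this is not sockhole's own code): parse the SOCKS5 CONNECT request, decide by destination port whether to terminate TLS, verify the certificate before answering the client, then relay bytes. The contents of TLS_PORTS, the function names, the constructed request bytes and the "general failure" reply on a bad certificate are all assumptions made for this example.

```ruby
# Added example, not sockhole's code. TLS_PORTS and all names here are assumptions.
require 'socket'
require 'openssl'
require 'ipaddr'

# Destination ports the proxy treats as TLS and terminates itself (assumed list).
TLS_PORTS = [443, 465, 993, 995].freeze

SocksRequest = Struct.new(:host, :port)

# Parse a SOCKS5 CONNECT request (RFC 1928 section 4, sent after method negotiation):
#   VER CMD RSV ATYP DST.ADDR DST.PORT
def parse_socks5_connect(bytes)
  b = bytes.b
  ver, cmd, _rsv, atyp = b.unpack('C4')
  raise ArgumentError, 'not a SOCKS5 request' unless ver == 5
  raise ArgumentError, 'only CONNECT is supported' unless cmd == 1
  case atyp
  when 1 # IPv4, 4 bytes
    host = b.byteslice(4, 4).unpack('C4').join('.')
    rest = b.byteslice(8, 2)
  when 3 # domain name, one length byte then the name
    len  = b.getbyte(4)
    host = b.byteslice(5, len).force_encoding(Encoding::UTF_8)
    rest = b.byteslice(5 + len, 2)
  when 4 # IPv6, 16 bytes
    host = IPAddr.new_ntoh(b.byteslice(4, 16)).to_s
    rest = b.byteslice(20, 2)
  else
    raise ArgumentError, "unsupported ATYP #{atyp}"
  end
  raise ArgumentError, 'truncated request' unless rest && rest.bytesize == 2
  SocksRequest.new(host, rest.unpack1('n'))
end

# SOCKS5 reply with BND.ADDR/BND.PORT zeroed. REP 0 = succeeded, 1 = general failure.
def socks5_reply(rep)
  [5, rep, 0, 1, 0, 0, 0, 0, 0].pack('C*')
end

def tls_port?(port)
  TLS_PORTS.include?(port)
end

def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Verifying TLS context: system CA store, peer verification, hostname verification.
def tls_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER) # also sets verify_hostname = true
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx
end

# Open the upstream connection: plain TCP, or verified TLS when the port is in TLS_PORTS.
def open_upstream(req)
  tcp = TCPSocket.new(req.host, req.port)
  return tcp unless tls_port?(req.port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, tls_context)
  ssl.hostname   = req.host unless ip_literal?(req.host) # SNI for names only
  ssl.sync_close = true
  ssl.connect                        # raises OpenSSL::SSL::SSLError on an untrusted chain
  ssl.post_connection_check(req.host) # raises on name/IP mismatch with the certificate
  ssl
end

# Copy bytes one way until the source closes, then close the sink.
def pump(from, to)
  loop { to.write(from.readpartial(16_384)) }
rescue EOFError, IOError, OpenSSL::SSL::SSLError, SystemCallError
  to.close unless to.closed?
end

# One client: parse CONNECT, open upstream (verifying TLS first), reply, relay.
# The certificate is checked before any reply is sent, so a client asking for a host
# with a bad certificate gets a failure reply and never exchanges application data.
def handle_connect(client, request_bytes)
  req = parse_socks5_connect(request_bytes)
  upstream = open_upstream(req)
rescue OpenSSL::SSL::SSLError, SocketError, SystemCallError, ArgumentError
  client.write(socks5_reply(1))
  client.close
else
  client.write(socks5_reply(0))
  [Thread.new { pump(client, upstream) }, Thread.new { pump(upstream, client) }].each(&:join)
end
```

Note that the SOCKS reply is only written after the TLS handshake and certificate check succeed; that ordering is what lets a SOCKS client with no TLS support still refuse to talk to a server presenting a bad certificate.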
Installation
server$ bundle install --path vendor/bundle
Use
server$ bundle exec ruby sockhole.rb
Supported options:
-a allowed range: add the IP/mask to the list of allowed client IPs; defaults to the /24 of the listen IP
-d: enable debugging
-p port: set the listen port (defaults to 1080)
-i ip: set the listen IP (defaults to the first non-loopback IP on all interfaces)
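Because the client side of sockhole is plaintext, the allowed-range check is the only thing keeping other hosts from using it. As an added example (not sockhole's code), here is that check with the default /24 derived from the listen IP; it assumes that -a ranges replace the default rather than extend it, and that an -a value without a mask means a single host.

```ruby
# Added example, not sockhole's code. Assumes -a ranges replace the default /24.
require 'ipaddr'

# Build the allow list: the -a ranges if any were given, else the /24 around listen_ip.
def build_allowlist(listen_ip, ranges = [])
  return ranges.map { |r| IPAddr.new(r) } unless ranges.empty?
  [IPAddr.new("#{listen_ip}/24")] # IPAddr masks the host bits off: 192.168.1.1/24 -> 192.168.1.0/24
end

# True when the peer address falls inside any allowed range.
def allowed_client?(allowlist, peer_ip)
  peer = IPAddr.new(peer_ip)
  allowlist.any? { |range| range.include?(peer) }
rescue IPAddr::InvalidAddressError
  false
end

# Usage at accept time (assumed server loop): reject before reading any SOCKS bytes.
#   allowlist = build_allowlist('192.168.1.1')
#   client = server.accept
#   client.close unless allowed_client?(allowlist, client.peeraddr[3])
```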
Client Examples
Curl
curl must be told to use the http scheme on port 443, not https; otherwise it
will expect TLS-encrypted data to come back through the SOCKS proxy.
However, with a URL of http://example.com:443/, curl sends a
Host: example.com:443 header, which may not match a virtual host configured on
the server.
The -H option overrides the Host header sent so that the port is dropped:
server$ bundle exec ruby sockhole.rb
[2020-11-12 08:47:24 -0600] [I] [server] listening on 192.168.1.1:1080
client$ curl -H "Host: example.com" --preproxy socks5h://192.168.1.1 http://example.com:443/
<!doctype html>
...
When the destination presents an invalid TLS certificate, sockhole closes the
client connection before any application data is exchanged:
client$ curl -H "Host: wrong.host.badssl.com" --preproxy socks5h://192.168.1.1 http://wrong.host.badssl.com:443/
curl: (97) connection to proxy closed
nc
client$ nc -x 192.168.1.1 imap.fastmail.com imaps
* OK IMAP4 ready