LinuxQuestions.org
Old 10-12-2007, 11:01 AM   #1
1N4148
LQ Newbie
 
Registered: Jun 2006
Distribution: Gentoo
Posts: 22

Rep: Reputation: 15
NX (SSH) over http proxy


Hi there.

I recently discovered NX. It's kinda like VNC, but better. I'm not using freeNX, but the nomachine.com one (Free Edition 3.0.0-74), since it actually works. NX is based on SSH but provides a graphical interface to your machine.
I try to access my machine at home from work.
But there's a problem. Here's some information first:

connection: @ work over proxy, @ home directly to internet with dynamic IP and DynDNS
proxy: only HTTP traffic allowed, authentication required. Browsers on Windoze/Linux work when set up correctly.
OS: @ work Windows, @ home Linux

Direct connections from different locations to my NX server at home work. But at work, I'm getting problems with their proxy.

1st try:
I set the NX client (the Windows one) up to use the proxy and authentication.
results: didn't work
conclusion: proxy only lets http traffic through

2nd try:
Use desproxy to tunnel through proxy
results: proxy returns "not allowed"
conclusion: desproxy does not imitate http traffic close enough

3rd try:
Use httptunnel (which needs to be set up both on client and server)
configuration (port): NX client -> (900) -> httptunnel@work -> (80) -> proxy@work -> (80) -> httptunnel@home -> (22) -> NX server
results: connection to PC at home works, however aborts at some point.
test: Tried the same client configuration (but without proxy) at a friend's
results: same as at work
test2: Tried the same client configuration (but without proxy) at home in local network
results: It works.
conclusion: wtf?

I get a connection alright, but it aborts.

client log:
Code:
NX> 203 NXSSH running with pid: 5532
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
NX> 285 Setting the preferred NX options
NX> 200 Connected to address: 127.0.0.1 on port: 900
ssh_exchange_identification: Connection closed by remote host
I can't figure out why this happens. There's nothing in the logs on my machine (server).
Obviously, the remote host (which is my machine) closes the connection. Why does it do that? I wonder if that's because it discovers that a tunnel is used.

Any ideas?

Last edited by 1N4148; 10-12-2007 at 11:02 AM.
 
Old 10-12-2007, 08:10 PM   #2
jmwatts
LQ Newbie
 
Registered: Oct 2007
Posts: 6

Rep: Reputation: 0
You may want to take a look at this Article on the NoMachine Knowledge Base:

How to set-up a basic environment to connect NX through a HTTP proxy
http://www.nomachine.com/ar/view.php?ar_id=AR04E00457

Please browse/search the Knowledge Base for any other information as there is lots of good information there regarding the product.

Let me know how it goes.
 
Old 10-13-2007, 04:26 AM   #3
1N4148
LQ Newbie
 
Registered: Jun 2006
Distribution: Gentoo
Posts: 22

Original Poster
Rep: Reputation: 15
Thanks, but I already read that and it didn't really help since I'd need access to the proxy's configuration, which I don't have.
The proxy lets traffic only through port 80, so I set NX up to use that port. It didn't work, see first try.

Last edited by 1N4148; 10-13-2007 at 05:24 AM.
 
Old 10-13-2007, 02:53 PM   #4
jmwatts
LQ Newbie
 
Registered: Oct 2007
Posts: 6

Rep: Reputation: 0
The only thing I see from a quick standpoint might refer to this NX Knowledge Base article:

Problems involving ssh_exchange_identification
http://www.nomachine.com/ar/view.php?ar_id=AR04D00382

Looks very similar to the messages you are getting in the client log.
 
Old 10-13-2007, 02:55 PM   #5
1N4148
LQ Newbie
 
Registered: Jun 2006
Distribution: Gentoo
Posts: 22

Original Poster
Rep: Reputation: 15
Oh my, I kept looking for something regarding proxies, not the actual error...
I'll definitely look into that, thanks!
 
Old 10-13-2007, 02:58 PM   #6
jmwatts
LQ Newbie
 
Registered: Oct 2007
Posts: 6

Rep: Reputation: 0
No problem. Let me know how it goes.
 
Old 10-15-2007, 10:18 AM   #7
1N4148
LQ Newbie
 
Registered: Jun 2006
Distribution: Gentoo
Posts: 22

Original Poster
Rep: Reputation: 15
Today I tried modifying my /etc/hosts.allow according to this tutorial
http://www.snailbook.com/faq/libwrap-oops.auto.html
and connect from work.
Sadly it didn't work, I get the same error as before. Do I need to restart networking when I change hosts.* ? I only restarted SSH and nxserver.

I noticed at work that when I try to connect, the httptunnel client closes. I don't know if that's a result of the termination of the connection, or the cause of it. I'm going to try other tunneling software tomorrow.
 
Old 10-15-2007, 12:21 PM   #8
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

Rep: Reputation: 414
Not to rain on the parade or anything, but have you asked your IT people at work about this? It could very well be that they've locked down their network so this sort of thing doesn't happen. And, at least in my experience, administrators are particularly humorless about attempts to circumvent their restrictions. At more than a few companies, it is grounds for dismissal.
 
Old 10-15-2007, 12:47 PM   #9
1N4148
LQ Newbie
 
Registered: Jun 2006
Distribution: Gentoo
Posts: 22

Original Poster
Rep: Reputation: 15
I wouldn't worry about that. I talked to them the other day, they're cool with me doing this, as long as I don't screw their network up.
Also they barely know how to configure this stuff (typical Windows user) and they're afraid they'd break it if they change anything. As far as I could tell, they're not using anything that could prevent this from working. It's a simple http proxy.
 
Old 10-16-2007, 06:33 PM   #10
jymbo
Member
 
Registered: Jan 2003
Posts: 217

Rep: Reputation: 30
There's a simple way to trick your proxy at work. Since it only allows http and https traffic, you need to fool it into thinking that your NX server at home is a web server.

Here's how I did it:

My FC7 box at home is behind a router, so I configured the router to open and forward port 443 to my FC7 box at port 22. All traffic destined for my home ip at port 443 will be forwarded to my FC7 box at port 22 (where NX is listening). My Asus router allows me to specify the port to forward to on the internal machine, but I know some routers may not have this feature. In this case, you'll need to edit sshd_config on your home machine to listen on port 443, or create an iptables rule on your home machine to forward port 443 to port 22.

On the NX client at work, I first configure the proxy settings, then I configure the server host with the dyndns name of my home ip, then use 443 as the port number. Since the connection through the proxy is sent through port 443, the work proxy sees it as https traffic and lets it through. Simple.

I'm writing this on my FC7 box from work over NX.

Last edited by jymbo; 10-16-2007 at 06:48 PM.
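
An added example, not part of jymbo's post: seen from the network side, the port number alone does not make a tunnel HTTPS, because an SSH client opens with a plaintext identification string (RFC 4253) while a TLS client opens with a ClientHello record. The sketch below classifies the first client bytes of a tunnel; the record fields, host names, addresses and the banner text are constructed for illustration.

```python
# Added example: classify the first client bytes seen inside a proxy tunnel.
# All sample records below are constructed, not captured traffic.

TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_first_bytes(payload: bytes) -> str:
    """Return 'tls', 'ssh', 'http', 'empty' or 'unknown' for a tunnel's first bytes."""
    if not payload:
        return "empty"
    # RFC 4253: the identification string starts with "SSH-protoversion-".
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: type 0x16, major version 0x03, 2-byte length,
    # then the handshake message type (0x01 = ClientHello).
    if (len(payload) >= 6 and payload[0] == TLS_HANDSHAKE
            and payload[1] == 0x03 and payload[5] == 0x01):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def flag_non_tls_on_443(records):
    """Return (client, dest_host, kind) for port-443 tunnels that do not start with TLS."""
    flagged = []
    for rec in records:
        kind = classify_first_bytes(rec["first_bytes"])
        if rec["dest_port"] == 443 and kind != "tls":
            flagged.append((rec["client"], rec["dest_host"], kind))
    return flagged


# Constructed sample: a ClientHello prefix, an SSH banner, and a silent tunnel.
SAMPLE = [
    {"client": "10.0.0.21", "dest_host": "www.example.com", "dest_port": 443,
     "first_bytes": bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xFC])},
    {"client": "10.0.0.37", "dest_host": "home.example.net", "dest_port": 443,
     "first_bytes": b"SSH-2.0-ExampleClient_1.0\r\n"},
    {"client": "10.0.0.40", "dest_host": "idle.example.org", "dest_port": 443,
     "first_bytes": b""},
]

if __name__ == "__main__":
    for client, dest, kind in flag_non_tls_on_443(SAMPLE):
        print(f"{client} -> {dest}:443 first bytes look like {kind}, not TLS")
```

A tunnel flagged as "empty" only means the client had sent nothing when the sample was taken, so it is a prompt to look at the server's first bytes rather than a verdict.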
 
Old 10-22-2007, 09:15 PM   #11
1N4148
LQ Newbie
 
Registered: Jun 2006
Distribution: Gentoo
Posts: 22

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by jymbo View Post
There's a simple way to trick your proxy at work. Since it only allows http and https traffic, you need to fool it into thinking that your NX server at home is a web server.

Here's how I did it:

My FC7 box at home is behind a router, so I configured the router to open and forward port 443 to my FC7 box at port 22. All traffic destined for my home ip at port 443 will be forwarded to my FC7 box at port 22 (where NX is listening). My Asus router allows me to specify the port to forward to on the internal machine, but I know some routers may not have this feature. In this case, you'll need to edit sshd_config on your home machine to listen on port 443, or create an iptables rule on your home machine to forward port 443 to port 22.

On the NX client at work, I first configure the proxy settings, then I configure the server host with the dyndns name of my home ip, then use 443 as the port number. Since the connection through the proxy is sent through port 443, the work proxy sees it as https traffic and lets it through. Simple.

I'm writing this on my FC7 box from work over NX.

That's exactly what I tried at first - I set NX and SSH up to use port 80, forwarded it through iptables and my router and configured the NX client to use that port and the proxy@work - the proxy refused the connection, so I figured it only lets real http traffic through.

Anyway, I'm still working on this problem. The farthest I got so far was by using httptunnel, but for some strange reason the tunnel software closes on the client side and terminates the connection (or the connection terminates, which closes the software, I can't really tell).
But I'm out of ideas...

Last edited by 1N4148; 10-22-2007 at 09:16 PM.
 
  



Tags
nomachine, nx


All times are GMT -5.