[SOLVED] Tunnel apt traffic over SSH

czezz · 05-15-2017, 02:51 PM

This is the simple overview:
[internet] - [hostA] - [hostB]

hostA: has full access to internet and also is SSH server.
hostB: has only ssh connection to hostA (no internet access).

To be able to install any package eg. samba OR do apt update on hostB, I have established ssh tunnel:

Code:

1. hostA: sudo ssh -R 10090:archive.raspberrypi.org:80 pi@hostB
2. Next, on hostB:
/etc/apt/apt.conf
Acquire::http::Proxy "http://localhost:10090";
Acquire::https::Proxy "https://localhost:10090";

Now, theoretically that should do the work.
Any request over apt should go through PROXY 127.0.0.1:10090, and that is SSH tunnel established from hostA.
Unfortunately, it does not fully work. I tried some other combination of tunneling (eg. -L or -D from hostB) but that also fails.
Any clues what I might be doing wrong?

3. Here is the final step on hostB:

Code:

pi@raspberrypi:~ $ sudo apt update
Hit http://archive.raspberrypi.org jessie InRelease
Ign http://mirrordirector.raspbian.org jessie InRelease
Ign http://mirrordirector.raspbian.org jessie Release.gpg
Hit http://archive.raspberrypi.org jessie/main armhf Packages
Ign http://mirrordirector.raspbian.org jessie Release
Hit http://archive.raspberrypi.org jessie/ui armhf Packages
Ign http://archive.raspberrypi.org jessie/main Translation-en 
Ign http://archive.raspberrypi.org jessie/ui Translation-en
Err http://mirrordirector.raspbian.org jessie/main armhf Packages                                                                                                                             
  Received HTTP code 501 from proxy after CONNECT
Err http://mirrordirector.raspbian.org jessie/contrib armhf Packages                                                                                                                          
  Received HTTP code 501 from proxy after CONNECT
Err http://mirrordirector.raspbian.org jessie/non-free armhf Packages                                                                                                                         
  Received HTTP code 501 from proxy after CONNECT
Err http://mirrordirector.raspbian.org jessie/rpi armhf Packages                                                                                                                              
  Received HTTP code 501 from proxy after CONNECT
Ign http://mirrordirector.raspbian.org jessie/contrib Translation-en                                                                                                                          
Ign http://mirrordirector.raspbian.org jessie/main Translation-en                                                                                                                             
Ign http://mirrordirector.raspbian.org jessie/non-free Translation-en                                                                                                                         
Ign http://mirrordirector.raspbian.org jessie/rpi Translation-en                                                                                                                              
W: Failed to fetch http://mirrordirector.raspbian.org/raspbian/dists/jessie/main/binary-armhf/Packages  Received HTTP code 501 from proxy after CONNECT                                       

W: Failed to fetch http://mirrordirector.raspbian.org/raspbian/dists/jessie/contrib/binary-armhf/Packages  Received HTTP code 501 from proxy after CONNECT

W: Failed to fetch http://mirrordirector.raspbian.org/raspbian/dists/jessie/non-free/binary-armhf/Packages  Received HTTP code 501 from proxy after CONNECT

W: Failed to fetch http://mirrordirector.raspbian.org/raspbian/dists/jessie/rpi/binary-armhf/Packages  Received HTTP code 501 from proxy after CONNECT

E: Some index files failed to download. They have been ignored, or old ones used instead.

pan64 · 05-16-2017, 08:42 AM

proxy and tunnel are two different things. a tunnel cannot work as proxy for apt.

czezz · 05-16-2017, 08:55 AM

I open SSH tunnel from hostA to hostB.
That creates socket 127.0.0.1:10090 on hostB.

That allows me to eg. use: wget and that works.

Code:

# wget -e use_proxy=yes -e http_proxy=127.0.0.1:10090 http://archive.raspbian.org/raspbian/dists/jessie/Release

However it does not work with apt.

!!! · 05-19-2017, 01:49 AM

Edit: Probably wrong answer, sorry. (same as you tried)
Proxy in apt maybe? http://stackoverflow.com/questions/3...om-client-side

czezz · 05-19-2017, 06:05 AM

Hi !!!
Thank you for reply. I have already tired that one but it doesnt work to me :/
Its actually example that I started this post with.

[UPDATE]
actually SSH tunneling does work and pushing apt requests over SOCKS proxy (apt.conf) gives following output.
So, to the most of the sources apt connects and to some fails - giving the error: Received HTTP code 501 from proxy after CONNECT

Code:

root@raspberrypi:/home/pi# apt-get update
Hit http://archive.raspberrypi.org jessie InRelease
Ign http://mirrordirector.raspbian.org jessie InRelease
Ign http://mirrordirector.raspbian.org jessie Release.gpg
Ign http://mirrordirector.raspbian.org jessie Release
Hit http://archive.raspberrypi.org jessie/main armhf Packages
Hit http://archive.raspberrypi.org jessie/ui armhf Packages
Ign http://archive.raspberrypi.org jessie/main Translation-en                 
Ign http://archive.raspberrypi.org jessie/ui Translation-en
Err http://mirrordirector.raspbian.org jessie/main armhf Packages
  Received HTTP code 501 from proxy after CONNECT
Err http://mirrordirector.raspbian.org jessie/contrib armhf Packages
  Received HTTP code 501 from proxy after CONNECT
Err http://mirrordirector.raspbian.org jessie/non-free armhf Packages
  Received HTTP code 501 from proxy after CONNECT
Err http://mirrordirector.raspbian.org jessie/rpi armhf Packages
  Received HTTP code 501 from proxy after CONNECT
Ign http://mirrordirector.raspbian.org jessie/contrib Translation-en
Ign http://mirrordirector.raspbian.org jessie/main Translation-en
Ign http://mirrordirector.raspbian.org jessie/non-free Translation-en
Ign http://mirrordirector.raspbian.org jessie/rpi Translation-en
W: Failed to fetch http://mirrordirector.raspbian.org/raspbian/dists/jessie/main/binary-armhf/Packages  Received HTTP code 501 from proxy after CONNECT

W: Failed to fetch http://mirrordirector.raspbian.org/raspbian/dists/jessie/contrib/binary-armhf/Packages  Received HTTP code 501 from proxy after CONNECT

W: Failed to fetch http://mirrordirector.raspbian.org/raspbian/dists/jessie/non-free/binary-armhf/Packages  Received HTTP code 501 from proxy after CONNECT

W: Failed to fetch http://mirrordirector.raspbian.org/raspbian/dists/jessie/rpi/binary-armhf/Packages  Received HTTP code 501 from proxy after CONNECT

E: Some index files failed to download. They have been ignored, or old ones used instead.

For test I tried to install something simple - iftop. The beginning was very promising but eventually it failed giving this same error: Received HTTP code 501 from proxy after CONNECT

Code:

root@raspberrypi:/home/pi# apt-get install iftop
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  libpcap0.8
The following NEW packages will be installed:
  iftop libpcap0.8
0 upgraded, 2 newly installed, 0 to remove and 47 not upgraded.
Need to get 159 kB of archives.
After this operation, 344 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
WARNING: The following packages cannot be authenticated!
  libpcap0.8 iftop
Install these packages without verification? [y/N] Y
Err http://mirrordirector.raspbian.org/raspbian/ jessie/main libpcap0.8 armhf 1.6.2-2
  Received HTTP code 501 from proxy after CONNECT
Err http://mirrordirector.raspbian.org/raspbian/ jessie/main iftop armhf 1.0~pre4-2
  Received HTTP code 501 from proxy after CONNECT
E: Failed to fetch http://mirrordirector.raspbian.org/raspbian/pool/main/libp/libpcap/libpcap0.8_1.6.2-2_armhf.deb  Received HTTP code 501 from proxy after CONNECT

E: Failed to fetch http://mirrordirector.raspbian.org/raspbian/pool/main/i/iftop/iftop_1.0~pre4-2_armhf.deb  Received HTTP code 501 from proxy after CONNECT

E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

Anyone know what "Received HTTP code 501 from proxy after CONNECT" might mean in this situation?

czezz · 05-24-2017, 05:24 AM

Here is how I managed to solve this.
To simplify I execute here everything as root (note - this is unsafe). Better use "sudo".

[internet] - [hostA] - [hostB]

On hostA (the one with access to internet):
1. Execute following command:

Code:

# ssh -R 1111:mirrordirector.raspbian.org:80 -R 2222:archive.raspberrypi.org:80 -R 1443:archive.raspberrypi.org:443 -R 1080:raspbian.mirror.garr.it:80 pi@hostB

NOTE: you may need to change host raspbian.mirror.garr.it (depending from you location on the world). You will figure it out when you execute: apt install "package" - will drop error that cannot resolve specific host name. Take the host name from the error and replace it with the one from my example: raspbian.mirror.garr.it

On hostB (Raspbian):
2. backup and then edit following files (full file content shown here):

Code:

# cp -a /etc/apt/sources.list /etc/apt/sources.list.orig
# cp -a /etc/apt/sources.list.d/raspi.list /etc/apt/sources.list.d/raspi.list.orig
 
/etc/apt/sources.list
deb http://localhost:1111/raspbian/ jessie main contrib non-free rpi
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://archive.raspbian.org/raspbian/ jessie main contrib non-free rpi

/etc/apt/sources.list.d/raspi.list 
deb http://localhost:2222/debian/ jessie main ui
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://archive.raspberrypi.org/debian/ jessie main ui

3. Add following entry to /etc/hosts. NOTE for: raspbian.mirror.garr.it which might be different depending from your location in the world.

Code:

127.0.0.1	localhost www.raspberrypi.org raspbian.mirror.garr.it

4. Forward port: 80 and 443 to already existing tunnel - initiated in the 1st stop

Code:

ssh  -f -C -q -N -L 80:127.0.0.1:1080 pi@127.0.0.1
ssh  -f -C -q -N -L 443:127.0.0.1:1443 pi@127.0.0.1

5. Execute apt commands

Code:

apt-get update (some errors expexted)
apt-gat install "package"

Turbocapitalist · 05-24-2017, 05:54 AM

Thanks for the update. That is interesting.

I took a look at it earlier and didn't dig deep enough into why it seems that APT does not work with a SOCKS proxy to find a solution or work-around.

Another way might be to put Squid on the middle machine and just use it as a regular HTTP proxy either over SSH or, since you can, straight up.