LinuxQuestions.org
Old 03-30-2019, 08:03 AM   #1
MikeyCarter
Member
 
Registered: Feb 2003
Location: Orangeville
Distribution: Fedora
Posts: 492

Rep: Reputation: 31
How to Reverse Proxy with Squid or other tool when source box has no external connection?


Here's the config. No, I can't change it so don't ask.

Server <--- Internal Box <----> Resources


My server is protected via a firewall. I can make connections into the server... but the server can't talk to anything outside.

From the server I want to be able to connect to resources on the network.

Current solution is ssh tunnel from internal box to server and allow server to curl -x <localhost:3128> to connect to squid on Internal Box to access resources. Calling it a reverse proxy for lack of a better name.

My problem is ssh has a forced timeout or something and the ssh connection keeps hanging over time. Any attempts to see if ssh is still active return "yes". Sends traffic no problem but the server only sends a heartbeat back nothing else.

What I want to know is: is there a way to run squid (or another proxy server) on the server, then get the squid on internal to make a bridge, monitor it for stability and reset if down? I can have a connection open to connect to squid on the server from the internal box. Just not the other way around. Any way to make a two-way connection and have two squid (or other proxy) talk to each other?

Then I connect to local squid and it finds a route to get to the resources?
 
Old 03-30-2019, 12:43 PM   #2
/dev/random
Member
 
Registered: Aug 2012
Location: Ontario, Canada
Distribution: Slackware 14.2, LFS-current, NetBSD 6.1.3, OpenIndiana
Posts: 319

Rep: Reputation: 112
Quote:
Originally Posted by MikeyCarter View Post
Here's the config. No, I can't change it so don't ask.

Server <--- Internal Box <----> Resources
Why not set the Internal Box to be a SSH vpn and gateway for the server?

Let ssh set up the taps and assign it an IP, and on the Internal Box set up IP forwarding, then on the server side of things add a route to your resources via the Internal Box IP (gateway). Do the same route on the resources and now you have an ssh VPN that can talk to the resources without mumbo jumbo.
 
Old 03-30-2019, 05:01 PM   #3
MikeyCarter
Member
 
Registered: Feb 2003
Location: Orangeville
Distribution: Fedora
Posts: 492

Original Poster
Rep: Reputation: 31

Quote:
Originally Posted by /dev/random View Post
Why not set the Internal Box to be a SSH vpn and gateway for the server?

Let ssh set up the taps and assign it an IP, and on the Internal Box set up IP forwarding, then on the server side of things add a route to your resources via the Internal Box IP (gateway). Do the same route on the resources and now you have an ssh VPN that can talk to the resources without mumbo jumbo.
SSH is proving to be problematic on the network. The solution right now is just to ssh tunnel the proxy from the internal box, and it keeps hanging in such a way that ssh says it's still running but no traffic is coming back. Looking for a way that the network guys will let me get away with too... VPN isn't an option.
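
One way to get the "monitor it for stability and reset if down" behaviour asked for in post #1, given the symptom described in posts #1 and #3 (the ssh process looks alive but no traffic comes back): probe the forwarded Squid port end to end and rebuild the tunnel after repeated failures. This is an added example, not code from any poster in the thread; the host name, probe URL, intervals and key-based ssh login are assumptions.

```sh
#!/bin/sh
# Added example: watchdog for the reverse-forwarded Squid port, run on the Internal Box.
# SERVER and PROBE_URL are placeholders, not values from the thread.
SERVER="${SERVER:-user@server.example}"
PROXY_PORT="${PROXY_PORT:-3128}"
PROBE_URL="${PROBE_URL:-http://resource.example/}"
MAX_FAILS="${MAX_FAILS:-3}"

# ssh arguments for the tunnel: 127.0.0.1:3128 on the server -> Squid on this box.
# The forward binds to loopback only, so just local processes on the server can use it.
tunnel_args() {
    printf '%s ' -N -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \
        -R "127.0.0.1:${PROXY_PORT}:127.0.0.1:${PROXY_PORT}" "$SERVER"
}

# End-to-end probe: a second, short-lived ssh session has the server fetch PROBE_URL
# through the forwarded port. Any HTTP answer from Squid counts as success, so this
# tests the data path rather than whether the ssh process is still alive.
probe() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 "$SERVER" \
        "curl -s -o /dev/null -m 10 -x 127.0.0.1:${PROXY_PORT} '${PROBE_URL}'"
}

# next_fails COUNT STATUS: print the new consecutive-failure count.
next_fails() {
    if [ "$2" -eq 0 ]; then echo 0; else echo $(( $1 + 1 )); fi
}

# should_restart COUNT: succeed once COUNT reaches MAX_FAILS.
should_restart() { [ "$1" -ge "$MAX_FAILS" ]; }

run_watchdog() {
    fails=0; pid=
    while :; do
        if [ -z "$pid" ] || ! kill -0 "$pid" 2>/dev/null; then
            ssh $(tunnel_args) & pid=$!   # unquoted on purpose: split into arguments
            sleep 5
        fi
        probe && rc=0 || rc=$?
        fails=$(next_fails "$fails" "$rc")
        if should_restart "$fails"; then
            kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
            pid=; fails=0
        fi
        sleep "${INTERVAL:-30}"
    done
}

if [ "${1:-}" = "run" ]; then run_watchdog; fi
```

Start it on the Internal Box with the single argument `run`; the keepalive options make a dead TCP session exit on its own, while the probe catches the case where keepalives still pass but forwarded traffic stalls.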
 
Old 04-01-2019, 05:41 AM   #4
tyler2016
Member
 
Registered: Sep 2018
Distribution: Debian, CentOS, FreeBSD
Posts: 243

Rep: Reputation: Disabled
If there is a legitimate operational or business case, I would try to reason with the network people or go to management. If you can create an SSH tunnel, for all practical purposes, the server you mention has equivalent network access as the internal box. If you have control over two hosts and they can ping each other, you can actually send data between them with ICMP echo request (ping) packets. It requires a lot of skill to implement, but it is possible. Ping packets can be 64k - 1 - the protocol overhead, so there is plenty of room to encrypt the payload with a block cipher if you need it.

Notice the payload section:

https://en.wikipedia.org/wiki/Ping_(...)#ECHO-REQUEST
 
  



Tags
firewall, proxy, squid


