Gareth Middleton

Director of Innovation & Software Engineering @Holland & Hart LLP • building AI tools for law • PhD from Rice ECE

1 minute read

If connecting to a client’s environment from a remote site requires an SSH tunnel, how can we make local HTTP requests to access client resources? I didn’t want to install a system-wide proxy solution that I would only need on an infrequent basis, so I explored pproxy and found it to be exactly what I needed.

When used with dynamic port forwarding over ssh, pproxy can forward localhost HTTP requests through the SOCKS tunnel, into the protected environment. Filters can specify which requests are forwarded through the tunnel, meaning only those requests for resources on the other side of the tunnel are redirected through it. Suppose that a gateway server gateway.corporation.com exists which itself has access to the resources you need, and you can SSH into it. Here’s how to set it up:

First, connect to your remote gateway using dynamic forwarding. Here I’ve chosen to forward requests made to port 9300 over the tunnel. The N flag indicates that remote commands can’t be run on the gateway, a good security practice.

ssh -N -D 9300 myname@gateway.corporation.com

To pass only specific requests to the proxy (for example, requests to corporation.com), first create a rules file for pproxy (e.g., rules.re), with content such as:

# Forwarded domains
(?:.+\.)?corporation.*\.com

Then, launch the proxy server with those rules:

pproxy -r socks5://127.0.0.1:9300?rules.re -vv

pproxy is now listening on localhost:8080. It will forward any requests matching your rules to port 9300, which will send them through the tunnel to gateway.corporation.com. Any application (browser, Postman, etc) needing to use the tunnel must be configured to use a local proxy listening on localhost:8080

For command lines tools that may require a proxy, such as curl or wget, set the environment variables in the terminal session:

export http_proxy=http://localhost:8080
export https_proxy=http://localhost:8080

Note that both http and https are forwarded to http://localhost:8080

We can now issue a request to a protected resource from outside the environment:

wget https://protectedserver.corporation.com

Updated: