Overview
An implementation of HTTP Tunnel in Rust, which can also function as a TCP proxy.
The core code is entirely abstract from the tunnel protocol or transport protocols.
In this example, it supports both HTTP and HTTPS with minimal additional code.
Please note, this tunnel doesn't allow tunneling of plain text over HTTP tunnels (only HTTPS connections can be tunneled).
If you need this functionality you need to build the http-tunnel with the plain_text feature:
cargo build --release --features plain_textE.g. it can be extended to run the tunnel over QUIC+HTTP/3 or connect to another tunnel (as long as AsyncRead + AsyncWrite is satisfied for the implementation).
You can check benchmarks.
Read more about the design.
Quick overview of source files
configuration.rs- contains configuration structures + a basic CLI- see
config/with configuration files/TLS materials
- see
http_tunnel_codec.rs- a codec to process the initial HTTP request and encode a corresponding response.proxy_target.rs- an abstraction + basic TCP implementation to connect target servers.- contains a DNS resolver with a basic caching strategy (cache for a given
TTL)
- contains a DNS resolver with a basic caching strategy (cache for a given
relay.rs- relaying data from one stream to another,tunnel = upstream_relay + downstream_relay- also, contains basic
relay_policy
- also, contains basic
tunnel.rs- a tunnel. It's built from:- a tunnel handshake codec (e.g.
HttpTunnelCodec) - a target connector
- client connection as a stream
- a tunnel handshake codec (e.g.
main.rs- application. May startHTTPorHTTPStunnel (based on the command line parameters).- emits log to
logs/application.log(log/contains the actual output of the app from the browser session) - metrics to
logs/metrics.log- very basic, to demonstrate the concept.`
- emits log to
Run demo
Install via cargo:
cargo install http-tunnel
Now you can start it without any configuration:
$ http-tunnel --bind 0.0.0.0:8080 http
There are three modes.
HTTPS:
$ http-tunnel --config ./config/config.yaml \
--bind 0.0.0.0:8443 \
https --pk "./config/domain.pfx" --password "6B9mZ*1hJ#xk"
HTTP:
$ http-tunnel --config ./config/config-browser.yaml --bind 0.0.0.0:8080 http
TCP Proxy:
$ http-tunnel --config ./config/config-browser.yaml --bind 0.0.0.0:8080 tcp --destination $REMOTE_HOST:$REMOTE_PORT
Testing with a browser (HTTP)
In Firefox, you can set the HTTP proxy to localhost:8080. Make sure you run it with the right configuration:
https://support.mozilla.org/en-US/kb/connection-settings-firefox
(use HTTP Proxy and check "use this proxy for FTP and HTTPS")
$ ./target/release/http-tunnel --config ./config/config-browser.yaml --bind 0.0.0.0:8080 http
Testing with cURL (HTTPS)
This proxy can be tested with cURL:
Add simple.rust-http-tunnel.org' to /etc/hosts:
$ echo '127.0.0.1 simple.rust-http-tunnel.org' | sudo tee -a /etc/hosts
Then try access-listed targets (see ./config/config.yaml), e.g:
curl -vp --proxy https://simple.rust-http-tunnel.org:8443 --proxy-cacert ./config/domain.crt https://www.wikipedia.org
You can also play around with targets that are not allowed.
Privacy
The application cannot see the plaintext data.
The application doesn't log any information that may help identify clients (such as IP, auth tokens). Only general information (events, errors, data sizes) is logged for monitoring purposes.
DDoS protection
Slowlorisattack (opening tons of slow connections)- Sending requests resulting in large responses
Some of them can be solved by introducing rate/age limits and inactivity timeouts.
Build
Install cargo - follow these instructions
On Debian to fix OpenSSL build issue:
sudo apt-get install pkg-config libssl-dev
Installation
On MacOS:
curl https://sh.rustup.rs -sSf | sh
cargo install http-tunnel
http-tunnel --bind 0.0.0.0:8080 http
On Debian based Linux:
curl https://sh.rustup.rs -sSf | sh
sudo apt-get -y install gcc pkg-config libssl-dev
cargo install http-tunnel
http-tunnel --bind 0.0.0.0:8080 http