SSH Tunneling through web filters (s-anand.net)
33 points by r11t on Jan 10, 2010 | 27 comments


At the end of the article, the author suggests looking at proxytunnel and http://dag.wieers.com/howto/ssh-http-tunneling if you want to do this under Linux.

I just want to point out that this last option does a lot more than what the article does: it actually encapsulates the ssh session in HTTPS requests, so it'll work even if your firewall does layer-7 filtering. The article just runs sshd on port 443 and connects to that.
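
Added example (not part of the thread): a minimal sketch of the layer-7 check the comment above refers to, which classifies the first client bytes of a flow instead of trusting the destination port. The function names and the sample flows are constructed for illustration.

```python
# Added example: classify the first client payload of a TCP flow the way a
# layer-7 filter would, rather than assuming "port 443 means HTTPS".

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def classify_first_bytes(payload: bytes) -> str:
    """Return a protocol label for the first application bytes of a flow."""
    # RFC 4253: each side opens with "SSH-protoversion-softwareversion".
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: type 0x16 (handshake), version 0x03 0x0X, 2-byte
    # length, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls-client-hello"
    method = payload.split(b" ", 1)[0]
    if method in HTTP_METHODS:
        return "http-connect" if method == b"CONNECT" else "http"
    return "unknown"


def non_tls_on_443(flows):
    """Return (src, protocol) for flows to port 443 that do not start with TLS."""
    findings = []
    for src, dst_port, payload in flows:
        if dst_port != 443:
            continue
        proto = classify_first_bytes(payload)
        if proto != "tls-client-hello":
            findings.append((src, proto))
    return findings


# Constructed sample data: (source address, destination port, first payload).
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B, 0x03, 0x03])
SAMPLE_FLOWS = [
    ("10.0.0.5", 443, TLS_HELLO),
    ("10.0.0.7", 443, b"SSH-2.0-OpenSSH_5.3\r\n"),
    ("10.0.0.9", 80, b"GET / HTTP/1.1\r\n"),
    ("10.0.0.11", 443, b"\x00\x01\x02"),
]

if __name__ == "__main__":
    for src, proto in non_tls_on_443(SAMPLE_FLOWS):
        print(f"{src}: non-TLS traffic on 443 ({proto})")
```

This flags only the bare sshd-on-443 case; a session encapsulated in HTTPS starts with a valid ClientHello, so first-bytes inspection alone does not cover it.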


>Would anyone on HN work at a company that filters http?

I'm consulting for one now. For the most part, they filter porn and borderline porn. However, they also filter Facebook (but not LinkedIn!), YouTube, and a few other mainstream sites.

Circumvention certainly isn't that hard, but it also likely violates some company policy. I connected my Droid to their Exchange servers and got a nastygram from IT security (albeit a few weeks later).

Ironically, the risk isn't just that I would get caught - the first time would be a hand slap unless they wanted a reason to get rid of me. The corporate culture is so focused on conformity and compliance that it would be absolutely shocking to others that I would have even considered such a thing. And, this affects perceptions of trustworthiness. [No, I do not like any of this!]


Given that Google App Engine gives away the first 5M requests/month for free and allows outgoing HTTP requests, would it be possible to build a proxy with it? Let's say I built a SOCKS client for Windows which delegated requests to a small AppEngine app via HTTPS. The server-side would simply make the request on the client's behalf and return the result. Would this work? I suspect latency would be much worse than the EC2/SSH option, but it would be more convenient. I could use something like FoxyProxy to only use the AppEngine hack for sites which required it.


There are quite a few of these. Check out http://code.google.com/p/downy/source/browse/#hg/proxy

I know this because the building where my office is has filters set up on the internet (I don't pay the bill, so who am I to complain). Because of the AppEngine proxies, they block all appspot.com domains.

The crappy part is that I have a couple of projects hosted on AppEngine, so in order to access those I have to run a reverse tunnel to get around their filters. (Making this thread circular).

I use this for my proxy (and set a system wide SOCKS proxy on OSX):

    ssh -CfgN -D 9999 myserver.com


The bank I have been working at for the last 12 months was also blocking 443 traffic (except to a few "safe" SSL sites). Tunnelling on 443 was impossible.


What's the reasoning behind that? Do they want to intercept all communications, and encryption would get in the way of that?


It's not too hard to MITM HTTPS traffic in a corporate setting -- you run your own internal root CA that approves the same cert for all domains, and add its public key to the browsers on all of the company's computers. Then instead of running a normal socks proxy, you just route all external IPs to a gateway box that proxies on 80 and 443.

I've seen this proxy method used at a company before, but I'm pretty sure they just passed through the https traffic instead of fucking with the certs. I'll have to check the next time I'm on-site...


There are bots that use SSL for C&C communication over port 443. There are also obligations under certain banking regulations to be able to intercept all communications (e.g. on the dealing floor) and whilst some Internet access may be useful, opening things up too far can cause more problems than it solves.


No, I guess they figured out that people were tunnelling over 443 and decided to take action.


In China I found that using a UDP-based OpenVPN to Slicehost was higher performing than the TCP on top of TCP issues that you get with SSH Tunneling when there's packet loss.

There are even some pretty decent desktop clients for OpenVPN, see Viscosity for OSX.

This is assuming you have the ports open (the Great Firewall of China does HTTP inspection but not port blocking).


A VPS (Slicehost anyone?) should do the same, and it's way less expensive than EC2. You just have to set up everything from a non-filtered connection (at home! ..hey, you can even build this in a home server!).

Anyway, if you can use a SOCKS proxy, it should work for almost every application supporting any kind of proxy (but not using the 443/SSL port).


Good writeup, ssh tunnels are something I can’t live without…

Step 9 can be skipped completely if no proxy needs to be configured.

Also don’t forget, doing all of this still sends the DNS requests in the clear to the usual/old DNS server and not through EC2. If the DNS server is also meant to filter and redirect, this can be an issue. To go around that, in Firefox you can go to about:config and set network.proxy.socks_remote_dns = true

And for Linux folks... you don't need any tools or any more special config... just run the ssh command with switch -D <SOCKS_PORT_NUMBER> and configure Firefox or your browser to use that.


Has anyone on HN actually worked for a company that filters internet traffic? Would anyone on HN work at a company that filters http? I've always thought that if a company could effectively block internet traffic with a filter on a proxy then the problem wasn't that employees were wasting time surfing; the problem was that they were hiring employees incapable of getting around it.


I work somewhere that does this. The reason is not to prevent employees from wasting time; it's to prevent someone from unintentionally putting internal data in Google Docs or something like that. The filters are stupid, though, and only cover the very mainstream. Digg and Reddit are blocked, but Slashdot, Hacker News, and Metafilter aren't. Plenty Of Fish is blocked, but OKCupid isn't. Even sillier, http://voice.google.com/ is blocked (because it's "voice over IP", which it's not) but http://google.com/voice/, the actual URL, isn't. Etc., etc. It's really stupid, but it's essentially government-mandated.

In exchange for this, though, nobody dictates what technology I use to do my work, I can show up at 2 in the afternoon and nobody cares, and I get a lot of money. (The company I worked at before didn't block any websites, but the work was boring, my manager micro-managed every library decision, and I got almost no money. Trade-offs.)


Yep.

Financial Services in London filter/block a lot.

They also disable DNS lookups, and so only browser lookups and specially coded wget have resolution capability.

No: Gmail, Yahoo! Mail, Hotmail, Betfair, Twitter, Facebook


It's generally done for compliance reasons, banks are covered by fairly strict regulations which require communication audit logs. Similarly most personal brokerage websites and gambling websites are blocked to prevent insider trading, obviously it's not going to stop someone who's determined to break the law, but banks have to be able to show they've taken reasonable measures to prevent it.


The government filters http.

People generally assume that it's okay to slack off as long as you get your assigned work completed.


For $60/mo you can get a Sprint MiFi, and have mobile broadband access anywhere there's coverage. I know, this doesn't work for everyone, but compared to a $57/mo EC2 instance, I think it's a win in many cases.


A $20/month VPS would likely do the job well enough.



I use my slice for this stuff. On a mac, just add the localhost:<someport> to the 'network preferences > SOCKS proxies' and then do:

    ssh -D <someport> user@slicehost.com


Wow! 8 cents an hour! That's...um....$57 a month. Oh.

Can you schedule EC2 instances for certain times of the day, or is it an all on or nothing thing?


You can shut it down and start it up whenever you like. Billing is by the hour so it is perfectly possible to just have it running when you need it and have it shut down for the rest of the time.


It works with anything but Google Chrome... I just learned that it doesn't support SOCKS proxy :/


Chrome doesn't support DNS query via SOCKS5 (aka network.proxy.socks_remote_dns in Firefox), but supports SOCKS5:

    chrome.exe --proxy-server=socks5://127.0.0.1:8008

Credits: http://code.google.com/p/chromium/issues/detail?id=29914


It's pretty common for VPN providers like witopia or acevpn to provide access via TCP 443 to get through these same firewalls, and it's a whole lot simpler, not to mention more cost effective.


You can use MyEnTunnel



