HTTP tunneling is a technique by which communications performed using
various network protocols are encapsulated using the HTTP protocol, the
network protocols in question usually belonging to the TCP/IP family of
protocols. The HTTP protocol therefore acts as a wrapper for a channel
that the network protocol being tunneled uses to communicate.
The HTTP stream with its covert channel is termed an HTTP tunnel.
HTTP tunnel software consists of client-server HTTP tunneling
applications that integrate with existing application software,
permitting them to be used in conditions of restricted network
connectivity including firewalled networks, networks behind proxy
servers, and network address translation.
Usage
An HTTP tunnel is used most often as a means for communication from
network locations with restricted connectivity – most often behind
NATs, firewalls, or proxy servers, and most often with applications
that lack native support for communication in such conditions of
restricted connectivity. Restricted connectivity in the form of blocked
TCP/IP ports, blocking traffic initiated from outside the network, or
blocking of all network protocols except a few is a commonly used
method to lock down a network to secure it against internal and
external threats
Mechanism
A variation of HTTP tunneling when behind an HTTP Proxy Server is to
use the "CONNECT" HTTP method.
In this mechanism, the client, using the "CONNECT" HTTP method, asks an
HTTP Proxy server to forward the TCP connection to the desired
destination. The server then proceeds to make the connection on behalf
of the client. Once the connection has been established by the server,
the Proxy server continues to proxy the TCP stream to and from the
client. Note that only the initial connection request is HTTP; after
that, the server simply proxies the established TCP connection.
This mechanism is how a client behind an HTTP proxy can access websites
using SSL (i.e. HTTPS).
Not all HTTP Proxy Servers support this feature, and even those that
do may limit the behaviour (for example, only allowing connections to
the default HTTPS port 443, or blocking traffic that doesn't appear to
be SSL).
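The proxy-side checks just described, as an added example that is not part of the original article: it parses a CONNECT request line, applies an assumed policy that allows only port 443, and applies a heuristic for whether the bytes sent after the "200 Connection Established" reply look like an SSL/TLS ClientHello. The request lines and byte strings are constructed samples, and the ALLOWED_PORTS policy is an assumption.

```python
import re

# Assumption: proxy policy permits CONNECT only to the default HTTPS port.
ALLOWED_PORTS = {443}

# CONNECT host:port HTTP/1.x  (host may be a name, IPv4, or bracketed IPv6)
_CONNECT_RE = re.compile(
    r"^CONNECT\s+([^\s:]+|\[[0-9a-fA-F:]+\]):(\d{1,5})\s+HTTP/1\.[01]$"
)


def parse_connect(request_line: str):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    m = _CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    host, port = m.group(1), int(m.group(2))
    if not 0 < port < 65536:
        return None
    return host, port


def connect_decision(request_line: str) -> str:
    """Status line the proxy answers with under the port-443-only policy."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return "HTTP/1.1 400 Bad Request"
    _, port = parsed
    if port not in ALLOWED_PORTS:
        return "HTTP/1.1 403 Forbidden"
    # Only this first request is HTTP; after this reply the proxy relays raw TCP.
    return "HTTP/1.1 200 Connection Established"


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """Heuristic for 'appears to be SSL': a TLS record of content type
    handshake (0x16), major version 3, whose first handshake message is
    ClientHello (0x01). Anything else would be refused by a strict proxy."""
    if len(first_bytes) < 6:
        return False
    return (first_bytes[0] == 0x16 and first_bytes[1] == 0x03
            and first_bytes[5] == 0x01)


# Constructed samples: a TLS ClientHello record prefix and a plaintext SSH banner.
SAMPLE_TLS = bytes.fromhex("160301002a") + bytes.fromhex("01000026")
SAMPLE_SSH = b"SSH-2.0-OpenSSH_9.0\r\n"
```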