HTTP tunnel
HTTP tunneling is a technique by which communications performed using various network protocols, usually members of the TCP/IP family, are encapsulated using the HTTP protocol. HTTP therefore acts as a wrapper for a channel over which the tunneled network protocol communicates.
The HTTP stream with its covert channel is termed an HTTP tunnel.
HTTP tunnel software consists of client-server HTTP tunneling applications that integrate with existing application software, permitting it to be used under conditions of restricted network connectivity, including firewalled networks, networks behind proxy servers, and NATs.
Usage
An HTTP tunnel is used most often as a means of communication from network locations with restricted connectivity, most often behind NATs, firewalls, or proxy servers, and most often with applications that lack native support for communicating under such conditions. Restricted connectivity in the form of blocked TCP/IP ports, blocking of traffic initiated from outside the network, or blocking of all network protocols except a few is a common way to lock down a network and secure it against internal and external threats.
Mechanism
The application that wishes to communicate with a remote host opens an HTTP connection to a mediator server, which acts as a relay for communications to and from the remote host. The application then communicates with the mediator server using HTTP requests, encapsulating the actual communications within those requests. The mediator server must be in a network location with sufficiently unrestricted connectivity.
The mediator server unwraps the actual data before forwarding it to the remote host in question. Symmetrically, when it receives data from the remote host, it wraps it in the HTTP protocol before sending it to the application as part of an HTTP response.
In this situation, the application plays the role of a tunneling client, while the remote host plays the role of the server being communicated with.
HTTP CONNECT Tunneling
A variation of HTTP tunneling when behind an HTTP proxy server is to use the HTTP "CONNECT" method.[1]
In this mechanism, the client asks an HTTP proxy server to forward the TCP connection to the desired destination using the "CONNECT" HTTP method. The proxy then makes the connection on behalf of the client. Once the connection has been established, the proxy continues to relay the TCP stream to and from the client. Note that only the initial connection request is HTTP; after that, the proxy simply forwards the established TCP connection.
This mechanism is how a client behind an HTTP proxy can access websites using SSL (i.e. HTTPS).
Not all HTTP proxy servers support this feature, and even those that do may limit its behaviour (for example, only allowing connections to the default HTTPS port 443, or blocking traffic that does not appear to be SSL).
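The CONNECT exchange and the two proxy-side restrictions named above, as an added Python example that is not part of the original article: the proxy parses the CONNECT request line, refuses any port other than 443, and, once the relay is open, keeps forwarding only if the client's first bytes are a TLS handshake record. The request bytes and stream prefixes are constructed samples, and the function names are my own.

```python
import re
from typing import Optional, Tuple

# Constructed samples (not taken from the article).
SAMPLE_CONNECT = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
# A TLS ClientHello starts with record type 0x16 (handshake), record-layer
# version 0x03 0x01..0x03, a 2-byte length, then handshake type 0x01.
SAMPLE_TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01]) + b"\x00" * 10
SAMPLE_NOT_TLS = b"SSH-2.0-OpenSSH\r\n"  # plaintext pushed through the tunnel

CONNECT_LINE = re.compile(rb"^CONNECT ([^\s:]+):(\d{1,5}) HTTP/1\.[01]\r\n")


def parse_connect(request: bytes) -> Optional[Tuple[str, int]]:
    """Return (host, port) from the CONNECT request line, or None if malformed."""
    m = CONNECT_LINE.match(request)
    if not m:
        return None
    port = int(m.group(2).decode("ascii"))
    if not 1 <= port <= 65535:
        return None
    return m.group(1).decode("ascii"), port


def connect_decision(request: bytes, allowed_ports=(443,)) -> Tuple[int, str]:
    """Step 1, before any relaying: the HTTP status the proxy answers with.
    200 means the proxy opens the TCP connection and starts relaying bytes."""
    target = parse_connect(request)
    if target is None:
        return 400, "malformed CONNECT request line"
    host, port = target
    if port not in allowed_ports:
        return 403, f"CONNECT to {host}:{port} refused: port not allowed"
    return 200, f"tunnel to {host}:{port} established"


def looks_like_tls(first_bytes: bytes) -> bool:
    """Step 2, after the 200: keep relaying only if the client's first bytes
    form a TLS handshake record carrying a ClientHello. Anything else (SSH,
    raw TCP, a second HTTP request) means the tunnel is not carrying HTTPS."""
    return (len(first_bytes) >= 6
            and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] in (1, 2, 3)
            and first_bytes[5] == 0x01)
```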
HTTP Tunneling without using CONNECT
In some networks, use of the CONNECT method is restricted to a few trusted sites. In such cases, an HTTP tunnel can still be implemented using only the usual HTTP methods POST, GET, PUT and DELETE. This is similar to the approach used in Bidirectional-streams Over Synchronous HTTP (BOSH).
In this proof-of-concept program, the server runs outside the protected network and acts as a special HTTP server. The client program runs on a computer inside the protected network. Whenever any network traffic is passed to the client, it repackages it as an HTTP request and relays it to the outside server, which extracts and executes the original network request on the client's behalf. The response to that request, sent to the server, is then repackaged as an HTTP response and relayed back to the client. Since all traffic is encapsulated inside normal GET and POST requests and responses, this approach works through most proxies and firewalls.
HTTP Tunnel Clients
There are several free/open-source and commercial HTTP tunneling client applications that allow even applications lacking native tunneling support to communicate from locations with restricted connectivity.
The free or open-source HTTP tunneling clients are usually packaged as a pair of applications, one of which performs the role of the mediator server, the other the role of the tunneling client. This requires the user to have access to a server of their own on which they can run the mediator server software.
The commercial HTTP tunneling client applications are provided by companies that run their own mediator server farms. They charge for the service, with various tiers of service depending on the bandwidth provided.
This is the infamous means by which students and employees bypass internet filters placed on school or work computers. Rather than using the site's internet connection to fetch website content, it uses that connection only to reach another, unrestricted computer. That computer then uses its own internet connection to fetch the web content and send it back to the person tunneling. This is similar to the remote desktop concept, but uses only that computer's unrestricted internet connection.
Uses of HTTP Tunnel Clients
- To use applications (games/IM clients/browsers) from behind restrictive firewalls or proxy servers
- To access blocked sites
- To share a confidential resource securely over HTTP
References
- Fielding, R. (June 1999). "Method Definitions, CONNECT". Hypertext Transfer Protocol -- HTTP/1.1. IETF. p. 56. sec. 9.9. RFC 2616. Retrieved 2010-07-09.