sockhole

sockhole is a decrypting SOCKS proxy. When it receives a request to make a connection to a port listed in its TLS_PORTS list, it will establish the encrypted connection itself, verify the TLS certificate, and then proxy decrypted data to the client as if the connection were made to a plaintext service.

This is intended to support old software/equipment which supports SOCKS proxies but does not support SSL/TLS or modern ciphers. That software can establish a plaintext connection over a trusted LAN connection to a local machine running sockhole, and the sockhole proxy can establish a secure tunnel over the public internet.

For example, a computer running a POP3 client with SOCKS proxy support but no SSL support can connect to a remote POP3 server over TLS just by switching the port configured in the POP3 client to 995 (POP3S).

Installation

server$ bundle install --path vendor/bundle

Use

server$ bundle exec ruby sockhole.rb

Supported options:

  • -a allowed range: add the IP/mask to the list of allowed IPs; defaults to the /24 of the listen IP
  • -d: enable debugging
  • -p port: set the listen port (defaults to 1080)
  • -i ip: set the listen IP (defaults to the first non-loopback IP on all interfaces)
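The option list above describes two defaults that matter for safety, since everything between the legacy client and the proxy is plaintext: the listen IP and the allowed range derived from it. The following is an added example, not sockhole's own code, showing one way to parse those options and enforce the allow list in Ruby with the standard library. The function names, settings-hash keys and the `serve` accept loop are this example's own; the defaults (port 1080, the /24 of the listen IP, first non-loopback IP) are the ones the list states.

```ruby
require "ipaddr"
require "optparse"
require "socket"

# Parse the command line into a settings hash. Defaults follow the option
# list above; function and key names are this example's own (hypothetical).
def parse_options(argv)
  opts = { allowed: [], debug: false, port: 1080, ip: nil }
  OptionParser.new do |o|
    o.on("-a RANGE", "add an IP/mask to the allowed list") { |v| opts[:allowed] << v }
    o.on("-d", "enable debugging") { opts[:debug] = true }
    o.on("-p PORT", Integer, "listen port") { |v| opts[:port] = v }
    o.on("-i IP", "listen IP") { |v| opts[:ip] = v }
  end.parse(argv)
  opts
end

# First non-loopback IPv4 address on any interface, or nil if there is none.
def default_listen_ip
  addr = Socket.ip_address_list.find { |a| a.ipv4? && !a.ipv4_loopback? }
  addr&.ip_address
end

# Allow list: the /24 containing the listen IP (IPAddr masks off the host bits)
# plus every range given with -a. An invalid -a value raises
# IPAddr::InvalidAddressError at startup instead of silently changing the list.
def build_allow_list(listen_ip, extra_ranges = [])
  [IPAddr.new("#{listen_ip}/24")] + extra_ranges.map { |r| IPAddr.new(r) }
end

# Accept a client only if its address falls inside some allowed range.
# The address family is compared explicitly so an IPv6 peer never matches
# an IPv4 range by accident.
def client_allowed?(allow_list, client_ip)
  addr = IPAddr.new(client_ip)
  allow_list.any? { |range| range.family == addr.family && range.include?(addr) }
end

# Accept loop: the ACL is checked on the accepted socket's peer address before
# a single byte of the SOCKS handshake is read. Each allowed client is handed
# to the caller's block (the SOCKS handling itself is outside this example).
def serve(opts, &handler)
  listen_ip = opts[:ip] || default_listen_ip
  acl = build_allow_list(listen_ip, opts[:allowed])
  server = TCPServer.new(listen_ip, opts[:port])
  warn "[server] listening on #{listen_ip}:#{opts[:port]}" if opts[:debug]
  loop do
    client = server.accept
    peer = client.peeraddr(false)[3]
    unless client_allowed?(acl, peer)
      warn "[server] rejected #{peer}" if opts[:debug]
      client.close
      next
    end
    Thread.new(client) { |c| handler.call(c) }
  end
end

if __FILE__ == $PROGRAM_NAME
  serve(parse_options(ARGV)) { |client| client.close } # placeholder handler
end
```

Note that `IPAddr.new("192.168.1.1/24")` already normalises to `192.168.1.0/24`, so a listen IP anywhere in the subnet yields the same default range, which is what the `-a` description implies.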

Client Examples

Curl

curl should be instructed to use the http protocol on port 443, not https, or else it will expect encrypted data to come through the SOCKS proxy. However, when given a URL of http://example.com:443/, curl sends a header of Host: example.com:443, which may not match any virtual host configured on the server. The -H option can be used to override the sent Host header and remove the port:

server$ bundle exec ruby sockhole.rb
[2020-11-12 08:47:24 -0600] [I] [server] listening on 192.168.1.1:1080

client$ curl -H "Host: example.com" --preproxy socks5h://192.168.1.1 http://example.com:443/
<!doctype html>
...

When connecting to a TLS host with an invalid certificate, sockhole will reject the client before it sends any data.

client$ curl -H "Host: wrong.host.badssl.com" --preproxy socks5h://192.168.1.1 http://wrong.host.badssl.com:443/
curl: (97) connection to proxy closed
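The two behaviours shown so far, terminating TLS on the proxy for ports in TLS_PORTS and refusing the client before any data flows when the certificate is bad, come down to how the SOCKS CONNECT target is parsed and how the upstream TLS connection is verified. The following is an added example in Ruby, not sockhole's own code: it parses a SOCKS5 CONNECT request per RFC 1928, decides from the port whether to wrap the upstream in TLS, and opens that upstream with chain and hostname verification. The `TLS_PORTS` values, the function names and the omission of the SOCKS greeting and reply messages are this example's assumptions.

```ruby
require "openssl"
require "socket"
require "ipaddr"

# Ports whose connections the proxy terminates with TLS on the client's behalf.
# These values are an assumption for this example; sockhole.rb keeps its own list.
TLS_PORTS = [443, 465, 993, 995].freeze

SOCKS_VERSION = 5
CMD_CONNECT   = 1
ATYP_IPV4     = 1
ATYP_DOMAIN   = 3
ATYP_IPV6     = 4

# Parse a SOCKS5 CONNECT request (RFC 1928, section 4) into its target.
# Every length is checked before it is used, and a malformed request raises
# ArgumentError so the caller can drop the client without opening anything.
def parse_socks5_connect(bytes)
  bytes = bytes.b
  raise ArgumentError, "short request" if bytes.bytesize < 4
  ver, cmd, _rsv, atyp = bytes.unpack("C4")
  raise ArgumentError, "unsupported SOCKS version #{ver}" unless ver == SOCKS_VERSION
  raise ArgumentError, "only CONNECT is supported" unless cmd == CMD_CONNECT

  case atyp
  when ATYP_IPV4
    raise ArgumentError, "truncated IPv4 request" unless bytes.bytesize == 10
    host = bytes.byteslice(4, 4).unpack("C4").join(".")
    port = bytes.byteslice(8, 2).unpack1("n")
  when ATYP_DOMAIN
    len = bytes.getbyte(4)
    if len.nil? || len.zero? || bytes.bytesize != 7 + len
      raise ArgumentError, "truncated or empty domain request"
    end
    host = bytes.byteslice(5, len)
    port = bytes.byteslice(5 + len, 2).unpack1("n")
  when ATYP_IPV6
    raise ArgumentError, "truncated IPv6 request" unless bytes.bytesize == 22
    host = bytes.byteslice(4, 16).unpack("n8").map { |w| w.to_s(16) }.join(":")
    port = bytes.byteslice(20, 2).unpack1("n")
  else
    raise ArgumentError, "unknown address type #{atyp}"
  end

  { host: host, port: port, tls: TLS_PORTS.include?(port) }
end

# True for IPv4/IPv6 literals, false for DNS names (SNI must carry a name).
def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Client-side TLS context for the upstream leg. The legacy client cannot check
# certificates, so the proxy must: VERIFY_PEER against the system CA store and
# nothing older than TLS 1.2.
def tls_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER) # also loads default CA paths
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx
end

# Open the upstream for a parsed request: plain TCP for ordinary ports, TLS
# with chain and hostname verification for ports in TLS_PORTS. A verification
# failure raises OpenSSL::SSL::SSLError before any client data is relayed,
# which is the point at which the proxy closes the client (curl's error 97).
def open_upstream(req)
  tcp = TCPSocket.new(req[:host], req[:port])
  return tcp unless req[:tls]

  ssl = OpenSSL::SSL::SSLSocket.new(tcp, tls_context)
  ssl.sync_close = true
  ssl.hostname = req[:host] unless ip_literal?(req[:host]) # SNI for names only
  ssl.connect                                              # chain verification happens here
  ssl.post_connection_check(req[:host])                    # certificate must name the target
  ssl
rescue OpenSSL::SSL::SSLError
  tcp&.close
  raise
end
```

With this split, a request for `example.com:443` is parsed to `tls: true` and the proxy performs the handshake and name check itself, while a request for port 110 is passed through untouched; the `wrong.host.badssl.com` case fails in `post_connection_check` and the client sees the connection closed, matching the behaviour documented above.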

nc

client$ nc -x 192.168.1.1 imap.fastmail.com imaps
* OK IMAP4 ready
