I am a newbie in network programming in C# and I want to create a proxy server which can be used to restrict users from connecting to internet if they have exceeded the download limit.
My current config is ---- User -> proxy server -> wifi router -> internet.
I searched everywhere and I found that HTTP proxy can be created but it is very hard to create a HTTPS proxy in C#
Even the c# library like Trotinet and mentalis does not support the HTTPS proxy.
But I found that there are many library in JAVA like little proxy that support HTTPS connection.
So, Is it possible to create a fully functional proxy in C#? or should I try switching to JAVA?
One More question. Can I create a simple TCP client read its networkstearm and forward that stream as it is to wifi router without need to read its header or anything, will this method work? Just a guess, sorry for noob question.
Thanks
Answer for your first question : YES, you can create full functional HTTPS proxy with C# (similar to Fiddler). No need for changing to Java. Just for testing purpose you can use Fiddler Core. Fiddler core is a complete HTTPS Proxy written in C#. If you have time and knowledge, do reverse engineering by using reflector on fiddler core and get some idea about implementation.
Last commit on Trotinet has a shy implementation of HTTPS pass thru. So unless you dont want to decrypt the https data, Trotinet will be a good choice.
-Kumar
Related
I'm writing a server-client application where communication is done over the internet and I have several questions and concerns regarding security. I have done some research and found some posts here useful, but I would like more information. Some related questions I read were:
Secure authentication of client over RMI
java rmi authentication & security. exportObject makes it public?
Is communication in java rmi secure?
I have 3 parts to consider:
Information exchanged between the client and the server.
Authentication of the client.
Exploiting a running RMI server (hacking etc.).
What I know:
RMI over SSL. Using SSL sockets instead of the default socket would encrypt all information passed between the client and the server. This includes the objects exchange and method calls.
Authentication using username/password combination over SSL before RMI connection has been established. To my understanding there was supposed to be a way to authenticate inside the RMI connection but it was voted down.
Not too sure what can or needs to be done here. I do know that you can't just write your own client and ask to connect to the server since you need an ObjectID and the remote interfaces. However, is it not possible to decompile the classes \ interfaces you need since they are sent in RMI anyway? I also saw this Youtube video [http://www.youtube.com/watch?v=otjllNaBxiw] while researching and it got me worried with how easy it is, although I don't know if the server was not setup correctly.
All in all, are there other security issues I need to consider in RMI over the internet? Am I missing a solution I need to look at? Is what I already know wrong?
Information exchanged between the client and the server.
RMI over SSL.
Authentication of the client.
Authentication of the client is done by SSL. You mean authorisation, which is 'relatively' easy. Define your own RMIServerSocketFactory that returns an ServerSocket override whose implAccept() method wraps the socket in an SSLSocket, to which you add a handshake listener and set needClientAuth to true on it (and clientMode to false). Your handshake listener should then get and check the client certificate from the SSLSession, to see if the identity it authenticates is authorised, and simply close the socket if non-authorised.
Authorising the server, in the client, is on the other hand baroquely complex. You really need the JERI API in Jini to do it properly.
Exploiting a running RMI server (hacking etc.).
I won't go so far as to say it's impossible, but it's extremely difficult, and there are several strong lines of defence. You need the ObjectID, which is random, and can be made securely random, and you need the classes. Classes and interfaces aren't sent in RMI unless you specifically enable it, and they are sent by a side channel that you can secure arbitrarily strongly, for example with two-way-authenticated HTTPS. So you can't get those. Then you need to get yourself authorised, which basically requires compromising the server. And if that's possible, anything is.
I am new to java.I need to develop a proxy server for IBC 2011 conference.I have some Questions regrading the Proxy server.
1.I am going to develop the proxy server using java.
Suppose A(sending the information) to B(receive the message) through the proxy server.
Here A is sending the information through HTTP serves(application running in A is a wed application) how can i receive the information send by A in proxy server and how can I forward it to the B which is also a HTTP serves.
2.What r the Things I have to now before I start developing the proxy server.
3.How can i get the information from the HTTP protocol.
4.How can i check frequently for the any message is there in line to forward to B from A or B to A.
Can any one helpme.Thanks in advance.
Use one of these instead http://proxies.xhaus.com/java/. Rolling your own proxy implementation will be much harder than you think once you've taken all the intricacies of HTTP into account.
there are many libraries which can you use.
for the A and B they can running hessian server(for listening) + client(for sending)
and for the proxy server you can use JMS + hessian server + client same as for A and B.
In this way you can send java objects.
But hessian is only on suggestion you can use RMI or spring remoting or maybe web services.
By far which a have working hessian is the fastest and very easy to develop.
from 1 to 4 you ask how to design a application which is out of the scope and you need to do it by you self :).
I did something similar in my course project.
As far as i am concerned, the core knowledge u need to learn about java for this a proxy server is socket programming.
you can setup two sockets: one communicates between your proxy server and the web browser, the other communicates between your proxy server and the target server.
Also, you will need some knowledge about thread in Java, open one thread for each connection will be a efficient way.
And I assume that you already have the knowledge about those computer networking stuffs like http, tcp.etc.
I am having a problem with a signed Java applet which performs simple HTTPS requests to our server (using Java's URL, Connection classes). Everything looks ok for majority of the clients. However, we do have several clients under corporate network, which are behind a proxy that requires authentication (possibly windows-logon-based authentication)). And for these clients we often hear such feedback like:
The application behaves extremely slow though our network speed is 20mbps.
20mbps connection is a huge speed for our application to work perfectly.
So my first question specifically the following:
1) Can it be the case that proxy analyses the content of our requests and thus impacts the performance of the app. And could it be only a Java-specific problem ?
The next part is about Java and Java applets specifically.
From forums I know there is a problem with Java selecting the right proxy configured in Browser. Sometimes Java applet fails to detect the proxy configured in IE, and the only solution is to configure it also in Java's Control Panel.
Having said this, the next question is:
2) Taking into account that direct connection for the corporate clients is not allowed and Java Control Panel is not properly configured, could that be the case that Java plugin selects another - wrong proxy, thru which it eventually access to the servers and thus resulting very low performance ?
I also have tried to use Apache's HttpClient (http://hc.apache.org/httpcomponents-client-ga/), to check how it performs under such environment. I have configured the client as specified in Apache tutorial to automatically get the JRE's proxy:
httpclient = new DefaultHttpClient();
ProxySelectorRoutePlanner routePlanner = new ProxySelectorRoutePlanner(
httpclient.getConnectionManager().getSchemeRegistry(),
ProxySelector.getDefault());
httpclient.setRoutePlanner(routePlanner);
And what we faced is an authentication required error (407) when we try to execute requests via Apache's httpclient. Specifically407 proxy authentication required. the ISA server requires
authorisation to fulfill the request
So the last question is about this differences between Apache and Java's client.
3) How Java Applet chooses the proxy ? and How Apache Client's selection logic differs from that of Java's ?
Please share any strongly confirmed experience you might find out could be helpful for my situation.
Thanks in advance.
3) How Java Applet chooses the proxy ?
Default behaviour:
Applet checks control panel\java\ network\network proxy settings
and uses the proxy according to the configuration in there.
Setting system properties for an applet does not works.
i.e:
System.setProperty("java.net.useSystemProxies","true");
System.setProperty("http.proxyHost", "1.1.1.1");
System.setProperty("http.proxyPort", "8080");
If you want to alter the proxy selection for an applet.
then you can use ProxySelector class.
also check out this question how-to-set-http-proxy-in-an-applet you may find it useful.
If creating an IM platform in Java, which would be a better way to implement communications between the clients and server?
I was thinking either RMI or just a socket connection...
Advice please,
Thanks
I would use straight socket connection, using a well known protocol such as XMPP. You can use a library (like smack) to avoid implementing the whole protocol yourself.
The main advantage of XMPP over RMI or your self-made protocol is that is a well established protocol used for exactly that purpose: IM.
Some chat services already using XMPP include Google Chat (GTALK) and Facebook.
I already did this using Smack API, using XMPP protocol.
CometD has been specifically designed for use cases such as Chatrooms. Differently from other protocols, it works over HTTP port 80, which means (nearly) no hassles with Firewalls.
Listen to a recent podcast with Greg Wilkins about the project, which goes into some details of issues with implementing Chatrooms and how it gets handled by CometD.
I believe there is a Java client for CometD if you need to have client on both sides of conversation (normally frontend is JavaScript).
I'm trying to implement a Web Anonymizer (like ktunnel) in java, but I really could not get the idea, I need some information about how a web anonymizer works. I really do not need the source or a sample application, just the idea or a tutorial explaining the anonymizer idea.
Thanks.
A basic anonymizer just acts as an encrypted proxy, creating an encrypted "tunnel" between a proxy server and a client, where all traffic from the client goes through the proxy. This accomplishes 3 things:
The client cannot* be determined by looking at traffic between the proxy and endpoint. Hosts on the other end just see the proxy server.
The content of a client's traffic is hidden from monitoring, because the connection to the proxy is encrypted.
It is impossible* to determine the endpoint for traffic originating from the client, because all of it appears to go to the proxy only.
*In reality, a simple anonymizer doesn't provide full protection, because if you look at the amount of traffic between client and proxy, and the traffic between proxy and various sites, you can associate a specific client with their traffic. This is called traffic analysis.
Fancier anonymizers, such as Tor, provide protection against traffic analysis and a lot of other techniques to break anonymity, BUT that's really beyond the scope of the question.
From your point of view, all that matters is writing the proxy software. Your program should be able to create and manage encrypted connections to clients. This means it needs to be able to (securely) initiate an encrypted connection to a host, pass on connections to external hosts, and then pass traffic back and forth. Basically, it needs to act as a router.
There are protocols in place for how to accomplish this -- I suggest you read up on the SOCKS protocol, or Tor. Your best bet if this is a learning project is to write basic SOCKS proxy software. If this is for actual use, there should be libraries in Java that provide the necessary services.
EdiT:
Ktunnel is a less fancy proxy -- it uses a CGI script to redirect information from a URL back and forth. Basically, you enter an address, it fetches the page for that address, and sends it to you. Fairly simple, actually.
I don't know ktunnel, but for basic information about anonymity networks have a look at Tor at wikipedia.