20

I can use socat for the port forwarding like this:

    socat TCP4-LISTEN:8080 TCP4:123.456.789.12:80

In this case, it works perfectly: all http-requests to localhost:8080 will be redirected to 123.456.789.12:80.

But how can I use such forwarding for https-requests?

UPDATE: I need a single socat process between Firefox and the remote server. socat is just a forwarder (proxy redirector), nothing more. Something like this:

    Firefox -> socat -> server
           ------------>
               https
Denis Shevchenko
  • Did you try [this recipe](http://www.dest-unreach.org/socat/doc/socat-openssltunnel.html)? – Thor Jan 14 '16 at 15:40
  • I don't have two `socat`, but one `socat` and Firefox. So I don't understand that recipe... – Denis Shevchenko Jan 15 '16 at 05:10
  • I just have to redirect `https`-requests from Firefox (via `socat`) to remote server. `ssl` connection should be between Firefox and server, `socat` is just a redirector, nothing more. When I try this command `socat TCP-LISTEN:8081,fork,reuseaddr OPENSSL:123.456.789.123:80,verify=0`, I got an error "error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol". – Denis Shevchenko Jan 18 '16 at 10:34
  • I misread your question the first time. Does my answer solve your issue? – Thor Jan 18 '16 at 21:42
  • Unfortunately, no. I need a single `socat` process, not two. `Firefox` -> `socat` -> `server`. – Denis Shevchenko Jan 19 '16 at 05:43

4 Answers

28

Normally https servers run on port 443, so maybe that is your issue?

Trying to browse through socat to google.com with https works, albeit with an SSL certificate warning:

    socat TCP-LISTEN:8080,fork,reuseaddr TCP:google.com:443

(use `fork` and `reuseaddr` to allow multiple connections and fast ip:port reuse, but be aware of the caveats).

Now you can access https at google from a browser, just go to https://localhost:8080.

Community
Thor
  • Thanks for your answer, but it doesn't fit my task. I *do* need a secure connection (ideally without any SSL certificate warnings)! Firefox should establish such a secure connection with the remote server via `socat` as if there's no `socat`. `socat` is just a forwarder (redirector), nothing more. – Denis Shevchenko Jan 19 '16 at 05:38
  • 3
    @DenisShevchenko: As far as I know, you will not be able to avoid the certificate warning because you are pointing your browser to the server running `socat`, which does not match the certificate. This is a design feature of the SSL protocol, to avoid man-in-the-middle attacks. – Thor Jan 19 '16 at 11:16
  • I use this `socat TCP-LISTEN:8080,fork,reuseaddr /dev/null` – Chand Feb 05 '20 at 14:26
11

The browser security warning you are getting is because of the host name mismatch between the URL and the server certificate (e.g. localhost vs. example.com).

To make the forwarding work without this warning you need to put the forwarder on the same TCP port and override DNS resolution for the affected domain (i.e. make example.com resolve to 127.0.0.1).

The simplest approach is as follows:

  1. edit your hosts file and add the example.com domain to the localhost line (sort of howto is here)

  2. start your forwarding (beware that you need to use the server IP address and not the domain name, as the domain name is already redirected to localhost)

    socat TCP-LISTEN:443,fork,reuseaddr TCP:123.456.789.12:443

  3. check it is working in the browser via https://example.com

Do not forget to remove the domain entry from the hosts file when done experimenting.


If you can't ensure the same TCP port number, this approach might work as well -- but only under some conditions:

  • the site is using relative paths in links (as an absolute path would use original (thus different) port number)

  • there is no port number written in the server certificate (which is usually not the case)


Note: It is possible to set up a MITM socat proxy, but this would require adding an artificial trusted CA.

Good luck!

vlp
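Why the warning appears when the forwarder is addressed as localhost and goes away with the hosts-file override, shown as an added example (not code from the answer above): a simplified model of the browser's host-name check against the certificate's subjectAltName entries. The function names, the certificate names and the URLs are constructed for illustration, and the matching rules are a simplification of what browsers implement.

```python
import ipaddress
from urllib.parse import urlsplit

def name_matches(host: str, pattern: str) -> bool:
    """Compare a URL host with one certificate dNSName (simplified RFC 6125 rules)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    # A wildcard covers exactly one left-most label: *.example.com matches
    # www.example.com, but neither example.com nor a.b.example.com.
    first_label, _, rest = host.partition(".")
    return bool(first_label) and rest == pattern[2:]

def browser_accepts(url: str, dns_names, ip_addresses=()) -> bool:
    """True if the host typed in the URL is covered by the certificate's names.

    Only the host part of the URL is checked. The port, and the address
    the name resolves to, are not part of the certificate.
    """
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(name_matches(host, p) for p in dns_names)
    # An IP literal in the URL only matches iPAddress entries, never dNSName ones.
    return any(ip == ipaddress.ip_address(a) for a in ip_addresses)

# Constructed sample: subjectAltName entries of the certificate the remote server presents.
CERT_DNS_NAMES = ["example.com", "*.example.com"]

# Constructed sample: URLs typed into the browser for the setups discussed above.
SCENARIOS = {
    "forwarder addressed as localhost": "https://localhost:8080/",
    "forwarder addressed by IP": "https://127.0.0.1:8080/",
    "hosts override, same port": "https://example.com/",
    "hosts override, other port": "https://example.com:8080/",
}

def evaluate():
    """Run the name check for every scenario; the forwarder itself never changes the result."""
    return {label: browser_accepts(url, CERT_DNS_NAMES) for label, url in SCENARIOS.items()}

if __name__ == "__main__":
    for label, ok in evaluate().items():
        print(f"{label:35} {'accepted' if ok else 'name mismatch warning'}")
```

The TCP forwarder passes the server's certificate through unchanged, so the outcome depends only on the host name in the URL; a name match on another port still leaves the absolute-link condition listed in the answer.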
8

Try something like this:

    socat TCP-LISTEN:8080,fork,reuseaddr ssl:google.com:443
Khalfella
-5

Unfortunately, socat cannot be used for such a task. I should use a real HTTP proxy server instead of socat.

Denis Shevchenko