
Corporate proxy bypass

[Figure: httptunnel scheme]
At some point in the development of any company, it realizes that it needs to control its employees' working hours. Unfortunately, many choose the wrong method: blocking access to certain resources on the corporate proxy. That can be ICQ, or any number of other sites containing the "wrong words". But very often ICQ, LJ and other resources with the "wrong words" are needed for work, and the employer does not understand this. Do you have many customers who contact you only through ICQ? While searching for answers to your questions, do you keep finding the solution on LJ or Twitter, which are blocked? What to do?


Of course, there are plenty of web proxies that can open a blocked page for you, but what about ICQ? And can this process be automated somehow? Yes, it can.

To solve the problem we need an external server. A home computer running *nix or a simple VDS will do. Fortunately, many hosters now offer small VDS plans for a pittance, and our task does not require serious resources anyway.

How will this work?



As a rule, ports 80 (HTTP) and 443 (SSL) are left open. We will take advantage of that. We run an httptunnel to our VDS (which is not on the blacklist) through port 80. All of our requests, disguised as ordinary HTTP requests, pass freely through the corporate proxy and arrive at our VDS. On the VDS the tunnel terminates in a proxy. Thus, once everything is configured, a kind of proxy with no restrictions will be running on our work computer.

Customization



All further steps are for FreeBSD. On other Unix systems the differences should only be in building and installing. To set this up we need:

1) A VDS or a home Unix computer permanently connected to the Internet.

2) httptunnel (get it here: nocrew.org/software/httptunnel ). If you have Windows, download the Windows build. If the server runs FreeBSD, httptunnel is in the ports tree at /usr/ports/www/httptunnel.

3) Some small proxy (3proxy, ziproxy (this one will also save us traffic), polipo, etc.).

I chose polipo, basically just because it was the first one to catch my eye in the ports tree. In more than a year of using it for tunneling and in business processes at work, it has not let me down. Those installing it on something other than FreeBSD can get polipo here: http://www.pps.jussieu.fr/~jch/software/polipo/

Let's build and install:

$ cd /usr/ports/www/httptunnel && make install && make clean
$ cd /usr/ports/www/polipo && make install && make clean

Add to /etc/rc.conf:
polipo_enable="YES"

If we decide to use the VDS we bought (or an existing one) only for tunneling, we simply disable Apache (or whatever web server is there), which frees up port 80 for us. In real life, however, this rarely happens: an existing VDS already hosts sites, and on a new one we would like to host some. For this case there is a second option: buy an additional IP (let it be 2.2.2.2, with the main IP of our VDS being 1.1.1.1); the tunnel will sit on port 80 of the additional IP, and the web server on port 80 of the main one. Attach the additional IP:

ifconfig em0 inet 2.2.2.2 netmask 255.255.255.255 alias

and make it permanent in rc.conf:

ifconfig_em0_alias0="inet 2.2.2.2 netmask 255.255.255.255"

Adjust the Apache config so that it listens only on the main IP:

$ vi /usr/local/etc/apache/httpd.conf
Listen 1.1.1.1:80
Listen 1.1.1.1:443

Configure polipo:

$ cd /usr/local/etc/polipo && cp ./config.simple ./config && vi ./config

proxyAddress = "2.2.2.2"
allowedClients = "127.0.0.1"
proxyPort = 3128

chunkHighMark = 819200
objectHighMark = 128

The config is done, now start it:
$ /usr/local/etc/rc.d/polipo.sh start

Bring up the tunnel (the server side listens on 2.2.2.2:80 and forwards to polipo on 2.2.2.2:3128):
hts -F 2.2.2.2:3128 2.2.2.2:80

Check that everything is in order and that both services are listening on the right addresses:

$ netstat -na | grep tcp
tcp4 0 0 2.2.2.2.80 *.* LISTEN
tcp4 0 0 2.2.2.2.3128 *.* LISTEN

Now start the client on the local computer (PORT is a placeholder for the port your corporate proxy listens on; the original value was lost in this copy of the article):

htc -P proxy.company.com:PORT -F 1020 2.2.2.2:80

It remains to adjust the settings of your browser, ICQ or other clients:
set them to use a proxy with server localhost, port 1020.

Everything is ready, and if you have configured it all correctly, ICQ will connect to the server. Going forward, I advise closing off the proxy with a firewall: even though we told it to accept requests only from the local IP, people will constantly try to connect to it, which creates extra load.
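From the corporate proxy's side, the tunnel set up above looks like one client sending an endless stream of ordinary HTTP requests to a bare-IP destination (2.2.2.2:80 here) on the same path, hour after hour. The following Python sketch is an added example, not code from the original article: it scans proxy log lines for that pattern. The log format, the sample lines and the thresholds are constructed assumptions for the example, not any real proxy's format.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log lines in a simplified format (not any real proxy's format):
# "<epoch> <client-ip> <method> <url> <status> <bytes>"
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def build_sample_log(tunnel_client="10.0.0.15", tunnel_host="2.2.2.2", n=30):
    """Constructed sample: ordinary browsing plus one client hitting one bare-IP
    host on the same path every minute, alternating POST and GET like a tunnel."""
    lines = [
        "1285000000 10.0.0.15 GET http://www.example.com/news 200 5120",
        "1285000030 10.0.0.15 GET http://www.example.com/css/site.css 200 2048",
        "1285000400 10.0.0.22 POST http://mail.example.net/login 302 512",
    ]
    for i in range(n):
        method = "POST" if i % 2 == 0 else "GET"
        lines.append(f"{1285000000 + 60 * i} {tunnel_client} {method} "
                     f"http://{tunnel_host}/index.html 200 102400")
    return "\n".join(lines)

def is_ip_literal(host):
    """True when the URL host is a bare IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_tunnel_candidates(log_text, min_requests=20, min_span=600):
    """Flag (client, host) pairs that look like a tunnel endpoint: destination is a
    bare IP, many requests to one unchanging path, spread over a long window."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, _method, url, _status, _nbytes = m.groups()
        u = urlsplit(url)
        if u.hostname and is_ip_literal(u.hostname):
            groups[(client, u.hostname)].append((int(ts), u.path))
    flagged = {}
    for key, reqs in groups.items():
        span = max(r[0] for r in reqs) - min(r[0] for r in reqs)
        paths = {r[1] for r in reqs}
        if len(reqs) >= min_requests and span >= min_span and len(paths) == 1:
            flagged[key] = {"requests": len(reqs), "span_seconds": span,
                            "path": paths.pop()}
    return flagged
```

Running find_tunnel_candidates(build_sample_log()) flags only the 10.0.0.15 -> 2.2.2.2 pair; the thresholds are deliberately conservative and should be tuned against your own traffic before alerting on them.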

Source: https://habr.com/ru/post/98949/