3

I've got a (virtualized) local LAMP server on Xubuntu 12.04 that I am using for Drupal development. I'd like to learn how to use web 2.0 integration Drupal modules (e.g. youtube, facebook, etc.), but I live in China, so these sites are obviously blocked.

I use SSH tunneling and a local SOCKS proxy for browsing these sites, but I am not sure how to make my virtualized Apache2 server use this proxy. I can see 3 potential solutions but I'm not really sure how to best go about implementing them.

(in order of preference, I prefer limiting the traffic sent through the ssh tunnel to only what needs to get around the firewall)

  1. set up ssh tunnel from guest OS, get Apache2 server to route external traffic (or even better, only external traffic with specific host names, e.g. facebook.com, youtube.com) through the local SOCKS proxy.

  2. set up ssh tunnel from guest OS, route all traffic through local SOCKS proxy (easy with Ubuntu but looks like configuring a global SOCKS proxy might be a touch harder with Xubuntu because it doesn't have Ubuntu's Network Proxy GUI)

  3. make virtualbox on host OS route all traffic through SOCKS proxy.

Any ideas on which route would be best and how to implement it? Thanks in advance for any help!

adempewolff

1 Answer

1

@adempewolff, good question, but one thing I'm not clear on is this:

2) set up ssh tunnel from guest OS, route all traffic through local SOCKS proxy (easy with Ubuntu but looks like it might be a touch harder with Xubuntu)

What do you mean by this, a touch harder with Xubuntu? SSH is shipped with almost every Linux distro; just set up a tunnel with ssh, then configure it as the global SOCKS v5 proxy, and things may get done.

UPDATED ANSWER: a global proxy may be available on weird Xubuntu: http://proxychains.sourceforge.net/ Edit proxychains.conf as follows:

[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks5  127.0.0.1 9050 

Execute proxychains /etc/init.d/apache2 start to launch your Apache server.

vicd
  • Thanks for your response. You're right, I wasn't very clear about this. I have no problem making the SSH tunnel itself, it's just configuring it as the global socks proxy that is giving me trouble. Xubuntu doesn't come with Ubuntu's Network Proxy GUI, and all of the solutions I found via googling were only for http and ftp proxies and suggested it is impossible to set a global socks proxy (which I don't believe). They suggested using tsocks, but I'm unsure how to/if I can use tsocks with apache5 without breaking it. – adempewolff May 15 '12 at 07:49
  • see this question for example, which suggests a socks global proxy is impossible with Xubuntu: http://askubuntu.com/questions/77509/how-do-i-set-a-global-socks-proxy-in-xubuntu – adempewolff May 15 '12 at 07:58
  • Em, I have no experience with Xubuntu. From this point of view, it's a bit weird to have no global socks proxy setting even on 12.04!! In this case, I agree with the other guys that you need proxy alternatives. If you hesitate to choose tsocks, why not give proxychains a chance (it can easily be installed using apt-get install proxychains), but you may need to compile it from source on Xubuntu, who knows :P – vicd May 15 '12 at 08:51
  • start httpd server like this, proxychains /etc/init.d/apache2 start

    Good luck :P

    – vicd May 15 '12 at 08:52
  • thanks for the advice. unfortunately my problem is a lot more complicated than I originally thought it was. In addition to url and packet filtering China also uses DNS filtering. This is a problem because DNS lookups are UDP requests and only TCP requests get sent through the ssh tunnel (not a problem with firefox or chromium because they have options to route dns through the proxy--doubt apache has such). There is a solution (see http://hekate.homeip.net/tag/tsocks/) using the program socat to convert the lookups to/from UDP on either end of the tunnel but I can't get it to work correctly. – adempewolff May 20 '12 at 12:46
  • I can get some limited functionality (I'm testing with a tsocks-ed version of firefox) by putting the hostnames/IPs of sites I know are blocked into my /etc/hosts file, but sites such as youtube and facebook are so complicated these days and host their content on a wide (and constantly changing) range of sites (try watching the loading/looking up/connecting/etc. messages when you load a youtube video) it would take forever to find all the blocked hostnames and add them to my /etc/hosts file. So, currently I can browse youtube fine, but videos won't load... oh well, back to the drawing board! – adempewolff May 20 '12 at 12:50
  • Emmmmmm, I've been to China and heard that ISPs in China throttle internet connections, and what's worse, the local DNS resolving may get polluted. But if you use socks5, it supports remote DNS resolving. If your remote server can provide a trusted result, you should get the correct address for your target host. You might be in luck if you use proxychains: proxychains w3m www.youtube.com, welcome to the internet again, dude. – vicd May 20 '12 at 13:32
  • I'll give proxychains a try. I know my remote server works for remote DNS resolution because I've always been able to do this with Firefox and Chromium using their built-in socks5 support, which both support remote DNS resolving, in Firefox as an option and in Chromium by default. tsocks, however, didn't seem to capture the DNS packets with Firefox, which makes me dubious it would for the Apache server. Maybe proxychains does a better job of this.... – adempewolff May 20 '12 at 13:55
  • Proxychains worked fine for me when I was in China. I recommend a dummy way of using VPN, simple and nice. It's more stable and faster than using ssh tunnel, since KongFu firewall in China may disturb the ports of ssh. – vicd May 20 '12 at 14:14