sockhole
sockhole is a decrypting SOCKS proxy.
When it receives a request to make a connection to a port listed in its
TLS_PORTS list, it will establish the encrypted connection itself, verify the
TLS certificate, and then proxy decrypted data to the client as if the
connection were made to a plaintext service.
This is intended to support old software/equipment which supports SOCKS proxies
but does not support SSL/TLS or modern ciphers.
That software can establish a plaintext connection over a trusted LAN
connection to a local machine running sockhole, and the sockhole proxy can
establish a secure tunnel over the public internet.
For example, a computer running a POP3 client with SOCKS proxy support but no SSL support can connect to a remote POP3 server over TLS just by switching the port configured in the POP3 client to 995 (POP3S).
Installation
server$ bundle install --path vendor/bundle
Use
server$ bundle exec ruby sockhole.rb
Supported options:
-a allowed range: add the IP/mask to the list of allowed IPs; defaults to the /24 of the listen IP
-d: enable debugging
-p port: set the listen port (defaults to 1080)
-i ip: set the listen IP (defaults to the first non-loopback IP on all interfaces)
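The decision path described above (parse the SOCKS5 CONNECT, decide whether the destination port gets a TLS upstream, verify the certificate before forwarding any client bytes) together with the default -a allowlist of the listen IP's /24, as an added Ruby example. This is not sockhole's own code: the TLS_PORTS contents, every function name, and the constructed request bytes are assumptions made for illustration, and the request is handled after the no-authentication method selection has already happened.

```ruby
require 'ipaddr'
require 'socket'
require 'openssl'

# Assumed TLS_PORTS list (the real project keeps its own): https, smtps, imaps, pop3s.
TLS_PORTS = [443, 465, 993, 995].freeze

SOCKS_VERSION = 5
CMD_CONNECT   = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

# Parse a SOCKS5 CONNECT request (RFC 1928 section 4): VER CMD RSV ATYP DST.ADDR DST.PORT.
def parse_connect(req)
  req = req.b
  raise ArgumentError, 'truncated request' if req.bytesize < 4
  ver, cmd, _rsv, atyp = req.unpack('C4')
  raise ArgumentError, "unsupported SOCKS version #{ver}" unless ver == SOCKS_VERSION
  raise ArgumentError, "unsupported command #{cmd}" unless cmd == CMD_CONNECT
  addr = req.byteslice(4..-1)
  case atyp
  when ATYP_IPV4
    raise ArgumentError, 'truncated IPv4 address' if addr.bytesize < 6
    host = addr.byteslice(0, 4).unpack('C4').join('.')
    port = addr.byteslice(4, 2).unpack1('n')
  when ATYP_DOMAIN
    len = addr.unpack1('C')
    raise ArgumentError, 'truncated domain name' if len.nil? || addr.bytesize < 1 + len + 2
    host = addr.byteslice(1, len)
    port = addr.byteslice(1 + len, 2).unpack1('n')
  when ATYP_IPV6
    raise ArgumentError, 'truncated IPv6 address' if addr.bytesize < 18
    host = IPAddr.new_ntoh(addr.byteslice(0, 16)).to_s
    port = addr.byteslice(16, 2).unpack1('n')
  else
    raise ArgumentError, "unknown address type #{atyp}"
  end
  { host: host, port: port, atyp: atyp }
end

# SOCKS5 reply: REP 0 = succeeded, 1 = general failure, 2 = not allowed by ruleset.
def connect_reply(rep, bind_ip = '0.0.0.0', bind_port = 0)
  ip = IPAddr.new(bind_ip)
  [SOCKS_VERSION, rep, 0, ip.ipv4? ? ATYP_IPV4 : ATYP_IPV6].pack('C4') + ip.hton + [bind_port].pack('n')
end

# Default -a behaviour from the README: the /24 that contains the listen IP.
def default_allowed_range(listen_ip)
  IPAddr.new("#{listen_ip}/24")
end

def client_allowed?(client_ip, ranges)
  ip = IPAddr.new(client_ip)
  ranges.any? { |range| range.include?(ip) }
end

def tls_port?(port)
  TLS_PORTS.include?(port)
end

# Strict client context: system CA store, chain verification, hostname verification.
def tls_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER)
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx
end

# Everything decided before the network is touched: allowlist first, then the
# parsed destination and whether its port gets a TLS upstream leg.
def plan_connect(req_bytes, client_ip, allowed_ranges)
  return { action: :reject, reply: connect_reply(2) } unless client_allowed?(client_ip, allowed_ranges)
  req = parse_connect(req_bytes)
  req.merge(action: :connect, tls: tls_port?(req[:port]))
rescue ArgumentError
  { action: :reject, reply: connect_reply(1) }
end

# Open the upstream leg. For a TLS port the socket is wrapped and the certificate
# verified before a single client byte is forwarded, which is why an untrusted
# certificate shows up on the client as the proxy simply closing the connection.
def open_upstream(host, port, atyp)
  tcp = TCPSocket.new(host, port)
  return tcp unless tls_port?(port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, tls_context)
  ssl.hostname = host if atyp == ATYP_DOMAIN   # SNI only for names, never IP literals
  ssl.sync_close = true
  ssl.connect                      # raises OpenSSL::SSL::SSLError on an untrusted chain
  ssl.post_connection_check(host)  # certificate must match the requested name or IP
  ssl
end

# Pump plaintext bytes both ways until either side closes.
def relay(client, upstream)
  t = Thread.new { IO.copy_stream(upstream, client) rescue nil; client.close rescue nil }
  IO.copy_stream(client, upstream) rescue nil
  upstream.close rescue nil
  t.join
end

if __FILE__ == $0
  # Constructed request: CONNECT pop.example.com:995 from a LAN client.
  req = "\x05\x01\x00\x03".b + [15].pack('C') + 'pop.example.com'.b + [995].pack('n')
  p plan_connect(req, '192.168.1.42', [default_allowed_range('192.168.1.1')])
end
```

A real server would call plan_connect on the 262-byte maximum request read from the client, answer with connect_reply(0) only after open_upstream has returned, and then hand both sockets to relay; on an SSLError it closes the client without writing a reply, matching the "connection to proxy closed" curl reports on the page.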
Client Examples
Curl
curl should be instructed to use the http protocol on port 443, not
https, or else it will expect encrypted data to come through the SOCKS proxy.
However, when specifying a URL of http://example.com:443/, curl will send a
header of Host: example.com:443 which may cause problems on the server end
with it not matching a configured virtual host.
The -H option can be used to override the sent Host header to remove the
port:
server$ bundle exec ruby sockhole.rb
[2020-11-12 08:47:24 -0600] [I] [server] listening on 192.168.1.1:1080
client$ curl -H "Host: example.com" --preproxy socks5h://192.168.1.1 http://example.com:443/
<!doctype html>
...
When connecting to a TLS host with an invalid certificate, sockhole will reject
the client before it sends any data.
client$ curl -H "Host: wrong.host.badssl.com" --preproxy socks5h://192.168.1.1 http://wrong.host.badssl.com:443/
curl: (97) connection to proxy closed
nc
client$ nc -x 192.168.1.1 imap.fastmail.com imaps
* OK IMAP4 ready