network interface binding option

[crucifyer]

hi,

I wish bind address option.
thank you.

ex) pc ips (1.1.1.2, 1.1.1.3, 1.1.1.4)

`# ip a

2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether ****
inet 1.1.1.2/24 brd 1.1.1.255 scope global enp2s0
inet 1.1.1.3/24 brd 1.1.1.255 scope global enp2s0
inet 1.1.1.4/24 brd 1.1.1.255 scope global enp2s0`

I wish choice 1.1.1.3

`import http.client

conn = http.client.HTTPConnection('xenosi.de', source_address=tuple(['1.1.1.3', 0]));

h = {}
h['User-Agent'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36'
conn.request('GET', '/ip.php?json', headers=h);

res = conn.getresponse();
print(res.status, res.reason, res.read())`

result)
proxy --hostname=0.0.0.0 --bindip=1.1.1.3

[crucifyer]

proxy --hostname=1.1.1.3 is not solution. proxy using 1.1.1.2

[abhinavsingh]

Hi @crucifyer , IMO using desired interface IP with --hostname flag must do the trick.

Can you post the logs printed, when you start proxy with custom --hostname flag? Thank you!!!

[crucifyer]

# proxy --hostname=1.1.1.3
2021-04-08 16:15:01,771 - pid:1980 [I] load_plugins:334 - Loaded plugin proxy.http.proxy.HttpProxyPlugin
2021-04-08 16:15:01,772 - pid:1980 [I] listen:115 - Listening on 1.1.1.3:8899
2021-04-08 16:15:01,777 - pid:1980 [I] start_workers:136 - Started 2 workers
2021-04-08 16:15:20,754 - pid:1983 [I] access_log:397 - 3.4.5.6:59064 - CONNECT ogs.google.com:443 - 17772 bytes - 10508.13 ms
2021-04-08 16:15:21,073 - pid:1984 [I] access_log:397 - 3.4.5.6:59067 - CONNECT www.gstatic.com:443 - 792 bytes - 10320.72 ms
2021-04-08 16:15:21,090 - pid:1983 [I] access_log:397 - 3.4.5.6:59066 - CONNECT www.google.com:443 - 4121 bytes - 10447.67 ms
2021-04-08 16:15:21,255 - pid:1983 [I] access_log:397 - 3.4.5.6:59068 - CONNECT apis.google.com:443 - 1531 bytes - 10499.93 ms
2021-04-08 16:15:21,378 - pid:1984 [I] access_log:397 - 3.4.5.6:59069 - CONNECT lh3.google.com:443 - 2865 bytes - 10576.36 ms
2021-04-08 16:15:21,925 - pid:1983 [I] access_log:397 - 3.4.5.6:59070 - CONNECT lh3.googleusercontent.com:443 - 17078 bytes - 10553.79 ms
2021-04-08 16:15:22,163 - pid:1984 [I] access_log:397 - 3.4.5.6:59071 - CONNECT xenosi.de:443 - 1828 bytes - 10266.32 ms
2021-04-08 16:15:22,452 - pid:1984 [I] access_log:397 - 3.4.5.6:59065 - CONNECT ssl.gstatic.com:443 - 1566 bytes - 12104.30 ms```


but, 3.4.5.6 browser connect proxy https://xenosi.de/ip.php return 1.1.1.2
thank you.

[abhinavsingh]

I am unsure what that ip.php file is. If it simply returns IP address (like httpbin.org/get) then 1.1.1.2 is most likely your public facing interface, and hence you receive 1.1.1.2 in response. proxy.py itself is listening and serving over 1.1.1.3. You are already sending traffic to 1.1.1.3 (from browser) to access the proxy, right?

On Thu, 8 Apr 2021 at 12:49 PM, Song Hyo Jin ***@***.***> wrote: # proxy --hostname=1.1.1.3 2021-04-08 16:15:01,771 - pid:1980 [I] load_plugins:334 - Loaded plugin proxy.http.proxy.HttpProxyPlugin 2021-04-08 16:15:01,772 - pid:1980 [I] listen:115 - Listening on 1.1.1.3:8899 2021-04-08 16:15:01,777 - pid:1980 [I] start_workers:136 - Started 2 workers 2021-04-08 16:15:20,754 - pid:1983 [I] access_log:397 - 3.4.5.6:59064 - CONNECT ogs.google.com:443 - 17772 bytes - 10508.13 ms 2021-04-08 16:15:21,073 - pid:1984 [I] access_log:397 - 3.4.5.6:59067 - CONNECT www.gstatic.com:443 - 792 bytes - 10320.72 ms 2021-04-08 16:15:21,090 - pid:1983 [I] access_log:397 - 3.4.5.6:59066 - CONNECT www.google.com:443 - 4121 bytes - 10447.67 ms 2021-04-08 16:15:21,255 - pid:1983 [I] access_log:397 - 3.4.5.6:59068 - CONNECT apis.google.com:443 - 1531 bytes - 10499.93 ms 2021-04-08 16:15:21,378 - pid:1984 [I] access_log:397 - 3.4.5.6:59069 - CONNECT lh3.google.com:443 - 2865 bytes - 10576.36 ms 2021-04-08 16:15:21,925 - pid:1983 [I] access_log:397 - 3.4.5.6:59070 - CONNECT lh3.googleusercontent.com:443 - 17078 bytes - 10553.79 ms 2021-04-08 16:15:22,163 - pid:1984 [I] access_log:397 - 3.4.5.6:59071 - CONNECT xenosi.de:443 - 1828 bytes - 10266.32 ms 2021-04-08 16:15:22,452 - pid:1984 [I] access_log:397 - 3.4.5.6:59065 - CONNECT ssl.gstatic.com:443 - 1566 bytes - 12104.30 ms``` but, 3.4.5.6 browser connect proxy https://xenosi.de/ip.php return 1.1.1.2 thank you. — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#535 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA6Y4KMHX57OYTXLUQUVEDTHVKIRANCNFSM42SESC5Q> .

-- ------------------------------------------------------ Abhinav Singh, https://abhinavsingh.com ------------------------------------------------------

[crucifyer]

Of course.
The foxy proxy is set to 1.1.1.3:8899.

I have a lot of ips on my server.
I want to pick one of them and use it.
Add an option that accepts source_address= like the code above.

The exact purpose is
PCs in the office intranet do not have Internet by themselves,
This is to make the Internet work only by proxy settings in the browser.

thank you.

[crucifyer]

Maybe this is the part.
Wouldn't it be possible to apply it with setsockopt?

https://docs.python.org/3/library/socket.html

# create a raw socket and bind it to the public interface
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
s.bind((HOST, 0))

# Include IP headers
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

Please understand that this may be wrong as this is not well known.
thank you.

[abhinavsingh]

Maybe this is the part.
Wouldn't it be possible to apply it with setsockopt?

https://docs.python.org/3/library/socket.html

# create a raw socket and bind it to the public interface
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
s.bind((HOST, 0))

# Include IP headers
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

Please understand that this may be wrong as this is not well known.
thank you.

@crucifyer This possibly can work (haven't tried it myself before) but will definitely require sudo privileges.

Can you work on a small POC, where:

1. Simple take your code above
2. Establish a connection to upstream server
3. Check upstream logs to see if IP header indeed gets injected

If it does, we can wrap this POC as a feature within proxy.py, wdyt?

[crucifyer]

I tested it like this. The bind() alone works very well.

import sys

HOST = 'xenosi.de'
PORT = 80
s = None

for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC, socket.SOCK_STREAM):
    af, socktype, proto, canonname, sa = res
    try:
        s = socket.socket(af, socktype, proto)
    except OSError as msg:
        s = None
        print(msg)
        continue
    try:
        s.bind(('1.1.1.3', 0))
        s.connect(sa)
    except OSError as msg:
        s.close()
        s = None
        print(msg)
        continue
    break

if s is None:
    print('could not open socket')
    sys.exit(1)

with s:
    s.sendall(b'GET /ip.php?json HTTP/1.1\r\nHOST: xenosi.de\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36\r\n\r\n')
    data = s.recv(1024)

print(data)

b'HTTP/1.1 200 OK\r\nDate: Sun, 11 Apr 2021 06:57:32 GMT\r\nContent-Type: application/x-javascript; charset=utf-8\r\n
Transfer-Encoding: chunked\r\n
Connection: keep-alive\r\n
Set-Cookie: __cfduid=da71asdf8ab352awef7e3eee0dd61618124252; expires=Tue, 11-May-21 06:57:32 GMT; path=/; domain=.xenosi.de; HttpOnly; SameSite=Lax\r\n
X-Powered-By: PHP/5.5.9-1ubuntu4.29\r\n
Strict-Transport-Security: max-age=63072000; preload\r\n
CF-Cache-Status: DYNAMIC\r\ncf-request-id: 096151bcb5000asdf8000000001\r\n
Report-To: {"max_age":604800,"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report?s=esqZBasdf4KsVCy%2FkMT6Z5tPhdasdfH8t1JlxkIQ0YtlDLpcu5dLycGX3ZqQ%3D"}],"group":"cf-nel"}\r\nNEL: {"report_to":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nCF-RAY: 63e252412edf0a9c-NRT\r\nalt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400\r\n\r\n15\r\n
{"ip":"1.1.1.3"}\r\n
0\r\n\r\n'

thank you.

[abhinavsingh]

Thank you @crucifyer , but I am left a little confused over what is our objective here. If I understand correctly, you did a bind on 1.1.1.3 and upstream server saw the request coming from 1.1.1.3.

I think same should be achievable using proxy --hostname 1.1.1.3. Is you upstream server seeing 1.1.1.2 when making a request from proxy.py? If yes, may be we must put the bind login you demonstrated. Please let me know.

[crucifyer]

yes.
I think, need bind on self.client

[crucifyer]

I want to put a bind statement, but I can't find where to make the client socket. 😿

[abhinavsingh]

@crucifyer You may hardcode bind here in the constructor of TcpClientConnection class https://github.com/abhinavsingh/proxy.py/blob/develop/proxy/core/connection/client.py#L25. If it works out, we can later add this in a more generic sense.

[abhinavsingh]

@crucifyer Are you still here with me on this :). I am looking into it but would like to clarify what exactly are we after. Your example is a little misaligned, because bind is supposed to be used by servers and connect by clients. But IIUC, you are trying to call bind and connect on the same socket object. This is not a valid usage.

May you be can convey your requirement via this diagram and let me know where exactly are you expecting bind.

More useful will be to explain the scenario you are trying to achieve, Thank you!!!