Firefox can talk to a unix socket. In your proxy settings specify the socket.
E.g., it is how you can more safely proxy through tor (which also can listen on a socket), with firefox running inside a network namespace without access to a network interface. Things like webrtc cannot leak your real IP.
It would appear that Firefox's built-in SOCKS support successfully proxies DNS as well, though I've always wondered whether or not there aren't other ways to leak your IP via browser APIs. I imagine that Flash almost certainly would, and I wouldn't be surprised if WebRTC does somehow.
How does this work? If A has a channel to B, and sends that channel to C, do B and C now communicate directly, or is it proxied through A?
EDIT: I see you mentioned the Unix socket transport passes around file descriptors. How about the inter-host transports? Obviously two browsers can't directly connect to each other (or could they with WebRTC...?). What about, say, TCP between hosts on the same local network?
Note that you don't need an extension to proxy in Firefox, which has built-in support for SOCKS proxies (go to "Options" and search for "proxy"); all you need is an SSH client and a server that you can SSH into (`ssh -D 1234 foo@example.com`). I don't use it for privacy (rather, to prevent MITM on public networks), but it seems to avoid the pitfalls discussed in the article (e.g. does not allow split tunneling and DNS is resolved over the proxy). However, I suspect that if you were running a Flash or Java plugin then that could make network requests that bypass this proxy.
Can run it in an isolated namespace and communicate with unix sockets. If the service does not support listening on sockets you can use socat within the namespace to forward from the unix socket to a port on lo in the namespace. Most reverse proxies can forward to a unix socket.
I've done similar things (and sometimes with a wireguard tunnel out to internet) for privacy reasons.
> There are plenty of cases where a web server is just a reverse proxy to :8080 or some other non-privileged port that could potentially be taken over in such a manner
True, but you can also proxy through a named unix domain socket on the filesystem and control access to it that way. At least nginx, haproxy, and caddy can all use a unix domain socket as an upstream.
Firefox over a SOCKS5 proxy done with ssh passes this test if you enable the proxy DNS setting. Creating the proxy is as simple as:
ssh -D 9999 -q -N <your ssh server>
and then configure that in the firefox proxy settings (socks to localhost:9999). If you want a simple way to enable/disable this in firefox I built a minimal extension to do it:
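An added example (not from any commenter in this thread) that checks a Firefox user.js for the leak pitfalls raised above: manual proxy type, SOCKS5 with remote DNS, no split-tunnel exclusions, and WebRTC off. The constructed samples assume Firefox accepts a file:// socket path in network.proxy.socks, as the first comment describes.

```python
"""Audit a Firefox user.js/prefs.js for proxy-leak pitfalls (added example)."""
import re

# Matches user_pref("name", value); where value is a string, bool or int.
_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(".*?"|true|false|-?\d+)\);')


def parse_user_js(text):
    """Return {pref_name: python_value} for every user_pref() line."""
    prefs = {}
    for name, raw in _PREF_RE.findall(text):
        if raw.startswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs


def audit_proxy_prefs(prefs):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    if prefs.get("network.proxy.type") != 1:  # 1 = manual proxy configuration
        findings.append("network.proxy.type is not manual (1); proxy may be bypassed")
    if not prefs.get("network.proxy.socks"):
        findings.append("no SOCKS proxy host/socket configured")
    if prefs.get("network.proxy.socks_version", 5) != 5:  # Firefox default is 5
        findings.append("SOCKS version is not 5; remote DNS needs SOCKS5")
    if prefs.get("network.proxy.socks_remote_dns") is not True:
        findings.append("network.proxy.socks_remote_dns is not true; DNS leaks past the proxy")
    if prefs.get("network.proxy.no_proxies_on", ""):
        findings.append("network.proxy.no_proxies_on is non-empty (split tunnelling)")
    if prefs.get("media.peerconnection.enabled", True):  # default true
        findings.append("media.peerconnection.enabled is not false; WebRTC may expose a local address")
    return findings


# Constructed sample: SOCKS5 over a unix socket (file:// form), remote DNS on, WebRTC off.
SAMPLE_GOOD = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "file:///run/tor/socks");
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("media.peerconnection.enabled", false);
'''
# Constructed sample: the ssh -D setup from the comment above, with remote DNS left off.
SAMPLE_LEAKY = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "localhost");
user_pref("network.proxy.socks_port", 9999);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
'''
if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("leaky", SAMPLE_LEAKY)):
        print(label, audit_proxy_prefs(parse_user_js(text)) or "OK")
```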
It doesn't matter -- in putty, forward your choice of ports (I use 9853 randomly), make sure the type of forwarding in putty is set to "dynamic", and set firefox to use localhost and that port as a socks proxy. Works well for skype as well, by the way.
The subauth socket. I generally suggest people run all their services on Unix sockets as much as possible to prevent accidentally exposing things to the internet unintentionally, however it's not the best idea to run your reverse proxy on a Unix socket unless you have even more cursed things going on :)
Firefox 6 uses the latest spec. So it's active in the wild already.
I don't think reverse proxies are that big a deal personally, as you as a website owner have control of that part of the system. If the reverse proxy can't deal with it, fix it so it can or use a different one or write your own.
There's certainly ISPs out there that proxy all HTTP through their own cache/proxies and fall over with previous spec websocket. Of course the alternative is just to use HTTPS.
Pretty close yeah, except that serverB is only listening on a private IP, and I want to connect to it by web browser (http). My primary use case is with hadoop clusters, where I access the jobtracker ui on the public hostname, but when I drill down into task logs it points to private/internal IPs. FoxyProxy allows me to access the private IPs directly/transparently, but I do most of my browsing with Chrome these days, so it'd be nice to just be able to do it all in one browser.
ProxyCommand looks pretty cool though, wasn't aware of it - thanks!
Neat! FF Proxy reminds me of one of my projects ( https://github.com/fanout/zurl ), but more extreme since the sender uses raw UDP. It seems like it would be great for remote use by lightweight senders. Maybe low power devices emitting stats?
P.S. good to see the comment, "TODO: filter out private IP ranges". I was going to suggest this but it seems you already know. :)