Institute proxies


Internet access through IIT Kharagpur's network requires configuring an HTTP proxy.

For HTTP and HTTPS connections, use 10.3.100.207:8080 (as of 22nd July, 2016).

Setup

Windows

In Windows, most GUI programs will internally use Internet Explorer's proxy settings.

The default proxy settings can be updated by navigating to Internet Explorer's options.

Tools > Internet Options > Connections > LAN settings.


Some programs, however, don't use Internet Explorer's proxy settings. A prominent example is the Windows Store in Windows 8. Their proxy can be set using netsh (network shell), a command-line utility which allows local or remote configuration of network devices such as the interface.

The following are some relevant commands (run cmd as an administrator and type the following):

1. netsh winhttp show proxy : This command shows the current proxy setting.

2. netsh winhttp reset proxy : This command resets the current proxy setting to a direct connection.

3. netsh winhttp import proxy source=ie : This command sets Internet Explorer as the proxy source for netsh, so that both share the same proxy.

Note: For some Windows users, Git Bash accepts the proxy settings described below for Linux. In the Git Bash command line, input the following proxies:

http_proxy=http://10.3.100.207:8080/

https_proxy=https://10.3.100.207:8080/

ftp_proxy=http://10.3.100.207:8080/

Linux

In *nix based systems, proxy settings are controlled via environment variables which can be updated in a number of ways. A few of these methods are described below:

Figure: Setting up proxy settings in Ubuntu's Network Manager.

GUI

In most cases, a desktop environment (Unity for example; ships default with Ubuntu) provides a graphical user interface to access network settings under the System Settings > Network Manager option. An option to set up proxies can be found there.

Command Line

The command line provides a quick way of updating your environment variables and thus your proxy settings. The proxy values are contained in the following variables: http_proxy, https_proxy, ftp_proxy, socks_proxy, no_proxy. One can update these values using a command such as the one shown below:

export http_proxy=http://10.3.100.207:8080/

The variable no_proxy contains the addresses for which proxy access is disabled (useful for certain library websites, the DC website, etc.). These settings, however, do not persist across login sessions, so you must put these commands in your .bashrc (for the bash shell) or .zshrc (for the zsh shell) to have them applied every time a shell starts.

You can also permanently export these settings to root's environment by editing the /etc/environment file. Open this file with sudo permission using your favorite text editor (vim for example) and paste the following:

http_proxy=http://10.3.100.207:8080/
HTTP_PROXY=http://10.3.100.207:8080/
https_proxy=https://10.3.100.207:8080/
HTTPS_PROXY=https://10.3.100.207:8080/
FTP_PROXY=http://10.3.100.207:8080/
ftp_proxy=http://10.3.100.207:8080/
no_proxy=127.0.0.1,localhost,.iitkgp.ernet.in,.iitkgp.in

Save and exit. The settings should now always be applied to your environment. Verify this by checking the output of sudo env | grep proxy. It is, however, important to note that some applications might require their own proxy to be set up separately (git, apt-get, wget for example), and you must consult the appropriate man pages. To configure apt-get to use the proxy, add the following line to /etc/apt/apt.conf:

Acquire::http::Proxy "http://10.3.100.207:8080";

In case you do not add the proxy options to root's environment, use the -E flag to ask sudo to preserve the existing environment variables. For example: sudo -E add-apt-repository "deb http://us.archive.ubuntu.com/ubuntu/ saucy universe multiverse"

OS X

  • Go to System Preferences > Network > Select the appropriate service on the left (eg. WiFi) > Advanced > Proxies, and set both HTTP and HTTPS proxies.
  • Proxy bypass rules can be configured at the bottom.

iOS

  • Go to Settings > Wi-Fi > Tap on the Wi-Fi network that you've connected to > Scroll down to HTTP Proxy > Set the server and port, and go back to the Wi-Fi screen for the settings to take effect.
  • There is no way to configure proxy bypass rules.

Android

Figure: Setting the HTTP proxy for WiFi on Android Lollipop.

When connected to any of the mentioned access points, opening WiFi settings and long pressing the current WiFi network will give a Modify Network option. Within this, scroll down, tick the Proxy Server checkbox and enter the IP address and port. This will allow you to use the browser, Play Store and some other applications, but WhatsApp and Skype will not work.

If the phone can be or is already rooted, applications like ProxyDroid and AutoProxy Lite may provide a better experience. However, if you prefer not to root your phone, use applications like DroidVPN, Psiphon or SurfEasy to configure proxy settings.

Windows Phone

Go to Settings > Wifi and tap the required connection. It should give an option to set up the proxy.

Bypass

The proxy server does not route connections back inside the local subnet, but silently times out. To connect to a computer inside the KGP network, you need to bypass the proxy for that computer's IP, and make a direct connection. The following is a list of IPs and hostnames for which it is useful to bypass the proxy. An asterisk ( * ) or ( x ) represents any value.

  • localhost and 127.0.0.1
  • All IPs in KGP's subnet – 10.x.x.x
  • *.iitkgp.ernet.in

For instructions on how to bypass the proxy for your OS or device, see Setup.
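
The bypass list above as a shell check, added here as an illustration and not part of the original wiki page; the function names are hypothetical and the sample hosts are constructed. It keeps the leading dot on the domain rule and validates 10.x.x.x as a real dotted quad, so look-alike names are not sent direct.

```sh
#!/bin/sh
# Added example: apply the bypass list from this section to one destination.
# Function names are hypothetical; the proxy address is the one given on this page.
PROXY_URL="http://10.3.100.207:8080/"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# bypass_proxy HOST: succeed if HOST is on the bypass list.
bypass_proxy() {
    # Host names are case-insensitive and may carry a trailing root dot.
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=${host%.}
    case "$host" in
        localhost|127.0.0.1) return 0 ;;
        # The pattern keeps the dot, so "notiitkgp.ernet.in" stays proxied.
        *.iitkgp.ernet.in) return 0 ;;
        # "10.*" alone would also match a name such as "10.example.com".
        10.*) is_ipv4 "$host" && return 0 ;;
    esac
    return 1
}

# proxy_for HOST: print DIRECT, or the proxy URL the connection should use.
proxy_for() {
    if bypass_proxy "$1"; then echo "DIRECT"; else echo "$PROXY_URL"; fi
}

# Constructed sample destinations.
for h in localhost 10.5.18.101 www.iitkgp.ernet.in notiitkgp.ernet.in 10.example.com; do
    printf '%-22s %s\n' "$h" "$(proxy_for "$h")"
done
```
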

Workarounds

KGP's proxies only allow HTTP connections on ports 80 and 443. This means that several much needed tools are broken behind the Great Fire Proxy. Depending on what you are trying to do, the following workarounds might be useful. These instructions are written with *nix based systems in mind, but equivalent alternatives for Windows can be found (often with same name).

tor

tor anonymises traffic, and has the useful side effect of convincing the proxy that we're making an HTTP connection.

As of September 2015, the institute is actively blocking tor connections, hence bridges might be necessary to connect to tor. If you are using Tor Browser, connecting through any bridge other than obfs3 bridges should work.[1]

Browse the Internet through tor

If you only need to access websites through a browser, download the Tor Browser Bundle, which provides a nice and easy to configure GUI setup and is available for Linux, Mac, and Windows.

Run tor as a daemon

  • Set up tor to run as a daemon on some port (eg. 9050). You can usually do this by installing tor using your distro's package manager (eg. apt-get install tor).
  • In tor's config file (eg. /etc/tor/torrc), add HTTPSProxy <KGP proxy host>:<KGP proxy port>.
  • To make sure everything works, clear any existing HTTP or HTTPS proxy settings, and set your SOCKS proxy to use tor (eg. 127.0.0.1:9050). Go to https://check.torproject.org/; it should say that you're using tor.

Using tor to make the git protocol and OpenShift applications work (on Linux)

  • Download the Tor Browser Bundle
  • Navigate to the folder ~/.ssh and edit the config file. (You can create one if you don't have it already)
$ cd ~/.ssh
$ vim config

Add the following lines to the file to make the git protocol work: [2]

Host github.com
    User git
    ProxyCommand connect -4 -S localhost:9050 $(tor-resolve %h localhost:9050) %p
  • Now, run the following command after unzipping the downloaded archive of Tor:
$ ./start-tor-browser.desktop
  • Now, the git protocol should have started working.

To check this, you can run:

git clone git@github.com:metakgp/metakgp.git

Note that for this to work properly, your SSH public key must be added to your GitHub account.

If it is not added, see this guide on GitHub: https://help.github.com/articles/generating-ssh-keys/

This method can be used to get SSH access to OpenShift RedHat cloud applications as well, by appending to the config file:

Host appname-domain.rhcloud.com
    User rhcloud.com
    ProxyCommand nc -x localhost:9150 %h %p

Replace appname and domain in the above lines with the appropriate names from the OpenShift dashboard.

Typically, an app that can be accessed at mentorship-gradescrapers.rhcloud.com has:

URL: mentorship-gradescrapers.rhcloud.com
appname: mentorship
domain: gradescrapers

proxychains

proxychains does TCP and DNS tunnelling through an HTTP server.

  • Set up tor as outlined above.
  • In proxychains's config file (eg. ~/.proxychains/proxychains.conf), configure tor as a socks proxy (eg. socks5 127.0.0.1 9050).

Now, programs that make TCP connections on any port should work when run with proxychains. For example, proxychains git clone git://example.com.

ProxyCap is a proxychains alternative for Windows and Mac.

ssh

  • Option 1 (recommended): corkscrew tunnels ssh through an HTTP proxy. You need root access on the destination server for this to work.
    • Install corkscrew and in ~/.ssh/config, add the following line:
      ProxyCommand <path to corkscrew> <proxy host> <proxy port> %h %p
    • On the destination server, configure sshd to listen on port 443.
    • Pass in the -p 443 option when running ssh.
  • Option 2: You can use proxychains + tor as outlined above. This will be slower, since the connection is routed through tor. However, it has the advantage of not needing to change the port sshd is listening on.

ssh-socks

If you have a remote machine that can listen on port 443 (as outlined above), you can run a local SOCKS proxy server on your machine to tunnel traffic through your remote machine. For example, ssh -D 1080 -p 443 myserver.example.com will start an SSH tunnel on port 1080, which you can use as a SOCKS proxy.

Online ssh clients

Online ssh clients are available to connect to a remote server. An advantage of using these is that you do not need any extra software or configuration on your local computer or the server. Some of these websites are:

Serfish - A free AJAX SSH Client to quickly connect to remote server. (Registration not required)

Shiftedit - An online Web-based IDE with remote connection support. (Registration required)

Banned websites

  • Option 1: Use tor as outlined above.
  • Option 2 (probably faster speeds): Set up an ssh-socks proxy.

git

  • Option 1 (recommended): Check if there's an HTTPS version of the repo URL available, and use that if possible.
  • Option 2: Use proxychains and tor as outlined above.
  • Option 3: Use corkscrew for cloning, pushing, pulling using SSH instead of HTTPS (This avoids the requirement of having to enter username and password each time.)
Host github.com
   Hostname ssh.github.com
   Port 443
   ProxyCommand corkscrew 10.3.100.207 8080 %h %p

heroku

  • Option 1 (recommended): Running commands on your heroku command line's instance is not possible. Say you want to apply new migrations on a Ruby on Rails app, then, instead of running:
heroku run rake db:migrate

you can run:

 heroku run:detached rake db:migrate

This will run the command (rake db:migrate, in this particular case) on the remote machine, and give another command which can be used to view the logs. The output of this command is similar to:

Running `rake db:migrate` detached... up, run.8799
Use `heroku logs -p run.8799 -a app-name` to view the output.
  • Option 2: Use proxychains and tor as outlined above.

UDP

HTTP tunneling is a way of encapsulating UDP packets in the HTTPS protocol. Currently the tor network does not support UDP. However, you can use VPNs to tunnel UDP traffic.

  1. Install OpenVPN. For Windows, there is a convenient GUI app.
  2. Go to OpenVPN settings and set HTTP proxy 10.3.100.207:8080.
  3. Get a .conf file for an OpenVPN server. vpngate.net has some free servers; be careful to download the TCP configuration, and only for servers open on port 443. Paid VPNs with stable connections are also available if you look for them.
  4. Run OpenVPN GUI as administrator (Windows) and add the KGP proxy. Load the .conf file you downloaded. This should create a new TUN/TAP device, and internet should now work without a proxy.

The connection will be flaky if using vpngate servers. Don't expect to be able to play online games this way, since tunneling would delay your UDP packets too much to get a good ping, even with stable VPN servers.

sshuttle

sshuttle is easier and more powerful than normal ssh SOCKS tunneling for several reasons:

  1. Apps don't need to use a SOCKS proxy.
  2. The client doesn't need to have root access on the remote machine.
  3. You don't have to create an ssh port forward for every single host/port on the remote network.

It's very simple to use. sshuttle requires corkscrew for tunneling. Steps:

  1. $ git clone https://github.com/apenwarr/sshuttle
  2. Configure corkscrew inside ~/.ssh/config. A line in the file should be something like ProxyCommand corkscrew 10.3.100.207 8080 %h 443
  3. Start sshuttle by navigating inside the cloned directory and running ./sshuttle --dns -r [email protected] 0.0.0.0/0 -vv
  4. Remove all proxy settings from the browser, applications, /etc/environment, etc., i.e. use a direct connection.

sshuttle catches every TCP connection and routes it through the ssh server.


Digital Ocean

Digital Ocean is a cloud computing service, which provides SSH access to droplets in their data centers. Digital Ocean doesn't have a free plan, but credit of $50 can be obtained by signing up for the GitHub Student Developer Pack. (All currently enrolled students of the institute are eligible.) Further, Digital Ocean requires a credit card to be added as a payment method (the credit/debit card is only taken as a payment method; you will not be charged anything on setting up the account, provided you are using the student pack), or a $5 remittance through PayPal to get the account started.

Once the account can create droplets, droplets may be used for things such as SOCKS proxies, torrenting content through Command Line torrent clients (such as torrent), or as an OpenVPN server.

History

Before the load balancer proxy was introduced, several proxies could be configured. These proxies had different speeds and availabilities at different times. Some of the older proxies were:

  • 144.16.192.247
  • 144.16.192.245
  • 144.16.192.217
  • 144.16.192.218
  • 10.3.100.209
  • 10.3.100.210
  • 10.3.100.211
  • 10.3.100.212

In 2014, students were instructed to use a single load balancer proxy.[3] The other proxies no longer work.

Public IPs

The outside world sees one of the following IPs as your IP when you make any network request. This public IP is converted to an internal IP (which is what you see as your machine's IP) by the proxy server using NAT. You may need to whitelist these IPs if setting up an external web service that is frequently accessed from campus.

  • 203.110.246.22 (as of 11 August 2015)
  • 203.110.246.23 (as of 2 September 2015)
  • 203.110.243.23 (as of 12 August 2015)

You can see your current public IP at http://www.whatsmyip.org/.

It is important to know this because any activity done by you gets logged with these IPs and corresponds to the name of the institution. For example, if you make an anonymous edit to Wikipedia, it will be logged under these public IPs, and hence any disruptive behavior by a single person might lead to an IP ban and unavailability of resources for everyone inside the campus. It's advisable to create an account for such activities wherever possible, or use one of the workarounds suggested in the earlier sections.

References

  1. Verified by Cic on September 9, 2015.
  2. Verified by Icyflame on 2015-09-25.
  3. "TSG Facebook post instructing students to use the load balancer proxy".