global-tunnel
Configures the global http and https agents to use an upstream HTTP proxy.
Works transparently to tunnel modules that use node's default http.request() method as well as the popular request module.
To make all HTTP and HTTPS connections go through an outbound HTTP proxy:
var globalTunnel = require('global-tunnel');
globalTunnel.initialize({
  host: '10.0.0.10',
  port: 8080,
  sockets: 50 // optional pool size for each http and https
});
This will use the CONNECT method for HTTPS requests and absolute-URIs for HTTP requests, which is how many network proxies are configured.
Optionally, to tear down the global agent and restore node's default global agents:
globalTunnel.end();
Any active connections will be allowed to run to completion, but new connections will use the default global agents.
The complete list of options to globalTunnel.initialize:
CONNECT method. It has three possible values (strings):
CONNECT; just use absolute URIs
CONNECT for HTTPS requests
CONNECT for both HTTP and HTTPS requests
http: or https:.
Here are a few interesting variations on the basic config.
Another common proxy configuration is one that expects clients to use an absolute URI for the Request-URI for all HTTP and HTTPS requests. This is common for networks that use a proxy for security scanning and access control.
What does this mean? It means that instead of ...
GET / HTTP/1.1
Host: example.com
... your proxy expects ...
GET https://example.com/ HTTP/1.1
You'll need to specify tunnel: 'neither' if this is the case. If the proxy speaks HTTP (i.e. the connection from node --> proxy is not encrypted):
globalTunnel.initialize({
  tunnel: 'neither',
  host: '10.0.0.10',
  port: 3128
});
or, if the proxy speaks HTTPS to your app instead:
globalTunnel.initialize({
  tunnel: 'neither',
  protocol: 'https:',
  host: '10.0.0.10',
  port: 3129
});
If the proxy expects you to use the CONNECT method for both HTTP and HTTPS requests, you'll need the tunnel: 'both' option.
What does this mean? It means that instead of ...
GET https://example.com/ HTTP/1.1
... your proxy expects ...
CONNECT example.com:443 HTTP/1.1
Be sure to set the protocol: option based on what protocol the proxy speaks.
globalTunnel.initialize({
  tunnel: 'both',
  host: '10.0.0.10',
  port: 3130
});
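The three request shapes described above, as an added example (not code from global-tunnel or from this page): the hypothetical helper describeProxyRequest models the first request line the client sends to the proxy for each tunnel setting, and flags when the full target URL crosses the app-to-proxy hop unencrypted. It assumes an omitted tunnel option means the default mode and an omitted protocol means an HTTP-speaking proxy, as in the configs above.

```javascript
// Added illustration; describeProxyRequest is a hypothetical helper, not global-tunnel API.
// It only models the request line, it opens no sockets.
function describeProxyRequest(options, targetUrl, method = 'GET') {
  const tunnel = options.tunnel; // undefined = default mode (CONNECT for HTTPS only)
  if (tunnel !== undefined && tunnel !== 'neither' && tunnel !== 'both') {
    throw new Error(`tunnel value not modelled in this sketch: ${tunnel}`);
  }
  const target = new URL(targetUrl);
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    throw new Error(`not an HTTP(S) URL: ${targetUrl}`);
  }
  const isHttps = target.protocol === 'https:';
  const useConnect = tunnel === 'both' || (tunnel === undefined && isHttps);
  // Assumption: protocol omitted means the proxy speaks plain HTTP to the app.
  const hopEncrypted = options.protocol === 'https:';

  let requestLine;
  if (useConnect) {
    // CONNECT names only host:port; path and query stay inside the tunnel.
    const port = target.port || (isHttps ? '443' : '80');
    requestLine = `CONNECT ${target.hostname}:${port} HTTP/1.1`;
  } else {
    // Absolute-URI form: the whole URL is in the request line the proxy reads.
    requestLine = `${method} ${target.href} HTTP/1.1`;
  }
  return {
    requestLine,
    useConnect,
    hopEncrypted,
    // True when path and query travel in cleartext between app and proxy.
    fullUrlInCleartext: !useConnect && !hopEncrypted,
  };
}

// Constructed sample configs, reusing the proxy addresses from the README.
const sampleConfigs = [
  { host: '10.0.0.10', port: 8080 },
  { tunnel: 'neither', host: '10.0.0.10', port: 3128 },
  { tunnel: 'neither', protocol: 'https:', host: '10.0.0.10', port: 3129 },
  { tunnel: 'both', host: '10.0.0.10', port: 3130 },
];
for (const cfg of sampleConfigs) {
  for (const url of ['http://example.com/', 'https://example.com/']) {
    const r = describeProxyRequest(cfg, url);
    console.log(cfg.tunnel || 'default', cfg.protocol || 'http:', '|', r.requestLine,
      r.fullUrlInCleartext ? '| full URL visible on app->proxy hop' : '');
  }
}
```

With tunnel: 'neither' and a proxy that speaks HTTP, the request line for an https:// URL, including its path and query string, is readable on the network between the app and the proxy.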
EXPERIMENTAL
If tunnelling both protocols, you can use different HTTPS client configurations for the two phases of the connection.
globalTunnel.initialize({
  tunnel: 'both',
  protocol: 'https:',
  host: '10.0.0.10',
  port: 3130,
  proxyHttpsConfig: {
    // use this config for app -> proxy
  },
  originHttpsConfig: {
    // use this config for proxy -> origin
  }
});
The http_proxy environment variable will be used if the first parameter to globalTunnel.initialize is null or an empty object.
process.env.http_proxy = 'http://10.0.0.1:3129';
globalTunnel.initialize();
Any module that doesn't specify an explicit agent: option to http.request will also work with global-tunnel.
The unit tests for this module verify that the popular request module works with global-tunnel active.
For untested modules, it's recommended that you load and initialize global-tunnel first. This way, any copies of http.globalAgent will point to the right thing.
If you'd like to contribute to or modify global-tunnel, here's a quick guide to get you started.
Download via GitHub and install npm dependencies:
git clone git@github.com:goinstant/global-tunnel.git
cd global-tunnel
npm install
Testing is with the mocha framework. Tests are located in the test/ directory.
To run the tests:
npm test
Email GoInstant Support or stop by #goinstant on freenode.
For responsible disclosures, email GoInstant Security.
To file a bug or propose a patch, please use github directly.
© 2014 GoInstant Inc., a salesforce.com company
Licensed under the BSD 3-clause license.
FAQs
Global HTTP & HTTPS tunneling
The npm package global-tunnel receives a total of 3,742 weekly downloads. As such, global-tunnel popularity was classified as popular.
We found that global-tunnel demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.