Not working behind http proxy or firewall?

gerson · January 12, 2017, 4:53pm

I’m trying to sync my office Desktop to my computer at home with Syncthing. Currently I’m using Unison, which syncs via SSH and works well.

At my office, the desktop is behind a http proxy. I’m not sure if they have socks proxy here. Probably not. This is already a problem, right? Syncthing requires socks proxy?

Just to give a full picture, to connect via SSH from home, I have to point the ssh to an intermediate IP, which then redirects the connection to my office within the NAT.

It seems that Unison, Rsync (ssh based connections) are my only choices to sync. Is that correct? Or would it Syncthing work if I ask the IT department to open some ports for me?

Thanks.

AudriusButkevicius · January 12, 2017, 5:27pm

It might work if you set up http proxy env vars, as I suspect it’s failing during discovery.

gerson · January 12, 2017, 5:57pm

It doesn’t work. If I set

export http_proxy=http://… export https_proxy=…

Syncthing does not dectect proxy. The CLI only shows the “proxy detected” message if I set the

export all_proxy=socks://…

But then I think they don’t have socks here. Trying all_proxy=http://… also didn’t work.

AudriusButkevicius · January 12, 2017, 6:19pm

It would not print a message for http proxy, thats handled by the standard library.

AudriusButkevicius · January 12, 2017, 6:20pm

Never the less, see if you get errors from the discovery service. Maybe your firewall allows only http traffic (and no other traffic) and syncthing can’t work via a http proxy only without being able to make direct connections.

Corrisen · January 12, 2017, 6:59pm

I guess by ‘I have to point the ssh to an intermediate IP’ you mean that you added some code to your .ssh/config file in order to do so. What actually happens under the hood is that you connect via ssh to a computer (your organization’s gateway) and from there to your work PC.

You could use the same configuration to create a port forwarding or socks proxy to your work computer via ssh, look e.g. here: https://calomel.org/firefox_ssh_proxy.html

Although that would mean:

that you need to have the ssh client running on your home computer and to find a way to restart it automatically (ideally) if connection breaks;
that your organization’s sysadmins may be unhappy once they eventually figure out what you are doing.

I believe your best bet is to do the other way round, i.e. connect from work to home. Assuming you have the usual xDSL connection at home with a public and dynamic address, just use a dynamic domain and port forwarding on your home router and you are good to go.

gerson · January 12, 2017, 7:42pm

I don’t know how the IT department redirects my SSH connection from the intermediate IP to my desktop. Sorry.

Here’s the output of the syncthing CLI:

[gerson@girasol ~]$ env | grep proxy
FTP_PROXY=http://proxy.ufu.br:3128/
https_proxy=http://proxy.ufu.br:3128
http_proxy=http://proxy.ufu.br:3128
no_proxy=localhost,127.0.0.0/8,::1
ftp_proxy=http://proxy.ufu.br:3128/
[gerson@girasol ~]$ syncthing --no-browser
[monitor] 17:36:44 INFO: Starting syncthing
[SUWDK] 17:36:44 INFO: syncthing v0.14.18 "Dysprosium Dragonfly" (go1.7.4 linux-amd64) builduser@svetlemodry 2017-01-01 21:43:44 UTC
[SUWDK] 17:36:44 INFO: My ID: SUWDKC7-L2GCHV3-C4JVLGW-KE52KOV-A5D6OIH-BV726U7-CYDIGGR-NPZYKAP
[SUWDK] 17:36:45 INFO: Single thread hash performance is 218 MB/s using crypto/sha256 (43 MB/s using minio/sha256-simd).
[SUWDK] 17:36:46 INFO: Ready to synchronize "Default Folder" (default) (readwrite)
[SUWDK] 17:36:46 INFO: Using discovery server https://discovery-v4-2.syncthing.net/v2/?id=DVU36WY-H3LVZHW-E6LLFRE-YAFN5EL-HILWRYP-OC2M47J-Z4PE62Y-ADIBDQC
[SUWDK] 17:36:46 INFO: Using discovery server https://discovery-v4-3.syncthing.net/v2/?id=VK6HNJ3-VVMM66S-HRVWSCR-IXEHL2H-U4AQ4MW-UCPQBWX-J2L2UBK-NVZRDQZ
[SUWDK] 17:36:46 INFO: Using discovery server https://discovery-v4-4.syncthing.net/v2/?id=LYXKCHX-VI3NYZR-ALCJBHF-WMZYSPK-QG6QJA3-MPFYMSO-U56GTUK-NA2MIAW
[SUWDK] 17:36:46 INFO: TCP listener ([::]:22000) starting
[SUWDK] 17:36:46 INFO: Using discovery server https://discovery-v6-2.syncthing.net/v2/?id=DVU36WY-H3LVZHW-E6LLFRE-YAFN5EL-HILWRYP-OC2M47J-Z4PE62Y-ADIBDQC
[SUWDK] 17:36:46 INFO: Using discovery server https://discovery-v6-3.syncthing.net/v2/?id=VK6HNJ3-VVMM66S-HRVWSCR-IXEHL2H-U4AQ4MW-UCPQBWX-J2L2UBK-NVZRDQZ
[SUWDK] 17:36:46 INFO: Using discovery server https://discovery-v6-4.syncthing.net/v2/?id=LYXKCHX-VI3NYZR-ALCJBHF-WMZYSPK-QG6QJA3-MPFYMSO-U56GTUK-NA2MIAW
[SUWDK] 17:36:46 INFO: Device SUWDKC7-L2GCHV3-C4JVLGW-KE52KOV-A5D6OIH-BV726U7-CYDIGGR-NPZYKAP is "girasol" at [dynamic]
[SUWDK] 17:36:46 INFO: GUI and API listening on 127.0.0.1:8384
[SUWDK] 17:36:46 INFO: Access the GUI via the following URL: http://127.0.0.1:8384/
[SUWDK] 17:36:46 INFO: Completed initial scan (rw) of "Default Folder" (default)
[SUWDK] 17:36:57 INFO: Detected 1 NAT device
[SUWDK] 17:38:19 INFO: Could not connect to relay relay://69.197.185.164:80/?id=6LWAN23-5ZAI65D-5F67VQY-E7AWU3N-PEB33LM-6CLIVYU-5GJTBZ2-5EZIEQH&pingInterval=1m0s&networkTimeout=2m0s&sessionLimitBps=0&globalLimitBps=2097152&statusAddr=:22068&providedBy=Munzy - Kansas City, MO, USA: tls: oversized record received with length 20291
[SUWDK] 17:38:29 INFO: Could not connect to relay relay://178.238.228.171:22067/?id=HRHITUZ-PECCMAK-JEKLFHZ-3FBH6ZI-VS6CX3U-LSAJRXX-B6PJT5N-C4M7QAO&pingInterval=1m0s&networkTimeout=2m0s&sessionLimitBps=0&globalLimitBps=3750000&statusAddr=:22070&providedBy=Stefano: dial tcp 178.238.228.171:22067: i/o timeout

AudriusButkevicius · January 12, 2017, 11:58pm

Your corporate firewall is simply too much, as it’s interfering with everything.

calmh · January 13, 2017, 3:00am

Theoretically Syncthing could work behind an https proxy that supports connect. Whether our proxy implementation actually does this I have no idea, I’m guessing it doesn’t.

gerson · January 13, 2017, 12:18pm

Thanks. I’ll try to talk with the IT guys here. But they are already not happy with us using SSH from home… stupid, right? I’m really limited here. And I work at an University…

My initial question was essentially if http proxy should work, because the documentation mentions socks only. Maybe you could add there a line saying that http_proxy should work as well.

One last question: any tips on what I should ask the IT guys here?

check if our http proxy supports connect
open some ports on the firewall?

Thanks again for the help. In the worst case scenario, I’ll keep using Unison for now. But congrats on Syncthing. It seems great!

AudriusButkevicius · January 13, 2017, 12:26pm

Only discovery uses http as the transport so it’s not helping much, we need a socks proxy or permission to make generic outgoing connections to the internet for syncthing to work.

system · February 12, 2017, 12:34pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.