Linux – Forward non HTTP traffic on port 80


I'm creating an Android application that uses the MQTT protocol to send real-time messages; however, the local firewall is strict and blocks most ports, so the Android app cannot connect. (The server is outside the firewall, but users at my location cannot connect through it.)

Is it possible to forward non-HTTP traffic from port 80 to 1883, or 443 to 8883, server-side, while still handling HTTP traffic properly? (I'm aware that some firewalls also block non-HTTP traffic over TCP, but at least this can accommodate a few more people.)

I have a Linode VPS running NGINX as the web server on CentOS 5.

Best Answer

You can write a proxy that intercepts the TCP stream, inspect the first three bytes of data sent by the client, and if they're not all letters (A-Z,a-z) of the same case, consider it to be non-HTTP. Proxy HTTP to a port the web server listens on. Proxy non-HTTP to the port your MQTT server listens on.

This is not strictly correct -- it's a hack. But I've used it successfully to do many similar things. I skimmed the MQTT protocol and it doesn't seem likely that an MQTT message would look like HTTP by this test. If it does, you'll have to check in more detail. For example, check for known HTTP verbs and/or the space after the verb.

I still think the best/right solution is to get a port opened in the firewall. This is an ugly hack that makes the firewall less useful. Anyone authorized to deploy a server application should also have the ability to get a port opened for that application.
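A minimal proxy implementing the first-bytes test described in the answer, added here as an example and not code from the answer or the original post. It assumes NGINX has been moved to 127.0.0.1:8080 and the MQTT broker listens on 127.0.0.1:1883 (both assumed values), and covers only the plaintext port 80 case.

```python
import asyncio

HTTP_BACKEND = ("127.0.0.1", 8080)  # assumed: nginx moved off port 80
MQTT_BACKEND = ("127.0.0.1", 1883)  # assumed: broker on its default port
HTTP_VERBS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
              b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")

def looks_like_http(prefix: bytes) -> bool:
    """The answer's heuristic: first three bytes are letters of one case."""
    head = prefix[:3]
    return len(head) == 3 and head.isalpha() and (head.isupper() or head.islower())

def is_http_request(prefix: bytes) -> bool:
    """Stricter variant the answer suggests: a known verb followed by a space.
    An MQTT CONNECT packet begins with byte 0x10, so it fails both checks."""
    return looks_like_http(prefix) and prefix.startswith(HTTP_VERBS)

async def pipe(reader, writer):
    """Copy one direction until EOF, then close our end."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle(client_r, client_w):
    # Peek at the opening bytes; an HTTP request line and an MQTT CONNECT
    # both exceed 16 bytes, so the first read is enough to classify.
    try:
        first = await asyncio.wait_for(client_r.read(16), timeout=5)
    except asyncio.TimeoutError:
        client_w.close()
        return
    host, port = HTTP_BACKEND if is_http_request(first) else MQTT_BACKEND
    try:
        back_r, back_w = await asyncio.open_connection(host, port)
    except OSError:
        client_w.close()
        return
    back_w.write(first)  # replay the peeked bytes to the chosen backend
    await back_w.drain()
    await asyncio.gather(pipe(client_r, back_w), pipe(back_r, client_w))

async def main():
    server = await asyncio.start_server(handle, "0.0.0.0", 80)
    await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Port 443 cannot be split this way, because HTTPS and MQTT over TLS both open with a TLS handshake and their first bytes are indistinguishable; that case needs routing on the TLS SNI name instead.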
