Practical /dev/tcp in the HTTPS Era

Getting Soar onto systems with no download tools is a chicken-and-egg problem. Fresh containers, minimal distributions, and legacy Unix systems often lack curl, wget, or even working SSL libraries. You need a tool to get tools.

The Challenge

Consider these scenarios:

# Fresh Debian container
$ docker run -it debian:latest
# No curl, no wget, no ca-certificates

# Legacy system
$ uname -a
# SunOS legacy 5.10 Generic_147441-01 i86pc i386 i86pc
$ which curl wget
# command not found

# No Privileges
$ apt install curl
Error: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)
Error: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?

You need to download Soar, but you can't download Soar without download tools. Traditional solutions fail:

apt install curl requires privileges and a working package manager
Copying files requires existing access/infrastructure or is just too slow over scp
Building from source needs compilers and dependencies

The Solution

Every system with bash has /dev/tcp - a built-in feature for raw TCP connections.

⚠

Bash must be compiled with--enable-net-redirections,but this is by default always enabled.

No external dependencies, no SSL requirements, just basic HTTP over TCP:

#From: https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet?tab=readme-ov-file#4vii-file-download-without-curl
burl() {
    IFS=/ read -r proto x host query <<<"$1"
    exec 3<>"/dev/tcp/${host}/${PORT:-80}"
    echo -en "GET /${query} HTTP/1.0\r\nHost: ${host}\r\n\r\n" >&3

    #Skip headers until we hit the empty line
    while read -r line <&3; do
        # Remove carriage return and check if line is empty
        line=${line%$'\r'}
        [[ -z "$line" ]] && break
    done

    #Output only the body
    cat <&3
    exec 3>&-
}

#Examples:
burl "http://http.pkgforge.dev/https://ip.pkgforge.dev/json"
burl "http://http.pkgforge.dev/https://github.com/pkgforge/soar/releases/latest/download/soar-x86_64-linux" > "./soar"

This works on any bash system, but GitHub serves HTTPS. Legacy systems can't connect to HTTPS endpoints.

This works in:

Fresh Docker containers (debian:latest)
Legacy Unix systems without SSL
Minimal environments with only bash
Systems with broken certificate stores

🕸

http://http.pkgforge.dev will not open in your browser.

The HTTP-to-HTTPS Proxy Bridge

The solution: an HTTP proxy that handles HTTPS termination. A Cloudflare Worker accepts HTTP requests and forwards them to HTTPS destinations:

Client (HTTP) → Worker (HTTP) → Target (HTTPS) → Worker → Client

// Extract target URL from path
const destUrl = url.pathname.substring(1);

// Forward to HTTPS endpoint
const response = await fetch(destUrl, {
  method: request.method,
  redirect: 'follow',
  headers: cleanHeaders(request.headers)
});

return response;

Edge Cases

The code of worker resides @https://github.com/pkgforge-dev/reverse-proxies/blob/main/http.pkgforge.dev/worker.js & handles several edge cases for compatibility:

#From a system that has curl, you can read the help page
$ curl -qfsSL "http://http.pkgforge.dev/help"
'
This is a reverse proxy that works over HTTP (also HTTPS) to proxy to HTTPS sites.
For example, if you are on an ancient system with no SSL and only bash,
you can use this to download a static curl binary & join the modern internet.

Simply append your URL to http://http.pkgforge.dev/$URL
Example, http://http.pkgforge.dev/https://example.com --> Requests example.com (HTTPS) --> Returns the Response Back
If you want to use the DNS or IP Address to access this proxy, then visit the endpoints below.
Each endpoint will print a template HTTP request (with bash /dev/tcp example).

If your client has DNS, visit: http.pkgforge.dev/self-dns
If your client has IPv4, visit: http.pkgforge.dev/self-ipv4
If your client has IPv6, visit: http.pkgforge.dev/self-ipv6

Source Code: https://github.com/pkgforge-dev/reverse-proxies/tree/main/http.pkgforge.dev
Contact: https://docs.pkgforge.dev/contact/chat
'

DNS-less clients: Provides IPv4/IPv6 endpoints for systems without DNS resolution:

# Use IP directly if DNS is broken
burl "http://172.67.74.226/https://github.com/..."

Header management: Strips problematic headers that interfere with proxying:

// Clean headers for forwarding
requestInit.headers.delete('host');
requestInit.headers.delete('connection');

Redirect handling: Follows redirects automatically since GitHub releases often redirect to CDN URLs.

Real-World Usage

This is used in Soar's official installer:

# Fallback for systems without download tools
if ! command -v curl >/dev/null && ! command -v wget >/dev/null; then
  raw_http_get "http://http.pkgforge.dev/https://github.com/pkgforge/soar/releases/latest/download/soar-${ARCH}" > "./soar"
  sed "1,/^\r\{0,1\}$/d" -i "./soar"
fi

ℹ

We have added quite a lot of fallbacks in the script, the bash /dev/tcp being only one of those. We recommend reading the rest yourself & trying some of them.

Why This Matters

Soar needs to run on diverse systems - from cutting-edge containers to decades-old Unix boxes. Traditional package managers assume modern tooling exists. This bootstrap method ensures Soar can install itself anywhere bash runs.

Once Soar is installed, it handles all future downloads with proper SSL, certificate validation, and modern HTTP features. The proxy is just for the initial bootstrap.

Security Trade-offs

The proxy breaks end-to-end encryption for the bootstrap download. This is acceptable because:

Soar releases are public binaries
Checksums can be verified after download
It's only used when no secure alternatives exist
The alternative is manual file copying or no access at all

For production usage, Soar uses proper HTTPS connections.

Beyond Soar

This technique works for any static asset like webpages or files that needs to reach legacy systems:

# Get any GitHub release
burl "http://http.pkgforge.dev/https://github.com/user/repo/releases/latest/download/binary-linux-amd64"

# Public package repositories
burl "http://http.pkgforge.dev/https://packages.example.com/tool.tar.gz"

The proxy solves the fundamental bootstrap problem: getting the first tool onto a system so it can get better tools.

The complete proxy runs as a Cloudflare Worker, handling the HTTPS complexity while presenting a simple HTTP interface to legacy clients. Source code and deployment instructions are available in the reverse-proxies repository.

This architectural approach prioritizes compatibility over security for the narrow use case of system bootstrapping, enabling modern tools to run on systems that predate modern web infrastructure.

Bootstrapping Soar on HTTP-Only Bare/Legacy Systems