NAME¶
proxytunnel - program to tunnel a connection through a standard
HTTPS proxy
SYNOPSIS¶
proxytunnel [OPTION...]
[host:port]
DESCRIPTION¶
proxytunnel is a program to tunnel any connection through a
standard HTTPS proxy, circumventing standard HTTP filtering mechanisms.
It’s mostly used as a backend for OpenSSH’s ProxyCommand, and
as a proxy backend for Putty. It can also be used for other proxy-traversing
purposes like proxy bouncing.
OPTIONS¶
-i, --inetd
Run from inetd (default: off).
-a, --standalone=[address:]port
Run as standalone daemon on specified
address and
port.
address may be a IPv4 address, a bracket-enclosed IPv6
address or a bracket-enclosed combination of IPv6 address, '%' and interface
name. The latter format is only required with link-local IPv6 addresses. The
daemon listens on any address if
address is not given.
Examples
22, 123.45.67.89:22, [2001:db8::123:4567:89ab:cdef]:22,
[2001:db8::123:4567:89ab:cdef%eth0]:22
-p, --proxy=host:port
Use host and port as the local proxy to
connect to, if not specified the HTTP_PROXY environment variable, if
set, will be used instead.
-r, --remproxy=host:port
Use host and port as the remote (secondary)
proxy to connect to.
-d, --dest=host:port
Use host and port as the destination for
the tunnel, you can also specify them as the argument to the proxytunnel
command.
-e, --encrypt
SSL encrypt data between local proxy and
destination.
-E, --encrypt-proxy
SSL encrypt data between client and local proxy.
-X, --encrypt-remproxy
SSL encrypt data between local and remote (secondary)
proxy.
ADDITIONAL OPTIONS¶
-W, --wa-bug-29744
Workaround ASF Bugzilla 29744: If SSL is in use (by
-e, -E, -X options), stop using it immediately after the
CONNECT exchange to workaround apache server bugs (This might not work on all
setups).
-B, --buggy-encrypt-proxy
Equivalent to -E -W (Provided for backwards
compatibility).
-z, --no-check-certificate
Do not verify server SSL certificate when establishing an
SSL connection. By default, the server SSL certificate is verified and the
target host name is checked against the server certificate’s subject
alternative names if any are present, or common name if there are no subject
alternative names.
-C, --cacert=filename/directory
Specify a CA certificate file (or directory containing CA
certificate(s)) to trust when verifying a server SSL certificate. If a
directory is provided, it must be prepared with OpenSSL’s c_rehash tool
(default, unless changed at compile time using DEFAULT_CA_FILE or
DEFAULT_CA_DIR options: /etc/ssl/certs).
-4, --ipv4
Enforce the use of IPv4 when connecting to the local
proxy.
-6, --ipv6
Enforce the use of IPv6 when connecting to the local
proxy.
-F, --passfile=filename
Use filename for reading username and password for
HTTPS proxy authentication, the file uses the same format as .wgetrc and can
be shared with wget. Use this option, or environment variables to hide the
password from other users.
-P, --proxyauth=username:password
Use username and password as credentials to
authenticate against a local HTTPS proxy, the username and password can also
be specified in the PROXYUSER and PROXYPASS environment
variables to hide them from other users. If the password is omitted and
no PROXYPASS environment variable is set, proxytunnel will prompt for a
password.
-R,
--remproxyauth=username:password
Use username and password as credentials to
authenticate against a remote (secondary) HTTPS proxy, the username and
password can also be specified in the REMPROXYUSER and
REMPROXYPASS environment variables to hide them from other users. If
the password is omitted and no REMPROXYPASS environment variable
is set, proxytunnel will prompt for a password.
-c, --cert=filename
Provide the name of the file containing the SSL client
certificate to authenticate by client certificate against local proxy, remote
proxy or destination. The file must be in PEM format. On top of this it may
contain one or more intermediary certificates missing at the servers’s
end, effectively forming a certificate chain. Requires specification of
-k, --key in addition. Ignored if neither -e,
--encrypt nor -E, --encrypt-proxy nor -X,
--encrypt-remproxy is given.
-k, --key=filename
Provide the name of the file containing the SSL client
key to authenticate by client certificate against local proxy, remote proxy or
destination. The file must be in PEM format. Requires specification of
-c, --cert in addition. Ignored if neither -e,
--encrypt nor -E, --encrypt-proxy nor -X,
--encrypt-remproxy is given.
-N, --ntlm
Use NTLM based authentication.
-t, --domain=STRING
Specify NTLM domain (default: autodetect).
-H, --header=STRING
Add additional HTTP headers to send to proxy.
-o, --host=host[:port]
Send a custom Host header. With SSL connections
host is also sent as SNI.
-x, --proctitle=STRING
Use a different process title.
MISCELLANEOUS OPTIONS¶
-v, --verbose
Turn on verbosity.
-q, --quiet
Suppress messages.
-h, --help
Print help and exit.
-V, --version
Print version and exit.
ARGUMENTS¶
host:port is the destination hostname and port
number combination.
Note
Specifying the destination as arguments is exactly the same as
specifying them using the -d or --dest option.
USAGE¶
Depending on your situation you might want to do any of the
following things:
•
Connect through a local proxy to your home
system on port 22
$ proxytunnel -v -p proxy.company.com:8080 -d system.home.nl:22
•
Connect through a local proxy (with
authentication) to your home system
$ proxytunnel -v -p proxy.company.com:8080 -P username:password -d system.home.nl:22
•
Connect through a local proxy (with
authentication) hiding your password
$ export PROXYPASS=password
$ proxytunnel -v -p proxy.company.com:8080 -P username -d system.home.nl:22
•
Connect through a local proxy to a remote
proxy and bounce to any system
$ proxytunnel -v -p proxy.company.com:8080 -r proxy.athome.nl:443 -d system.friend.nl:22
•
Connect using SSL through a local proxy to
your home system
$ proxytunnel -v -E -p proxy.company.com:8080 -d system.home.nl:22
OPENSSH CONFIGURATION¶
To use this program with OpenSSH to connect to a host somewhere,
create a ~/.ssh/config file with the following content:
Host system.athome.nl
ProxyCommand proxytunnel -p proxy.company.com:8080 -d %h:%p
ServerAliveInterval 30
Note
The ServerAliveInterval directive makes sure that idle connections
are not being dropped by intermediate firewalls that remove active sessions
aggressively. If you see your connection dropping out, try to lower the
value even more.
To use the dynamic (SOCKS) portforwarding capability of the SSH
client, you can specify the DynamicForward directive in your ssh_config file
like:
Host system.athome.nl
DynamicForward 1080
ProxyCommand proxytunnel -p proxy.company.com:8080 -d %h:%p
ServerAliveInterval 30
NOTES¶
Important
Most HTTPS proxies do not allow access to ports other than HTTPS
(tcp/443) and SNEWS (tcp/563). In this case you need to make sure the SSH
daemon or remote proxy on the destination system is listening on either
tcp/443 or tcp/563 to get through.
ENVIRONMENT¶
Proxytunnel can be influenced by setting one of the following
environment variables:
HTTP_PROXY
If this environment variable is set, proxytunnel will use
it as the local proxy if -p or --proxy is not
provided.
PROXYUSER
If this environment variable is set, proxytunnel will use
it as the username for proxy authentication, unless specified using the
-P or --proxyauth option.
PROXYPASS
If this environment variable is set, proxytunnel will use
it as the password for proxy authentication, unless specified using the
-P or --proxyauth option.
REMPROXYUSER
If this environment variable is set, proxytunnel will use
it as the username for remote (secondary) proxy authentication, unless
specified using the -R or --remproxyauth option.
REMPROXYPASS
If this environment variable is set, proxytunnel will use
it as the password for remote (secondary) proxy authentication, unless
specified using the -R or --remproxyauth option.
NOTES¶
- 1.
- loic.leguyader@laposte.net
mailto:loic.leguyader@laposte.net
- 2.
- dag@wieers.com
mailto:dag@wieers.com
