proxytunnel - Man Page

program to tunnel a connection through a standard HTTPS proxy

Synopsis

proxytunnel [OPTION]...

Description

proxytunnel is a program to tunnel any connection through a standard HTTPS proxy, circumventing standard HTTP filtering mechanisms. It’s mostly used as a backend for OpenSSH’s ProxyCommand, and as a proxy backend for PuTTY. It can also be used for other proxy-traversing purposes like proxy bouncing.

Options

-i,  --inetd

Run from inetd (default: off)

-a,  --standalone=port

Run as standalone daemon on specified port

-p,  --proxy=host:port

Use host and port as the local proxy to connect to. If not specified, the HTTP_PROXY environment variable is used instead, if it is set

-r,  --remproxy=host:port

Use host and port as the remote (secondary) proxy to connect to

-d,  --dest=host:port

Use host and port as the destination for the tunnel. You can also specify them as the argument to the proxytunnel command

-e,  --encrypt

SSL encrypt data between local proxy and destination

-E,  --encrypt-proxy

SSL encrypt data between client and local proxy

-X,  --encrypt-remproxy

SSL encrypt data between local and remote (secondary) proxy

-W,  --wa-bug-29744

If SSL is in use (by -e, -E, -X options), stop using it immediately after the CONNECT exchange to work around Apache server bugs. (This might not work on all setups; see /usr/share/doc/proxytunnel/README.Debian.gz for more details.)

-B,  --buggy-encrypt-proxy

Equivalent to -E -W. (Provided for backwards compatibility.)

Additional Options

-T,  --no-ssl3

Prevent the use of SSLv3 in encrypted connections (default: enabled)

-z,  --no-check-certificate

Do not verify server SSL certificate when establishing an SSL connection. By default, the server SSL certificate is verified and the target host name is checked against the server certificate’s subject alternative names if any are present, or common name if there are no subject alternative names.

-C,  --cacert=filename/directory

Specify a CA certificate file (or directory containing CA certificate(s)) to trust when verifying a server SSL certificate. If a directory is provided, it must be prepared with OpenSSL’s c_rehash tool. (default: /etc/ssl/certs)

-F,  --passfile=filename

Use filename for reading username and password for HTTPS proxy authentication. The file uses the same format as .wgetrc and can be shared with wget. Use this option or environment variables to hide the password from other users

-P,  --proxyauth=username:password

Use username and password as credentials to authenticate against a local HTTPS proxy. The username and password can also be specified in the PROXYUSER and PROXYPASS environment variables to hide them from other users. If the password is omitted and no PROXYPASS environment variable is set, proxytunnel will prompt for a password

-R,  --remproxyauth=username:password

Use username and password as credentials to authenticate against a remote (secondary) HTTPS proxy. The username and password can also be specified in the REMPROXYUSER and REMPROXYPASS environment variables to hide them from other users. If the password is omitted and no REMPROXYPASS environment variable is set, proxytunnel will prompt for a password

-N,  --ntlm

Use NTLM based authentication

-t,  --domain=STRING

Specify NTLM domain (default: autodetect)

-H,  --header=STRING

Add additional HTTP headers to send to proxy

-x,  --proctitle=STRING

Use a different process title

Miscellaneous Options

-v,  --verbose

Turn on verbosity

-q,  --quiet

Suppress messages

-h,  --help

Print help and exit

-V,  --version

Print version and exit

Arguments

host:port is the destination hostname and port number combination

Note

Specifying the destination as arguments is exactly the same as specifying them using the -d or --dest option.

Usage

Depending on your situation you might want to do any of the following things:

OpenSSH Configuration

To use this program with OpenSSH to connect to a host somewhere, create a ~/.ssh/config file with the following content:

Host system.athome.nl
    ProxyCommand proxytunnel -p proxy.company.com:8080 -d %h:%p
    ServerAliveInterval 30

Note

The ServerAliveInterval directive makes sure that idle connections are not dropped by intermediate firewalls that remove active sessions aggressively. If you see your connection dropping out, try to lower the value even more.

To use the dynamic (SOCKS) port forwarding capability of the SSH client, you can specify the DynamicForward directive in your ssh_config file like:

Host system.athome.nl
    DynamicForward 1080
    ProxyCommand proxytunnel -p proxy.company.com:8080 -d %h:%p
    ServerAliveInterval 30
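
A check for configurations like the ones above, as an added example that is not part of the original man page or the proxytunnel project: it scans an ssh_config file for proxytunnel ProxyCommand lines that disable certificate verification (-z), stop SSL after the CONNECT exchange (-W, -B), or carry a password inline (-P, -R). The finding names and the hosts weak.example and legacy.example are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit ssh_config ProxyCommand lines that call proxytunnel.
# Finding names (NO_CERT_CHECK, TLS_DROPPED, INLINE_PASSWORD) are made up here.

audit_proxytunnel() {
    awk '
    # True when tok is a cluster of argument-less short flags that contains c.
    function has_flag(tok, c) {
        return (tok ~ /^-[ieEXWBTzNvq]+$/) && (index(substr(tok, 2), c) > 0)
    }
    tolower($1) == "proxycommand" && /proxytunnel/ {
        for (i = 2; i <= NF; i++) {
            t = $i
            # -z: the server SSL certificate is not verified.
            if (t == "--no-check-certificate" || has_flag(t, "z"))
                print NR ": NO_CERT_CHECK"
            # -W / -B: SSL stops right after the CONNECT exchange.
            if (t == "--wa-bug-29744" || t == "--buggy-encrypt-proxy" ||
                has_flag(t, "W") || has_flag(t, "B"))
                print NR ": TLS_DROPPED"
            # Credentials: value follows as the next token or after "=".
            cred = ""
            if (t == "-P" || t == "-R" || t == "--proxyauth" || t == "--remproxyauth")
                cred = $(i + 1)
            else if (t ~ /^--(rem)?proxyauth=/)
                cred = substr(t, index(t, "=") + 1)
            # user:password here sits in the config file and the process list.
            if (cred ~ /^[^:]+:.+/)
                print NR ": INLINE_PASSWORD"
        }
    }' "$1"
}

# Constructed sample config; weak.example and legacy.example are placeholders.
sample_config() {
    cat <<'EOF'
Host system.athome.nl
    ProxyCommand proxytunnel -p proxy.company.com:8080 -d %h:%p
Host weak.example
    ProxyCommand proxytunnel -Ez -p proxy.company.com:8080 -P alice:s3cret -d %h:%p
Host legacy.example
    ProxyCommand proxytunnel -B -p proxy.company.com:8080 --proxyauth=alice -d %h:%p
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_proxytunnel "$tmp"
rm -f "$tmp"
```

Each output line is the config line number followed by the finding; a username without a password (as on the legacy.example line) is not flagged, because proxytunnel then reads PROXYPASS or prompts.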

Notes

Important

Most HTTPS proxies do not allow access to ports other than HTTPS (tcp/443) and SNEWS (tcp/563). In this case you need to make sure the SSH daemon or remote proxy on the destination system is listening on either tcp/443 or tcp/563 to get through.

Environment

Proxytunnel can be influenced by setting one of the following environment variables:

HTTP_PROXY

If this environment variable is set, proxytunnel will use it as the local proxy if -p or --proxy is not provided

PROXYUSER

If this environment variable is set, proxytunnel will use it as the username for proxy authentication, unless specified using the -P or --proxyauth option

PROXYPASS

If this environment variable is set, proxytunnel will use it as the password for proxy authentication, unless specified using the -P or --proxyauth option

REMPROXYUSER

If this environment variable is set, proxytunnel will use it as the username for remote (secondary) proxy authentication, unless specified using the -R or --remproxyauth option

REMPROXYPASS

If this environment variable is set, proxytunnel will use it as the password for remote (secondary) proxy authentication, unless specified using the -R or --remproxyauth option

See Also

ssh(1), ssh_config(8)

Bugs

This software is bug-free, at least we’d like to think so. If you do not agree with us, please attach the proof to your friendly email :)

Author

This manpage was initially written by Loïc Le Guyader <loic.leguyader@laposte.net[1]> for the Debian GNU/Linux system, revamped in asciidoc by Dag Wieërs <dag@wieers.com[2]> and is now maintained by the Proxytunnel developers.

Homepage at http://proxytunnel.sourceforge.net/

Notes

  1. loic.leguyader@laposte.net
    mailto:loic.leguyader@laposte.net
  2. dag@wieers.com
    mailto:dag@wieers.com

Info

August 2008 1.9.0