1PROXYTUNNEL(1) PROXYTUNNEL(1)
2
6 proxytunnel - program to tunnel a connection through a standard HTTPS
7 proxy
8
10 proxytunnel [OPTION]...
11
13 proxytunnel is a program to tunnel any connection through a standard
14 HTTPS proxy, circumventing standard HTTP filtering mechanisms. It’s
15 mostly used as a backend for OpenSSH’s ProxyCommand, and as a proxy
16 backend for Putty. It can also be used for other proxy-traversing
17 purposes like proxy bouncing.
18
20 -i, --inetd
21 Run from inetd (default: off)
22 -a, --standalone=port
24 Run as standalone daemon on specified port
25 -p, --proxy=host:_port_
27 Use host and port as the local proxy to connect to, if not
28 specified the HTTP_PROXY environment variable, if set, will be used
29 instead
30 -r, --remproxy=host:_port_
32 Use host and port as the remote (secondary) proxy to connect to
33 -d, --dest=host:_port_
35 Use host and port as the destination for the tunnel, you can also
36 specify them as the argument to the proxytunnel command
37 -e, --encrypt
39 SSL encrypt data between local proxy and destination
40 -E, --encrypt-proxy
42 SSL encrypt data between client and local proxy
43 -X, --encrypt-remproxy
45 SSL encrypt data between local and remote (secondary) proxy
46 -W, --wa-bug-29744
48 If SSL is in use (by -e, -E, -X options), stop using it immediately
49 after the CONNECT exchange to workaround apache server bugs. (This
50 might not work on all setups; see
51 /usr/share/doc/proxytunnel/README.Debian.gz for more details.)
52 -B, --buggy-encrypt-proxy
54 Equivalent to -E -W. (Provided for backwards compatibility.)
55
57 -T, --no-ssl3
58 Prevent the use of SSLv3 in encrypted connections (default:
59 enabled)
60 -z, --no-check-certificate
62 Do not verify server SSL certificate when establishing an SSL
63 connection. By default, the server SSL certificate is verified and
64 the target host name is checked against the server certificate’s
65 subject alternative names if any are present, or common name if
66 there are no subject alternative names.
67 -C, --cacert=filename/directory
69 Specify a CA certificate file (or directory containing CA
70 certificate(s)) to trust when verifying a server SSL certificate.
71 If a directory is provided, it must be prepared with OpenSSL’s
72 c_rehash tool. (default: /etc/ssl/certs)
73 -F, --passfile=filename
75 Use filename for reading username and password for HTTPS proxy
76 authentication, the file uses the same format as .wgetrc and can be
77 shared with wget. Use this option, or environment variables to hide
78 the password from other users
79 -P, --proxyauth=username:_password_
81 Use username and password as credentials to authenticate against a
82 local HTTPS proxy, the username and password can also be specified
83 in the PROXYUSER and PROXYPASS environment variables to hide them
84 from other users. If the password is omitted and no PROXYPASS
85 environment variable is set, proxytunnel will prompt for a password
86 -R, --remproxyauth=username:_password_
88 Use username and password as credentials to authenticate against a
89 remote (secondary) HTTPS proxy, the username and password can also
90 be specified in the REMPROXYUSER and REMPROXYPASS environment
91 variables to hide them from other users. If the password is omitted
92 and no REMPROXYPASS environment variable is set, proxytunnel will
93 prompt for a password
94 -N, --ntlm
96 Use NTLM basd authentication
97 -t, --domain=STRING
99 Specify NTLM domain (default: autodetect)
100 -H, --header=STRING
102 Add additional HTTP headers to send to proxy
103 -x, --proctitle=STRING
105 Use a different process title
106
108 -v, --verbose
109 Turn on verbosity
110 -q, --quiet
112 Suppress messages
113 -h, --help
115 Print help and exit
116 -V, --version
118 Print version and exit
119
121 host:_port_ is the destination hostname and port number combination
122 Note
124 Specifying the destination as arguments is exactly the same as
125 specifying them using the -d or --dest option.
126
128 Depending on your situation you might want to do any of the following
129 things:
130 • Connect through a local proxy to your home system on port 22
132 $ proxytunnel -v -p proxy.company.com:8080 -d system.home.nl:22
134 • Connect through a local proxy (with authentication) to your home
136 system
137 $ proxytunnel -v -p proxy.company.com:8080 -P username:password -d system.home.nl:22
139 • Connect through a local proxy (with authentication) hiding your
141 password
142 $ export PROXYPASS=password
144 $ proxytunnel -v -p proxy.company.com:8080 -P username -d system.home.nl:22
145 • Connect through a local proxy to a remote proxy and bounce to any
147 system
148 $ proxytunnel -v -p proxy.company.com:8080 -r proxy.athome.nl:443 -d system.friend.nl:22
150 • Connect using SSL through a local proxy to your home system
152 $ proxytunnel -v -E -p proxy.company.com:8080 -d system.home.nl:22
154
156 To use this program with OpenSSH to connect to a host somewhere, create
157 a ~/.ssh/config file with the following content:
158 Host system.athome.nl
160 ProxyCommand proxytunnel -p proxy.company.com:8080 -d %h:%p
161 ServerAliveInterval 30
162 Note
165 The ServerAliveInterval directive makes sure that idle connections
166 are not being dropped by intermediate firewalls that remove active
167 sessions aggresively. If you see your connection dropping out, try
168 to lower the value even more.
169 To use the dynamic (SOCKS) portforwarding capability of the SSH client,
171 you can specify the DynamicForward directive in your ssh_config file
172 like:
173 Host system.athome.nl
175 DynamicForward 1080
176 ProxyCommand proxytunnel -p proxy.company.com:8080 -d %h:%p
177 ServerAliveInterval 30
178
180 Important
181 Most HTTPS proxies do not allow access to ports other than HTTPS
182 (tcp/443) and SNEWS (tcp/563). In this case you need to make sure
183 the SSH daemon or remote proxy on the destination system is
184 listening on either tcp/443 or tcp/563 to get through.
185
187 Proxytunnel can be influenced by setting one of the following
188 environment variables:
189 HTTP_PROXY
191 If this environment variable is set, proxytunnel will use it as the
192 local proxy if -p or --proxy is not provided
193 PROXYUSER
195 If this environment variable is set, proxytunnel will use it as the
196 username for proxy authentication, unless specified using the -P or
197 --proxyauth option
198 PROXYPASS
200 If this environment variable is set, proxytunnel will use it as the
201 password for proxy authentication, unless specified using the -P or
202 --proxyauth option
203 REMPROXYUSER
205 If this environment variable is set, proxytunnel will use it as the
206 username for remote (secondary) proxy authentication, unless
207 specified using the -R or --remproxyauth option
208 REMPROXYPASS
210 If this environment variable is set, proxytunnel will use it as the
211 password for remote (secondary) proxy authentication, unless
212 specified using the -R or --remproxyauth option
213
215 ssh(1), ssh_config(8)
216
218 This software is bug-free, at least we’d like to think so. If you do
219 not agree with us, please attach the proof to your friendly email :)
220
222 This manpage was initially written by Loïc Le Guyader
223 <loic.leguyader@laposte.net[1]> for the Debian GNU/Linux system,
224 revamped in asciidoc by Dag Wieërs <dag@wieers.com[2]> and is now
225 maintained by the Proxytunnel developers.
226 Homepage at http://proxytunnel.sourceforge.net/
228
230 Proxytunnel developers
231 Author.
232
234 1. loic.leguyader@laposte.net
235 mailto:loic.leguyader@laposte.net
236 2. dag@wieers.com
238 mailto:dag@wieers.com
239 1.9.0 Augustus 2008 PROXYTUNNEL(1)