PROXYTUNNEL(1) PROXYTUNNEL(1)

proxytunnel - program to tunnel a connection through a standard HTTPS
proxy

proxytunnel [OPTION]...

proxytunnel is a program to tunnel any connection through a standard
HTTPS proxy, circumventing standard HTTP filtering mechanisms. It’s
mostly used as a backend for OpenSSH’s ProxyCommand, and as a proxy
backend for PuTTY. It can also be used for other proxy-traversing
purposes like proxy bouncing.

-i, --inetd
    Run from inetd (default: off)

-a, --standalone=port
    Run as standalone daemon on specified port

-p, --proxy=host:port
    Use host and port as the local proxy to connect to. If not
    specified, the HTTP_PROXY environment variable, if set, will be
    used instead.

-r, --remproxy=host:port
    Use host and port as the remote (secondary) proxy to connect to

-d, --dest=host:port
    Use host and port as the destination for the tunnel. You can also
    specify them as the argument to the proxytunnel command.

-e, --encrypt
    SSL encrypt data between local proxy and destination

-E, --encrypt-proxy
    SSL encrypt data between client and local proxy

-X, --encrypt-remproxy
    SSL encrypt data between local and remote (secondary) proxy

-W, --wa-bug-29744
    If SSL is in use (by -e, -E, -X options), stop using it immediately
    after the CONNECT exchange to work around Apache server bugs. (This
    might not work on all setups; see
    /usr/share/doc/proxytunnel/README.Debian.gz for more details.)

-B, --buggy-encrypt-proxy
    Equivalent to -E -W. (Provided for backwards compatibility.)

-T, --no-ssl3
    Prevent the use of SSLv3 in encrypted connections (default:
    enabled)

-z, --no-check-certificate
    Do not verify server SSL certificate when establishing an SSL
    connection. By default, the server SSL certificate is verified and
    the target host name is checked against the server certificate’s
    subject alternative names if any are present, or common name if
    there are no subject alternative names.

-C, --cacert=filename/directory
    Specify a CA certificate file (or directory containing CA
    certificate(s)) to trust when verifying a server SSL certificate.
    If a directory is provided, it must be prepared with OpenSSL’s
    c_rehash tool. (default: /etc/ssl/certs)

-F, --passfile=filename
    Use filename for reading username and password for HTTPS proxy
    authentication. The file uses the same format as .wgetrc and can be
    shared with wget. Use this option, or environment variables, to
    hide the password from other users.

-P, --proxyauth=username:password
    Use username and password as credentials to authenticate against a
    local HTTPS proxy. The username and password can also be specified
    in the PROXYUSER and PROXYPASS environment variables to hide them
    from other users. If the password is omitted and no PROXYPASS
    environment variable is set, proxytunnel will prompt for a
    password.

-R, --remproxyauth=username:password
    Use username and password as credentials to authenticate against a
    remote (secondary) HTTPS proxy. The username and password can also
    be specified in the REMPROXYUSER and REMPROXYPASS environment
    variables to hide them from other users. If the password is omitted
    and no REMPROXYPASS environment variable is set, proxytunnel will
    prompt for a password.

-N, --ntlm
    Use NTLM based authentication

-t, --domain=STRING
    Specify NTLM domain (default: autodetect)

-H, --header=STRING
    Add additional HTTP headers to send to proxy

-x, --proctitle=STRING
    Use a different process title

-v, --verbose
    Turn on verbosity

-q, --quiet
    Suppress messages

-h, --help
    Print help and exit

-V, --version
    Print version and exit

host:port is the destination hostname and port number combination

Note
    Specifying the destination as arguments is exactly the same as
    specifying them using the -d or --dest option.

Depending on your situation you might want to do any of the following
things:

• Connect through a local proxy to your home system on port 22

    $ proxytunnel -v -p proxy.company.com:8080 -d system.home.nl:22

• Connect through a local proxy (with authentication) to your home
  system

    $ proxytunnel -v -p proxy.company.com:8080 -P username:password -d system.home.nl:22

• Connect through a local proxy (with authentication) hiding your
  password

    $ export PROXYPASS=password
    $ proxytunnel -v -p proxy.company.com:8080 -P username -d system.home.nl:22

• Connect through a local proxy to a remote proxy and bounce to any
  system

    $ proxytunnel -v -p proxy.company.com:8080 -r proxy.athome.nl:443 -d system.friend.nl:22

• Connect using SSL through a local proxy to your home system

    $ proxytunnel -v -E -p proxy.company.com:8080 -d system.home.nl:22

To use this program with OpenSSH to connect to a host somewhere, create
a ~/.ssh/config file with the following content:

    Host system.athome.nl
        ProxyCommand proxytunnel -p proxy.company.com:8080 -d %h:%p
        ServerAliveInterval 30

Note
    The ServerAliveInterval directive makes sure that idle connections
    are not dropped by intermediate firewalls that remove active
    sessions aggressively. If you see your connection dropping out, try
    lowering the value even more.

To use the dynamic (SOCKS) port forwarding capability of the SSH client,
you can specify the DynamicForward directive in your ssh_config file
like:

    Host system.athome.nl
        DynamicForward 1080
        ProxyCommand proxytunnel -p proxy.company.com:8080 -d %h:%p
        ServerAliveInterval 30

Important
    Most HTTPS proxies do not allow access to ports other than HTTPS
    (tcp/443) and SNEWS (tcp/563). In this case you need to make sure
    the SSH daemon or remote proxy on the destination system is
    listening on either tcp/443 or tcp/563 to get through.
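
An added example (not from the proxytunnel documentation or its authors): a shell check that reads ssh_config text and flags proxytunnel ProxyCommand lines that put a password in the argument list (-P, -R), disable certificate verification (-z), or stop SSL after CONNECT (-W, -B). The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of proxytunnel: audit ssh_config text on stdin for
# proxytunnel ProxyCommand lines that weaken protections described on this page.
# Assumption: one option per token; bundled short options (-vz) are not parsed.

audit_proxytunnel() {
    awk '
    function report(msg) { print host ": " msg }
    BEGIN { host = "(global)" }
    tolower($1) == "host" { host = $2; next }
    tolower($1) == "proxycommand" && $2 ~ /(^|\/)proxytunnel$/ {
        for (i = 3; i <= NF; i++) {
            a = $i
            if ((a == "-P" || a == "-R") && $(i + 1) ~ /:./) {
                # user:password in argv is visible to other local users
                report(a " carries a password on the command line")
            } else if (a ~ /^--(rem)?proxyauth=[^:]*:./) {
                sub(/=.*/, "", a)      # never echo the secret itself
                report(a " carries a password on the command line")
            } else if (a == "-z" || a == "--no-check-certificate") {
                report(a " disables server certificate verification")
            } else if (a == "-W" || a == "--wa-bug-29744" ||
                       a == "-B" || a == "--buggy-encrypt-proxy") {
                report(a " stops SSL right after the CONNECT exchange")
            }
        }
    }'
}

# Constructed sample input, reusing the host names from the examples above.
sample_config() {
    cat <<'EOF'
Host system.athome.nl
    ProxyCommand proxytunnel -p proxy.company.com:8080 -P username:password -d %h:%p
    ServerAliveInterval 30
Host system.friend.nl
    ProxyCommand proxytunnel -E -z -p proxy.company.com:8080 -P username -d %h:%p
Host system.home.nl
    ProxyCommand proxytunnel -E -C /etc/ssl/certs -p proxy.company.com:8080 -d %h:%p
EOF
}

sample_config | audit_proxytunnel
```

To check a real file, feed it on stdin: `audit_proxytunnel < ~/.ssh/config`.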

Proxytunnel can be influenced by setting one of the following
environment variables:

HTTP_PROXY
    If this environment variable is set, proxytunnel will use it as the
    local proxy if -p or --proxy is not provided

PROXYUSER
    If this environment variable is set, proxytunnel will use it as the
    username for proxy authentication, unless specified using the -P or
    --proxyauth option

PROXYPASS
    If this environment variable is set, proxytunnel will use it as the
    password for proxy authentication, unless specified using the -P or
    --proxyauth option

REMPROXYUSER
    If this environment variable is set, proxytunnel will use it as the
    username for remote (secondary) proxy authentication, unless
    specified using the -R or --remproxyauth option

REMPROXYPASS
    If this environment variable is set, proxytunnel will use it as the
    password for remote (secondary) proxy authentication, unless
    specified using the -R or --remproxyauth option

ssh(1), ssh_config(8)

This software is bug-free, at least we’d like to think so. If you do
not agree with us, please attach the proof to your friendly email :)

This manpage was initially written by Loïc Le Guyader
<loic.leguyader@laposte.net[1]> for the Debian GNU/Linux system,
revamped in asciidoc by Dag Wieërs <dag@wieers.com[2]> and is now
maintained by the Proxytunnel developers.

Homepage at http://proxytunnel.sourceforge.net/

Proxytunnel developers
    Author.

1. loic.leguyader@laposte.net
   mailto:loic.leguyader@laposte.net

2. dag@wieers.com
   mailto:dag@wieers.com

1.9.0 August 2008 PROXYTUNNEL(1)