Proxy

== Configure Proxy ==

=== Environment (http_proxy) ===

<source lang="bash">
export http_proxy=http://[user:pass@]proxy:port    # user=USERNAME or DOMAIN\USERNAME
export https_proxy=http://[user:pass@]proxy:port
export ftp_proxy=http://[user:pass@]proxy:port
</source>

If the password contains special characters (such as <code>@</code>, <code>:</code> or <code>/</code>, which have a meaning in the URL), it is best to '''URL-encode''' them.

Here is a script that does that and requests the password interactively:

<source lang="bash">
# Function to URL-encode special characters - thank you ChatGPT
url_encode() {
    local LC_ALL=C                  # walk the string byte by byte, so UTF-8 characters are encoded as one %XX per byte
    local string="${1}"
    local encoded=""
    local length="${#string}"
    for (( i = 0; i < length; i++ )); do
        local c="${string:i:1}"
        case "${c}" in
            [a-zA-Z0-9.~_-]) encoded+="${c}" ;;            # unreserved characters are kept as-is
            *) encoded+=$(printf '%%%02X' "'${c}") ;;       # anything else (@ : \ / space ...) becomes %XX
        esac
    done
    echo "${encoded}"
}

PROXY=PROXY:PORT                    # replace with the real proxy host:port

read -r -p "Enter proxy user '$HTTP_PROXY_USER' (USERNAME or DOMAIN\USERNAME): " HTTP_PROXY_USER
export HTTP_PROXY_USER
# read -s turns off terminal echo while the password is typed (no stty juggling: echo is restored even on Ctrl-C)
read -r -s -p "Enter proxy password for user '$HTTP_PROXY_USER': " HTTP_PROXY_PASSWORD; echo
export HTTP_PROXY_PASSWORD          # raw value, which is what connect-proxy expects (see the connect-proxy section)

# The URL gets the encoded user and password (the backslash in DOMAIN\USERNAME becomes %5C)
export http_proxy="http://$(url_encode "$HTTP_PROXY_USER"):$(url_encode "$HTTP_PROXY_PASSWORD")@$PROXY"
export https_proxy=$http_proxy
export ftp_proxy=$http_proxy
</source>

=== apt-get ===

* Either through environment variables.
* Or in the configuration file '''/etc/apt/apt.conf''' (note the trailing semicolon; comments in apt.conf start with <code>//</code>, not <code>#</code>):

<source lang="text">
Acquire::http::Proxy "http://[user:pass@]proxy:port";    // user=USERNAME or DOMAIN\USERNAME
</source>

=== [https://github.com/larryhou/connect-proxy connect-proxy] ===

'''[https://github.com/larryhou/connect-proxy connect-proxy]''' is typically used to set up a <code>ProxyCommand</code> in {{file|~/.ssh/config}}. For instance:

<source lang="bash">
ProxyCommand /usr/bin/connect -H proxyserver:port %h %p
</source>

If the proxy requires a username/password, these must be given through environment variables:

<source lang="bash">
export HTTP_PROXY_USER=your_user_name
# read -s turns off terminal echo while the password is typed
read -r -s -p "Enter proxy password for user '$HTTP_PROXY_USER': " HTTP_PROXY_PASSWORD; echo
export HTTP_PROXY_PASSWORD
# From now on, the password is in clear in the environment (inherited by every child process) - caution!
</source>

And now the connection will be granted:

<source lang="bash">
ssh myhost
</source>

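A small helper, added here as an example (it is not part of the original page nor of connect-proxy), to display the proxy settings that the scripts above export without revealing the password. It parses the <code>http://[user:pass@]proxy:port</code> form used throughout this page; the variable names are the ones used above.

```shell
#!/usr/bin/env bash
# Added example: display the proxy settings that the scripts above put in the
# environment, with the password masked. It understands the
# http://[user[:pass]@]proxy:port form used on this page (a DOMAIN\USER written
# as DOMAIN%5CUSER is kept); only the password between ':' and the last '@' is hidden.

# Mask the password in one proxy URL; URLs without a password are returned unchanged.
redact_proxy_url() {
    url="$1"
    case "$url" in
        *://*:*@*)
            scheme="${url%%://*}"            # e.g. http
            rest="${url#*://}"               # user:pass@host:port
            creds="${rest%@*}"               # everything before the last '@' (user:pass)
            hostport="${rest##*@}"           # everything after the last '@'
            printf '%s://%s:***@%s\n' "$scheme" "${creds%%:*}" "$hostport" ;;
        *)  printf '%s\n' "$url" ;;
    esac
}

# Print every proxy variable that is set (both spellings), masked. The raw
# HTTP_PROXY_PASSWORD used by connect-proxy is never printed, only whether it is set.
show_proxy_env() {
    for name in http_proxy https_proxy ftp_proxy HTTP_PROXY HTTPS_PROXY FTP_PROXY; do
        eval "value=\${$name:-}"
        [ -n "$value" ] && printf '%s=%s\n' "$name" "$(redact_proxy_url "$value")"
    done
    [ -n "${HTTP_PROXY_PASSWORD:-}" ] && echo "HTTP_PROXY_PASSWORD=(set, hidden)"
    return 0
}
```

Run <code>show_proxy_env</code> after sourcing one of the scripts above to check what every child process will inherit.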
Note that ''connect-proxy'' is a single source file and only requires ''gcc'' to compile. It is therefore trivial to install even where no binary package exists (MSYS2, Cygwin...).

To '''debug''', one can run the proxy command directly on the command line (<code>-d</code> prints the exchange with the proxy; note how the first <tt>CONNECT</tt> is refused with <tt>407</tt> and then retried with a <tt>Proxy-Authorization</tt> header):

<source lang="bash">
connect-proxy -Hd "proxyuser@proxy.server.org:8080" distant.server.org 22
# DEBUG: No direct address are specified.
# DEBUG: relay_method = HTTP (3)
# DEBUG: relay_host=proxy.server.org
# DEBUG: relay_port=8080
# DEBUG: relay_user=proxyuser
# DEBUG: local_type=stdio
# DEBUG: dest_host=distant.server.org
# DEBUG: dest_port=22
# DEBUG: checking distant.server.org is for direct?
# DEBUG: distant.server.org is for not direct.
# DEBUG: resolving host by name: proxy.server.org
# DEBUG: resolved: proxy.server.org (10.129.92.5)
# DEBUG: connecting to 10.129.92.5:8080
# DEBUG: begin_http_relay()
# DEBUG: >>> "CONNECT distant.server.org:22 HTTP/1.0\r\n"
# DEBUG: >>> "\r\n"
# DEBUG: <<< "HTTP/1.1 407 Proxy Authentication Required\r\n"
# DEBUG: <<< "Proxy-Authenticate: BASIC realm="GRENOBLE_GATEWAY_AUTHENTICATION"\r\n"
# DEBUG: <<< "Cache-Control: no-cache\r\n"
# DEBUG: <<< "Pragma: no-cache\r\n"
# DEBUG: <<< "X-XSS-Protection: 1\r\n"
# DEBUG: <<< "Content-Type: text/html; charset=utf-8\r\n"
# DEBUG: <<< "Proxy-Connection: close\r\n"
# DEBUG: <<< "Connection: close\r\n"
# DEBUG: <<< "Content-Length: 849\r\n"
# DEBUG: <<< "\r\n"
# DEBUG: checking distant.server.org is for direct?
# DEBUG: distant.server.org is for not direct.
# DEBUG: resolving host by name: proxy.server.org
# DEBUG: resolved: proxy.server.org (10.129.92.5)
# DEBUG: connecting to 10.129.92.5:8080
# DEBUG: begin_http_relay()
# DEBUG: >>> "CONNECT distant.server.org:22 HTTP/1.0\r\n"
# DEBUG: >>> "Proxy-Authorization: Basic xxxxx\r\n"
# DEBUG: >>> "\r\n"
# DEBUG: <<< "HTTP/1.1 200 Connection established\r\n"
# DEBUG: connected, start user session.
# DEBUG: <<< "\r\n"
# DEBUG: connected
# DEBUG: start relaying.
# DEBUG: recv 23 bytes
# SSH-2.0-OpenSSH_6.7p1
</source>

=== FireFox ===

* See the '''[http://foxyproxy.mozdev.org/ FoxyProxy]''' extension.

=== wget ===

* Through environment variables.
* Or in the configuration file {{file|/etc/wgetrc}} (system-wide) or {{file|~/.wgetrc}} (per user):

<source lang="text">
http_proxy = http://proxy:port
https_proxy = http://proxy:port
http_user = user
http_password = pass
# for a proxy that itself requires authentication, wget also reads proxy_user / proxy_password
</source>

== Bypassing proxy ==

The principle is to install a piece of software on the local machine that maps a local port to the target server port. The desired application then connects to this local port, and all traffic is transferred by this extra software through the proxy. There are basically two methods:

* '''Port Forwarding (SSL/CONNECT)''' - This method doesn't require a remote host server, but requires the proxy to accept the SSL/CONNECT command for other protocols than HTTPS (which usually is not the case). Also the traffic is not encrypted (and so all activity is visible in clear in the proxy log).<br/>The bypass software opens a port locally. When the application connects to that port, the bypass software first sends a <tt>CONNECT</tt> command to the proxy, which establishes a connection to the target host/port, and then simply feeds all traffic from the local port through this newly opened connection.<br/>Note that the CONNECT command does not ''per se'' imply the SSL protocol, but is what SSL clients use to establish their connection through a proxy. So the target server does not need to support SSL on the target port. This is actually a mere ''port forwarding''.
* '''Remote Host''' - This method assumes the user has access to a remote host that will forward all traffic from the proxy to the target server/port. There are some public proxies offering this service. Alternatively the user may set up their own relaying remote host with some custom server software. This method supports encryption if this intermediate host supports it. This method is very similar to the one using ''SSH''.

== HTTP Connect ==

Here are some examples of HTTP CONNECT sessions. First connect to the proxy, e.g. with netcat:

<source lang="bash">
nc proxy proxyport
</source>

Then type the request by hand. Each request ends with an empty line, which terminates the header block; the proxy answers <tt>HTTP/1.x 200 Connection established</tt> (or <tt>407 Proxy Authentication Required</tt> if credentials are needed, as in the connect-proxy trace above), after which everything typed goes straight to the target port.

First simple example, connecting to an SSH port:

<source lang="text">
CONNECT 192.168.1.1:22 HTTP/1.1
Host: example.com
Proxy-Connection: Keep-Alive

</source>

Second example, with a larger header:

<source lang="text">
CONNECT remote-server:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)
Host: remote-server
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache

</source>

One can connect to any port:

<source lang="text">
CONNECT another-server:anyport HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)
Host: another-server
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache

</source>

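The exchange described in the ''Bypassing proxy'' section and typed by hand above, as an added example (not code from the original page): it builds the CONNECT request, optionally with the Basic <tt>Proxy-Authorization</tt> header that connect-proxy sends on its second attempt, and interprets the proxy's first reply line. Host names, the realm and the credentials are constructed; <code>Host:</code> is sent in host:port form.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): build the CONNECT request shown
# above and interpret the proxy's first reply line, including the 407 challenge
# visible in the connect-proxy debug trace. Hosts and credentials are constructed.

# Build a CONNECT request for host:port (HTTP/1.1 form, as in the first example).
# With a user and password, add the Basic Proxy-Authorization header
# (RFC 7617: base64 of "user:pass"). The final empty line ends the header block.
build_connect_request() {
    host="$1"; port="$2"; user="${3:-}"; pass="${4:-}"
    printf 'CONNECT %s:%s HTTP/1.1\r\n' "$host" "$port"
    printf 'Host: %s:%s\r\n' "$host" "$port"
    printf 'Proxy-Connection: Keep-Alive\r\n'
    if [ -n "$user" ]; then
        token=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
        printf 'Proxy-Authorization: Basic %s\r\n' "$token"
    fi
    printf '\r\n'
}

# 3-digit status code of a proxy reply, or 0 if the first line is not an HTTP status line.
proxy_status() {
    first=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r')
    case "$first" in
        HTTP/1.[01]" "[0-9][0-9][0-9]*) set -- $first; echo "$2" ;;
        *) echo 0 ;;
    esac
}

# Scheme offered in the Proxy-Authenticate header of a 407 reply (e.g. Basic, NTLM); empty if none.
proxy_auth_scheme() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1) == "proxy-authenticate:" { print $2; exit }'
}

# What a tunnel client should do with the reply: only a 2xx means the tunnel is open,
# a 407 means "retry with credentials", anything else (including non-HTTP data) is a failure.
classify_reply() {
    case "$(proxy_status "$1")" in
        2[0-9][0-9]) echo "tunnel-open" ;;
        407)         echo "auth-required:$(proxy_auth_scheme "$1")" ;;
        *)           echo "refused" ;;
    esac
}

# Constructed replies, modelled on the connect-proxy trace above.
REPLY_407=$(printf 'HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm="example"\r\nConnection: close\r\n\r\n')
REPLY_200=$(printf 'HTTP/1.1 200 Connection established\r\n\r\n')

# Manual use against a real proxy, with the nc command above:
#   build_connect_request remote-server 443 | nc proxy proxyport
```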
== Proxy and Tunneling Software ==

{| class="wikitable"
|-
!rowspan="2"|Software!!colspan="6"|Proxy Server!!rowspan="2"|Port Fwding!!colspan="3"|Proxy Forwarding!!rowspan="2"|Comments
|-
!HTTP!!HTTPS!!FTP!!SOCKS!!Caching!!NTLM!!HTTP<br>proxy!!SOCKS<br>proxy!!NTLM<br>auth
|- align="center"
| align="left"|apache ||?||?||?||?||?||?||?||?||?||?||align="left"|Using <code>mod_proxy</code> and <code>ProxyRemote</code>
|- align="center"
| align="left"|cntlm ||Y||Y||Y||Y||-||-||Y||Y||Y||Y||align="left"|Only forwards through a parent proxy.
|- align="center"
| align="left"|connect ||-||-||-||-||-||-||Y||Y||-||Y||align="left"|ssh ProxyCommand, but times out on some proxies
|- align="center"
| align="left"|ntlmaps ||?||?||?||?||?||?||?||?||?||?||align="left"|outperformed by cntlm...
|- align="center"
| align="left"|privoxy ||Y||Y||-||-||-||-||-||Y||Y||-?||align="left"|
|- align="center"
| align="left"|proxychains||?||?||?||?||-||-||-||Y||Y||Y||align="left"|Requires an external proxy to bypass the local proxy
|- align="center"
| align="left"|ssh ||-||-||-||Y||-||-||Y||Y||-||Y||align="left"|Using ssh-tunnel.pl
|- align="center"
| align="left"|ssh-tunnel||-||-||-||-||-||-||Y||Y||-||Y||align="left"|ssh ProxyCommand. Sends the ssh client banner early to prevent time-outs
|- align="center"
| align="left"|socat ||-||-||-||-||-||-||Y||Y||Y||Y||align="left"|
|- align="center"
| align="left"|tinyproxy ||Y||Y||-||-||-||Y||-||Y||-||-||align="left"|Patches exist to support SOCKS proxy forwarding and NTLM auth
|}

=== Apache ===

* Apache can be used as an HTTP proxy using the [http://httpd.apache.org/docs/1.3/mod/mod_proxy.html mod_proxy] module.
* It can also forward requests to a parent proxy using the <code>ProxyRemote</code> directive.
** What about NTLM authentication to the parent proxy? Could it be that this authentication can be done by the client, and forwarded as-is to the parent proxy?

=== [http://cntlm.awk.cz/ cntlm] ===

* Authenticating FTP, HTTP, HTTPS, SOCKS proxy server (i.e. it always forwards connections to a remote parent proxy)
* Transparent TCP/IP port forwarding (tunneling)
* More efficient than '''ntlmaps'''
* Supports NTLMv2 and hashed user/password, and can auto-detect the most secure authentication mode to use with the parent proxy (see option <code>-M</code>)
* Gateway mode
* See also the combination with '''tsocks'''

=== [http://www.htthost.com/ HTTHost+HTTPort] ===

'''Windows only''' - '''[http://www.htthost.com/ HTTHost+HTTPort]''' is a free HTTP tunneling package that supports both methods described above. ''HTTHost'' is the client software, and ''HTTPort'' is the software that can be used to set up a remote relaying server. Installation is quite straightforward.

<font color="red">'''! Privacy/confidentiality issues !'''</font> - In ''remote host'' mode, if no remote host is specified, HTTHost will automatically try to connect to some public proxies. This means that all unencrypted data (including passwords) will be sent to these public proxies. If that's an issue, then for maximum safety explicitly choose the ''SSL/CONNECT'' mode, and don't use the ''auto'' option.

=== [http://www.privoxy.org/ Privoxy] ===

See [[Privoxy]].

=== [http://proxychains.sourceforge.net/ Proxychains] ===

'''Proxychains''' can be used to tunnel the http traffic of a given program (e.g. telnet) through a random chain of proxies.

=== [http://www.dest-unreach.org/socat/ socat] ===

'''socat''' is a command-line utility that establishes two bidirectional byte streams and transfers data between them. It is a very powerful utility that can be used to establish connections between various types of interfaces (TCP/serial/...). See also the page on [[Linux Commands#socat|socat]].

For instance, the following command can be used to tunnel a connection on a local port to a remote host/port using the proxy ''SSL/CONNECT'' command (the chained address must be quoted, otherwise the shell interprets the <code>|</code> as a pipe):

<source lang="bash">
# Using socat v2.0 BETA (address chaining with '|' requires the v2 syntax)
/usr/local/bin/socat -ly 'TCP4-LISTEN:143,reuseaddr,fork' 'PROXY:imap.server:143|TCP:proxy.server:8080'
</source>

Note that '''socat''' is '''not a proxy server''' in itself because the destination is always fixed. It can be used to bypass a proxy (using <code>PROXY:</code>), but only to a pre-defined location.

=== SSH ===

There are basically two ways to bypass a proxy using SSH:

* Port forwarding (option '''-L''') and reverse forwarding (option '''-R''')
* SOCKS proxy (option '''-D''')

==== Port forwarding ====

The principle is to establish an SSH connection through the proxy to a remote SSH server host, and then to tunnel all connections made to some port on the local machine to a remote host that is reachable from the SSH server. All communications through the proxy are encrypted, so the proxy only sees an SSH connection. This method assumes that the proxy accepts the SSL/CONNECT command to an external SSH port (port 22).

Port forwarding is a standard feature of ''SSH'' (command-line option <tt>'''-L'''</tt>). For example, to reach remote IMAP and SMTP servers through SSH port forwarding:

<source lang="bash">
# -f: go to background, -N: no remote command, -L: local port -> host:port as reachable from ssh.server.org
# (binding local ports below 1024 such as 143 and 25 requires root)
ssh -f -N -L143:imap.server:143 -L25:smtp.server:25 ssh.server.org
</source>

Now, '''SSH''' must also be configured to proxy all connections to <tt>ssh.server.org</tt> through the proxy. This can be done with the <code>ProxyCommand</code> option (see the ''connect-proxy'' section above). See the page on [[SSH]], which also has an example of ''reverse forwarding''.

==== SOCKS proxy ====

SSH can also be configured to act as a SOCKS5 proxy. With option '''-D''', SSH opens a port on the local machine, and client applications may request to connect to some remote host/port through that local port. Example (this also assumes that SSH is configured to connect through the proxy using <code>ProxyCommand</code>):

<source lang="bash">
ssh -f -N -D1080 hostname
</source>

Client applications must be configured to connect through the opened SOCKS5 proxy. They must also be configured to '''not resolve DNS locally''' but through the SOCKS5 proxy (otherwise the name lookups go to the local resolver, where internal names may not resolve). For instance, in '''FireFox''', this can be done using the extension '''FoxyProxy'''.

=== [https://www.banu.com/tinyproxy/ Tinyproxy] ===

'''Tinyproxy''' is a non-caching HTTP proxy server. It does not support FTP proxying.

=== [http://tsocks.sourceforge.net/ tsocks] ===

Transparently intercepts TCP connections and forwards them through a specified SOCKS proxy. This is done by loading the '''tsocks''' library through the environment variable '''LD_PRELOAD'''. See the [http://linux.die.net/man/8/tsocks man page].

=== Other proxy-related software ===

FTP proxies (Linux):

* Frox
* FTP-Proxy

Latest revision as of 13:50, 9 July 2024

== References ==

* For SSH, check the excellent [http://wiki.yobi.be/wiki/Bypass_Proxy Yobi wiki] page on how to bypass a corporate proxy using SSH.
* A good FAQ on proxies.
* HTTHost+HTTPort is a free software to create an HTTP tunnel through a proxy to connect to any remote host/port (using SSL/CONNECT). It also provides software to run a remote host to which HTTHost can tunnel through.
* List of free HTTP proxies:
** http://proxys4all.cgi.net/