PROXYTUNNEL(1)							PROXYTUNNEL(1)

NAME
       proxytunnel - program to	tunnel a connection through a standard HTTPS
       proxy

SYNOPSIS
       proxytunnel [OPTION...] [host:port]

DESCRIPTION
       proxytunnel is a program to tunnel any connection through a standard
       HTTPS proxy, circumventing standard HTTP filtering mechanisms. It's
       mostly used as a backend for OpenSSH's ProxyCommand, and as a proxy
       backend for PuTTY. It can also be used for other proxy-traversing
       purposes like proxy bouncing.

OPTIONS
       -i, --inetd
	   Run from inetd (default: off).

       -a, --standalone=[address:]port
	   Run as standalone daemon on specified address and port.  address
	   may be an IPv4 address, a bracket-enclosed IPv6 address or a
	   bracket-enclosed combination of IPv6 address, '%' and interface
	   name. The latter format is only required with link-local IPv6
	   addresses. The daemon listens on any address if address is not
	   given.

	   Examples
	       22, 123.45.67.89:22, [2001:db8::123:4567:89ab:cdef]:22,
	       [2001:db8::123:4567:89ab:cdef%eth0]:22

       -p, --proxy=host:port
	   Use host and port as the local proxy to connect to. If not
	   specified, the HTTP_PROXY environment variable, if set, is used
	   instead.

       -r, --remproxy=host:port
	   Use host and	port as	the remote (secondary) proxy to	connect	to.

       -d, --dest=host:port
	   Use host and port as the destination for the tunnel. You can also
	   specify them as the argument to the proxytunnel command.

       -e, --encrypt
	   SSL encrypt data between local proxy	and destination.

       -E, --encrypt-proxy
	   SSL encrypt data between client and local proxy.

       -X, --encrypt-remproxy
	   SSL encrypt data between local and remote (secondary) proxy.

ADDITIONAL OPTIONS
       -W, --wa-bug-29744
	   Workaround for ASF Bugzilla 29744: If SSL is in use (by -e, -E, -X
	   options), stop using it immediately after the CONNECT exchange to
	   work around Apache server bugs (this might not work on all setups).

       -B, --buggy-encrypt-proxy
	   Equivalent to -E -W (Provided for backwards compatibility).

       -z, --no-check-certificate
	   Do not verify server	SSL certificate	when establishing an SSL
	   connection. By default, the server SSL certificate is verified and
	   the target host name	is checked against the server certificate's
	   subject alternative names if	any are	present, or common name	if
	   there are no	subject	alternative names.

       -C, --cacert=filename/directory
	   Specify a CA	certificate file (or directory containing CA
	   certificate(s)) to trust when verifying a server SSL	certificate.
	   If a	directory is provided, it must be prepared with	OpenSSL's
	   c_rehash tool (default, unless changed at compile time using
	   DEFAULT_CA_FILE or DEFAULT_CA_DIR options: /etc/ssl/certs).

       -4, --ipv4
	   Enforce the use of IPv4 when	connecting to the local	proxy.

       -6, --ipv6
	   Enforce the use of IPv6 when	connecting to the local	proxy.

       -F, --passfile=filename
	   Use filename for reading username and password for HTTPS proxy
	   authentication. The file uses the same format as .wgetrc and can be
	   shared with wget. Use this option, or environment variables, to
	   hide the password from other users.

       -P, --proxyauth=username:password
	   Use username and password as credentials to authenticate against a
	   local HTTPS proxy. The username and password can also be specified
	   in the PROXYUSER and PROXYPASS environment variables to hide them
	   from other users. If the password is omitted and no PROXYPASS
	   environment variable is set, proxytunnel will prompt for a
	   password.

       -R, --remproxyauth=username:password
	   Use username and password as credentials to authenticate against a
	   remote (secondary) HTTPS proxy. The username and password can also
	   be specified in the REMPROXYUSER and REMPROXYPASS environment
	   variables to hide them from other users. If the password is omitted
	   and no REMPROXYPASS environment variable is set, proxytunnel will
	   prompt for a password.

       -c, --cert=filename
	   Provide the name of the file containing the SSL client certificate
	   to authenticate by client certificate against local proxy, remote
	   proxy or destination. The file must be in PEM format. In addition,
	   it may contain one or more intermediate certificates missing at
	   the server's end, effectively forming a certificate chain.
	   Requires specification of -k, --key in addition. Ignored if neither
	   -e, --encrypt nor -E, --encrypt-proxy nor -X, --encrypt-remproxy is
	   given.

       -k, --key=filename
	   Provide the name of the file	containing the SSL client key to
	   authenticate	by client certificate against local proxy, remote
	   proxy or destination. The file must be in PEM format. Requires
	   specification of -c,	--cert in addition. Ignored if neither -e,
	   --encrypt nor -E, --encrypt-proxy nor -X, --encrypt-remproxy	is
	   given.

       -N, --ntlm
	   Use NTLM based authentication.

       -t, --domain=STRING
	   Specify NTLM	domain (default: autodetect).

       -H, --header=STRING
	   Add additional HTTP headers to send to proxy.

       -o, --host=host[:port]
	   Send	a custom Host header. With SSL connections host	is also	sent
	   as SNI.

       -x, --proctitle=STRING
	   Use a different process title.

MISCELLANEOUS OPTIONS
       -v, --verbose
	   Turn	on verbosity.

       -q, --quiet
	   Suppress messages.

       -h, --help
	   Print help and exit.

       -V, --version
	   Print version and exit.

ARGUMENTS
       host:port is the	destination hostname and port number combination.

	   Note

	   Specifying the destination as arguments is exactly the same as
	   specifying them using the -d	or --dest option.

USAGE
       Depending on your situation you might want to do	any of the following
       things:

          Connect through a local proxy to your home system on	port 22

	       $ proxytunnel -v	-p proxy.company.com:8080 -d system.home.nl:22

          Connect through a local proxy (with authentication) to your home
	   system

	       $ proxytunnel -v	-p proxy.company.com:8080 -P username:password -d system.home.nl:22

          Connect through a local proxy (with authentication) hiding your
	   password

	       $ export	PROXYPASS=password
	       $ proxytunnel -v	-p proxy.company.com:8080 -P username -d system.home.nl:22

          Connect through a local proxy to a remote proxy and bounce to any
	   system

	       $ proxytunnel -v	-p proxy.company.com:8080 -r proxy.athome.nl:443 -d system.friend.nl:22

          Connect using SSL through a local proxy to your home	system

	       $ proxytunnel -v	-E -p proxy.company.com:8080 -d	system.home.nl:22

OPENSSH	CONFIGURATION
       To use this program with	OpenSSH	to connect to a	host somewhere,	create
       a ~/.ssh/config file with the following content:

	   Host	system.athome.nl
	       ProxyCommand proxytunnel	-p proxy.company.com:8080 -d %h:%p
	       ServerAliveInterval 30

	   Note

	   The ServerAliveInterval directive makes sure	that idle connections
	   are not being dropped by intermediate firewalls that	remove active
	   sessions aggressively. If you see your connection dropping out, try
	   to lower the	value even more.

       To use the dynamic (SOCKS) port forwarding capability of the SSH
       client, you can specify the DynamicForward directive in your
       ssh_config file like:

	   Host	system.athome.nl
	       DynamicForward 1080
	       ProxyCommand proxytunnel	-p proxy.company.com:8080 -d %h:%p
	       ServerAliveInterval 30
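
       The following lint is an added example, not part of proxytunnel or
       of the original manual page. It scans ssh_config-style input for
       ProxyCommand lines that give proxytunnel an inline password (-P, -R,
       --proxyauth, --remproxyauth) or disable certificate verification
       (-z). The host names and the passfile path are constructed.

```shell
# Added example, not part of proxytunnel: lint ssh_config-style input for
# risky proxytunnel options. Host names and the passfile path are constructed.
sample_config() {
    cat <<'EOF'
Host system.athome.nl
    ProxyCommand proxytunnel -p proxy.company.com:8080 -P username:password -d %h:%p
Host bounce.athome.nl
    ProxyCommand proxytunnel -z -E -p proxy.company.com:8080 -P username -d %h:%p
Host safe.athome.nl
    ProxyCommand proxytunnel -E -p proxy.company.com:8080 -F ~/.proxytunnel-pass -d %h:%p
EOF
}

# Reads FILE (or stdin), prints one finding per line, returns 1 if any found.
# The password itself is never echoed, only the option that carried it.
audit_proxytunnel() {
    awk '
        # Only ProxyCommand lines that invoke proxytunnel are of interest.
        tolower($1) != "proxycommand" || $0 !~ /proxytunnel/ { next }
        {
            for (i = 2; i <= NF; i++) {
                opt = $i; val = ""
                if (opt ~ /^--(rem)?proxyauth=/) {          # --proxyauth=user:pass
                    val = substr(opt, index(opt, "=") + 1); sub(/=.*/, "", opt)
                } else if (opt ~ /^-[PR]./) {               # -Puser:pass
                    val = substr(opt, 3); opt = substr(opt, 1, 2)
                } else if (opt ~ /^(-P|-R|--proxyauth|--remproxyauth)$/) {
                    val = $(i + 1)                          # -P user:pass
                }
                if (val ~ /:./) {
                    print "line " NR ": " opt " carries a password in the process arguments"
                    bad = 1
                }
                if (opt == "-z" || opt == "--no-check-certificate") {
                    print "line " NR ": " opt " disables server certificate verification"
                    bad = 1
                }
            }
        }
        END { exit bad + 0 }
    ' "${1:--}"
}

sample_config | audit_proxytunnel || true
```

       Run it against a real file with audit_proxytunnel ~/.ssh/config; a
       non-zero exit status means at least one finding was printed.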

NOTES
	   Important

	   Most	HTTPS proxies do not allow access to ports other than HTTPS
	   (tcp/443) and SNEWS (tcp/563). In this case you need	to make	sure
	   the SSH daemon or remote proxy on the destination system is
	   listening on	either tcp/443 or tcp/563 to get through.
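
       The port restriction described above can be checked from the proxy
       side. This added example (not from the original manual page) lists
       CONNECT requests to ports other than 443 and 563 and shows whether
       the proxy allowed them. It assumes Squid's native access.log field
       layout; the log lines, addresses and the ALLOWED_PORTS variable are
       constructed for the example.

```shell
# Constructed sample lines in Squid's native access.log layout (assumed):
# time elapsed client code/status bytes method URL user hierarchy type
sample_access_log() {
    cat <<'EOF'
1741340000.123    540 10.0.0.15 TCP_TUNNEL/200 4821 CONNECT www.example.org:443 - HIER_DIRECT/192.0.2.10 -
1741340012.456     12 10.0.0.15 TCP_DENIED/403 3920 CONNECT system.home.nl:22 - HIER_NONE/- text/html
1741340020.789  90211 10.0.0.23 TCP_TUNNEL/200 182734 CONNECT system.home.nl:22 - HIER_DIRECT/198.51.100.7 -
1741340031.001     85 10.0.0.23 TCP_MISS/200 1532 GET http://www.example.org/ - HIER_DIRECT/192.0.2.10 text/html
1741340040.500    300 10.0.0.31 TCP_TUNNEL/200 9100 CONNECT [2001:db8::123:4567:89ab:cdef]:563 - HIER_DIRECT/2001:db8::123:4567:89ab:cdef -
EOF
}

# Prints "client destination verdict" for every CONNECT whose port is not in
# ALLOWED_PORTS (default: 443 and 563, the ports named in the NOTES section).
connects_off_policy() {
    awk -v allowed="${ALLOWED_PORTS:-443 563}" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $6 == "CONNECT" {
            k = split($7, part, ":")      # port follows the last colon (IPv6-safe)
            port = part[k]
            if (!(port in ok)) {
                split($4, st, "/")        # e.g. TCP_TUNNEL/200 -> st[2] = 200
                verdict = (st[2] == "200") ? "ALLOWED" : "denied"
                print $3, $7, verdict
            }
        }
    ' "${1:--}"
}

sample_access_log | connects_off_policy
```

       An ALLOWED verdict for a port outside the list means the proxy's
       CONNECT policy is wider than the one this section describes.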

ENVIRONMENT
       Proxytunnel can be influenced by	setting	one of the following
       environment variables:

       HTTP_PROXY
	   If this environment variable	is set,	proxytunnel will use it	as the
	   local proxy if -p or	--proxy	is not provided.

       PROXYUSER
	   If this environment variable	is set,	proxytunnel will use it	as the
	   username for	proxy authentication, unless specified using the -P or
	   --proxyauth option.

       PROXYPASS
	   If this environment variable	is set,	proxytunnel will use it	as the
	   password for	proxy authentication, unless specified using the -P or
	   --proxyauth option.

       REMPROXYUSER
	   If this environment variable	is set,	proxytunnel will use it	as the
	   username for	remote (secondary) proxy authentication, unless
	   specified using the -R or --remproxyauth option.

       REMPROXYPASS
	   If this environment variable	is set,	proxytunnel will use it	as the
	   password for	remote (secondary) proxy authentication, unless
	   specified using the -R or --remproxyauth option.

SEE ALSO
	   ssh(1), ssh_config(8)

BUGS
       This software is	bug-free, at least we'd	like to	think so. If you do
       not agree with us, please provide the proof with	your friendly report
       at https://github.com/proxytunnel/proxytunnel/issues :)

AUTHOR
       This manpage was initially written by Loïc Le Guyader
       <loic.leguyader@laposte.net[1]> for the Debian GNU/Linux system,
       revamped in asciidoc by Dag Wieërs <dag@wieers.com[2]> and is now
       maintained by the Proxytunnel developers.

       Homepages at https://proxytunnel.sourceforge.io and
       https://github.com/proxytunnel/proxytunnel

NOTES
	1. loic.leguyader@laposte.net
	   mailto:loic.leguyader@laposte.net

	2. dag@wieers.com
	   mailto:dag@wieers.com

  1.12.3			  2025-03-07			PROXYTUNNEL(1)
