Proxy settings

From ArchWiki
Latest revision as of 02:05, 8 June 2016

Related articles: HTTP tunneling

A proxy is "an interface for a service, especially for one that is remote, resource-intensive, or otherwise difficult to use directly". Source: Proxy - Wiktionary.

Environment variables

Some programs, such as wget and curl (whose library pacman uses for downloads), use environment variables of the form protocol_proxy to determine the proxy for a given protocol (e.g. HTTP, FTP, ...).

Below is an example on how to set these variables in a shell:

 export http_proxy=http://10.203.0.1:5187/
 export https_proxy=$http_proxy
 export ftp_proxy=$http_proxy
 export RSYNC_PROXY=10.203.0.1:5187   # rsync reads RSYNC_PROXY only, as host:port without a scheme
 export no_proxy="localhost,127.0.0.1,localaddress,.localdomain.com"

Some programs look for the all caps version of the environment variables, so it is common to set both forms. curl is a deliberate exception: it honours HTTPS_PROXY and FTP_PROXY but ignores HTTP_PROXY, because a CGI environment sets HTTP_* variables from client request headers and a remote client could otherwise redirect the server's outgoing requests.

If the proxy environment variables are to be made available to all users and all applications, the export commands above may be put in a script such as /etc/profile.d/proxy.sh. Arch's /etc/profile sources every readable *.sh file in that directory for login shells, so the file only needs to be readable (making it executable as well does no harm) and takes effect at the next login. Because such a file is world-readable, do not put a proxy URL with embedded credentials in it. This method is helpful with a desktop environment like Xfce which does not provide an option for proxy configuration; for example, Chromium will use the variables set this way when running under Xfce.

Alternatively you can automate the toggling of the variables by adding a function to your .bashrc (thanks to Alan Pope for original script idea)

function proxy_on() {
    local addr user pass pre="" server port
    export no_proxy="localhost,127.0.0.1,localaddress,.localdomain.com"
    export NO_PROXY=$no_proxy

    if (( $# > 0 )); then
        # Non-interactive form: proxy_on host:port (hostname or IPv4, no credentials)
        addr="$1"
        if [[ ! "$addr" =~ ^[A-Za-z0-9.-]+:[0-9]{1,5}$ ]]; then
            >&2 echo "Invalid address, expected host:port"
            return 1
        fi
        export http_proxy="http://$addr/"
        export https_proxy=$http_proxy
        export ftp_proxy=$http_proxy
        export HTTP_PROXY=$http_proxy HTTPS_PROXY=$http_proxy FTP_PROXY=$http_proxy
        # rsync reads RSYNC_PROXY only, as host:port without a scheme
        export RSYNC_PROXY="$addr"
        echo "Proxy environment variable set."
        return 0
    fi

    # Interactive form: optional credentials, then server and port
    read -r -p "username: " user
    if [[ -n "$user" ]]; then
        read -r -s -p "password: " pass; echo
        pre="$user:$pass@"
    fi
    read -r -p "server: " server
    read -r -p "port: " port
    export http_proxy="http://$pre$server:$port/"
    export https_proxy=$http_proxy
    export ftp_proxy=$http_proxy
    export HTTP_PROXY=$http_proxy HTTPS_PROXY=$http_proxy FTP_PROXY=$http_proxy
    # rsync 3 also accepts user:pass@host:port here, again without a scheme
    export RSYNC_PROXY="$pre$server:$port"
    echo "Proxy environment variable set."
}

function proxy_off() {
    # Remove every variable proxy_on set, the upper-case copies included
    unset http_proxy https_proxy ftp_proxy no_proxy
    unset HTTP_PROXY HTTPS_PROXY FTP_PROXY RSYNC_PROXY NO_PROXY
    echo "Proxy environment variable removed."
}

Omit username or password if they are not needed. If the password contains characters that have a meaning inside a URL (such as @, : or /), it must be percent-encoded before it goes into http_proxy, or the URL will be parsed wrongly. Remember that the whole URL, password included, is inherited by every process started from the shell.
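The functions above take the username and password verbatim and simply export no_proxy. The following bash functions, added here as an example and not part of the ArchWiki page or of any project's code, show the details a practitioner usually has to handle: percent-encoding credentials so that a password containing @, : or / survives inside the URL, masking the password before echoing the URL back, and applying the no_proxy matching rules that curl and wget use (exact host or parent-domain match, leading dot optional, * for everything). The function names and the sample values are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not taken from the ArchWiki page: builds a proxy URL with
# percent-encoded credentials, masks the password for display, and decides
# whether a host bypasses the proxy under the usual no_proxy rules.
# All function names are this example's own.

# Percent-encode every byte except RFC 3986 unreserved characters, so that a
# password containing '@', ':' or '/' cannot be mistaken for URL structure.
urlencode() {
    local LC_ALL=C s="$1" out="" c i
    for (( i = 0; i < ${#s}; i++ )); do
        c="${s:i:1}"
        case "$c" in
            [A-Za-z0-9._~-]) out+="$c" ;;
            *) out+=$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
}

# Assemble http://[user[:pass]@]host:port/ ; user and pass may be empty.
build_proxy_url() {
    local user="$1" pass="$2" host="$3" port="$4" cred=""
    if [[ -n "$user" ]]; then
        cred="$(urlencode "$user")"
        [[ -n "$pass" ]] && cred+=":$(urlencode "$pass")"
        cred+="@"
    fi
    printf 'http://%s%s:%s/' "$cred" "$host" "$port"
}

# Replace the password part of a proxy URL with *** for prompts and logs.
mask_proxy_url() {
    printf '%s' "$1" | sed -E 's#^([a-z]+://[^:/@]*):[^@]*@#\1:***@#'
}

# Return 0 if HOST should bypass the proxy according to LIST (a no_proxy
# value): comma-separated entries, "*" matches everything, otherwise an
# entry matches when it equals the host or is one of its parent domains
# (a leading dot is optional, as in curl and wget).
no_proxy_match() {
    local host="${1,,}" list="$2" entry
    local -a entries
    IFS=',' read -r -a entries <<< "$list"
    for entry in "${entries[@]}"; do
        entry="${entry// /}"; entry="${entry,,}"
        [[ -z "$entry" ]] && continue
        [[ "$entry" == "*" ]] && return 0
        entry="${entry#.}"
        [[ "$host" == "$entry" || "$host" == *".$entry" ]] && return 0
    done
    return 1
}

# Print the proxy to use for HOST, or nothing if it is bypassed.
proxy_for_host() {
    if no_proxy_match "$1" "${no_proxy:-}"; then
        printf ''
    else
        printf '%s' "${http_proxy:-}"
    fi
}

# Constructed sample values (not a real proxy); the masked form is what a
# proxy_on-style function should echo back to the terminal.
sample_url=$(build_proxy_url 'alice' 'p@ss:w/rd' 'proxy.localdomain.com' 8080)
printf 'proxy: %s\n' "$(mask_proxy_url "$sample_url")"
```

proxy_for_host is the check to run before trusting a no_proxy list: an entry like localdomain.com bypasses the proxy for every host under it, while 127.0.0.1 only matches that literal address, so a private range such as 10.0.0.0/8 still needs each host (or a resolvable domain suffix) listed.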

As an alternative, you may want to use the following script. Change the strings "YourUserName", "ProxyServerAddress:Port", "LocalAddress" and "LocalDomain" to match your own data, then add the edited functions to your ~/.bashrc. Any new bash window will have the new functions; in existing bash windows, type source ~/.bashrc. You may prefer to put the function definitions in a separate file like functions and add source functions to .bashrc instead of putting everything in .bashrc. You may also want to change the name "myProxy" to something short and easy to type.

 #!/bin/bash
 # Sourced from ~/.bashrc: this file only defines functions.

 PROXY_ENV="http_proxy ftp_proxy https_proxy all_proxy HTTP_PROXY HTTPS_PROXY FTP_PROXY ALL_PROXY"

 assignProxy(){
   local envar
   for envar in $PROXY_ENV
   do
     export "$envar=$1"
   done
   # Must stay unquoted: quoting "no_proxy NO_PROXY" made this loop run once
   # with that whole string as the variable name, so no_proxy was never set.
   for envar in no_proxy NO_PROXY
   do
     export "$envar=$2"
   done
 }

 clrProxy(){
   local envar
   # Unset the variables rather than exporting empty strings: an empty but
   # present http_proxy is still passed on to every child process.
   for envar in $PROXY_ENV no_proxy NO_PROXY
   do
     unset "$envar"
   done
 }

 myProxy(){
   local user=YourUserName pass proxy_value no_proxy_value
   read -r -s -p "Password: " pass && echo
   proxy_value="http://$user:$pass@ProxyServerAddress:Port"
   no_proxy_value="localhost,127.0.0.1,LocalAddress,LocalDomain.com"
   assignProxy "$proxy_value" "$no_proxy_value"
 }
 

Keep proxy through sudo

If the proxy environment variables are set for the user only (say, from manual commands or ~/.bashrc) they are lost when running commands with sudo (or when programs use sudo internally), because sudo resets the environment by default.

A way to prevent that is to add the following line to the sudo configuration, either in /etc/sudoers via visudo or in a drop-in file such as /etc/sudoers.d/proxy edited with visudo -f /etc/sudoers.d/proxy (both check the syntax before saving):

Defaults env_keep += "http_proxy https_proxy ftp_proxy"

Any other variable, such as no_proxy or RSYNC_PROXY, can be added to the list; keep no_proxy together with the others, otherwise the elevated command sends traffic for local hosts through the proxy. Bear in mind that if the proxy URL embeds a username and password, env_keep hands those credentials to every command run through sudo. Verify the result with sudo env | grep -i proxy.

Automation with network managers

  • NetworkManager cannot change the environment variables.
  • netctl could set up these environment variables, but they would not be seen by other applications, as those are not children of netctl.

About libproxy

libproxy (which is available in the extra repository) is an abstraction library which should be used by all applications that want to access a network resource. It still is in development but could lead to a unified and automated handling of proxies in GNU/Linux if widely adopted.

The role of libproxy is to read the proxy settings from different sources and make them available to applications which use the library. The interesting part with libproxy is that it offers an implementation of the Web Proxy Autodiscovery Protocol and an implementation of Proxy Auto-Config that goes with it.

The /usr/bin/proxy binary takes URL(s) as argument(s) and returns the proxy/proxies that could be used to fetch this/these network resource(s).

Note: the version 0.4.11 does not support http_proxy='wpad:' because { pkg-config 'mozjs185 >= 1.8.5'; } fails .

As of 06/04/2009 libproxy is required by libsoup. It is then indirectly used by the midori browser.

Web Proxy Options

  • Squid is a very popular caching/optimizing proxy
  • Privoxy is an anonymizing and ad-blocking proxy
  • For a simple proxy, ssh with port forwarding can be used

Simple Proxy with SSH

Connect to a server (HOST) on which you have an account (USER) as follows:

ssh -N -D PORT USER@HOST

For PORT, choose an unprivileged port (above 1023) that is not already in use locally. ssh then acts as a SOCKS server on that local port: connections made to it are carried through the SSH session and leave from HOST; -N just skips the remote login shell. By default -D binds only to the loopback address, so other machines cannot use the tunnel unless you give an explicit bind address (-D 0.0.0.0:PORT) and the GatewayPorts setting allows it. Software supporting SOCKS proxy servers can simply be configured to connect to PORT on localhost; prefer SOCKS5 with remote name resolution (curl's --socks5-hostname, Firefox's "Proxy DNS when using SOCKS v5") so that DNS lookups do not leak outside the tunnel.

Using a SOCKS proxy

There are two cases:

  • the application you want to use handles SOCKS5 proxies (for example Firefox), then you just have to configure it to use the proxy.
  • the application you want to use does not handle SOCKS proxies, then you can try to use tsocks or proxychains-ng. Both work by preloading a library (LD_PRELOAD) that intercepts the program's socket calls, so they cannot help with statically linked or setuid binaries; tsocks does not redirect DNS lookups, while proxychains-ng does when proxy_dns is enabled in its configuration (the default).

In Firefox, you can use the SOCKS proxy in the menu Preferences > Network > Settings. Choose "Manual Proxy Configuration", and set the SOCKS Host (and only this one, make sure the other fields, such as HTTP Proxy or SSL Proxy are left empty). For example, if a SOCKS5 proxy is running on localhost port 8080, put "127.0.0.1" in the SOCKS Host field, "8080" in the Port field, and validate.

If using proxychains-ng, the configuration takes place in /etc/proxychains.conf. You may have to uncomment the last line (set by default to use Tor), and replace it with the parameters of the SOCKS proxy. For example, if you are using the same SOCKS5 proxy as above, you will have to replace the last line by:

socks5 127.0.0.1 8080

Then, proxychains-ng can be launched with

proxychains <program>

Where <program> can be any program already installed on your system (e.g. xterm, gnome-terminal, etc). Processes started from it inherit the preloaded library, so proxying a terminal proxies everything launched from that terminal.

If using tsocks, the configuration takes place in /etc/tsocks.conf. See man 5 tsocks.conf for the options. An example minimum configuration looks like this:

/etc/tsocks.conf
server = 127.0.0.1
server_port = 8080
server_type = 5

Proxy settings on GNOME3

Some programs like Chromium prefer to use the settings stored by gnome. These settings can be modified through the gnome-control-center front end and also through gsettings.

gsettings set org.gnome.system.proxy mode 'manual' 
gsettings set org.gnome.system.proxy.http host 'proxy.localdomain.com'
gsettings set org.gnome.system.proxy.http port 8080
gsettings set org.gnome.system.proxy.ftp host 'proxy.localdomain.com'
gsettings set org.gnome.system.proxy.ftp port 8080
gsettings set org.gnome.system.proxy.https host 'proxy.localdomain.com'
gsettings set org.gnome.system.proxy.https port 8080
gsettings set org.gnome.system.proxy ignore-hosts "['localhost', '127.0.0.0/8', '10.0.0.0/8', '192.168.0.0/16', '172.16.0.0/12' , '*.localdomain.com' ]"

This configuration can also be applied automatically when NetworkManager connects to specific networks, using the proxydriverAUR package from the AUR.
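To keep environment-aware and gsettings-aware programs consistent, the following bash script, added here as an example and not taken from the ArchWiki page, derives the GNOME keys listed above from http_proxy and no_proxy: it parses host and port out of the proxy URL (dropping any embedded credentials rather than copying them into dconf), converts the no_proxy list to the ignore-hosts array syntax, and issues the gsettings commands, or prints them when DRY_RUN=1 or gsettings is absent. The function names, the DRY_RUN variable and the sample values are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not taken from the ArchWiki page: derives the GNOME proxy
# settings from the http_proxy and no_proxy environment variables, so that
# programs reading gsettings (Chromium, GNOME applications) and programs
# reading the environment agree. The gsettings keys are those shown on the
# page; the function names and DRY_RUN are this example's own.

# Split a proxy URL into "host port". Credentials are deliberately dropped:
# org.gnome.system.proxy.http keeps them in separate keys, and writing a
# password into dconf should be a conscious choice, not a side effect.
parse_proxy_url() {
    local url="$1" rest host port
    rest="${url#*://}"      # strip scheme
    rest="${rest##*@}"      # strip user:pass@, if present
    rest="${rest%%/*}"      # strip path
    if [[ "$rest" != *:* ]]; then
        printf 'proxy URL has no explicit port: %s\n' "$url" >&2
        return 1
    fi
    host="${rest%:*}"; port="${rest##*:}"
    if [[ ! "$port" =~ ^[0-9]+$ ]]; then
        printf 'proxy URL has a non-numeric port: %s\n' "$url" >&2
        return 1
    fi
    printf '%s %s' "$host" "$port"
}

# Convert a no_proxy list to the GVariant string array that the
# ignore-hosts key expects; ".example.com" becomes "*.example.com".
no_proxy_to_ignore_hosts() {
    local entry joined=""
    local -a entries
    IFS=',' read -r -a entries <<< "$1"
    for entry in "${entries[@]}"; do
        entry="${entry// /}"
        [[ -z "$entry" ]] && continue
        [[ "$entry" == .* ]] && entry="*$entry"
        joined+="${joined:+, }'$entry'"
    done
    printf '[%s]' "$joined"
}

# Write the GNOME keys. When gsettings is missing (or DRY_RUN=1), the
# commands are printed instead of executed.
apply_gnome_proxy() {
    local url="${http_proxy:-}" hostport host port scheme
    if [[ -z "$url" ]]; then
        echo "http_proxy is not set" >&2
        return 1
    fi
    hostport=$(parse_proxy_url "$url") || return 1
    read -r host port <<< "$hostport"
    local -a run=(gsettings)
    if [[ "${DRY_RUN:-0}" = 1 ]] || ! command -v gsettings >/dev/null 2>&1; then
        run=(echo gsettings)
    fi
    "${run[@]}" set org.gnome.system.proxy mode 'manual'
    for scheme in http https ftp; do
        "${run[@]}" set "org.gnome.system.proxy.$scheme" host "$host"
        "${run[@]}" set "org.gnome.system.proxy.$scheme" port "$port"
    done
    "${run[@]}" set org.gnome.system.proxy ignore-hosts \
        "$(no_proxy_to_ignore_hosts "${no_proxy:-}")"
}

# Constructed sample (not a real proxy), run as a dry run so dconf is untouched.
http_proxy='http://alice:p%40ss@proxy.localdomain.com:8080/' \
no_proxy='localhost,127.0.0.1,.localdomain.com' DRY_RUN=1 apply_gnome_proxy
```

Run it with DRY_RUN=1 first to see the exact gsettings calls. If the proxy requires credentials, org.gnome.system.proxy.http also has the use-authentication, authentication-user and authentication-password keys; set those on purpose rather than letting a script copy them out of http_proxy.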

Microsoft NTLM proxy

In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols which provides authentication, integrity, and confidentiality to users.

cntlmAUR from the AUR stands between your applications and the NTLM proxy, adding NTLM authentication on-the-fly. You can specify several "parent" proxies and Cntlm will try one after another until one works. All authenticated connections are cached and reused to achieve high efficiency.

(NTLM PROXY IP:PORT + CREDENTIALS + OTHER INFO) -----> (127.0.0.1:PORT)

Configuration

Change settings in /etc/cntlm.conf as needed, except for the password. Then run:

$ cntlm -H

This prompts for the password and prints three hashes (PassLM, PassNT and PassNTLMv2) derived from your proxy domain, username and password.

Warning: keeping the plain-text password in /etc/cntlm.conf exposes it to anyone who can read the file, so store the hashes instead. The hashes are what NTLM actually uses, so they are still sufficient to authenticate as you and the file must not be world-readable. Note also that the NTLM exchange itself travels over plain HTTP on the LAN: a sniffer such as ettercap can capture the challenge/response pairs for offline cracking, whichever form you store.

Edit /etc/cntlm.conf again, include all three generated hashes in place of the Password line, then enable cntlm.service.

To test settings, run:

$ cntlm -v

Usage

Use 127.0.0.1:<port> or localhost:<port> as the proxy address. <port> matches the Listen parameter in /etc/cntlm.conf, which by default is 3128.