
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

5 votes
1 answers
16004 views
How to use authentication with negotiation (e.g. Kerberos) to HTTP proxy?
Generally accepted is the use of `HTTP_PROXY`/`HTTPS_PROXY` environment variables to specify the use of a proxy server. Authentication can be included in this URL, e.g. `HTTP_PROXY=http://user:pass@myproxy.mydomain.tld:3128/`. However, I am using Kerberos SSO to authenticate with the proxy. How do I configure that?

So, suppose a Squid proxy server configuration as described here: https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos. It describes how Windows clients can use proxy authentication with negotiation, but there's no information how I can configure Linux/Unix clients.

For cURL, the use of `--proxy-negotiate -u :` does the trick, e.g.:

```
HTTPS_PROXY=http://myproxy.mydomain.tld:3128/ curl --proxy-negotiate -u : https://www.google.com
```

How do I tell non-cURL applications to use this mechanism? E.g. Debian/Ubuntu APT with `Acquire::http::Proxy "http://myproxy.mydomain.tld:3128/";`?

I found [cntlm](http://manpages.ubuntu.com/manpages/xenial/man1/cntlm.1.html) which acts as another locally running proxy in the middle, facilitating unauthenticated connections from localhost. However, this only works with NTLM, where I need Kerberos.

Would Squid be able to connect as a client using Kerberos perhaps? It seems notoriously hard to find authentication capabilities on the *outgoing* connection of proxy servers. All seem to focus on authentication features on the *listening socket* instead.
gertvdijk (14517 rep)
Dec 22, 2017, 12:43 PM • Last activity: Jul 26, 2025, 10:09 PM
0 votes
1 answers
2813 views
SSH through HTTP proxy with corkscrew
I'm running into an issue connecting from a Cygwin terminal to my home Raspberry Pi with SSH from behind an HTTP proxy. It used-to-work™ and I don't know what changed since a few days ago (maybe the proxy filtering?). I can still connect from outside the proxy-ed network without corkscrew.

Client-wise, my ssh-config is as follows:

```
Host *
    ServerAliveInterval 60
    ProxyCommand /bin/corkscrew http.proxy.here 80 %h %p
```

And the connection attempt gives this:

```
blx@proxyed-pc:~$ ssh blx@my.home.ip -v
OpenSSH_7.9p1, OpenSSL 1.0.2p 14 Aug 2018
debug1: Reading configuration data /home/blx/.ssh/config
debug1: /home/blx/.ssh/config line 1: Applying options for *
debug1: Executing proxy command: exec /bin/corkscrew http.proxy.here 80 my.home.ip 22
debug1: identity file /home/blx/.ssh/id_rsa type -1
debug1: identity file /home/blx/.ssh/id_rsa-cert type -1
debug1: identity file /home/blx/.ssh/id_dsa type -1
debug1: identity file /home/blx/.ssh/id_dsa-cert type -1
debug1: identity file /home/blx/.ssh/id_ecdsa type 2
debug1: identity file /home/blx/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/blx/.ssh/id_ed25519 type -1
debug1: identity file /home/blx/.ssh/id_ed25519-cert type -1
debug1: identity file /home/blx/.ssh/id_xmss type -1
debug1: identity file /home/blx/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
ssh_exchange_identification: Connection closed by remote host
```

Server-wise, /var/log/auth reports this:

```
Nov 26 13:39:36 raspi sshd: debug1: Forked child 19699.
Nov 26 13:39:36 raspi sshd: debug1: Set /proc/self/oom_score_adj to 0
Nov 26 13:39:36 raspi sshd: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Nov 26 13:39:36 raspi sshd: debug1: inetd sockets after dupping: 3, 3
Nov 26 13:39:36 raspi sshd: debug1: getpeername failed: Transport endpoint is not connected
Nov 26 13:39:36 raspi sshd: debug1: ssh_remote_port failed
```

So the TCP connection seems broken, but I don't seem to have this issue when I try to connect with corkscrew directly (i.e. `$ corkscrew http.proxy.here 80 my.home.ip 22`):

```
Nov 26 13:39:32 raspi sshd: debug1: Forked child 19698.
Nov 26 13:39:32 raspi sshd: debug1: Set /proc/self/oom_score_adj to 0
Nov 26 13:39:32 raspi sshd: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Nov 26 13:39:32 raspi sshd: debug1: inetd sockets after dupping: 3, 3
Nov 26 13:39:32 raspi sshd: Connection from http.proxy.here port 28220 on 192.168.0.11 port 22
Nov 26 13:39:32 raspi sshd: Did not receive identification string from http.proxy.here port 28220
```

But then of course sshd doesn't know what to do with this...

Any tip? Since I don't think I changed anything in my setup I suspect a sneaky update of the proxy filtering policy that puts me in this situation, but I have no way to be sure. I will try and update my router and Pi to use port 443 when I get home.
blx (11 rep)
Nov 26, 2018, 12:59 PM • Last activity: May 12, 2025, 04:03 AM
3 votes
1 answers
1928 views
Use socks proxy in terminal
I am using selektor, which is similar to vidalia tor bundle. The default settings use safe socks with port number 9054. It is fine and when I set the firefox proxy to "use system proxy", I can access blocked website, e.g. www.torproject.org

As I enter `wget http://torproject.org`, that will not use the vpn established. What can I do, in order to make it work? I don't want to use a prefix such as `foo wget www.torproject.org`. Is there any way to define a `socks_proxy` variable? I see `http_proxy` which is not appropriate here. Any idea?
mahmood (1271 rep)
Mar 29, 2018, 03:46 PM • Last activity: Apr 19, 2025, 03:05 PM
1 votes
1 answers
2433 views
squid, TLS connection between browser and proxy
I have a `squid` instance (v4.6) on a public address `A.B.C.D` setup with `basic_auth` (`ldap` backend). This works over **unencrypted** port, say `8080`, using `http_port A.B.C.D:8080`. I'm trying to figure out how to secure connections to my `squid` over the insecure Internet (only authenticated users should be allowed to use the proxy). I'm using PROXY in the current Firefox 75 to test the connection. I tried many things, including:

```
https_port A.B.C.D:8443 tls-cert=/path/to/cert tls-key=/path/to/key
SLL_ports 8443
```

When I enter this port to the Firefox PROXY settings, nothing happens, no `basic_auth` prompt is shown, nothing. Logs say:

```
1587588731.539 0 F.G.H.I NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
```

Is it possible to secure `basic_auth` (using TLS) when using PROXY? Sending unencrypted passwords over the Internet is simply wrong. I started to think about putting nginx with TLS and `basic_auth` in front of `squid`, but I do not know yet if this is possible. Could someone help?
Kamil (1501 rep)
Apr 22, 2020, 09:01 PM • Last activity: Apr 8, 2025, 04:08 AM
0 votes
1 answers
257 views
Setting up `iptables` for use with an external HTTP proxy
I have a linux machine and an external HTTP proxy. I couldn't figure out how can I transfer the whole traffic (udp also if possible) of my system using `iptables`.

```
sudo iptables -t nat -N PROXY_CHAIN
sudo iptables -t nat -A PROXY_CHAIN -d [proxy-ip] -p tcp --dport [proxy-port] -j ACCEPT
sudo iptables -t nat -A PROXY_CHAIN -p tcp -j REDIRECT --to-port [proxy-port]
sudo iptables -t nat -A OUTPUT -p tcp -j PROXY_CHAIN
sudo iptables -t nat -A OUTPUT -p tcp -j PROXY_CHAIN
sudo /sbin/iptables-save
```

These are the commands I ran, but it's not working.
Mr Wrench (1 rep)
Apr 10, 2023, 12:41 PM • Last activity: Mar 19, 2025, 03:51 PM
12 votes
4 answers
10890 views
Can anybody recommend an HTTP debugging proxy?
I would like something that allows me to:

1. Inspect all HTTP(S) traffic between my computer and the Internet, including 127.0.0.1
2. Modify incoming or outgoing data
3. It would also be nice if it had a scripting subsystem for setting rules and events
4. I prefer it be a GUI application.

Please do not answer with WireShark. I am aware of WireShark and I have used it many many times and it's a great app. I would like something that restricts its captures to the application layer and HTTP(S) traffic only and ignores the other Internet Protocol Suite layers. Also, it doesn't have some of the features I listed above.
Dale Ragan (223 rep)
Aug 14, 2010, 03:07 AM • Last activity: Jan 26, 2025, 11:02 AM
2 votes
3 answers
2195 views
One line HTTP Proxy command?
Is there a simple, one-line command to run a HTTP Proxy? There are several one-line commands “serve this directory over HTTP” (e.g. `python -m SimpleHTTPServer`). Is there any command, or one-liner, for launching a HTTP Proxy like that?

I don't need to configure anything, this is just for short term, temporary use. It doesn't have to be efficient, or multithreaded, or performant. I want something FLOSS, and preferably just an `apt-get install` away on my Ubuntu Linux 18.04 desktop.
Amandasaurus (1336 rep)
Jun 9, 2020, 10:52 AM • Last activity: Dec 31, 2024, 05:07 AM
0 votes
1 answers
222 views
How to fix browser “Not secure” icon for given Apache config?
When configuring `ssl.conf` for Apache 2.2.4, I want to use some configuration like the below:

```
SSLEngine on
SSLCertificateFile /opt/alfresco/deploy/ssl/crt/testdns.com.crt
SSLCertificateKeyFile /opt/alfresco/deploy/ssl/private/testdns.com.key
SSLCertificateChainFile /opt/alfresco/deploy/ssl/crt/intermediate.crt
SSLVerifyClient none
SSLVerifyDepth 1
SSLOptions +StdEnvVars +StrictRequire
SSLProtocol -ALL +TLSv1
SetEnv nokeepalive ssl-unclean-shutdown
SSLProtocol +TLSv1 +TLSV1.2
```

When I use `+TLSv1` only, it gives me some error like below for my API calls:

```
javax.net.ssl.SSLException: Received fatal alert: protocol_version
```

If I use both protocols `SSLProtocol +TLSv1 +TLSv2`, it gives a browser “Not secure” indicator. How do I prevent it?

Cases are as follows:

- If I use only `+TLSv1`: My API calls are working fine.
- If I use only `+TLSv2`: Browser shows secure icon, but API call fails and gives the above error.
- If I use both, still browser shows “Not secure” icon.

What is the solution for it?
Iván Carvallo (9 rep)
Feb 18, 2020, 12:41 PM • Last activity: Jul 31, 2024, 10:54 PM
2 votes
1 answers
3919 views
Some packets are flagged as INVALID by iptables
I configured a proxypass rule in order to redirect requests from the port 443 to a JBoss server running on port 8080. All works fine except some 503 errors in the Apache log, around 10 per day.

In the error log:

> [error] (111)Connection refused: proxy: HTTP: attempt to connect to 127.0.0.1:8080 (127.0.0.1) failed

In the access log, I've a corresponding 503 error. Nothing in my JBoss log.

Each error coincides with a packet flagged as invalid in the kernel log. I performed a tcpdump and for each invalid packet, it was a TCP SYN from the proxy to the JBoss server.

Why are these packets flagged as invalid? Is that a serious problem? Can I accept all invalid packets from 127.0.0.1 to dport 8080?
Bob Sauvage (331 rep)
Feb 18, 2014, 08:50 AM • Last activity: Feb 23, 2024, 05:01 PM
69 votes
9 answers
99311 views
What's the 'right' format for the HTTP_PROXY environment variable? Caps or no caps?
I've encountered both `http_proxy` and `HTTP_PROXY`. Are both forms equivalent? Does one of them take precedence over the other?
Mihai (1152 rep)
Jun 29, 2015, 03:54 PM • Last activity: Feb 18, 2024, 09:48 AM
1 votes
1 answers
109 views
Would a Netgate 1100 with pfSense Plus Software support SquidGuard?
Would a Netgate 1100 with pfSense Plus Software support SquidGuard? I'd like to be able to do web filtering using that software / hardware combination. P.S. Apologies if I have posted this in an incorrect StackExchange, if so please move the question to the appropriate StackExchange.
leeand00 (4937 rep)
Sep 28, 2021, 01:46 AM • Last activity: Jan 21, 2024, 07:47 AM
1 votes
1 answers
540 views
Tinyproxy: listening and binding on different NICs (eth0, eth1). Routing issues
On a Linux server I have 2 NICs: `eth0` and `eth1`. The server has the IPs:

```
192.168.2.200/24 on eth0
192.168.3.200/24 on eth1
```

Both the networks have the default subnet mask (`255.255.255.0`) and the default gateway is `192.168.x.254`. The server is running tinyproxy with the following configuration.

```
Listen 192.168.2.200
Bind 192.168.3.200
```

The idea is to expose publicly on Internet a proxy where the traffic coming from `eth0` should reach the required resources on Internet via the other interface `eth1`.

It works in LAN only if I put 192.168.3.0 as default route with a lower metric. But then I can't forward ports anymore from the router on `eth0`, so I can only use the proxy inside my LAN but it's not accessible from outside. Instead if I put 192.168.2.0 as default route with a lower metric I can access the proxy from the Internet but it's not able to retrieve the resources via the `eth1` interface.

Maybe I need help with routing. What am I doing wrong? Thanks in advance.
Niccolò (13 rep)
Jan 3, 2024, 11:15 PM • Last activity: Jan 8, 2024, 11:34 PM
24 votes
8 answers
83171 views
Is there a way to set network proxy system-wide?
If I want to have GNOME applications (as well as Firefox and Chrome) access the network through a proxy, I need only use **`gnome-network-properties`** (a nice and simple GUI I must say). For other apps (e.g. APT, Transmission, XChat), I have to use their specific ways of doing it. Is there a way to avoid this, something I can turn on and off when in a network that requires a proxy (hostname:port)?
tshepang (67482 rep)
Mar 18, 2011, 07:27 AM • Last activity: May 7, 2023, 02:56 PM
2 votes
1 answers
369 views
3proxy via pptp-linux VPN
I have a situation:

- A computer with debian (K) is connected to the router (A), which distributes the network 192.168.1.0/24.
- There is another router (B) (it has a “white” ip), which distributes the network 172.16.1.0/30, on which the pptp server is running, on which NAT is enabled.
- The pptp client is installed on the "K", which creates the ppp1 interface with ip 172.16.1.2 (but the mask for some reason / 32 is also on the keenetic ("B") route from / 32 - apparently "to the node").
- The Connection passes, and the ping goes. The problem is the "triangular" route (well, I still think it is).
- When I connect to "K" (SSH, for example) from network "A", then everything works (eth0 - network "A" - default route).
- On the router "B" there is nat, forwarding connections from the Internet (to certain ports) to "K".
- Only in the packages "source" does not change to the one that the router has.
- However, this would not solve the problem entirely, because "K" has http-proxy, whose task is to send traffic from eth0 to ppp1.
- In the proxy settings (3proxy) I specified the "input" and "output" ip. Should work, probably, but does not work. The default route to change is not an option, since access to the Internet via eth0 is faster 7 times + another openvpn server is planned on the same computer that will accept connections from ppp1, and create connections via eth0 itself.

**ifconfig:**

```
eth0: flags=4163 mtu 1500
        inet 192.168.1.20 netmask 255.255.255.0 broadcast 192.168.1.255
        ether 02:02:20:02:47:8f txqueuelen 1000 (Ethernet)
        RX packets 5248 bytes 343827 (335.7 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 512 bytes 54725 (53.4 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
        device interrupt 37

ppp1: flags=4305 mtu 1350
        inet 172.16.1.2 netmask 255.255.255.255 destination 172.16.1.1
        ppp txqueuelen 3 (Point-to-Point Protocol)
        RX packets 8 bytes 118 (118.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 8 bytes 99 (99.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```

**/etc/3proxy/3proxy.cfg:**

```
setgid 115
setuid 109
#nserver 192.168.1.1
nserver 172.16.1.1
nscache 65536
timeouts 1 5 30 60 180 1800 15 60
#In theory, from this point on, traffic should go through the ppp1 interface.
external 172.16.1.2
internal 192.168.1.20
users $/etc/3proxy/.proxyauth
daemon
log /var/log/3proxy/3proxy.log D
logformat "- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
auth cache strong
proxy -n -p8080 -a
```
And more: DNS traffic sent by 3proxy goes freely (goes and returns) via ppp1 (watched with tcpdump).
Alex A. (183 rep)
Jan 8, 2019, 06:09 PM • Last activity: Apr 19, 2023, 08:28 AM
3 votes
1 answers
1825 views
Prevent requests to 127.0.0.1 from being forwarded to http_proxy
I have this on my machine:

```
$ cat /etc/profile.d/proxy.sh
export http_proxy=http://192.168.1.30:3128
export https_proxy=https://192.168.1.30:3128
```
That works great, until I need to use an HTTP interface with an application on the localhost.

```
$ wget localhost
--2023-03-02 06:54:52--  http://localhost/
Connecting to 192.168.1.30:3128... connected.
Proxy request sent, awaiting response... 503 Service Unavailable
2023-03-02 06:54:52 ERROR 503: Service Unavailable.

$ wget 127.0.0.1
--2023-03-02 06:55:20--  http://127.0.0.1/
Connecting to 192.168.1.30:3128... connected.
Proxy request sent, awaiting response... 403 Forbidden
2023-03-02 06:55:20 ERROR 403: Forbidden.
```

Is there a way to prevent `localhost` and `127.0.0.1` requests from being forwarded to the proxy?

---

Details: This machine isn't connected directly to the internet. It has no gateway or default route. But it is on a LAN with a proxy machine (192.168.1.30) that has a proxy server installed (port 3128) and has an internet connection.
```
$ ip addr
1: lo: ...
    inet 127.0.0.1/8 scope host lo
2: eno1: ...
    altname enp24s0f0
    inet 192.168.1.100/24 brd 192.168.1.255 scope global eno1

$ ip route
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.100

$ cat /etc/hosts
127.0.0.1   localhost

$ cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eno1
iface eno1 inet static
    address 192.168.1.100
    netmask 255.255.255.0
```
Stewart (15631 rep)
Mar 2, 2023, 12:34 PM • Last activity: Mar 2, 2023, 01:30 PM
1 votes
0 answers
75 views
Has the target of a HTTP CONNECT tunnel to be reachable from both client and proxy?
I am trying to tunnel ssh via HTTP. My apache virtual host config looks as follows:

```
ServerName proxy.example.org
ProxyRequests On
AllowCONNECT 22
Require all denied
Require all granted
```

Proxytunnel outputs the following:

```
proxytunnel -E -p proxy.example.org:443 -d ssh-container:22
-> Via proxy.example.org:443 -> ssh-container:22
HTTP return code: 404 Not Found
```

`ssh-container` is a docker container in the same network of the apache httpd container. `ssh ssh-container` is successful from inside the apache container.

If I now change `ssh-container` to something which is reachable from the client requesting the tunnel via proxy.example.org to the sshd (e.g. ssh.example.org:22) it works.

So why is that? I am assuming that if I tunnel via HTTP CONNECT that only the proxy has to be able to reach the target. I suspected some DNS issues (e.g. client has to resolve DNS), but even connecting via the proxy with the container IP as the target does not work.
Big X (11 rep)
Oct 7, 2022, 11:31 AM
0 votes
1 answers
158 views
How to define HTTP_PROXY uppercase as http_proxy lowercase in macos?
How to define HTTP_PROXY uppercase as http_proxy lowercase in macos? Is there a way to set HTTP_PROXY to work similarly as http_proxy?
1n4ho12 (3 rep)
Sep 29, 2022, 02:42 PM • Last activity: Sep 29, 2022, 02:48 PM
0 votes
0 answers
100 views
squid proxy on redhat 7 is not allowing http traffic
I have two squid proxy servers. They both have same squid.conf file. One is allowing http traffic but other is not allowing http traffic. https traffic is working via both squid proxies.

squid config is below:

```
acl localnet src 172.22.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl allowedlist dstdomain "/etc/squid/allowedlist"
http_access allow CONNECT localnet allowedlist
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet manager
http_access deny manager
http_access allow localnet
http_access deny all
http_port 4128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
```

I get this on site2 server:

```
--2022-09-16 09:55:09-- http://google.com/
Connecting to squidproxysite2:4128... connected.
Proxy request sent, awaiting response...
```

On site1 it's working:

```
wget www.google.com
--2022-09-16 09:56:43-- http://www.google.com/
Connecting to squidproxysite1:4128... connected.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

[ ] 15,368 --.-K/s in 0.01s

2022-09-16 09:56:43 (1.20 MB/s) - ‘index.html’ saved
```

Can anyone please advise what could be the issue?

Regards
AstraLino (1 rep)
Sep 16, 2022, 09:05 AM • Last activity: Sep 16, 2022, 10:40 AM
0 votes
1 answers
1448 views
Intercept and edit http requests on the fly
Is there a tool that'll let me programmatically inspect and edit http requests being emitted from my box on the fly? I'm hoping to create the ability to access mirrors of commonly downloaded files when the primary url is down. (Bonus points to solutions that can also work on MacOS and Windows)

More concretely, here's exactly what I'm hoping to achieve:

1. Process FOO on my machine attempts to make an https request to download a file from some external service: https://someserver.com/fileA
2. The interceptor tool notices the request being made and takes over. It proceeds to make the original request to https://someserver.com/fileA
3. If the request is successful, the bits are returned to process FOO
4. But if the request fails with some error code (perhaps someserver.com is down) then the interceptor tool instead makes a request to some other url (e.g. to https://backupserver.com/fileA)
5. The interceptor tool returns the value returned by the backup url to process FOO

(This will primarily be running on an Ubuntu box, but I'll eventually need something similar for Windows and MacOS as well)
Zain Rizvi (105 rep)
Jul 25, 2022, 09:20 PM • Last activity: Sep 6, 2022, 10:57 AM
1 votes
1 answers
2851 views
NginX - http and stream proxy on the same server
I want to ask you if there is a possibility to configure NginX as http proxy and stream proxy on the same NginX server? Or should it be split on two machines, one as http proxy, another as stream proxy? Do you have experience with that kind of configuration? Thanks in advance for any suggestions.
gaspar (152 rep)
Sep 6, 2022, 10:32 AM • Last activity: Sep 6, 2022, 10:52 AM
Showing page 1 of 20 total questions