Stealth tunneling through HTTP(S) proxies
C Makefile C++
Pull request Compare This branch is 8 commits behind proxytunnel:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
contrib Fix one reference to documentation Apr 9, 2016
debian Move manual page from debian subdir to main dir Jul 30, 2007
.gitignore Ignore the proxytunnel binary Aug 29, 2016
.travis.yml Improve Travis CI configuration Aug 29, 2016
INSTALL Clarify INSTALL doc, add comment about bsd-functions in Makefile Feb 27, 2007
KNOWN_ISSUES Document some setproctitle behaviour Sep 2, 2006
LICENSE.txt Updated LICENSE.txt with OpenSSL linking clause Jan 23, 2012
Makefile SNI support Aug 7, 2016
README Update version number Mar 3, 2008
RELNOTES Fix typo Aug 9, 2008
TODO Update TODO file Aug 29, 2016 Cosmetic changes and vim improvements. Jan 27, 2008
basicauth.c Fix compiler warning wih gcc < 4. Jan 27, 2008
basicauth.h Changed basicauth interface. Jan 27, 2008
cmdline.h allow to specify own Host Header in CONNECT method via -o on commandline Feb 3, 2016
global.h Cosmetic changes and vim improvements. Jan 27, 2008
io.h Cosmetic changes and vim improvements. Jan 27, 2008
ntlm.c NTLMv2 fixes by Giulio Galante <> Jan 23, 2012
proxytunnel.c Initial import, unfinished. Aug 9, 2008
proxytunnel.h Added username in password prompt. Jan 27, 2008
readpassphrase.c fixed compiler warnings Feb 3, 2016
setproctitle.c Cosmetic changes and vim improvements. Jan 27, 2008



Author:		Jos Visser <>, Mark Janssen <>
Date: 		Mon Mar  3 22:49:43 CET 2008
Version:	1.9.0

Hi all,

This is proxytunnel, a program that connects stdin and stdout
to an origin server somewhere in the Internet through an industry
standard HTTPS proxy. I originally wrote this program to be used
as an extension to SSH, to be able to SSH to my box at home. In 
this file, I will describe the use with SSH. If you want to use it
with some other application, feel free, and let me know!


Proxytunnel is very easy to use, when running proxytunnel with the help
option it specifies it's command-line options.

$ ./proxytunnel --help
proxytunnel 1.9.0 (rev 224) Copyright 2001-2008 Proxytunnel Project
Usage: proxytunnel [OPTIONS]...
Build generic tunnels trough HTTPS proxy's, supports HTTP authorization

Standard options:
 -i, --inetd               Run from inetd (default=off)
 -a, --standalone=INT      Run as standalone daemon on specified port
 -p, --proxy=STRING        Local proxy host:port combination
 -r, --remproxy=STRING     Remote proxy host:port combination (using 2 proxies)
 -d, --dest=STRING         Destination host:port combination
 -e, --encrypt             SSL encrypt data between local proxy and destination
 -E, --encrypt-proxy       SSL encrypt data between client and local proxy
 -X, --encrypt-remproxy    Encrypt between 1st and 2nd proxy using SSL

Additional options for specific features:
 -F, --passfile=STRING     File with credentials for proxy authentication
 -P, --proxyauth=STRING    Proxy auth credentials user:pass combination
 -R, --remproxyauth=STRING Remote proxy auth credentials user:pass combination
 -N, --ntlm                Use NTLM based authentication
 -t, --domain=STRING       NTLM domain (default: autodetect)
 -H, --header=STRING       Add additional HTTP headers to send to proxy
 -x, --proctitle=STRING    Use a different process title

Miscellaneous options:
 -v, --verbose             Turn on verbosity
 -q, --quiet               Suppress messages
 -h, --help                Print help and exit
 -V, --version             Print version and exit

To use this program with OpenSSH to connect to a host somewhere, create
a $HOME/.ssh/config file with the following content:

Host foobar
	ProtocolKeepAlives 30
	ProxyCommand /path/to/proxytunnel -p proxy:8080 -P username


- foobar		The symbolic name of the host you want to connect to
- proxy         	The host name of the proxy you want to connect through
- 8080			The port number where the proxy software listens to
- username		Your proxy userid (password will be prompted)
-	The hostname of the box you want to connect to (ultimately)
- 443			The port number of the SSH daemon on

If your proxy doesn't require the username and password for using it,
you can skip these options. If you don't provide the password on the
command-line (which is recommended) you will be prompted for it by
proxytunnel. If you are on a trusted system you can also put the
password in an environment variable, and tell proxytunnel where to
find it with '-S'.

If you want to run proxytunnel from inetd add the '--inetd' option.

Most HTTPS proxies do not allow access to ports other than 443 (HTTPS)
and 563 (SNEWS), so some hacking is necessary to start the SSH daemon on
the required port. (On the server side add an extra Port statement in
the sshd_config file, or use a redirect rule in your firewall.)

When your proxy uses NTLM authentication (like Microsoft IIS proxy)
you need to specify -N to enable NTLM, and then specify your username
and password (and optionally domain, if autodetection fails).
The NT domain can be specified on the commandline if the
auto-detection doesn't work for you (which is usually doesn't)

If you want to have the first proxy connect to another http proxy (like
one you can control, specify -r proxy2:port. The first proxy will then
connect to this remote proxy, which will be asked to connect to the 
requested destination. Note that authentication doesn't (yet) work on
this remote proxy. For more information regarding this feature, check

If your proxy is more advanced, and does protocol inspection it will
detect that your connection is not a real HTTPS/SSL connection. You
can enable SSL encryption (using -e), which will work around this
problem, however, you need to setup stunnel4 on the other side, or
connect to a process that understands SSL itself.

When all this is in place, execute an "ssh foobar" and you're in business!

Environment Variables

Proxytunnel can make use of the following environment variables:
PROXYUSER		Username for the proxy-authentication
PROXYPASS		Password for the proxy-authentication
REMPROXYUSER	Username for remote proxy-authentication
REMPROXYPASS	Password for remote proxy-authentication
HTTP_PROXY		Primary proxy host and port information
				Format: HTTP_PROXY=http://<host>:<port>/

Authentication File

Proxytunnel can read authentication data from a file (-F/--passfile)
The format for this file is:
<field> = <value>
<field> = <value>

One entry per line, 1 space before and after the equal sign.
The accepted fields are:
 * proxy_user
 * proxy_passwd
 * remproxy_user
 * remproxy_passwd

Share and Enjoy!

Jos Visser <>
Mark Janssen <>