1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-13 21:15:08 -05:00
curl/docs/libcurl/opts/CURLOPT_SOCKS_PROXY.3
Alex Rousskov cb4e2be7c6 proxy: Support HTTPS proxy and SOCKS+HTTP(s)
* HTTPS proxies:

An HTTPS proxy receives all transactions over an SSL/TLS connection.
Once a secure connection with the proxy is established, the user agent
uses the proxy as usual, including sending CONNECT requests to instruct
the proxy to establish a [usually secure] TCP tunnel with an origin
server. HTTPS proxies protect nearly all aspects of user-proxy
communications as opposed to HTTP proxies that receive all requests
(including CONNECT requests) in vulnerable clear text.

With HTTPS proxies, it is possible to have two concurrent _nested_
SSL/TLS sessions: the "outer" one between the user agent and the proxy
and the "inner" one between the user agent and the origin server
(through the proxy). This change adds supports for such nested sessions
as well.

A secure connection with a proxy requires its own set of the usual SSL
options (their actual descriptions differ and need polishing, see TODO):

  --proxy-cacert FILE        CA certificate to verify peer against
  --proxy-capath DIR         CA directory to verify peer against
  --proxy-cert CERT[:PASSWD] Client certificate file and password
  --proxy-cert-type TYPE     Certificate file type (DER/PEM/ENG)
  --proxy-ciphers LIST       SSL ciphers to use
  --proxy-crlfile FILE       Get a CRL list in PEM format from the file
  --proxy-insecure           Allow connections to proxies with bad certs
  --proxy-key KEY            Private key file name
  --proxy-key-type TYPE      Private key file type (DER/PEM/ENG)
  --proxy-pass PASS          Pass phrase for the private key
  --proxy-ssl-allow-beast    Allow security flaw to improve interop
  --proxy-sslv2              Use SSLv2
  --proxy-sslv3              Use SSLv3
  --proxy-tlsv1              Use TLSv1
  --proxy-tlsuser USER       TLS username
  --proxy-tlspassword STRING TLS password
  --proxy-tlsauthtype STRING TLS authentication type (default SRP)

All --proxy-foo options are independent from their --foo counterparts,
except --proxy-crlfile which defaults to --crlfile and --proxy-capath
which defaults to --capath.

Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
similar to the existing %{ssl_verify_result} variable.

Supported backends: OpenSSL, GnuTLS, and NSS.

* A SOCKS proxy + HTTP/HTTPS proxy combination:

If both --socks* and --proxy options are given, Curl first connects to
the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
proxy.

TODO: Update documentation for the new APIs and --proxy-* options.
Look for "Added in 7.XXX" marks.
2016-11-24 23:41:44 +01:00

89 lines
4.0 KiB
Groff

.\" **************************************************************************
.\" * _ _ ____ _
.\" * Project ___| | | | _ \| |
.\" * / __| | | | |_) | |
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
.\" * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
.\" * are also available at https://curl.haxx.se/docs/copyright.html.
.\" *
.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
.\" * copies of the Software, and permit persons to whom the Software is
.\" * furnished to do so, under the terms of the COPYING file.
.\" *
.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
.\" * KIND, either express or implied.
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_SOCKS_PROXY 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.SH NAME
CURLOPT_SOCKS_PROXY \- set socks proxy to use
.SH SYNOPSIS
#include <curl/curl.h>
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SOCKS_PROXY, char *proxy);
.SH DESCRIPTION
TODO: Make this text specific to HTTPS proxy. (Added in 7.XXX)
Set the \fIproxy\fP to use for the upcoming request. The parameter should be a
char * to a zero terminated string holding the host name or dotted numerical
IP address. A numerical IPv6 address must be written within [brackets].
To specify port number in this string, append :[port] to the end of the host
name. The proxy's port number may optionally be specified with the separate
option \fICURLOPT_PROXYPORT(3)\fP. If not specified, libcurl will default to
using port 1080 for proxies.
The proxy string may be prefixed with [scheme]:// to specify which kind of
proxy is used. Use socks4://, socks4a://, socks5:// or socks5h:// (the last
one to enable socks5 and asking the proxy to do the resolving, also known as
\fICURLPROXY_SOCKS5_HOSTNAME\fP type) to request the specific SOCKS version to
be used. No scheme specified or http://, will be treated as HTTP proxies.
Without a scheme prefix, \fICURLOPT_PROXYTYPE(3)\fP can be used to specify
which kind of proxy the string identifies.
When you tell the library to use a HTTP proxy, libcurl will transparently
convert operations to HTTP even if you specify an FTP URL etc. This may have
an impact on what other features of the library you can use, such as
\fICURLOPT_QUOTE(3)\fP and similar FTP specifics that don't work unless you
tunnel through the HTTP proxy. Such tunneling is activated with
\fICURLOPT_HTTPPROXYTUNNEL(3)\fP.
libcurl respects the environment variables \fBhttp_proxy\fP, \fBftp_proxy\fP,
\fBall_proxy\fP etc, if any of those are set. The \fICURLOPT_PROXY(3)\fP
option does however override any possibly set environment variables.
Setting the proxy string to "" (an empty string) will explicitly disable the
use of a proxy, even if there is an environment variable set for it.
A proxy host string can also include protocol scheme (http://) and embedded
user + password.
.SH DEFAULT
Default is NULL, meaning no proxy is used.
When you set a host name to use, do not assume that there's any particular
single port number used widely for proxies. Specify it!
.SH PROTOCOLS
All except file://. Note that some protocols don't do very well over proxy.
.SH EXAMPLE
TODO
.SH AVAILABILITY
Since 7.14.1 the proxy environment variable names can include the protocol
scheme.
Since 7.21.7 the proxy string supports the socks protocols as "schemes".
Since 7.50.2, unsupported schemes in proxy strings cause libcurl to return
error.
.SH RETURN VALUE
Returns CURLE_OK if proxies are supported, CURLE_UNKNOWN_OPTION if not, or
CURLE_OUT_OF_MEMORY if there was insufficient heap space.
.SH "SEE ALSO"
.BR CURLOPT_PROXYPORT "(3), " CURLOPT_HTTPPROXYTUNNEL "(3), "
.BR CURLOPT_PROXYTYPE "(3)"