Differences
This shows you the differences between the selected revisions of the page.
| ui_login_proxy 2015-02-18 | ui_login_proxy 2023-05-24 (current) | ||
| Line 1: | Line 1: | ||
| - | ====== Proxy Page (Advanced Site Settings dialog) ====== | + | ====== The Proxy Page (Advanced Site Settings dialog) ====== |
| The //Proxy page// on the [[ui_login_advanced|Advanced Site Settings dialog]] allows you to configure WinSCP to use various types of proxy in order to make its network connections. | The //Proxy page// on the [[ui_login_advanced|Advanced Site Settings dialog]] allows you to configure WinSCP to use various types of proxy in order to make its network connections. | ||
| - | |||
| - | &recent_login_page | ||
| Note that unlike some software (such as web browsers), WinSCP does not attempt to automatically determine whether to use a proxy and (if so) which one to use for a given destination. If you need to use a proxy, it must always be explicitly configured.((&puttydoccite)) | Note that unlike some software (such as web browsers), WinSCP does not attempt to automatically determine whether to use a proxy and (if so) which one to use for a given destination. If you need to use a proxy, it must always be explicitly configured.((&puttydoccite)) | ||
| + | |||
| + | When using an [[tunneling|SSH tunneling]], the proxy settings are used for a tunnel session, not for a main session. | ||
| &screenshotpict(login_proxy) | &screenshotpict(login_proxy) | ||
| Line 10: | Line 10: | ||
| &toc_title_page_sections | &toc_title_page_sections | ||
| - | ===== Setting the Proxy Type ===== | + | ===== [[type]] Setting the Proxy Type ===== |
| First, select what type of proxy you want WinSCP to use for its network connections. The default setting is //None//. In this mode no proxy is used for the connection. | First, select what type of proxy you want WinSCP to use for its network connections. The default setting is //None//. In this mode no proxy is used for the connection. | ||
| Line 17: | Line 17: | ||
| Selecting //SOCKS4// or //SOCKS5// allows you to proxy your connections through a SOCKS server. | Selecting //SOCKS4// or //SOCKS5// allows you to proxy your connections through a SOCKS server. | ||
| - | Many firewalls implement a less formal type of proxy in which a user can make a Telnet connection directly to the firewall machine and enter a command such as ''connect myhost.com 22'' to connect through to an external host. Selecting //Telnet// allows you to tell WinSCP to use this type of proxy. This type of proxy is not supported for [[FTP]] and [[WebDAV]] protocols. | + | Many firewalls implement a less formal type of proxy in which a user can make a Telnet or TCP connection directly to the firewall machine and enter a command such as ''connect myhost.com 22'' to connect through to an external host. Selecting //Telnet// allows you to tell WinSCP to use this type of proxy, with the [[#command|precise command specified]]. This type of proxy is not supported for [[FTP]], [[WebDAV]] and [[S3]] protocols. |
| - | Selecting //Local// allows you to specify an arbitrary command on the local machine to act as a proxy. When the session is started, instead of creating a TCP connection, WinSCP runs the specified command, and uses its standard input and output streams. This type of proxy is not supported for [[FTP]] and [[WebDAV]] protocols. | + | Selecting //Local// allows you to specify an arbitrary command on the local machine to act as a proxy. When the session is started, instead of creating a TCP connection, WinSCP runs the specified command, and uses its standard input and output streams. This type of proxy is not supported for [[FTP]], [[WebDAV]] and [[S3]] protocols. |
| This could be used, for instance, to talk to some kind of network proxy that WinSCP does not natively support; or you could tunnel a connection over something other than TCP/IP entirely. | This could be used, for instance, to talk to some kind of network proxy that WinSCP does not natively support; or you could tunnel a connection over something other than TCP/IP entirely. | ||
| Line 28: | Line 28: | ||
| ===== [[username_password]] Username and Password ===== | ===== [[username_password]] Username and Password ===== | ||
| - | If your proxy requires authentication, you can enter a username and a password in the //Username// and //Password// boxes. | + | You can enter a username and a password in the //User name// and //Password// boxes, which will be used if your proxy requires authentication. |
| + | |||
| + | If WinSCP discovers that it needs a proxy username or password and you have not specified one here, WinSCP will prompt for it interactively in the terminal window. | ||
| Authentication is not fully supported for all forms of proxy: | Authentication is not fully supported for all forms of proxy: | ||
| * Username and password authentication is supported for HTTP proxies and SOCKS5 proxies. | * Username and password authentication is supported for HTTP proxies and SOCKS5 proxies. | ||
| * With SOCKS5, authentication is via CHAP if the proxy supports it, otherwise the password is sent to the proxy in plain text. | * With SOCKS5, authentication is via CHAP if the proxy supports it, otherwise the password is sent to the proxy in plain text. | ||
| - | * With HTTP proxying, the only currently supported authentication method is "basic", where the password is sent to the proxy in plain text. | + | * With HTTP proxying, authentication is via "HTTP Digest" if possible, or "HTTP Basic". In the latter case, the password is sent to the proxy in plain text. |
| - | * SOCKS4 can use the //Username// field, but does not support passwords. | + | * SOCKS4 can use the //User name// field, but does not support passwords. |
| - | * You can specify a way to include a username and password in the //Telnet/Local// proxy command. | + | * You can specify a way to include a username and password in the //Telnet/Local// proxy command. \\ If you do so, and don't also specify the actual username and/or password in the configuration, WinSCP will [[ui_authenticate#proxy|interactively prompt for them]]. |
| * Most FTP proxy methods do require authentication. | * Most FTP proxy methods do require authentication. | ||
| ===== [[command]] Telnet/Local Proxy Command ===== | ===== [[command]] Telnet/Local Proxy Command ===== | ||
| - | If you are using the //Telnet// proxy type, the usual command required by the firewall's Telnet server is ''connect'', followed by a host name and a port number. If your proxy needs a different command, you can enter an alternative here. | + | If you are using the //Telnet// proxy type, the usual command required by the firewall's Telnet server is ''connect'', followed by a host name and a port number. If your proxy needs a different command, you can enter an alternative in the //Telnet command// box. |
| - | If you are using the //Local// proxy type, the local command to run is specified here. | + | If you are using the //Local// proxy type, the local command to run is specified in the //Local Proxy Command//. |
| In this string, you can use ''\n'' to represent a new-line, ''\r'' to represent a carriage return, ''\t'' to represent a tab character, and ''\x'' followed by two hex digits to represent any other character. ''\\'' is used to encode the \ character itself. | In this string, you can use ''\n'' to represent a new-line, ''\r'' to represent a carriage return, ''\t'' to represent a tab character, and ''\x'' followed by two hex digits to represent any other character. ''\\'' is used to encode the \ character itself. | ||
| - | Also, the special strings ''%host'' and ''%port'' will be replaced by the host name and port number you want to connect to. The strings ''%user'' and ''%pass'' will be replaced by the proxy username and password you specify. To get a literal % sign, enter ''<nowiki>%%</nowiki>''. | + | Also, the special strings ''%host'' and ''%port'' will be replaced by the host name and port number you want to connect to. The strings ''%user'' and ''%pass'' will be replaced by the proxy username and password (which, if not specified in the configuration, will be prompted for). To get a literal ''%'' sign, enter ''<nowiki>%%</nowiki>''. |
| If a Telnet proxy server prompts for a username and password before commands can be sent, you can use a command such as: | If a Telnet proxy server prompts for a username and password before commands can be sent, you can use a command such as: | ||
| Line 51: | Line 53: | ||
| %user\n%pass\nconnect %host %port\n | %user\n%pass\nconnect %host %port\n | ||
| - | This will send your username and password as the first two lines to the proxy, followed by a command to connect to the desired host and port. Note that if you do not include the ''%user'' or ''%pass'' tokens in the Telnet command, then the //Username// and //Password// configuration fields will be ignored. | + | This will send your username and password as the first two lines to the proxy, followed by a command to connect to the desired host and port. Note that if you do not include the ''%user'' or ''%pass'' tokens in the //Telnet command//, then anything specified in //Username// and //Password// configuration fields will be ignored. |
| + | |||
| + | You can use PuTTY ''plink'' as local proxy command to implement [[guide_tunnel#tunnel_two|two hop tunnel]]. | ||
| These options are not available for [[ftp|FTP protocol]]. | These options are not available for [[ftp|FTP protocol]]. | ||
| Line 60: | Line 64: | ||
| The //Do DNS name lookup at proxy end// configuration option allows you to control this. If you set it to //No//, WinSCP will always do its own DNS, and will always pass an IP address to the proxy. If you set it to //Yes//, WinSCP will always pass host names straight to the proxy without trying to look them up first. | The //Do DNS name lookup at proxy end// configuration option allows you to control this. If you set it to //No//, WinSCP will always do its own DNS, and will always pass an IP address to the proxy. If you set it to //Yes//, WinSCP will always pass host names straight to the proxy without trying to look them up first. | ||
| - | If you set this option to //Auto// (the default), WinSCP will do something it considers appropriate for each type of proxy. Telnet, HTTP and SOCKS5 proxies will have host names passed straight to them; SOCKS4 proxies will not.· | + | If you set this option to //Auto// (the default), WinSCP will do something it considers appropriate for each type of proxy. Most types of proxy (HTTP, SOCK5, Telnet, and local) will have host names passed straight to them; SOCKS4 proxies will not. |
| The original SOCKS4 protocol does not support proxy-side DNS. There is a protocol extension (SOCKS4A) which does support it, but not all SOCKS4 servers provide this extension. If you enable proxy DNS and your SOCKS4 server cannot deal with it, this might be why. | The original SOCKS4 protocol does not support proxy-side DNS. There is a protocol extension (SOCKS4A) which does support it, but not all SOCKS4 servers provide this extension. If you enable proxy DNS and your SOCKS4 server cannot deal with it, this might be why. | ||
| + | |||
| + | If you want to avoid WinSCP making any DNS query related to your destination host name (for example, because your local DNS resolver is very slow to return a negative response in that situation), then as well as setting this control to //Yes//, you may also need to turn off [[ui_login_authentication#gssapi|GSSAPI authentication]] and [[ui_login_kex#gssapi|GSSAPI key exchange]] in SSH. This is because GSSAPI setup also involves a DNS query for the destination host name, and that query is performed by the separate GSSAPI library, so WinSCP can't override or reconfigure it. | ||
| These options are not available for [[ftp|FTP protocol]]. | These options are not available for [[ftp|FTP protocol]]. | ||