Ubuntu20.04代理设置

相关环境变量
curl
git
1. git-config 手册摘录
wget
1. wget 手册摘录
  1. wget 识别的环境变量
  2. wget 命令和 proxy 相关的选项
apt-get
1. 摘录
ssh
1. 手册摘录

有时由于网络问题, 我们需要在命令行下设置代理. Ubuntu 上, 我常用需要联网的命令有 curl, git, apt-get, wget 等. 这些命令都会访问环境变量中的代理设置.

环境变量	curl	git	apt-get	wget
`http_proxy`	Y	Y	Y	Y
`https_proxy`	Y	Y	?	Y
`ftp_proxy`	Y	Y	Y	N
`all_proxy`	Y	Y	N	Y
`no_proxy`	Y	Y	N	Y

curl

下面的环境变量除 http_proxy 外使用大小写均可, 不过小写优先. 使用环境变量设置 proxy 的效果和选项 -x, --proxy 的效果相同.

http_proxy [protocol://]<host>[:port] 设置 HTTP 协议的 proxy.

HTTPS_PROXY [protocol://]<host>[:port] 设置 HTTPS 协议的 proxy.

[url-protocol]_PROXY [protocol://]<host>[:port] 为 [url-protocal] 设置 proxy, 这里的 url-protocol 为 curl 支持的协议, 如 FTP, FTPS, POP3, IMAP, SMTP, LDAP 等.

ALL_PROXY [protocol://]<host>[:port] 为没有明确设置 proxy 的协议设置 proxy.

NO_PROXY <comma-separated list of hosts> 不走代理的主机名列表 (comma-separated list of hosts). 如果仅设置为 `*`, 则匹配所有主机.

— 翻译自 Curl Manual, Version 7.58.0.

git

从 git-config 的手册中可以看出, git 可以和 curl 一样使用环境变量中定义的代理, 也可以通过 http.proxy 进行设置. 注意 git 并没有 https.proxy 这样的设置选项. http.proxy 的设置格式为

[protocol://][user[:password]@]proxyhost[:port]

该设置将覆盖环境变量设置.

上面的设置对于使用 https 协议的 url 有效, 若通过 ssh 访问相应的库, 需要通过 ssh 设置代理. 例如, 我们通过向文件 ~/.ssh/config 中添加以下内容 (该文件的读写权限应该为 644)

Host github.comUser gitProxyCommand nc -X connect -x 127.0.0.1:10809 %h %p

这里 -X connect 表示该代理为 http 代理.

如果 git 使用 ssh 且通过代理访问 github, 可按如下方式设置 http 代理. 如果是 socks5 代理，去掉参数 -X connect, 其他协议请参考 nc 的手册页.

git-config 手册摘录

core.gitProxyA "proxy command" to execute (as command host port) instead of establishing direct connection to the remote server when using the Git protocol for fetching. If the variable value is in the"COMMAND for DOMAIN" format, the command is applied only on hostnames ending with the specified domain string. This variable may be set multiple times and is matched in the given order; thefirst match wins.Can be overridden by the GIT_PROXY_COMMAND environment variable (which always applies universally, without the special "for" handling).The special string none can be used as the proxy command to specify that no proxy be used for a given domain pattern. This is useful for excluding servers inside a firewall from proxy use, whiledefaulting to a common proxy for external domains.http.proxyOverride the HTTP proxy, normally configured using the http_proxy, https_proxy, and all_proxy environment variables (see curl(1)). In addition to the syntax understood by curl, it is possible tospecify a proxy string with a user name but no password, in which case git will attempt to acquire one in the same way it does for other credentials. See gitcredentials(7) for more information.The syntax thus is [protocol://][user[:password]@]proxyhost[:port]. This can be overridden on a per-remote basis; see remote.<name>.proxyhttp.<url>.*Any of the http.* options above can be applied selectively to some URLs. For a config key to match a URL, each element of the config key is compared to that of the URL, in the following order:1. Scheme (e.g., https in https://example.com/). This field must match exactly between the config key and the URL.2. Host/domain name (e.g., example.com in https://example.com/). This field must match between the 3. config key and the URL. It is possible to specify a * as part of the host name to match allsubdomains at this level.  https://*.example.com/ for example would match https://foo.example.com/, but not https://foo.bar.example.com/.4. Port number (e.g., 8080 in http://example.com:8080/). This field must match exactly between 5. the config key and the URL. Omitted port numbers are automatically converted to the correctdefault for the scheme before matching.6. Path (e.g., repo.git in https://example.com/repo.git). The path field of the config key must 7. match the path field of the URL either exactly or as a prefix of slash-delimited path elements.This means a config key with path foo/ matches URL path foo/bar. A prefix can only match on aslash (/) boundary. Longer matches take precedence (so a config key with path foo/bar is abetter match to URL path foo/bar than a config key with just path foo/).8. User name (e.g., user in https://user@example.com/repo.git). If the config key has a user name 9.  it must match the user name in the URL exactly. If the config key does not have a user name,that config key will match a URL with any user name (including none), but at a lower precedencethan a config key with a user name.The list above is ordered by decreasing precedence; a URL that matches a config key’s path is preferred to one that matches its user name. For example, if the URL ishttps://user@example.com/foo/bar a config key match of https://example.com/foo will be preferred over a config key match of https://user@example.com.All URLs are normalized before attempting any matching (the password part, if embedded in the URL, is always ignored for matching purposes) so that equivalent URLs that are simply spelleddifferently will match properly. Environment variable settings always override any matches. The URLs that are matched against are those given directly to Git commands. This means any URLsvisited as a result of a redirection do not participate in matching.remote.<name>.proxyFor remotes that require curl (http, https and ftp), the URL to the proxy to use for that remote. Set to the empty string to disable proxying for that remote.

wget

wget 识别环境变量 http_proxy, https_proxy, ftp_proxy 和 no_proxy.

wget 手册摘录

wget 识别的环境变量

Wget supports proxies for both HTTP and FTP retrievals.  The standard way to specify proxy location,
which Wget recognizes, is using the following environment variables:http_proxy
https_proxyIf set, the http_proxy and https_proxy variables should contain the URLs of the proxies for HTTP and HTTPS connections respectively.ftp_proxyThis variable should contain the URL of the proxy for FTP connections.  It is quite common that http_proxy and ftp_proxy are set to the same URL.no_proxyThis variable should contain a comma-separated list of domain extensions proxy should not be used for.  For instance, if the value of no_proxy is .mit.edu, proxy will not be used to retrieve documents from MIT.

wget 命令和 proxy 相关的选项

--proxy-user=user
--proxy-password=passwordSpecify the username user and password password for authentication on a proxy server.  Wget will encode them using the "basic" authentication scheme.
--no-proxyDon't use proxies, even if the appropriate *_proxy environment variable is defined.

apt-get

通过下面摘录文档的内容看出, apt-get 识别 http_proxy 和 ftp_proxy, 但并没有提及 https_proxy.

摘录

APT.CONF(5) 摘录

THE ACQUIRE GROUPThe Acquire group of options controls the download of packages as well as the various "acquire methods"responsible for the download itself (see also sources.list(5)).http httpsThe options in these scopes configure APTs acquire transports for the protocols HTTP and HTTPS andare documented in the apt-transport-http(1) and apt-transport-https(1) manpages respectively.ftpftp::Proxy sets the default proxy to use for FTP URIs. It is in the standard form offtp://[[user][:pass]@]host[:port]/. Per host proxies can also be specified by using the formftp::Proxy::<host> with the special keyword DIRECT meaning to use no proxies. If no one of theabove settings is specified, ftp_proxy environment variable will be used. To use an FTP proxy youwill have to set the ftp::ProxyLogin script in the configuration file. This entry specifies thecommands to send to tell the proxy server what to connect to. Please see/usr/share/doc/apt/examples/configure-index.gz for an example of how to do this. The substitutionvariables representing the corresponding URI component are $(PROXY_USER), $(PROXY_PASS),$(SITE_USER), $(SITE_PASS), $(SITE) and $(SITE_PORT).The option timeout sets the timeout timer used by the method; this value applies to the connectionas well as the data timeout.Several settings are provided to control passive mode. Generally it is safe to leave passive modeon; it works in nearly every environment. However, some situations require that passive mode bedisabled and port mode FTP used instead. This can be done globally or for connections that gothrough a proxy or for a specific host (see the sample config file for examples).It is possible to proxy FTP over HTTP by setting the ftp_proxy environment variable to an HTTP URL- see the discussion of the http method above for syntax. You cannot set this in the configurationfile and it is not recommended to use FTP over HTTP due to its low efficiency.The setting ForceExtended controls the use of RFC2428 EPSV and EPRT commands. The default is false,which means these commands are only used if the control connection is IPv6. Setting this to trueforces their use even on IPv4 connections. Note that most FTP servers do not support RFC2428.

SOURCES.LIST(5) 摘录

URI SPECIFICATIONThe currently recognized URI types are:http (apt-transport-http(1))The http scheme specifies an HTTP server for an archive and is the most commonly used method. TheURI can directly include login information if the archive requires it, but the use ofapt_auth.conf(5) should be preferred. The method also supports SOCKS5 and HTTP(S) proxies eitherconfigured via apt-specific configuration or specified by the environment variable http_proxy inthe format (assuming an HTTP proxy requiring authentication) http://user:pass@server:port/. Theauthentication details for proxies can also be supplied via apt_auth.conf(5).Note that these forms of authentication are insecure as the whole communication with the remoteserver (or proxy) is not encrypted so a sufficiently capable attacker can observe and record loginas well as all other interactions. The attacker can not modify the communication through as APTsdata security model is independent of the chosen transport method. See apt-secure(8) for details.https (apt-transport-https(1))The https scheme specifies an HTTPS server for an archive and is very similar in use and availableoptions to the http scheme. The main difference is that the communication between apt and server(or proxy) is encrypted. Note that the encryption does not prevent an attacker from knowing whichserver (or proxy) apt is communicating with and deeper analyses can potentially still reveal whichdata was downloaded. If this is a concern the Tor-based schemes mentioned further below might be asuitable alternative.ftpThe ftp scheme specifies an FTP server for an archive. Use of FTP is on the decline in favour ofhttp and https and many archives either never offered or are retiring FTP access. If you still needthis method many configuration options for it are available in the Acquire::ftp scope and detailedin apt.conf(5).Please note that an FTP proxy can be specified by using the ftp_proxy environment variable. It ispossible to specify an HTTP proxy (HTTP proxy servers often understand FTP URLs) using thisenvironment variable and only this environment variable. Proxies using HTTP specified in theconfiguration file will be ignored.

ssh

ssh 并不能使用上面的环境变量, 如果 ssh 连接需要使用代理, 须单独设置:

通过命令行选型

通过用户配置文件 ~/.ssh/config, 该文件的读写权限应该为 644.

ProxyCommand /usr/bin/nc -X connect -x 127.0.0.1:8080 %h %p

Host github.comUser gitProxyCommand nc -X connect -x 127.0.0.1:10809 %h %p

通过系统配置文件 /etc/ssh/ssh_config.

手册摘录

SSH_CONFIG(5) 摘录

-J [user@]host[:port]Connect to the target host by first making a ssh connection to the jump host and then establish‐ing a TCP forwarding to the ultimate destination from there.  Multiple jump hops may be specifiedseparated by comma characters.  This is a shortcut to specify a ProxyJump configuration direc‐tive.-L [bind_address:]port:host:hostport
-L [bind_address:]port:remote_socket
-L local_socket:host:hostport
-L local_socket:remote_socketSpecifies that connections to the given TCP port or Unix socket on the local (client) host are tobe forwarded to the given host and port, or Unix socket, on the remote side.  This works by allo‐cating a socket to listen to either a TCP port on the local side, optionally bound to the speci‐fied bind_address, or to a Unix socket.  Whenever a connection is made to the local port orsocket, the connection is forwarded over the secure channel, and a connection is made to eitherhost port hostport, or the Unix socket remote_socket, from the remote machine.Port forwardings can also be specified in the configuration file.  Only the superuser can forwardprivileged ports.  IPv6 addresses can be specified by enclosing the address in square brackets.By default, the local port is bound in accordance with the GatewayPorts setting.  However, anexplicit bind_address may be used to bind the connection to a specific address.  The bind_addressof “localhost” indicates that the listening port be bound for local use only, while an emptyaddress or ‘*’ indicates that the port should be available from all interfaces.-R [bind_address:]port:host:hostport-R [bind_address:]port:local_socket-R remote_socket:host:hostport-R remote_socket:local_socket-R [bind_address:]portSpecifies that connections to the given TCP port or Unix socket on the remote (server) host areto be forwarded to the local side.This works by allocating a socket to listen to either a TCP port or to a Unix socket on theremote side.  Whenever a connection is made to this port or Unix socket, the connection is for‐warded over the secure channel, and a connection is made from the local machine to either anexplicit destination specified by host port hostport, or local_socket, or, if no explicit desti‐nation was specified, ssh will act as a SOCKS 4/5 proxy and forward connections to the destina‐tions requested by the remote SOCKS client.Port forwardings can also be specified in the configuration file.  Privileged ports can be for‐warded only when logging in as root on the remote machine.  IPv6 addresses can be specified byenclosing the address in square brackets.By default, TCP listening sockets on the server will be bound to the loopback interface only.This may be overridden by specifying a bind_address.  An empty bind_address, or the address ‘*’,indicates that the remote socket should listen on all interfaces.  Specifying a remotebind_address will only succeed if the server's GatewayPorts option is enabled (seesshd_config(5)).If the port argument is ‘0’, the listen port will be dynamically allocated on the server andreported to the client at run time.  When used together with -O forward the allocated port willbe printed to the standard output.

SSH_CONFIG(5) 摘录

ssh(1) obtains configuration data from the following sources in the following order:1.   command-line options2.   user's configuration file (~/.ssh/config)3.   system-wide configuration file (/etc/ssh/ssh_config)For each parameter, the first obtained value will be used.  The configuration files contain sections sep‐
arated by Host specifications, and that section is only applied for hosts that match one of the patterns
given in the specification.  The matched host name is usually the one given on the command line (see the
CanonicalizeHostname option for exceptions).Since the first obtained value for each parameter is used, more host-specific declarations should be
given near the beginning of the file, and general defaults at the end.The file contains keyword-argument pairs, one per line.  Lines starting with ‘#’ and empty lines are
interpreted as comments.  Arguments may optionally be enclosed in double quotes (") in order to represent
arguments containing spaces.  Configuration options may be separated by whitespace or optional whitespace
and exactly one ‘=’; the latter format is useful to avoid the need to quote whitespace when specifying
configuration options using the ssh, scp, and sftp -o option.The possible keywords and their meanings are as follows (note that keywords are case-insensitive and
arguments are case-sensitive):ProxyCommandSpecifies the command to use to connect to the server.  The command string extends to the end ofthe line, and is executed using the user's shell ‘exec’ directive to avoid a lingering shellprocess.Arguments to ProxyCommand accept the tokens described in the TOKENS section.  The command can bebasically anything, and should read from its standard input and write to its standard output.  Itshould eventually connect an sshd(8) server running on some machine, or execute sshd -i some‐where.  Host key management will be done using the HostName of the host being connected (default‐ing to the name typed by the user).  Setting the command to none disables this option entirely.Note that CheckHostIP is not available for connects with a proxy command.This directive is useful in conjunction with nc(1) and its proxy support.  For example, the fol‐lowing directive would connect via an HTTP proxy at 192.0.2.0:ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %pProxyJumpSpecifies one or more jump proxies as [user@]host[:port].  Multiple proxies may be separated bycomma characters and will be visited sequentially.  Setting this option will cause ssh(1) to con‐nect to the target host by first making a ssh(1) connection to the specified ProxyJump host andthen establishing a TCP forwarding to the ultimate target from there.Note that this option will compete with the ProxyCommand option - whichever is specified firstwill prevent later instances of the other from taking effect.ProxyUseFdpassSpecifies that ProxyCommand will pass a connected file descriptor back to ssh(1) instead of con‐tinuing to execute and pass data.  The default is no.ProxyCommand accepts the tokens %%, %h, %p, and %r.%%    A literal ‘%’.%C    Shorthand for %l%h%p%r.%d    Local user's home directory.%h    The remote hostname.%i    The local user ID.%L    The local hostname.%l    The local hostname, including the domain name.%n    The original remote hostname, as given on the command line.%p    The remote port.%r    The remote username.%u    The local username.