Connecting To Hosts Via Proxies
You can route management connections via your existing SOCKS proxy servers to accommodate existing firewall configurations and network-traffic policies. To achieve this, configure Key Manager to connect to certain addresses, or even to entire networks, via SOCKS proxy servers.
Key Manager uses SOCKS v5.
Proxy-connection rules are specified on the Settings→General page, under the Backend settings section, in the Socks Proxies field. Specify each proxy-connection rule on its own line. Use the following format to specify individual proxy-connection rules:
IP[/bits] Proxy[:port]
Each connection rule must specify the IP address of the host or network that is to be connected to via a proxy, followed by the address of the proxy and, optionally, the proxy port that is used for connections. The port defaults to 1080 if it is unspecified. Separate the target IP and the proxy address with a space.
The following is an example of a minimal proxy-connection rule. Management connections to host address 10.11.2.168 are routed via the proxy server at example.proxy.com:
10.11.2.168 example.proxy.com
The following is an example of a proxy-connection rule with optional information. All connections to the network 10.11.2.0/24 (hosts at addresses 10.11.2.0 to 10.11.2.255) are routed via example.proxy.com. Port 1080 is used for connecting to the proxy:
10.11.2.0/24 example.proxy.com:1080
Proxy settings for specific Key Manager back ends can also be set via the command-line client, using the command set-mgmt-server-setting (described in set-mgmt-server-setting):
$ ssh-mgr-client set-mgmt-server-setting -I "fqdn=backend.example.com" \
-d category=backend,name=socks_proxy,value="\
{'rules': [{'to': '192.0.2.0/24'\, 'via': 'proxy.example.com:1080'}]}"
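The rule format and the 'rules' structure described above can be checked before they are applied. The following Python code is an added example, not part of Key Manager or its documentation. The function names are hypothetical, rejecting target addresses with host bits set is this example's own choice, and because the page does not state which rule wins when several overlap, it lists every rule that covers a given address:

```python
import ipaddress

DEFAULT_SOCKS_PORT = 1080  # the documented default when no port is given


def parse_rule(line):
    """Parse one 'IP[/bits] Proxy[:port]' rule into (network, host, port)."""
    fields = line.split()
    if len(fields) != 2:
        raise ValueError(f"expected 'IP[/bits] Proxy[:port]', got {line!r}")
    target, proxy = fields
    # strict=True rejects host bits under the mask (e.g. 10.11.2.168/24);
    # that strictness is an assumption of this example, not a product rule.
    network = ipaddress.ip_network(target, strict=True)
    # Assumes the proxy is a hostname or IPv4 address, as in the page's examples.
    host, sep, port_text = proxy.rpartition(":")
    if not sep:
        host, port = proxy, DEFAULT_SOCKS_PORT
    elif port_text.isdigit() and 1 <= int(port_text) <= 65535:
        port = int(port_text)
    else:
        raise ValueError(f"invalid proxy port in {line!r}")
    if not host:
        raise ValueError(f"missing proxy address in {line!r}")
    return network, host, port


def parse_rules(text):
    """Parse a multi-line Socks Proxies field value, skipping blank lines."""
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def matching_rules(rules, address):
    """Return every rule whose target network contains the given address."""
    ip = ipaddress.ip_address(address)
    return [r for r in rules if ip.version == r[0].version and ip in r[0]]


def to_setting_value(rules):
    """Build the {'rules': [{'to': ..., 'via': ...}]} shape shown for the CLI."""
    return {"rules": [{"to": str(n), "via": f"{h}:{p}"} for n, h, p in rules]}


# Constructed sample input: the two example rules from this page.
SAMPLE = "10.11.2.168 example.proxy.com\n10.11.2.0/24 example.proxy.com:1080\n"

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for network, host, port in matching_rules(rules, "10.11.2.168"):
        print(f"10.11.2.168 is covered by {network} via {host}:{port}")
    print(to_setting_value(rules))
```

Listing every covering rule makes overlapping or overly broad networks visible before the rules are saved.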
Proxy connections can also be used with nmap-ncat.
$ ssh -o "ProxyCommand nc --proxy 192.0.2.1:22 192.0.2.2 22" 192.0.2.2
The location of the ncat version you use can be specified in localsettings.py, using the setting:
NETCAT_COMMAND="/usr/bin/nc"
Ensure you use nmap-ncat instead of netcat for proxy connections.