#Usage
#Basic Proxy
Start pxgo:
./pxgo
Configure applications to use 127.0.0.1:3128 as their HTTP and HTTPS proxy.
#Upstream Proxy
./pxgo --proxy=proxy.company.com:8080
Multiple upstream proxies can be comma-separated:
./pxgo --proxy=proxy-a.company.com:8080,proxy-b.company.com:8080
pxgo tries the returned proxy list in order and falls back when a proxy fails.
#PAC File
./pxgo --pac=http://proxy.company.com/proxy.pac
./pxgo --pac=/path/to/proxy.pac
For non-UTF-8 PAC files:
./pxgo --pac=/path/to/proxy.pac --pac-encoding=latin1
#Bypass Rules
--noproxy skips the upstream proxy for matching destinations:
./pxgo --proxy=proxy.company.com:8080 --noproxy=localhost,example.com,10.0.*.*
Supported values include exact IPs, wildcard IPv4 globs, IPv4 ranges, CIDR ranges, and host/domain suffixes.
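To show how the five kinds of --noproxy value listed above can be evaluated against a destination, here is an added example; it is not pxgo's own code. The names bypass and octetGlob, the lo-hi range syntax, and suffix matching on a label boundary are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"strings"
)

// octetGlob matches an exact IPv4 or a glob such as 10.0.*.* octet by octet.
func octetGlob(pattern string, ip net.IP) bool {
	p, o := strings.Split(pattern, "."), strings.Split(ip.String(), ".")
	for i := 0; len(p) == 4 && i < 4; i++ {
		if p[i] != "*" && p[i] != o[i] {
			return false
		}
	}
	return len(p) == 4
}

// bypass reports whether host matches any rule in a comma-separated list.
// Rule syntax is assumed from the kinds of values named in the text above.
func bypass(rules, host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	ip := net.ParseIP(host).To4() // nil for hostnames (and IPv6)
	for _, r := range strings.Split(rules, ",") {
		r = strings.TrimPrefix(strings.ToLower(strings.TrimSpace(r)), ".")
		if ip == nil { // hostname: exact match or suffix on a label boundary
			if r != "" && (host == r || strings.HasSuffix(host, "."+r)) {
				return true
			}
			continue
		}
		_, cidr, err := net.ParseCIDR(r)
		lo, hi, _ := strings.Cut(r, "-") // assumed range form: lo-hi
		a, b := net.ParseIP(lo).To4(), net.ParseIP(hi).To4()
		inCIDR := err == nil && cidr.Contains(ip)
		inRange := a != nil && b != nil && bytes.Compare(a, ip) <= 0 && bytes.Compare(ip, b) <= 0
		if inCIDR || inRange || octetGlob(r, ip) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(bypass("example.com,10.0.*.*", "evilexample.com"), bypass("example.com,10.0.*.*", "10.0.3.7"))
}
```

Matching suffixes on a label boundary keeps a rule such as example.com from also covering evilexample.com, which would otherwise skip the upstream proxy for an unrelated host.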
#Upstream Authentication
Set --auth to select upstream proxy authentication. Store the password
interactively in the OS keyring first:
./pxgo --username= 0 --password
Then run the proxy:
./pxgo \
--proxy=proxy.company.com:8080 \
--auth=NTLM \
--username= 0
Or supply the password via environment variable for non-interactive runs:
PXGO_PASSWORD='secret' ./pxgo \
--proxy=proxy.company.com:8080 \
--auth=NTLM \
--username= 1
Supported auth selectors:
- ANY: try NEGOTIATE, NTLM, DIGEST, then BASIC
- ANYSAFE: try NEGOTIATE, NTLM, then DIGEST
- NEGOTIATE, NTLM, DIGEST, BASIC: force one mode
- NONE: pass proxy authentication through from the client
- ONLYNTLM, NOBASIC, SAFENONTLM: selector forms matching the Python Px convention
#Kerberos
Kerberos ticket management is available on Linux and macOS:
PXGO_PASSWORD='secret' ./pxgo --kerberos --username=user@REALM
pxgo creates a per-process credential cache, runs kinit, refreshes tickets with
kinit -R when possible, and removes the cache on exit. The host still needs
working Kerberos configuration such as /etc/krb5.conf.
#Client Authentication
By default local clients can use pxgo without authenticating. Require client auth:
PXGO_CLIENT_PASSWORD='client-secret' ./pxgo \
--client-auth=DIGEST \
--client-username=client
Supported client auth modes are NEGOTIATE, NTLM, DIGEST, BASIC, ANY,
ANYSAFE, and NONE.
#Remote Clients
Default mode listens only on 127.0.0.1.
Allow remote clients:
./pxgo --gateway --allow=192.168.1.*
Allow only IP addresses assigned to local interfaces:
./pxgo --hostonly
#Logging
pxgo supports four log destinations controlled by --log=N, PXGO_LOG=N, or settings:log=N in the config file:
./pxgo --log=1 # log to script directory (alias: --debug)
./pxgo --log=2 # log to working directory
./pxgo --log=3 # log to working directory with unique filename (alias: --uniqlog)
./pxgo --log=4 # log to stdout, implies --foreground (alias: --verbose)
#Self-Test
./pxgo --test
./pxgo --test=https://example.com
./pxgo --test=all:https://httpbin.org
all mode checks several HTTP methods through the proxy.