Home
|
FAQ
|
Feedback
|
Licence
|
Updates
|
Mirrors
|
Keys
|
Links
|
Team
Download:
Stable
·
Snapshot
|
Docs
|
Privacy
|
Changes
|
Wishlist
PuTTY's proxy configuration system is centralised, and applies to every network connection it makes. This is not always what people want.
A typical case that causes confusion happens when a user
foobar by just typing in
its name in the hostname box, so that the rest of the
configuration comes from Default Settings.PuTTY consults its proxy configuration and finds that to ssh
to bar it must start by sshing to foo. But
then when it comes to make the connection to foo,
it also consults the proxy configuration from Default
Settings, and that makes it decide that it must begin that
by also sshing to foo, because there was no exception
configured to say you shouldn't use the proxy to connect to itself.
So each attempt to connect to the proxy recursively spawns another
attempt to connect to the same proxy, and nothing ever gets
anywhere.
(This happens regardless of whether the SSH proxy configuration
uses the older method of running plink %proxyhost -nc
%host:%port as a subprocess, or the newer built-in method.
The only difference is that in the Plink case you can see a chain of
Plinks spawning each other in Task Manager or ps,
whereas with the newer system the confusion is all within one
process.)
This confusion is avoided if you make a dedicated saved session for
connecting to host bar, and enter the details of proxy
host foo in that session, rather than in
Default Settings. Then the connection to foo uses a
separate configuration (either Default Settings or another dedicated
saved session) which doesn't mention using a proxy server at all, so
the recursion stops after one level, which is what you wanted. But
it should be a matter of personal preference which of these
configuration structures you use. So it's still a bad thing to have
this footgun in the Default Settings method.
The proxy configuration is also consulted for other kinds of subsidiary connection. In particular, outgoing connections made as part of port forwarding or X11 forwarding are subject to the proxy configuration. Again this might not be what a user wants (though it also might be).
It would be nice to have an option that avoided this problem. Similar to the existing configuration setting "Consider proxying local host connections", it could be called "Consider proxying subsidiary connections". Then, only the main connection (e.g. to the SSH server itself) would be proxied, and all other network connections made by that instance of PuTTY would be made directly.
(Perhaps, once the option existed, it could also be made the default. But changing defaults is a separate question; the first step is to provide the option at all.)
As part of work on connection-hook,
ccd3d3715f3d6ec8eb89b9fbd20f743a00551269
introduced an internal function new_main_connection(),
which is called for the main connection of the process and not for
subsidiary connections. In that context, its purpose is to run the
pre-connection command (e.g. a port knocker). But now that the code
distinguishes main from subsidiary connections, perhaps that could
also be used to inhibit proxying for the latter?
However, I've marked this entry as "tricky" because it's not quite as simple as that. Currently, any SSH connection qualifies as "main" for this purpose – even if it's an SSH connection being used as a proxy. So if I implemented the feature in the way that seems obvious from the above description, it would prevent accidental recursive use of any other kind of proxy, such as SOCKS or HTTP, but an SSH proxy would still be capable of recursing.
For the newer in-process SSH proxy system, that could be fixed by
some extra data plumbing: PuTTY knows whether a given SSH connection
is being made because of a need to proxy something else, and it
could pass through a flag saying "don't
call new_main_connection for this one". But that leaves
two more problems:
So there's still some design work to be done before this becomes just a matter of programming.