
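macbook | Using a proxy from the command line (curl, etc.)

Even if you have configured a proxy, commands run from the command line do not go through it.

Sometimes, though, we need command-line tools to go through the proxy, and that is where proxychains comes in.

ps: In the end this apparently failed. The proxy looks usable on the surface, but no data comes back at all!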


Environment


  • macbook 10.14
  • Proxy: shadowsocks

Installation


brew install proxychains-ng

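Configuration file


proxychains looks for its configuration file in this order: ./proxychains.conf in the current directory, then $HOME/.proxychains/proxychains.conf, and finally /etc/proxychains.conf in the system directory.

However, installing with brew does not create a configuration file under $HOME, so we can create one ourselves.
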
mkdir ~/.proxychains
vim ~/.proxychains/proxychains.conf

Contents:

# proxychains.conf  VER 4.x
#
# HTTP, SOCKS4a, SOCKS5 tunneling proxifier with DNS.


# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
#strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#round_robin_chain
#
# Round Robin - Each connection will be done via chained proxies
# of chain_len length
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped).
# the start of the current proxy chain is the proxy after the last
# proxy in the previously invoked proxy chain.
# if the end of the proxy chain is reached while looking for proxies
# start at the beginning again.
# otherwise EINTR is returned to the app
# These semantics are not guaranteed in a multithreaded environment.
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)

# Make sense only if random_chain or round_robin_chain
#chain_len = 2

# Quiet mode (no output from library)
#quiet_mode

# Proxy DNS requests - no leak for DNS data
#proxy_dns

# set the class A subnet number to use for the internal remote DNS mapping
# we use the reserved 224.x.x.x range by default,
# if the proxified app does a DNS request, we will return an IP from that range.
# on further accesses to this ip we will send the saved DNS name to the proxy.
# in case some control-freak app checks the returned ip, and denies to
# connect, you can use another subnet, e.g. 10.x.x.x or 127.x.x.x.
# of course you should make sure that the proxified app does not need
# *real* access to this subnet.
# i.e. dont use the same subnet then in the localnet section
#remote_dns_subnet 127
#remote_dns_subnet 10
#remote_dns_subnet 224

# Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000

### Examples for localnet exclusion
## localnet ranges will *not* use a proxy to connect.
## Exclude connections to 192.168.1.0/24 with port 80
# localnet 192.168.1.0:80/255.255.255.0

## Exclude connections to 192.168.100.0/24
# localnet 192.168.100.0/255.255.255.0

## Exclude connections to ANYwhere with port 80
# localnet 0.0.0.0:80/0.0.0.0

## RFC5735 Loopback address range
## if you enable this, you have to make sure remote_dns_subnet is not 127
## you'll need to enable it if you want to use an application that
## connects to localhost.
# localnet 127.0.0.0/255.0.0.0

## RFC1918 Private Address Ranges
# localnet 10.0.0.0/255.0.0.0
# localnet 172.16.0.0/255.240.0.0
# localnet 192.168.0.0/255.255.0.0

# ProxyList format
# type ip port [user pass]
# (values separated by 'tab' or 'blank')
#
# only numeric ipv4 addresses are valid
#
#
# Examples:
#
# socks5 192.168.67.78 1080 lamer secret
# http 192.168.89.3 8080 justu hidden
# socks4 192.168.1.49 1080
# http 192.168.39.93 8080
#
#
# proxy types: http, socks4, socks5
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks5 0.0.0.0 1086

Some tutorials end the file with something like

socks5 127.0.0.1 6153
http 127.0.0.1 6152

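However, I could not get the proxy to work with entries written like the ones above. In particular, my setup has no http proxy.

After installation the command is named proxychains4, not proxychains.

Run which curl

If the output is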

/bin/curl

then when you run

proxychains4 curl www.google.com

you will get

socket error or timeout!

This is caused by Apple's SIP mechanism.


SIP mechanism


  • Mac OS X 10.11 (El Capitan) ships with a new security feature called SIP
    that prevents hooking of system apps.
    workarounds are to partially disable SIP by issuing
    csrutil enable --without debug in recovery mode,
    or to copy the system binary into the home directory and run it from there.
    see github issue #78 for details.

SIP is Apple's protection mechanism. According to Apple's official documentation, the following paths are protected:

/System
/usr (excluding /usr/local)
/bin
/sbin
Apps that are pre-installed with OS X

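macOS ships with various commands, such as curl and wget, which live under bin, so these paths are subject to SIP restrictions.


Solution


Many tutorials simply turn SIP off, but that has two drawbacks:

  • It requires a reboot, which I find a hassle
  • It is not secure

The idea behind the fix is actually very simple: just keep the command out of the protected paths. So there are two solutions.

Reinstall via brew

We can reinstall the commands above through brew, for example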

brew install curl

Since the path brew installs to can be in

Copy to another path

This is the option I use: copy those binaries to a path that is not protected.

If you run

which curl

you will see

/bin/curl

First, I add the following to my ~/.bash_profile

export PATH=/Users/$(whoami)/usr/bin:$PATH

For example, my username is licong, so I can create a /usr/bin directory under /Users/licong.

Copy curl to my bin path:

mkdir -p ~/usr/bin
cp "$(which curl)" ~/usr/bin/curl

Now, if you run which curl again, you will see

/Users/licong/usr/bin

So when you run

proxychains4 curl www.google.com

again, it works. On my machine I get

[proxychains] config file found: /Users/licong/.proxychains/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.14/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Dynamic chain  ...  0.0.0.0:1086  ...  31.13.95.33:80  ...  OK
curl: (52) Empty reply from server

Accessing google as above has problems, but accessing baidu works fine. Maybe google added some kind of restriction; I'll sort it out later if I remember.
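
As an added example (not from the original post), the following shell sketch runs the two checks this page turns on before invoking proxychains4: whether the target binary sits under a SIP-protected path, and whether proxy_dns is active in the first config file found. The function names, warning text and sample config are constructed for illustration; the search order and protected prefixes are the ones listed in the post.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for proxychains4.

# True if the path is under a SIP-protected prefix listed in the post
# (/usr/local is exempt). proxychains cannot hook binaries stored there.
is_sip_protected() {
    case "$1" in
        /usr/local/*) return 1 ;;
        /System/*|/usr/*|/bin/*|/sbin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first existing config file, using the search order from the post.
# Args: current dir, home dir, system config dir (/etc in the post).
find_conf() {
    for f in "$1/proxychains.conf" "$2/.proxychains/proxychains.conf" \
             "$3/proxychains.conf"; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# True if the directive ($2) appears uncommented at the start of a line in $1.
directive_enabled() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Print one warning per finding for a command path ($1) and a config file ($2).
audit() {
    if is_sip_protected "$1"; then
        echo "WARN: $1 is SIP-protected; proxychains cannot hook it"
    fi
    if ! directive_enabled "$2" proxy_dns; then
        echo "WARN: proxy_dns is off; hostnames are resolved locally (DNS leak)"
    fi
    return 0
}

# Constructed sample mirroring the post's config: proxy_dns left commented out.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/home/.proxychains"
printf '%s\n' 'dynamic_chain' '#proxy_dns' '[ProxyList]' 'socks5 0.0.0.0 1086' \
    > "$demo_dir/home/.proxychains/proxychains.conf"
conf=$(find_conf "$demo_dir/cwd" "$demo_dir/home" "$demo_dir/etc")
audit /usr/bin/curl "$conf"
```

In the log above, the chain connects to a numeric address (31.13.95.33:80) rather than a hostname, which is what local name resolution with proxy_dns commented out looks like.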
