18

There are tons of identical solutions over the internet for defining a proxy tunnel for git's downloads like this one, all of which work by setting git's https.proxy & http.proxy config. But those answers do not work when you try to clone/push/pull etc. over the ssh protocol!

For example, after setting git config --global https.proxy socks5://127.0.0.1:9999, when you try to clone with git clone [email protected]:user/repo.git it does not go through the defined socks5 tunnel!

I've tried various things but none worked!

Question:

How to set git to use a local socks5 proxy (e.g. 127.0.0.1:9999) when it uses ssh connections?

5 Answers

38

There are 2 ways to clone with git: HTTP and ssh. There are 2 common types of proxy: HTTP and socks.

Here are the methods for dealing with the 2 * 2 combinations:

# Method 1. git http + proxy http
git config --global http.proxy "http://127.0.0.1:1080"
git config --global https.proxy "http://127.0.0.1:1080"

# Method 2. git http + proxy socks
git config --global http.proxy "socks5://127.0.0.1:1080"
git config --global https.proxy "socks5://127.0.0.1:1080"

# to unset
git config --global --unset http.proxy
git config --global --unset https.proxy

# Method 3. git ssh + proxy http
vim ~/.ssh/config
Host github.com
    HostName github.com
    User git
    ProxyCommand socat - PROXY:127.0.0.1:%h:%p,proxyport=1087

# Method 4. git ssh + proxy socks
vim ~/.ssh/config
Host github.com
    HostName github.com
    User git
    ProxyCommand nc -v -x 127.0.0.1:1080 %h %p

5 Comments

I know this because it's necessary for Chinese guys, hh. notion.so/…
Use Method 4 succeeded!
For method 3 & method 4, do NOT change the 'Host github.com' part or you will lose 10 mins to debug as I did.
You can't do method 4 if your proxy requires authentication, but you can use ncat as follows: ProxyCommand ncat --proxy <proxy>:<port> --proxy-type socks5 --proxy-auth <user>:<pass> %h %p
For all Windows platform guys: use ProxyCommand connect -S localhost:1081 %h %p instead.
15

After visiting so many pages, I finally found the solution to my question:

# [step 1] create a ssh-proxy
  ssh -D 9999 -qCN [email protected]

# [step 2] make git connect through the ssh-proxy
  # [current script only]
  export GIT_SSH_COMMAND='ssh -o ProxyCommand="connect -S 127.0.0.1:9999 %h %p"'
  # OR [git global setting] 
  git config --global core.sshCommand 'ssh -o ProxyCommand="connect -S 127.0.0.1:9999 %h %p"'
  # OR [one-time only use]
  git clone -c core.sshCommand='ssh -o ProxyCommand="connect -S 127.0.0.1:9999 %h %p"' [email protected]:user/repo.git
  # OR [current repository use only]
  git config core.sshCommand 'ssh -o ProxyCommand="connect -S 127.0.0.1:9999 %h %p"'

To install connect on Ubuntu:

sudo apt install connect-proxy

3 Comments

It says kex_exchange_identification: Connection closed by remote host. Connection closed by UNKNOWN port 65535
Verify that you can actually connect to the server through a normal ssh.
This is the only solution that worked for me, had to install the connect package on arch linux and set this ProxyCommand directly in the .ssh/config for the domain I needed it for. For some reason, my nc does not work like nc on other distros...
9

The previous answers may work but I find them overly complex.

The most common case should be to access a corporate git server over a SOCKS5 proxy. In this example:

  • Git server: git.evilcorp.com
  • SOCKS5 proxy: localhost:11080

The easiest way to configure git in this case is to have a nice SSH config for the git server (~/.ssh/config):

Host git.evilcorp.com
  # IdentityFile specifies which SSH key is used to access the git server.
  IdentityFile ~/.ssh/id_rsa
  # ProxyCommand does the magic to access the proxy server.
  ProxyCommand /bin/nc -X 5 -x 127.0.0.1:11080 %h %p

Cool detail: The DNS resolution is done by the proxy, so your machine doesn't need to know about the corp DNS servers.

Comments

5

git's own git --config 'http.proxy=socks5://127.0.0.1:4444' or ssh_config's proxycommand using socat and nc techniques successfully reroute git commands over the SOCKS proxy.

The problem could be, however, that the DNS lookup fails due to the lookup being done locally rather than remotely over the SOCKS proxy. For example, in the case of an intranet, the servers may not have domain names on the internet (only known to intranet DNS).

There are two ways to solve this. The first one I've seen recommended several times, but it makes the ambitious assumption that you control the remote server.

  1. Reroute local 53 traffic (DNS) to port X, forward that to the server at port Y, forward port Y to 53 on the server. Usually X=Y for simplicity.

  2. Intercept local system calls that retrieve ip addresses for names.

I would argue that 2. is better, because it catches the problem at the source and only assumes that you control your local machine, which is a more likely case than controlling the remote server.

proxychains-ng intercepts the getaddrinfo system call before it accesses your local nss.

Steps

Open a SOCKS5 port

ssh -v -NT -D 127.0.0.1:4444 intranethost

Set up proxychains to use that port.

~/.proxychains/proxychains.conf

strict_chain
proxy_dns
tcp_read_time_out 150000
tcp_connect_time_out 80000

[ProxyList]
socks5 127.0.0.1 4444

Use proxychains to encapsulate git.

alias gitproxy='proxychains git'
gitproxy clone intranethost:path/to/repo.git

The beauty of taking this route is that this is all transparent to git and its remotes.

3 Comments

On the proxy the DNS server 4.2.2.2 is used by default. To work around this, use the following alias: alias gitproxy='PROXYRESOLV_DNS=$IP_OF_YOUR_DNS_SERVER proxychains git'
If DNS is the problem, just use socks5h to use remote dns resolution: git --config 'http.proxy=socks5h://127.0.0.1:4444'
@PhillyTheThrilly Nice one. I did not know about socks5h. Your comment seems like it should be an answer.
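
The local-versus-remote DNS difference discussed in the answer and the socks5h comment comes down to the address-type byte of the SOCKS5 CONNECT request (RFC 1928). The sketch below is an added example, not code from any of the posts; the host name, the 10.20.30.40 address and the stand-in local resolver are constructed so it runs offline.

```python
import ipaddress
import struct

# Constructed sample data: an intranet-only name and a stand-in for the local resolver.
LOCAL_DNS = {"git.intranet.example": "10.20.30.40"}
ATYP = {1: "ipv4", 3: "domain", 4: "ipv6"}

def as_ip(host):
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def build_connect(host, port, remote_dns, resolve=LOCAL_DNS.get):
    """Build a SOCKS5 CONNECT request; returns (request_bytes, names_looked_up_locally)."""
    looked_up = []
    addr = as_ip(host)
    if addr is None and not remote_dns:
        # socks5:// style: the client resolves first, so the name reaches local DNS.
        looked_up.append(host)
        answer = resolve(host)
        if answer is None:
            raise LookupError(f"local resolver does not know {host}")
        addr = ipaddress.ip_address(answer)
    if addr is None:
        # socks5h:// style: ATYP 0x03, the proxy resolves the name on its side.
        name = host.encode("ascii")
        if not 0 < len(name) < 256:
            raise ValueError("host name must be 1..255 bytes")
        dst = b"\x03" + bytes([len(name)]) + name
    else:
        dst = (b"\x01" if addr.version == 4 else b"\x04") + addr.packed
    # VER=5, CMD=1 (CONNECT), RSV=0, then ATYP + address + port (network order)
    return b"\x05\x01\x00" + dst + struct.pack("!H", port), looked_up

def parse_connect(req):
    """Decode the request as the proxy sees it: (address type, destination, port)."""
    if len(req) < 7 or req[:3] != b"\x05\x01\x00":
        raise ValueError("not a SOCKS5 CONNECT request")
    kind = ATYP.get(req[3])
    if kind == "domain":
        end = 5 + req[4]
        dest = req[5:end].decode("ascii")
    elif kind in ("ipv4", "ipv6"):
        end = 4 + (4 if kind == "ipv4" else 16)
        dest = str(ipaddress.ip_address(req[4:end]))
    else:
        raise ValueError("unknown address type")
    return kind, dest, struct.unpack("!H", req[end:end + 2])[0]
```

With remote_dns=False the intranet name appears in the local lookup list and the proxy only ever sees an IP; with remote_dns=True nothing is resolved locally and the name travels inside the tunnel.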
2

You need to define the GIT_SSH_COMMAND environment variable first

In it, you can redefine the ssh command, in order to use your socks proxy setting

ssh -D $port_number $hostname
# or
ssh -D $port_number $username@$hostname

Or using a proxycommand nc (or ncat on Windows)

The point is: once ssh is working with your socks5 proxy, you can define the same syntax in GIT_SSH_COMMAND, and Git will use the right ssh command.

You can also test it with a local configuration:

git -c core.sshCommand='ssh -D 9998 [email protected]' pull
git -c core.sshCommand='ssh -D 9999 127.0.0.1' pull

Git 2.46 (Q3 2024), rc0 batch 2 adds on the topic:

See commit 70405ac, commit 804ecbc, commit c98f78b, commit 2101341 (09 Jul 2024) by brian m. carlson (bk2204).
(Merged by Junio C Hamano -- gitster -- in commit d6c8636, 16 Jul 2024)

gitfaq: add documentation on proxies

Signed-off-by: brian m. carlson

Many corporate environments and local systems have proxies in use.
Note the situations in which proxies can be used and how to configure them.
At the same time, note what standards a proxy must follow to work with Git.
Explicitly call out certain classes that are known to routinely have problems reported various places online, including in the Git for Windows issue tracker and on Stack Overflow, and recommend against the use of such software, noting that they are associated with myriad security problems (including, for example, breaking sandboxing and image integrity (chromium issue 40285192), and, for TLS middleboxes, the use of insecure protocols and ciphers and lack of certificate verification (PDF)).
Don't mention the specific nature of these security problems in the FAQ entry because they are extremely numerous and varied and we wish to keep the FAQ entry relatively brief.

gitfaq now includes in its man page:

Can I use a proxy with Git?

Yes, Git supports the use of proxies. Git honors the standard http_proxy, https_proxy, and no_proxy environment variables commonly used on Unix, and it also can be configured with http.proxy and similar options for HTTPS (see git config).
The http.proxy and related options can be customized on a per-URL pattern basis.
In addition, Git can in theory function normally with transparent proxies that exist on the network.

For SSH, Git can support a proxy using OpenSSH's ProxyCommand. Commonly used tools include netcat and socat. However, they must be configured not to exit when seeing EOF on standard input, which usually means that netcat will require -q and socat will require a timeout with something like -t 10.
This is required because the way the Git SSH server knows that no more requests will be made is an EOF on standard input, but when that happens, the server may not have yet processed the final request, so dropping the connection at that point would interrupt that request.

An example configuration entry in ~/.ssh/config with an HTTP proxy might look like this:

Host git.example.org
User git
ProxyCommand socat -t 10 - PROXY:proxy.example.org:%h:%p,proxyport=8080

Note that in all cases, for Git to work properly, the proxy must be completely transparent.
The proxy cannot modify, tamper with, or buffer the connection in any way, or Git will almost certainly fail to work.

Note that many proxies, including many TLS middleboxes, Windows antivirus and firewall programs other than Windows Defender and Windows Firewall, and filtering proxies fail to meet this standard, and as a result end up breaking Git.
Because of the many reports of problems and their poor security history, we recommend against the use of these classes of software and devices.
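
A small check for the EOF requirement in the gitfaq text above: it scans an ssh_config for ProxyCommand lines that call nc/netcat without -q or socat without -t. This is an added example, not code from the answer or from Git; the sample config is constructed from ProxyCommand lines on this page, legacy.example.org is a placeholder, and netcat variants differ in whether they accept -q, so a finding is a prompt to check your tool's manual.

```python
import os
import re
import shlex

# Constructed sample ~/.ssh/config; legacy.example.org is a placeholder host.
SAMPLE_CONFIG = """\
Host github.com
    User git
    ProxyCommand nc -v -x 127.0.0.1:1080 %h %p

Host git.example.org
    User git
    ProxyCommand socat -t 10 - PROXY:proxy.example.org:%h:%p,proxyport=8080

Host legacy.example.org
    ProxyCommand socat - PROXY:127.0.0.1:%h:%p,proxyport=1087
"""

# Option the gitfaq text names for each tool so it does not exit on stdin EOF.
EOF_OPTION = {"nc": "-q", "netcat": "-q", "socat": "-t"}

def proxy_commands(config_text):
    """Yield (host_patterns, argv) for every ProxyCommand in an ssh_config text."""
    hosts = ["*"]  # options before the first Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config separates keyword and value with whitespace or "="
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1]
        if keyword == "host":
            hosts = value.split()
        elif keyword == "proxycommand":
            yield hosts, shlex.split(value)

def missing_eof_option(config_text):
    """Return (host, tool, option) for each ProxyCommand lacking the gitfaq option."""
    findings = []
    for hosts, argv in proxy_commands(config_text):
        tool = os.path.basename(argv[0])
        option = EOF_OPTION.get(tool)
        if option and not any(arg.startswith(option) for arg in argv[1:]):
            findings.extend((host, tool, option) for host in hosts)
    return findings
```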

8 Comments

Thanks for the answer, I couldn't come up with your solution. Let's say I have host and user to set up my socks5 proxy with ssh -D 9999 -C -N [email protected]; with your instructions I have tried the following: GIT_SSH_COMMAND='ssh -D 9998 [email protected]' git pull (with no proxy tunnel running in the system) and GIT_SSH_COMMAND='ssh -D 9999 127.0.0.1' git pull (when a proxy is running at port: 9999 at localhost); none was successful. Maybe I'm doing it wrong, can you be kind enough to write a copy & paste solution? [The connection with none of the above approaches got through the proxy!]
What is your OS, OS version, shell, shell version, Git version?
Os: Ubuntu 18.04 shell: GNU bash, version 4.4.20 git: 2.23.0
@dariush Does your ssh work through the proxy, without using Git?
just updated my comment, mistakenly press Enter for new-line and it submitted the comment