Curl
curl has native SOCKS5 proxy support and certificate trust flags, so no extra tooling is needed to route requests through the SSH tunnel.
Use socks5h:// (not socks5://). The trailing h tells curl to resolve DNS through the proxy rather than locally, which prevents DNS leaks for internal hostnames.
Basic Usage
Start your SSH SOCKS tunnel first.
ssh -N example-network
Pass the proxy with every request.
curl --proxy socks5h://127.0.0.1:3456 https://internal.example.com
Self-Signed and Internal CA Certificates
Internal environments often serve TLS certificates signed by a private CA that curl does not trust by default. Pass the CA certificate bundle with --cacert.
curl --proxy socks5h://127.0.0.1:3456 \
--cacert /path/to/internal-ca.crt \
https://internal.example.com
If you have multiple CA files, concatenate them into a single bundle first.
cat corp-root.crt intermediate.crt > bundle.crt
curl --proxy socks5h://127.0.0.1:3456 --cacert bundle.crt https://internal.example.com
Do not use -k / --insecure as a shortcut. It silently disables all certificate validation and masks real connectivity or certificate problems.
Environment Variables
To avoid repeating flags on every command, export these in your shell profile or session.
export ALL_PROXY=socks5h://127.0.0.1:3456
export CURL_CA_BUNDLE=/path/to/internal-ca.crt
curl picks both up automatically, so plain invocations route through the tunnel with the correct CA trust.
curl https://internal.example.com
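A preflight for the environment set up above, as an added example (not code from this page or from curl; the function names are hypothetical). Beyond the two exported variables it also checks lowercase all_proxy, which curl reads with precedence over ALL_PROXY, and a curl config file (default ~/.curlrc) for a stray insecure line.

```shell
#!/bin/sh
# Added example: preflight for the ALL_PROXY / CURL_CA_BUNDLE setup.
# Function names are hypothetical helpers, not part of curl.

# 0 = proxy resolves DNS (socks5h), 1 = local DNS (socks5), 2 = anything else
proxy_scheme_ok() {
    case "$1" in
        socks5h://*) return 0 ;;
        socks5://*)  return 1 ;;
        *)           return 2 ;;
    esac
}

# Print how many PEM certificate blocks a bundle contains (0 if unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True if a curl config file turns validation off with a standalone
# -k / --insecure / insecure line.
curlrc_insecure() {
    [ -r "$1" ] && grep -q -E -e '^[[:space:]]*(-k|--insecure|insecure)([[:space:]]|$)' "$1"
}

# Check the current environment; prints findings, returns 0 only if all pass.
# Optional argument: path of the curl config file to inspect.
preflight() (
    rc=0 st=0
    # curl also reads lowercase all_proxy, and it takes precedence.
    proxy_scheme_ok "${all_proxy:-${ALL_PROXY:-}}" || st=$?
    case $st in
        0) echo "ok:   proxy scheme is socks5h (DNS via tunnel)" ;;
        1) echo "FAIL: socks5:// resolves names locally; use socks5h://"; rc=1 ;;
        *) echo "FAIL: ALL_PROXY unset or not a SOCKS5 URL"; rc=1 ;;
    esac
    n=$(count_pem_certs "${CURL_CA_BUNDLE:-}")
    if [ "$n" -gt 0 ]; then
        echo "ok:   CA bundle has $n certificate(s)"
    else
        echo "FAIL: CURL_CA_BUNDLE unset, unreadable, or has no PEM certs"; rc=1
    fi
    if curlrc_insecure "${1:-$HOME/.curlrc}"; then
        echo "FAIL: curl config disables certificate validation"; rc=1
    fi
    exit "$rc"
)
```

Source the file and run preflight before the first request of a session; a non-zero status means at least one check failed.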
Notes
- Prefer --cacert over -k. If the cert is genuinely untrusted, obtain the CA file from your network or security team and trust it explicitly.
- socks5h:// is required for internal hostnames: socks5:// resolves DNS locally first and will fail for names that only exist inside the network.
- For tools that do not support proxy flags natively (e.g. git, ssh, package managers), use Proxychains instead.