curl

Send binary data to the server

curl -X PUT -H 'Content-Type: multipart/form-data' --form "avatar=@avatar.png;type=image/png" --user '<user>:<password>' 'https://teamcity.server.com/httpAuth/app/rest/avatars/username'

Dump headers, follow redirects, supply referrer header

curl -sSL -e 'source.site.com' -D - https://destination.site.com -o /dev/null

Curl authorization header

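curl --silent --insecure -H 'Authorization: Bearer <ACCESS_TOKEN>' https://example.org/api/json/status | jq --raw-output '.data.cpu'

--insecure disables TLS certificate verification, which exposes the bearer token to anyone who can intercept the connection; omit it when the server presents a valid certificate.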

HTTP authentication

curl -u 'user:password' https://nexus.example.com/service/rest/v1/blobstores

Check web traffic with redirections and host headers

curl -L -I example.com

Using HTTPS proxy with authentication

curl --proxy-anyauth -U "user:password" --proxy https://proxy.company.com:3126 https://ifconfig.me

Send SMTP email with authentication

echo "From: bogus@company.com
To: external@outlook.com
Subject: This is a test

This is body." | curl --insecure --verbose --ssl-reqd smtp://mailserver.company.com --mail-from username@company.com --mail-rcpt external@outlook.com --user 'username:password' --upload-file /dev/stdin

where:

  • From: bogus@company.com - message header from
  • To: external@outlook.com - message header to
  • smtp://mailserver.company.com - mail server that supports upgrading from clear-text to secure transfers
  • --mail-from username@company.com - envelope from
  • --mail-rcpt external@outlook.com - envelope to
  • --user 'username:password' - mail authentication

Golang download latest version

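# Latest release tag, taken from the first entry of the release list
GOVER=$(curl --silent 'https://go.dev/dl/?mode=json' | jq -r '.[0].version')
# Request the tarball over HTTPS explicitly; without a scheme curl starts with plain HTTP
curl -LO --silent "https://go.dev/dl/${GOVER}.linux-amd64.tar.gz"
tar -C /usr/local -xzf "${GOVER}.linux-amd64.tar.gz"
rm "${GOVER}.linux-amd64.tar.gz"
ln -s /usr/local/go/bin/go /usr/local/bin/go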
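
The download steps above with an integrity check added, as an example that is not part of the original page: the release JSON also lists a sha256 for each file, and the tarball is unpacked only if it matches. The function names are hypothetical, and jq and sha256sum are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.
# Assumes jq and sha256sum are installed.

# Read the go.dev release JSON on stdin and print "<filename> <sha256>" for
# the newest release's binary archive matching OS ($1) and ARCH ($2).
go_release_entry() {
    jq -r --arg os "$1" --arg arch "$2" '
        .[0].files[]
        | select(.os == $os and .arch == $arch and .kind == "archive")
        | "\(.filename) \(.sha256)"' | head -n 1
}

# Return 0 only if FILE ($1) hashes to EXPECTED ($2); 2 on a malformed digest.
verify_sha256() {
    # An empty or non-hex digest (failed lookup) must never count as a match.
    case $2 in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#2}" -eq 64 ] || return 2
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Download over HTTPS only, verify, and unpack into DEST only on a match.
install_latest_go() {
    dest=${1:-/usr/local}
    json=$(curl -fsS --proto '=https' 'https://go.dev/dl/?mode=json') || return 1
    entry=$(printf '%s' "$json" | go_release_entry linux amd64)
    name=${entry%% *}
    sum=${entry##* }
    if [ -z "$name" ]; then
        echo "no linux/amd64 archive in the release list" >&2
        return 1
    fi
    tmp=$(mktemp -d) || return 1
    curl -fsSL --proto '=https' --proto-redir '=https' \
        -o "$tmp/$name" "https://go.dev/dl/$name" || { rm -rf "$tmp"; return 1; }
    status=1
    if verify_sha256 "$tmp/$name" "$sum"; then
        tar -C "$dest" -xzf "$tmp/$name" && status=0
    else
        echo "SHA-256 mismatch for $name, not extracting" >&2
    fi
    rm -rf "$tmp"
    return "$status"
}
```

The digest and the tarball come from the same publisher, so the check catches a corrupted or substituted download, not a compromised release.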

TLS Encrypted Client Hello (ECH)

ECH encrypts the SNI (site name). It was introduced for TLS 1.3. It requires the DNS HTTPS resource record type and relies on DoH (DNS over HTTPS) for better security.

With ECH, the ClientHello message part is split into two separate messages: an inner part and an outer part. The outer part contains the non-sensitive information such as which ciphers to use and the TLS version and an “outer ClientHello”. The inner part is encrypted and contains an “inner ClientHello”.

The outer ClientHello contains a common name (SNI) that represents that a user is trying to visit an encrypted website on Cloudflare. We chose cloudflare-ech.com as the SNI that all websites will share on Cloudflare.

Check if website uses ECH:

  • https://dns.google/resolve?name=rutracker.org&type=HTTPS
  • dig +short https hidden.example.com
  • curl --http3 --ech true --doh-url https://1.0.0.1/dns-query https://www.cloudflare.com/cdn-cgi/trace # requires modified OpenSSL
  • curl --http3-only --ech grease --doh-url https://1.0.0.1/dns-query https://www.cloudflare.com/cdn-cgi/trace
  • curl --http3-only --curves X25519Kyber768Draft00 --ech true --doh-url https://1.1.1.1/dns-query https://cloudflare-ech.com/cdn-cgi/trace

If the returned HTTPS record contains "ech=", ECH is enabled.

GREASE ECH

Both Firefox and Chrome have ECH support with GREASE. In the ECH context, this means that when a website is not ECH-enabled (there’s no ECHConfig in the HTTPS DNS records for the site), a dummy ECH extension is generated and used in the TLS handshake, with the real site name visible in outer SNI.

In this case, the server tries to decrypt the ECH extension, fails, and falls back to the outer SNI (which is the actual real site name in the GREASE ECH).

https://wiki.mozilla.org/Security/Encrypted_Client_Hello
https://cujo.com/blog/set-up-ech-website/

curl timeout

curl --connect-timeout 5 --max-time 10 https://example.com