Add proxy support

Signed-off-by: Bryan Frimin <bryan@getprobo.com>

Author: gearnode

CHANGELOG.md

@@ -8,6 +8,15 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+### Added
+
+- Add `--proxy` flag for explicit proxy configuration (supports HTTP, HTTPS,
+  and SOCKS5 schemes). Useful for routing traffic through TOR
+  (e.g. `socks5://127.0.0.1:9050`).
+- Add `proxy` configuration option in config file (both top-level and per-bin).
+- Proxy resolution priority: `--proxy` flag > config file > environment
+  variables (`HTTP_PROXY`, `HTTPS_PROXY`, `ALL_PROXY`).
+
 ## [2.1.1] - 2025-09-08
 
 ### Fixed

README.md

@@ -92,6 +92,10 @@ Display a paste:
 
     privatebin show https://privatebin.net/?420fc9597328c72f#EezApNVTTRUuEkt1jj7r9vSfewLBvUohDSXWuvPEs1bF
 
+Create a paste through a SOCKS5 proxy (e.g. TOR):
+
+    cat resume.txt | privatebin --proxy socks5://127.0.0.1:9050 create
+
 ## Documentation
 
 For detailed information on all CLI commands and features, check out

client.go

@@ -52,6 +52,7 @@ type (
 		customHTTPHeaderFields map[string]string
 		userAgent              string
 		tlsConfig              *tls.Config
+		proxyURL               *url.URL
 	}
 
 	Option func(c *Client)
@@ -173,6 +174,12 @@ func WithTLSConfig(tlsConfig *tls.Config) Option {
 	}
 }
 
+func WithProxyURL(proxyURL url.URL) Option {
+	return func(c *Client) {
+		c.proxyURL = &proxyURL
+	}
+}
+
 func NewClient(endpoint url.URL, options ...Option) *Client {
 	client := &Client{
 		endpoint:               endpoint,
@@ -183,7 +190,7 @@ func NewClient(endpoint url.URL, options ...Option) *Client {
 		option(client)
 	}
 
-	client.httpClient = defaultPooledClient(client.tlsConfig)
+	client.httpClient = defaultPooledClient(client.tlsConfig, client.proxyURL)
 
 	return client
 }

cmd/privatebin/cfg.go

@@ -37,6 +37,7 @@ type (
 		GZip              *bool             `json:"gzip"`
 		SkipTLSVerify     *bool             `json:"skip-tls-verify"`
 		Formatter         string            `json:"formatter"`
+		Proxy             string            `json:"proxy"`
 		ExtraHeaderFields map[string]string `json:"extra-header-fields"`
 	}
 
@@ -48,6 +49,7 @@ type (
 		GZip              bool              `json:"gzip"`
 		SkipTLSVerify     bool              `json:"skip-tls-verify"`
 		Formatter         string            `json:"formatter"`
+		Proxy             string            `json:"proxy"`
 		ExtraHeaderFields map[string]string `json:"extra-header-fields"`
 	}
 )
@@ -112,6 +114,10 @@ func loadCfgFile(path string) (*Cfg, error) {
 			binCfg.SkipTLSVerify = &cfg.SkipTLSVerify
 		}
 
+		if binCfg.Proxy == "" {
+			binCfg.Proxy = cfg.Proxy
+		}
+
 		if binCfg.ExtraHeaderFields == nil {
 			binCfg.ExtraHeaderFields = cfg.ExtraHeaderFields
 		}

cmd/privatebin/main.go

@@ -62,6 +62,7 @@ var (
 	insecure      bool
 	confirmBurn   bool
 	skipTLSVerify bool
+	proxy         string
 
 	rootCmd = &cobra.Command{
 		Use:     "privatebin",
@@ -136,6 +137,23 @@ var (
 				)
 			}
 
+			proxyAddr := binCfg.Proxy
+			if proxy != "" {
+				proxyAddr = proxy
+			}
+
+			if proxyAddr != "" {
+				proxyURL, err := url.Parse(proxyAddr)
+				if err != nil {
+					return fmt.Errorf("cannot parse proxy url %q: %w", proxyAddr, err)
+				}
+
+				clientOptions = append(
+					clientOptions,
+					privatebin.WithProxyURL(*proxyURL),
+				)
+			}
+
 			host, err := url.Parse(binCfg.Host)
 			if err != nil {
 				return fmt.Errorf("cannot parse %q bin %q host: %w", binCfg.Name, binCfg.Host, err)
@@ -306,6 +324,7 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&cfgPath, "config", "c", "", "the config file (default is $HOME/.config/privatebin/config.json)")
 	rootCmd.PersistentFlags().StringVarP(&binName, "bin", "b", "", "the name of the privatebin instance to use (default \"\")")
 	rootCmd.PersistentFlags().StringSliceVarP(&extraHeaderFields, "header", "H", []string{}, "extra HTTP header fields to include in the request sent")
+	rootCmd.PersistentFlags().StringVar(&proxy, "proxy", "", "proxy URL to use for requests (e.g. socks5://127.0.0.1:9050 for TOR)")
 
 	createCmd.Flags().StringVar(&expire, "expire", "", "the time to live of the paste")
 	createCmd.Flags().BoolVar(&openDiscussion, "open-discussion", false, "enable discussion on the paste")

doc/privatebin.1.md

@@ -11,7 +11,8 @@ section: 1
 # SYNOPSIS
 **privatebin** [-h | -\-help] [-v | -\-version] [-\-bin=\<name\>]\
 \ \ \ \ \ \ \ \ \ \ \ [-\-config=\<filename\>] [-\-header=\<key=value\>]\
-\ \ \ \ \ \ \ \ \ \ \ [-\-output=\<format\>] \<command\> [\<args\>]
+\ \ \ \ \ \ \ \ \ \ \ [-\-output=\<format\>] [-\-proxy=\<url\>]\
+\ \ \ \ \ \ \ \ \ \ \ \<command\> [\<args\>]
 
 # DESCRIPTION
 A minimalist, open source command line interface for **PrivateBin**
@@ -37,6 +38,12 @@ instances.
 **-o, -\-output** \<format\>
 : The output format can be \"\" or \"json\" (default \"\").
 
+**-\-proxy** \<url\>
+: Proxy URL to use for requests. Supports HTTP, HTTPS, and SOCKS5
+  schemes (e.g. socks5://127.0.0.1:9050 for TOR). This flag overrides
+  the proxy value from the configuration file and the **HTTP_PROXY**,
+  **HTTPS_PROXY**, and **ALL_PROXY** environment variables.
+
 # COMMANDS
 
 **privatebin-create(1)**
@@ -54,6 +61,20 @@ Create a paste on the default privatebin instance:
 
     $ cat example.txt | privatebin create
 
+Create a paste through a SOCKS5 proxy (e.g. TOR):
+
+    $ cat example.txt | privatebin --proxy socks5://127.0.0.1:9050 create
+
+# ENVIRONMENT
+
+**HTTP_PROXY**, **HTTPS_PROXY**, **ALL_PROXY**
+: When no **-\-proxy** flag is provided and no **proxy** configuration
+  value is set, the standard proxy environment variables are honored.
+
+**NO_PROXY**
+: A comma-separated list of host names or IP addresses for which the
+  proxy should not be used.
+
 # SEE ALSO
 **privatebin.conf**(5)
 

doc/privatebin.conf.5.md

@@ -37,6 +37,12 @@ instance configured in the **config.json**.
 **skip-tls-verify** _bool_ (default: false)
 : Skip TLS certificate verification when connecting to the privatebin instance.
 
+**proxy** _string_
+: Proxy URL to use for all requests. Supports HTTP, HTTPS, and SOCKS5
+  schemes (e.g. "socks5://127.0.0.1:9050" for TOR). When set, overrides
+  the **HTTP_PROXY**, **HTTPS_PROXY**, and **ALL_PROXY** environment
+  variables. Can be overridden per-bin or by the **-\-proxy** CLI flag.
+
 **extra-header-fields** _object<string, string>_
 : The extra HTTP header fields to include in the request sent.
 
@@ -72,6 +78,12 @@ instance configured in the **config.json**.
 **skip-tls-verify** _bool_
 : Skip TLS certificate verification when connecting to the privatebin instance.
 
+**proxy** _string_
+: Proxy URL to use for requests to this bin instance. Supports HTTP,
+  HTTPS, and SOCKS5 schemes. Overrides the top-level **proxy** value
+  and the proxy environment variables. Can be overridden by the
+  **-\-proxy** CLI flag.
+
 **extra-header-fields** _object<string, string>_
 : The extra HTTP header fields to include in the request sent.
 
@@ -121,6 +133,18 @@ A bit more complete configuration file:
         "burn-after-reading": true
     }
 
+Configuration using a SOCKS5 proxy (e.g. TOR):
+
+    {
+        "proxy": "socks5://127.0.0.1:9050",
+        "bin": [
+            {
+                "name": "",
+                "host": "https://privatebin.net"
+            }
+        ]
+    }
+
 # FILES
 
 _~/.config/privatebin/config.json_

utils.go

@@ -20,6 +20,7 @@ import (
 	"encoding/base64"
 	"net"
 	"net/http"
+	"net/url"
 	"runtime"
 	"time"
 )
@@ -52,15 +53,20 @@ func decode64(s string) ([]byte, error) {
 	return base64.RawStdEncoding.DecodeString(s)
 }
 
-func defaultPooledClient(tlsConfig *tls.Config) *http.Client {
+func defaultPooledClient(tlsConfig *tls.Config, proxyURL *url.URL) *http.Client {
 	dial := &net.Dialer{
 		Timeout:   30 * time.Second,
 		KeepAlive: 30 * time.Second,
 		DualStack: true,
 	}
 
+	proxyFunc := http.ProxyFromEnvironment
+	if proxyURL != nil {
+		proxyFunc = http.ProxyURL(proxyURL)
+	}
+
 	transport := &http.Transport{
-		Proxy:                 http.ProxyFromEnvironment,
+		Proxy:                 proxyFunc,
 		DialContext:           dial.DialContext,
 		MaxIdleConns:          100,
 		IdleConnTimeout:       90 * time.Second,