How to use ntpdate behind a proxy?
Solution 1
This seems like a clear case for tlsdate.
tlsdate: secure parasitic rdate replacement
tlsdate sets the local clock by securely connecting with TLS to remote
servers and extracting the remote time out of the secure handshake. Unlike
ntpdate, tlsdate uses TCP, for instance connecting to a remote HTTPS or TLS
enabled service, and provides some protection against adversaries that try
to feed you malicious time information.
I do not think i have ever seen so many recommendations to use unsanitized data from internet as an argument to a sudo invocation.
Github: https://github.com/ioerror/tlsdate
Solution 2
Expanding on the answer by carveone:
sudo date -s "$(wget -S "http://www.google.com/" 2>&1 | grep -E '^[[:space:]]*[dD]ate:' | sed 's/^[[:space:]]*[dD]ate:[[:space:]]*//' | head -1l | awk '{print $1, $3, $2, $5 ,"GMT", $4 }' | sed 's/,//')"
Solution 3
One Liner
Assuming environment variable http_proxy
is already set:
sudo date -s "$(curl -H'Cache-Control:no-cache' -sI google.com | grep '^Date:' | cut -d' ' -f3-6)Z"
we can verify the retrieved date/time first:
# local date/time
date -d "$(curl -HCache-Control:no-cache -sI google.com | grep '^Date:' | cut -d' ' -f3-6)Z"
# or UTC date/time
date -ud "$(curl -HCache-Control:no-cache -sI google.com | grep '^Date:' | cut -d' ' -f3-6)"
Notes
Just in case, certain options might be needed for curl
:
-
curl -x $proxy
to explicitly set the proxy server to use, when the
http_proxy
environment variable is not set, default to protocolhttp
and port1080
(manual). -
curl -H 'Cache-Control: no-cache'
to explicitly disable caching, especially when used in a cron job and/or behind a proxy server.
Alternate form tested with RHEL 6 that uses the '-u' option to date instead of appending the "Z" to the output:
sudo date -u --set="$(curl -H 'Cache-Control: no-cache' -sD - http://google.com |grep '^Date:' |cut -d' ' -f3-6)"
BTW, google.com
is preferred over www.google.com
, because the former results in a 301
redirect response, which is much smaller (569
vs 20k+
characters) but still good to use.
Solution 4
NTP service is using UDP protocol to sync the time. So HTTP/TCP proxy may not work for it. Alternative to accepted answer, there is a good htpdate tool to sync time behind proxy.
A cron job example:
* 3 * * * /usr/bin/htpdate -s -P <PROXY_HOST>:<PROXY__PORT> www.linux.org www.freebsd.org
Solution 5
If it is purely an HTTP proxy, it is using port 80, so the basic answer is no to that specifically. NTP uses UDP port 123. If it is a more generic proxy server, serving all ports, then maybe.
There are some programs out there that do NTP over HTTP. I do not use Linux, but this one might do it:
http://www.rkeene.org/oss/htp/ (still not sure if this will do authentication either).
I could not find one for Windows, but I will post back if I do.
Related videos on Youtube
Ton van den Heuvel
I studied computer science at the Eindhoven University of Technology in the Netherlands. My interest is primarily in performance related problems and algorithm design. I am C++ programmer by trade, with occasional diversions into C, Python, LISP, Haskell, and Rust for fun.
Updated on September 18, 2022Comments
-
Ton van den Heuvel over 1 year
Is it possible to use ntpdate behind an HTTP proxy with authentication? In case it is not possible, are there any good alternatives?
-
hicklypups almost 13 yearsAgain for Linux, so I cannot add much other than a link: mina86.com/2010/01/16/ntp-over-http There might also be something that one of these publishes: nist.gov/pml/div688/grp40/softwarelist.cfm
-
Ton van den Heuvel almost 13 yearsThe NTP over HTTP link is inspiring, thanks for that!
-
ryenus about 10 yearsCaveat, this would create file 'index.html*' in the current directory.
-
Hansi about 10 yearsNote that the short version should use www.google.com since google.com is redirecting to it via 301 now with the date "stuck"
-
SK23 about 10 yearsThanks for the tip, I got it even easier:
sudo date -s "$(curl -s http://www.timeapi.org/utc/now)"
You don't need to pay attention to the timezone if your OS is set correctly. Linux recognizes the timezone provided in the string and sets the system time appropriately. -
Hansi almost 10 yearsWhen I made the comment the response for that command returned a day four days out of date.
-
pabouk - Ukraine stay strong over 9 yearsYou should explain what is different in your solution in comparison to the answer by fiford_g.
-
huzeyfe over 9 years@ryenus This is a great answer. It works perfectly fine. However I have a problem when I put this command in a crontab job. Date's time part is made 00:00:00 whenever this job run. I tried to run in a shell script. Same result.
-
ryenus over 9 years@huzeyfe, would you please check if passing proxy to curl works?
-
ryenus over 9 years
sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
-
ryenus over 9 years^ above is the
wget
version, though I personally prefer usingcurl
. -
dfc over 9 yearsPassing unsanitized data from internet as a variable to a sudo invocation? Is it 1999?
-
dfc over 9 yearsyes, it works with proxies. I read the question too.
-
user3655103 about 9 yearszsh doesn't like the grep pattern without quotes around it; it results in
(23) Failed writing body
error. So when using zsh, usesudo date -s "$(curl -sD - google.com | grep '^Date:' | cut -d' ' -f3-6)Z"
instead. There is probably a ZSH configuration modifier that changes this behavior, but I don't know what it is. Also, since we're talking about behind a proxy use,google.com
seems to be cached by some proxies (being a 301 redirect) whilewww.google.com
, being the live page, gets reloaded every time (and so its timestamp is accurate). -
Pi Delport almost 9 yearsThis answer should really be at the top.
-
Hi-Angel almost 8 yearsI didn't manage to get it work — with every combination it prints errors about false tickers. wget answer below does work.
-
Alfabravo over 5 yearsHave been working it out on a Centos6.9 machine but no joy. This seems more healthy than other recommendations but it is not trivial to get it working...
-
Jay Taylor over 5 yearsFor a fully-working pre-baked implementation, see set_system_clock_from_google.sh.
-
artificerpi almost 5 yearsCheck my answer above.
-
wisbucky over 3 years
tlsdate
worked really well behind a proxy. But for Ubuntu, the only available package is for Xenial 16.04. It seems to be a dead project since the last commit was in 2015. As an alternative, tryhtpdate
superuser.com/questions/307158/… -
Skippy le Grand Gourou about 2 yearsIt also has a
-D
(daemon) option.