How to use ntpdate behind a proxy?

proxy ntp ntpdate

79,731

Solution 1

This seems like a clear case for tlsdate.

 tlsdate: secure parasitic rdate replacement

  tlsdate sets the local clock by securely connecting with TLS to remote
  servers and extracting the remote time out of the secure handshake. Unlike
  ntpdate, tlsdate uses TCP, for instance connecting to a remote HTTPS or TLS
  enabled service, and provides some protection against adversaries that try
  to feed you malicious time information.

I do not think i have ever seen so many recommendations to use unsanitized data from internet as an argument to a sudo invocation.

Github: https://github.com/ioerror/tlsdate

Solution 2

Expanding on the answer by carveone:

sudo date -s "$(wget -S  "http://www.google.com/" 2>&1 | grep -E '^[[:space:]]*[dD]ate:' | sed 's/^[[:space:]]*[dD]ate:[[:space:]]*//' | head -1l | awk '{print $1, $3, $2,  $5 ,"GMT", $4 }' | sed 's/,//')"

Solution 3

One Liner

Assuming environment variable http_proxy is already set:

sudo date -s "$(curl -H'Cache-Control:no-cache' -sI google.com | grep '^Date:' | cut -d' ' -f3-6)Z"

we can verify the retrieved date/time first:

# local  date/time
date -d "$(curl -HCache-Control:no-cache -sI google.com | grep '^Date:' | cut -d' ' -f3-6)Z"

# or UTC date/time
date -ud "$(curl -HCache-Control:no-cache -sI google.com | grep '^Date:' | cut -d' ' -f3-6)"

Notes

Just in case, certain options might be needed for curl:

curl -x $proxy

to explicitly set the proxy server to use, when the http_proxy environment variable is not set, default to protocol http and port 1080 (manual).
curl -H 'Cache-Control: no-cache'

to explicitly disable caching, especially when used in a cron job and/or behind a proxy server.

Alternate form tested with RHEL 6 that uses the '-u' option to date instead of appending the "Z" to the output:

sudo date -u --set="$(curl -H 'Cache-Control: no-cache' -sD - http://google.com |grep '^Date:' |cut -d' ' -f3-6)"

BTW, google.com is preferred over www.google.com, because the former results in a 301 redirect response, which is much smaller (569 vs 20k+ characters) but still good to use.

Solution 4

NTP service is using UDP protocol to sync the time. So HTTP/TCP proxy may not work for it. Alternative to accepted answer, there is a good htpdate tool to sync time behind proxy.

A cron job example:

* 3 * * * /usr/bin/htpdate -s -P <PROXY_HOST>:<PROXY__PORT> www.linux.org www.freebsd.org

Solution 5

If it is purely an HTTP proxy, it is using port 80, so the basic answer is no to that specifically. NTP uses UDP port 123. If it is a more generic proxy server, serving all ports, then maybe.

There are some programs out there that do NTP over HTTP. I do not use Linux, but this one might do it:

http://www.rkeene.org/oss/htp/ (still not sure if this will do authentication either).

I could not find one for Windows, but I will post back if I do.

View more solutions

79,731

Ton van den Heuvel

I studied computer science at the Eindhoven University of Technology in the Netherlands. My interest is primarily in performance related problems and algorithm design. I am C++ programmer by trade, with occasional diversions into C, Python, LISP, Haskell, and Rust for fun.

Updated on September 18, 2022

Comments

Ton van den Heuvel over 1 year

Is it possible to use ntpdate behind an HTTP proxy with authentication? In case it is not possible, are there any good alternatives?
hicklypups almost 13 years

Again for Linux, so I cannot add much other than a link: mina86.com/2010/01/16/ntp-over-http There might also be something that one of these publishes: nist.gov/pml/div688/grp40/softwarelist.cfm
Ton van den Heuvel almost 13 years

The NTP over HTTP link is inspiring, thanks for that!
ryenus about 10 years

Caveat, this would create file 'index.html*' in the current directory.
Hansi about 10 years

Note that the short version should use www.google.com since google.com is redirecting to it via 301 now with the date "stuck"
SK23 about 10 years

Thanks for the tip, I got it even easier: sudo date -s "$(curl -s http://www.timeapi.org/utc/now)" You don't need to pay attention to the timezone if your OS is set correctly. Linux recognizes the timezone provided in the string and sets the system time appropriately.
Hansi almost 10 years

When I made the comment the response for that command returned a day four days out of date.
pabouk - Ukraine stay strong over 9 years

You should explain what is different in your solution in comparison to the answer by fiford_g.
huzeyfe over 9 years

@ryenus This is a great answer. It works perfectly fine. However I have a problem when I put this command in a crontab job. Date's time part is made 00:00:00 whenever this job run. I tried to run in a shell script. Same result.
ryenus over 9 years

@huzeyfe, would you please check if passing proxy to curl works?
ryenus over 9 years

sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
ryenus over 9 years

^ above is the wget version, though I personally prefer using curl.
dfc over 9 years

Passing unsanitized data from internet as a variable to a sudo invocation? Is it 1999?
dfc over 9 years

yes, it works with proxies. I read the question too.
user3655103 about 9 years

zsh doesn't like the grep pattern without quotes around it; it results in (23) Failed writing body error. So when using zsh, use sudo date -s "$(curl -sD - google.com | grep '^Date:' | cut -d' ' -f3-6)Z" instead. There is probably a ZSH configuration modifier that changes this behavior, but I don't know what it is. Also, since we're talking about behind a proxy use, google.com seems to be cached by some proxies (being a 301 redirect) while www.google.com, being the live page, gets reloaded every time (and so its timestamp is accurate).
Pi Delport almost 9 years

This answer should really be at the top.
Hi-Angel almost 8 years

I didn't manage to get it work — with every combination it prints errors about false tickers. wget answer below does work.
Alfabravo over 5 years

Have been working it out on a Centos6.9 machine but no joy. This seems more healthy than other recommendations but it is not trivial to get it working...
Jay Taylor over 5 years

For a fully-working pre-baked implementation, see set_system_clock_from_google.sh.
artificerpi almost 5 years

Check my answer above.
wisbucky over 3 years

tlsdate worked really well behind a proxy. But for Ubuntu, the only available package is for Xenial 16.04. It seems to be a dead project since the last commit was in 2015. As an alternative, try htpdate superuser.com/questions/307158/…
Skippy le Grand Gourou about 2 years

It also has a -D (daemon) option.