cntlm 的配置使用

代理

举例而言，通常我们可以这样代理上网，账号密码是明文的，会有信息安全问题。
export http_proxy=http://username:[email protected]:8080

cntlm

cntlm 是一个HTTP二级代理软件。 它主要的作用，是在能代理上网的前提下，给这个代理再做一个代理，提供给更多的下级用户。 下级用户不需要、也不可能知道代理的账户密码，这样既保障了安全、又实现了方便。

Cntlm is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy intended to help you break free from the chains of Microsoft proprietary world. You can use a free OS and honor our noble idea, but you can’t hide. Once you’re behind those cold steel bars of a corporate proxy server requiring NTLM authentication, you’re done with. The same even applies to 3rd party Windows applications, which don’t support NTLM natively.

cntlm 采用 NTLMv2 协议用于鉴权用户身份。

Here comes Cntlm. It stands between your applications and the corporate proxy, adding NTLM authentication on-the-fly. You can specify several “parent” proxies and Cntlm will try one after another until one works. All auth’d connections are cached and reused to achieve high efficiency. Just point your apps proxy settings at Cntlm, fill in cntlm.conf (cntlm.ini) and you’re ready to do. This is useful on Windows, but essential for non-Microsoft OS’s.

在配置文件里需要提供上游代理，cntlm 会逐个尝试找到可用的代理，然后作为一个二级代理，分发给需要的下游用户。

There are many advanced features like NTLMv2 support, password protection, password hashing, completely mutliplatform code (running on just about every architecture and OS out there) and so much more. Cntlm eats up so little resources it can be used on embedded platforms as well - it’s written in plain C without any external dependencies.

安全、跨平台、高效、资源占用少

安装

sudo apt install cntlm 下载地址

配置

安装完后的默认配置文件为 /etc/cntlm.conf

最简配置如下

Username    USERNAME
Domain      COMPANY_DOMAIN
Password    ********

Proxy       proxy.company.com:8080
Proxy       proxy2.company.com:8080

NoProxy     localhost, 127.0.0.*, 10.*, 192.168.*, .company.com

Listen      3128

这个配置，仅能让本机访问。 如果要允许本机以外的机器访问，则需要再添加 Gateway yes。
其中的 Allow，Deny 顾名思义，就是白名单和黑名单了。
为了不显示用户密码，使用 AUTH 校验。

sudo cntlm -vc /etc/cntlm.conf -M http://baidu.com
section: global, Username = 'USERNAME'
section: global, Domain = 'COMPANY_DOMAIN'
section: global, Proxy = 'proxy.company.com:8080'
section: global, Proxy = 'proxy2.company.com:8080'
section: global, NoProxy = 'localhost, 127.0.0.*, 10.*, 192.168.*, .company.com'
section: global, Listen = '3128'
...
HEAD: HTTP/1.1 200 OK
OK (HTTP code: 200)
----------------------------[ Profile  1 ]------
Auth            NTLM
PassNT          7FA051B4B85F0E7EEBB24D3CD73E52B0
PassLM          23A1E1A7276E84EA4846D4C9FF957C35
------------------------------------------------
cntlm: Terminating with 0 active threads

把下面的内容放到配置文件中即可。

Auth            NTLM
PassNT          7FA051B4B85F0E7EEBB24D3CD73E52B9
PassLM          23A1E1A7276E84EA4846D4C9FF957C31

使用 cntlm -H 命令也可以生成秘钥的哈希

Password:
PassLM          7F4BB72132BAA2A01FA94BD623A70D3B
PassNT          2C27BB146F74625D159413FC1F30745F
PassNTLMv2      D3972609581D8260868ED588303F0FF0    # Only for user 'testuser', domain 'contoso'

使用

在 .bashrc 或其他个人配置文件中加上，注意这里的端口号就是配置文件设置的监听端口号。
之后 source 配置文件生效环境变量的修改。

export http_proxy="http://127.0.0.1:3128"
export https_proxy="http://127.0.0.1:3128"
export ftp_proxy="http://127.0.0.1:3128"

// or
export http_proxy=http://127.0.0.1:3128
export https_proxy=${http_proxy}
export ftp_proxy=${http_proxy}

重启服务

sudo systemctl reload cntlm

#关闭cntlm服务
sudo killall cntlm 

#开启cntlm服务
sudo cntlm