代理
举例而言,通常我们可以这样代理上网,账号密码是明文的,会有信息安全问题。
export http_proxy=http://username:[email protected]:8080
cntlm
cntlm 是一个HTTP二级代理软件。 它主要的作用,是在能代理上网的前提下,给这个代理再做一个代理,提供给更多的下级用户。 下级用户不需要、也不可能知道代理的账户密码,这样既保障了安全、又实现了方便。
Cntlm is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy intended to help you break free from the chains of Microsoft proprietary world. You can use a free OS and honor our noble idea, but you can’t hide. Once you’re behind those cold steel bars of a corporate proxy server requiring NTLM authentication, you’re done with. The same even applies to 3rd party Windows applications, which don’t support NTLM natively.
cntlm 采用 NTLMv2 协议用于鉴权用户身份。
Here comes Cntlm. It stands between your applications and the corporate proxy, adding NTLM authentication on-the-fly. You can specify several “parent” proxies and Cntlm will try one after another until one works. All auth’d connections are cached and reused to achieve high efficiency. Just point your apps proxy settings at Cntlm, fill in cntlm.conf (cntlm.ini) and you’re ready to do. This is useful on Windows, but essential for non-Microsoft OS’s.
在配置文件里需要提供上游代理,cntlm 会逐个尝试找到可用的代理,然后作为一个二级代理,分发给需要的下游用户。
There are many advanced features like NTLMv2 support, password protection, password hashing, completely mutliplatform code (running on just about every architecture and OS out there) and so much more. Cntlm eats up so little resources it can be used on embedded platforms as well - it’s written in plain C without any external dependencies.
安全、跨平台、高效、资源占用少
安装
sudo apt install cntlm
下载地址
配置
安装完后的默认配置文件为 /etc/cntlm.conf
最简配置如下
Username USERNAME
Domain COMPANY_DOMAIN
Password ********
Proxy proxy.company.com:8080
Proxy proxy2.company.com:8080
NoProxy localhost, 127.0.0.*, 10.*, 192.168.*, .company.com
Listen 3128
这个配置,仅能让本机访问。 如果要允许本机以外的机器访问,则需要再添加 Gateway yes
。
其中的 Allow
,Deny
顾名思义,就是白名单和黑名单了。
为了不显示用户密码,使用 AUTH 校验。
sudo cntlm -vc /etc/cntlm.conf -M http://baidu.com
section: global, Username = 'USERNAME'
section: global, Domain = 'COMPANY_DOMAIN'
section: global, Proxy = 'proxy.company.com:8080'
section: global, Proxy = 'proxy2.company.com:8080'
section: global, NoProxy = 'localhost, 127.0.0.*, 10.*, 192.168.*, .company.com'
section: global, Listen = '3128'
...
HEAD: HTTP/1.1 200 OK
OK (HTTP code: 200)
----------------------------[ Profile 1 ]------
Auth NTLM
PassNT 7FA051B4B85F0E7EEBB24D3CD73E52B0
PassLM 23A1E1A7276E84EA4846D4C9FF957C35
------------------------------------------------
cntlm: Terminating with 0 active threads
把下面的内容放到配置文件中即可。
Auth NTLM
PassNT 7FA051B4B85F0E7EEBB24D3CD73E52B9
PassLM 23A1E1A7276E84EA4846D4C9FF957C31
使用 cntlm -H
命令也可以生成秘钥的哈希
Password:
PassLM 7F4BB72132BAA2A01FA94BD623A70D3B
PassNT 2C27BB146F74625D159413FC1F30745F
PassNTLMv2 D3972609581D8260868ED588303F0FF0 # Only for user 'testuser', domain 'contoso'
使用
在 .bashrc
或其他个人配置文件中加上,注意这里的端口号就是配置文件设置的监听端口号。
之后 source
配置文件生效环境变量的修改。
export http_proxy="http://127.0.0.1:3128"
export https_proxy="http://127.0.0.1:3128"
export ftp_proxy="http://127.0.0.1:3128"
// or
export http_proxy=http://127.0.0.1:3128
export https_proxy=${http_proxy}
export ftp_proxy=${http_proxy}
重启服务
sudo systemctl reload cntlm
#关闭cntlm服务
sudo killall cntlm
#开启cntlm服务
sudo cntlm