Configuring and using cntlm

Proxies

For example, we usually go out through a corporate proxy like this. The username and password sit in plaintext in an environment variable, where every process that inherits the environment, your shell history and any log that dumps the environment can read them, which is an information security problem. (The original line had the credential part of the URL mangled by an obfuscation filter; it is reconstructed here with the same proxy host the configuration below uses.)
export http_proxy=http://username:password@proxy.company.com:8080

cntlm

cntlm is a second-level (chained) HTTP proxy. Its job is, given a parent proxy that can reach the Internet, to put another proxy in front of it and offer that one to more downstream users. The downstream users do not need to know the parent proxy's credentials, and cannot learn them from cntlm, which gives both security and convenience.

Cntlm is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy intended to help you break free from the chains of Microsoft proprietary world. You can use a free OS and honor our noble idea, but you can’t hide. Once you’re behind those cold steel bars of a corporate proxy server requiring NTLM authentication, you’re done with. The same even applies to 3rd party Windows applications, which don’t support NTLM natively.

cntlm speaks NTLM, NTLM Session Response and NTLMv2 and uses them to authenticate to the parent proxy on behalf of the downstream client. This is not what authenticates the downstream clients themselves; who may connect to cntlm is governed by Gateway, Allow and Deny in its configuration.

Here comes Cntlm. It stands between your applications and the corporate proxy, adding NTLM authentication on-the-fly. You can specify several “parent” proxies and Cntlm will try one after another until one works. All auth’d connections are cached and reused to achieve high efficiency. Just point your apps proxy settings at Cntlm, fill in cntlm.conf (cntlm.ini) and you’re ready to go. This is useful on Windows, but essential for non-Microsoft OS’s.

The upstream (parent) proxies are listed in the configuration file; cntlm tries them one after another until it finds one that works, then serves as a second-level proxy for whichever downstream users need it.

There are many advanced features like NTLMv2 support, password protection, password hashing, completely multiplatform code (running on just about every architecture and OS out there) and so much more. Cntlm eats up so little resources it can be used on embedded platforms as well - it’s written in plain C without any external dependencies.

In short: secure, cross-platform, efficient and light on resources.

Installation

sudo apt install cntlm
On Debian and Ubuntu the package above is enough; packages for other platforms are on the project's download page.

Configuration

After installation the default configuration file is /etc/cntlm.conf.

A minimal configuration looks like this:

Username    USERNAME
Domain      COMPANY_DOMAIN
Password    ********

Proxy       proxy.company.com:8080
Proxy       proxy2.company.com:8080

NoProxy     localhost, 127.0.0.*, 10.*, 192.168.*, .company.com

Listen      3128

This configuration accepts connections from the local machine only. To let other machines use it, add Gateway yes.
Allow and Deny are, as their names say, the whitelist and blacklist of client addresses; once Gateway is on, restrict the listener with Allow so that the whole network cannot ride on your credentials.
To keep the password itself out of the file, replace Password with Auth plus a password hash (shown below). Whatever form the credential takes, anyone who can read the file can authenticate to the proxy as you, so keep it readable only by root and the account cntlm runs as (for example chmod 600 /etc/cntlm.conf).
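As an added check (not part of cntlm, and not code from the original post), the script below parses a cntlm.conf and flags the settings discussed above: a plaintext Password, a leftover PassLM, an Auth other than NTLMv2, a bare PassNT, and Gateway yes with no Allow line. The two sample configurations are constructed for the example; the hash value in the hardened one is the sample PassNTLMv2 from the cntlm -H output later on this page, and the Allow subnet is an assumption.

```python
"""Audit a cntlm.conf for settings that undermine the credential protection
the page is after. Added example; cntlm ships no such check."""

# Constructed sample: the page's minimal config with a plaintext password and
# the listener opened to the network without any Allow restriction.
WEAK_CONF = """\
Username    USERNAME
Domain      COMPANY_DOMAIN
Password    hunter2
Proxy       proxy.company.com:8080
NoProxy     localhost, 127.0.0.*, 10.*, 192.168.*, .company.com
Listen      3128
Gateway     yes
"""

# Constructed sample: same setup, password replaced by a user/domain-bound
# NTLMv2 hash and the gateway restricted to one (assumed) client subnet.
HARDENED_CONF = """\
Username    USERNAME
Domain      COMPANY_DOMAIN
Auth        NTLMv2
PassNTLMv2  D3972609581D8260868ED588303F0FF0
Proxy       proxy.company.com:8080
NoProxy     localhost, 127.0.0.*, 10.*, 192.168.*, .company.com
Listen      3128
Gateway     yes
Allow       10.1.2.0/24
"""


def parse_conf(text: str) -> dict:
    """Parse 'Key value' lines into {key: [values...]}.

    Keys such as Proxy, Allow and Deny may repeat, so every key maps to a
    list in file order. Lines starting with '#' and blank lines are skipped;
    keys are matched in the spelling cntlm's own sample config uses.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0], []).append(value)
    return conf


def audit(text: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings = []
    if "Password" in conf:
        findings.append("Password: plaintext password in the file; use Auth with a hash instead")
    if "PassLM" in conf:
        findings.append("PassLM: the LM hash is weak enough to crack offline; drop it")
    auth = conf.get("Auth", [""])[-1].upper()
    if auth != "NTLMV2":
        findings.append("Auth: %s; prefer NTLMv2 if the parent proxy accepts it" % (auth or "unset"))
    if "PassNT" in conf and "PassNTLMv2" not in conf:
        findings.append("PassNT: the NT hash is password-equivalent (pass-the-hash); prefer PassNTLMv2")
    # Last Gateway line wins, as with most 'key value' configs.
    if conf.get("Gateway", ["no"])[-1].lower() == "yes" and "Allow" not in conf:
        findings.append("Gateway yes without Allow: every host that can reach the listener gets your credentials")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("== %s config ==" % name)
        for finding in audit(text) or ["no findings"]:
            print("  " + finding)
```

Run it against /etc/cntlm.conf by reading the file into audit(); the checks are deliberately simple string matches on the directives this page uses, so extend them if your build uses other spellings.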

Running cntlm with -M against a reachable URL checks the parent proxies, detects which NTLM dialect the proxy accepts and prints the hashes of the password in the configuration file:
sudo cntlm -vc /etc/cntlm.conf -M http://baidu.com
section: global, Username = 'USERNAME'
section: global, Domain = 'COMPANY_DOMAIN'
section: global, Proxy = 'proxy.company.com:8080'
section: global, Proxy = 'proxy2.company.com:8080'
section: global, NoProxy = 'localhost, 127.0.0.*, 10.*, 192.168.*, .company.com'
section: global, Listen = '3128'
...
HEAD: HTTP/1.1 200 OK
OK (HTTP code: 200)
----------------------------[ Profile  1 ]------
Auth            NTLM
PassNT          7FA051B4B85F0E7EEBB24D3CD73E52B0
PassLM          23A1E1A7276E84EA4846D4C9FF957C35
------------------------------------------------
cntlm: Terminating with 0 active threads

Put the following into the configuration file and remove the Password line. The hash values here are sample values; copy the ones -M printed for your own password. Note that Auth NTLM is NTLMv1 with an LM response: both hashes are password-equivalent for the proxy, and the LM hash in particular is cheap to crack, so if the parent proxy accepts NTLMv2 prefer Auth NTLMv2 with PassNTLMv2 (generated with cntlm -H below) and leave PassLM out.

Auth            NTLM
PassNT          7FA051B4B85F0E7EEBB24D3CD73E52B9
PassLM          23A1E1A7276E84EA4846D4C9FF957C31

The hashes can also be generated with cntlm -H. Pass the username and domain as well (-u testuser -d contoso for the output below), because the NTLMv2 hash is derived from them and is only valid for that user and domain:

Password:
PassLM          7F4BB72132BAA2A01FA94BD623A70D3B
PassNT          2C27BB146F74625D159413FC1F30745F
PassNTLMv2      D3972609581D8260868ED588303F0FF0    # Only for user 'testuser', domain 'contoso'

Usage

Add the following to .bashrc or another personal shell profile; the port number is the one set by Listen in the configuration file.
Then source the profile so the environment change takes effect.

export http_proxy="http://127.0.0.1:3128"
export https_proxy="http://127.0.0.1:3128"
export ftp_proxy="http://127.0.0.1:3128"

# or
export http_proxy=http://127.0.0.1:3128
export https_proxy=${http_proxy}
export ftp_proxy=${http_proxy}

Restarting the service

sudo systemctl restart cntlm

# Stop cntlm (the systemd way is: sudo systemctl stop cntlm)
sudo killall cntlm

# Start cntlm by hand instead of through systemd
sudo cntlm