代理
舉例而言,通常我們可以這樣代理上網,賬號密碼是明文的,會有信息安全問題。
export http_proxy=http://username:[email protected]:8080
cntlm
cntlm 是一個HTTP二級代理軟件。 它主要的作用,是在能代理上網的前提下,給這個代理再做一個代理,提供給更多的下級用戶。 下級用戶不需要、也不可能知道代理的賬戶密碼,這樣既保障了安全、又實現了方便。
Cntlm is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy intended to help you break free from the chains of Microsoft proprietary world. You can use a free OS and honor our noble idea, but you can’t hide. Once you’re behind those cold steel bars of a corporate proxy server requiring NTLM authentication, you’re done with. The same even applies to 3rd party Windows applications, which don’t support NTLM natively.
cntlm 採用 NTLMv2 協議用於鑑權用戶身份。
Here comes Cntlm. It stands between your applications and the corporate proxy, adding NTLM authentication on-the-fly. You can specify several “parent” proxies and Cntlm will try one after another until one works. All auth’d connections are cached and reused to achieve high efficiency. Just point your apps proxy settings at Cntlm, fill in cntlm.conf (cntlm.ini) and you’re ready to do. This is useful on Windows, but essential for non-Microsoft OS’s.
在配置文件裏需要提供上游代理,cntlm 會逐個嘗試找到可用的代理,然後作爲一個二級代理,分發給需要的下游用戶。
There are many advanced features like NTLMv2 support, password protection, password hashing, completely mutliplatform code (running on just about every architecture and OS out there) and so much more. Cntlm eats up so little resources it can be used on embedded platforms as well - it’s written in plain C without any external dependencies.
安全、跨平臺、高效、資源佔用少
安裝
sudo apt install cntlm
下載地址
配置
安裝完後的默認配置文件爲 /etc/cntlm.conf
最簡配置如下
Username USERNAME
Domain COMPANY_DOMAIN
Password ********
Proxy proxy.company.com:8080
Proxy proxy2.company.com:8080
NoProxy localhost, 127.0.0.*, 10.*, 192.168.*, .company.com
Listen 3128
這個配置,僅能讓本機訪問。 如果要允許本機以外的機器訪問,則需要再添加 Gateway yes
。
其中的 Allow
,Deny
顧名思義,就是白名單和黑名單了。
爲了不顯示用戶密碼,使用 AUTH 校驗。
sudo cntlm -vc /etc/cntlm.conf -M http://baidu.com
section: global, Username = 'USERNAME'
section: global, Domain = 'COMPANY_DOMAIN'
section: global, Proxy = 'proxy.company.com:8080'
section: global, Proxy = 'proxy2.company.com:8080'
section: global, NoProxy = 'localhost, 127.0.0.*, 10.*, 192.168.*, .company.com'
section: global, Listen = '3128'
...
HEAD: HTTP/1.1 200 OK
OK (HTTP code: 200)
----------------------------[ Profile 1 ]------
Auth NTLM
PassNT 7FA051B4B85F0E7EEBB24D3CD73E52B0
PassLM 23A1E1A7276E84EA4846D4C9FF957C35
------------------------------------------------
cntlm: Terminating with 0 active threads
把下面的內容放到配置文件中即可。
Auth NTLM
PassNT 7FA051B4B85F0E7EEBB24D3CD73E52B9
PassLM 23A1E1A7276E84EA4846D4C9FF957C31
使用 cntlm -H
命令也可以生成祕鑰的哈希
Password:
PassLM 7F4BB72132BAA2A01FA94BD623A70D3B
PassNT 2C27BB146F74625D159413FC1F30745F
PassNTLMv2 D3972609581D8260868ED588303F0FF0 # Only for user 'testuser', domain 'contoso'
使用
在 .bashrc
或其他個人配置文件中加上,注意這裏的端口號就是配置文件設置的監聽端口號。
之後 source
配置文件生效環境變量的修改。
export http_proxy="http://127.0.0.1:3128"
export https_proxy="http://127.0.0.1:3128"
export ftp_proxy="http://127.0.0.1:3128"
// or
export http_proxy=http://127.0.0.1:3128
export https_proxy=${http_proxy}
export ftp_proxy=${http_proxy}
重啓服務
sudo systemctl reload cntlm
#關閉cntlm服務
sudo killall cntlm
#開啓cntlm服務
sudo cntlm