在 linux 下使用 cntlm 設定 proxy

在某個環境需要 windows 系統設定帳號之後, 才能透過這樣的方式連線到外網, 其實就是要透過那個帳號/密碼給 proxy 認証。windows 很容易, 但 linux 就搞死人了。需要 cntlm 這個軟體, 來將這個帳號密碼轉成 proxy 的資訊送給那個 proxy。

設定 linux 系統 proxy

export http_proxy=http://username:password@"Proxy IP":port
export ftp_proxy=http://username:passord@"Proxy IP":port
http_proxy=http://1.2.3.4:8080/
ftp_proxy=ftp://1.2.3.4:8080/
all_proxy=socks://1.2.3.4:8080/
socks_proxy=socks://1.2.3.4:8080/
https_proxy=https://1.2.3.4:8080/
no_proxy=localhost,127.0.0.0/8,::1

其中如果proxy server不須要帳密，就只要打http://"Proxy IP":port即可
ref:

• Linux 透過proxy連外的設定方式
• 透過Cntlm穿越Proxy Server與AD身分驗證做APT套件下載 on Ubuntu

apt-get install cntlm
edit /etc/cntlm.conf

/etc/init.d/cntlm restart

cntlm.conf

 1 #
 2 # Cntlm Authentication Proxy Configuration
 3 #
 4 # NOTE: all values are parsed literally, do NOT escape spaces,
 5 # do not quote. Use 0600 perms if you use plaintext password.
 6 #
 7 
 8 Username myname
 9 Domain  yahoo.com
10 #Password password
11 # NOTE: Use plaintext password only at your own risk
12 # Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
13 # command sequence to get the right config for your environment.
14 # See cntlm man page
15 # Example secure config shown below.
16 # PassLM          1AD35398BE6565DDB5C4EF70C0593492
17 # PassNT          77B9081511704EE852F94227CF48A793
18 ### Only for user 'testuser', domain 'corp-uk'
19 ## cntlm -I -M http://tw.yahoo.com/
20 PassNTLMv2     12345 # 將密碼加密後的字串
21 
22 # Specify the netbios hostname cntlm will send to the parent
23 # proxies. Normally the value is auto-guessed.
24 #
25 # Workstation netbios_hostname
26 
27 # List of parent proxies to use. More proxies can be defined
28 # one per line in format <proxy_ip>:<proxy_port>
29 #
30 Proxy  1.2.3.4:9191
31 #Proxy  10.0.0.42:8080
32 
33 # List addresses you do not want to pass to parent proxies
34 # * and ? wildcards can be used
35 #
36 NoProxy  localhost, 127.0.0.*, 10.*, 192.168.*
37 
38 # Specify the port cntlm will listen on
39 # You can bind cntlm to specific interface by specifying
40 # the appropriate IP address also in format <local_ip>:<local_port>
41 # Cntlm listens on 127.0.0.1:3128 by default
42 #
43 Listen  3128
44 
45 # If you wish to use the SOCKS5 proxy feature as well, uncomment
46 # the following option. It can be used several times
47 # to have SOCKS5 on more than one port or on different network
48 # interfaces (specify explicit source address for that).
49 #
50 # WARNING: The service accepts all requests, unless you use
51 # SOCKS5User and make authentication mandatory. SOCKS5User
52 # can be used repeatedly for a whole bunch of individual accounts.
53 #
54 #SOCKS5Proxy 8010
55 #SOCKS5User dave:password
56 
57 # Use -M first to detect the best NTLM settings for your proxy.
58 # Default is to use the only secure hash, NTLMv2, but it is not
59 # as available as the older stuff.
60 #
61 # This example is the most universal setup known to man, but it
62 # uses the weakest hash ever. I won't have it's usage on my
63 # conscience. :) Really, try -M first.
64 #
65 #Auth  LM
66 Auth  NTLMv2
67 #Flags  0x06820000
68 
69 # Enable to allow access from other computers
70 # 讓別台電腦把這台當作 gateway, 開放此 proxy 給其他電腦
71 #Gateway yes
72 
73 # Useful in Gateway mode to allow/restrict certain IPs
74 # Specifiy individual IPs or subnets one rule per line.
75 #
76 #Allow  127.0.0.1
76.5Allow           192.168.1.0/24 # 讓 192.168.1.0/24 可以使用此台當 proxy/gateway L71 需開起
77 #Deny  0/0
78 
79 # GFI WebMonitor-handling plugin parameters, disabled by default
80 #
81 #ISAScannerSize     1024
82 #ISAScannerAgent    Wget/
83 #ISAScannerAgent    APT-HTTP/
84 #ISAScannerAgent    Yum/
85 
86 # Headers which should be replaced if present in the request
87 #
88 #Header  User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
89 
90 # Tunnels mapping local port to a machine behind the proxy.
91 # The format is <local_port>:<remote_host>:<remote_port>
92 # 
93 #Tunnel  11443:remote.com:443

L8, 9, 30, 66, 這些資訊都要自己去查, L20 的編碼種類要先知道 (很困難吧, 我怎麼會知道 mis 那邊的設定是用哪種編碼?), 編碼後的結果可用 L19 來得知。

root@debian64:/etc# cntlm -I -M http://tw.yahoo.com
Password:
Config profile 1/4... OK (HTTP code: 301)
----------------------------[ Profile 0 ]------
Auth NTLMv2
PassNTLMv2 xxzzyy

xxzzyy 就是要填入設定檔的密碼值。

L71 則是開放給其他電腦當 proxy 用。

如果你發現有這樣的現象:

root@debian32:/home/descent# cntlm -c /etc/cntlm.conf -I -M http://google.ro
Password: 
Config profile  1/4... Auth not required (HTTP code: 301)
Config profile  2/4... Auth not required (HTTP code: 301)
Config profile  3/4... Auth not required (HTTP code: 301)
Config profile  4/4... Auth not required (HTTP code: 301)

Your proxy is open, you don't need another proxy.

改用

cntlm -H

即可得到密碼編碼後的文字串。

這些資訊有些可能不好取得, 因此要設定正確其實並不容易。感謝同事 s 君的指導, 讓我得知這樣的解決方案。

ref:
How to fill proxy information in cntlm config file