Configuration of cntlm in Ubuntu
Accessing the internet from a restricted network environment through a proxy server can be a cumbersome task, especially if the process requires authentication using a domain account. Many applications that require internet access have built-in proxy configuration options. However, not all of them support authentication, which means they don’t provide a way to specify the user for accessing the proxy. Additionally, the server, port, username, and password for the proxy connection may change periodically, making it tedious to update these values in each application.
One possible solution is to use an application that acts as a mediator between the applications and the proxy server. This way, changes need to be made in a single place.
Cntlm is one such application that can simplify the connection process. It is an NTLM/NTLMv2 authentication HTTP proxy that acts as an intermediary between applications and the designated proxy server.
Configuring cntlm
The cntlm configuration file is located by default at /etc/cntlm.conf, and the most common configuration parameters are:
- Domain: Specifies the network domain associated with the server.
- Username: Specifies the username used for the domain.
- Password: Specifies the password for the domain user.
- Proxy: Specifies the IP address and port of the proxy server that cntlm will connect to.
- Listen: Specifies the port on which cntlm listens for incoming requests. By default, cntlm listens on the address and port 127.0.0.1:3128.
- NoProxy: Specifies a list of domains, network addresses, and subnets that should not be tunneled through cntlm. Requests for these destinations will be made directly without going through the proxy.
If you enter your password in plain text, it is recommended to keep the /etc/cntlm.conf file readable only by the root user and inaccessible to other users.
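A quick check for the advice above, as an added example that is not part of the original article: the hypothetical function audit_cntlm_conf reports a configuration file that group or other users can access and a plaintext Password line. PassLM, PassNT and PassNTLMv2 are the cntlm keys that store the hashes printed by cntlm -H in place of the password; the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit a cntlm configuration file for the two exposures
# discussed above. audit_cntlm_conf is a hypothetical helper name.
# Prints one finding per line and returns the number of findings (3 = no file).
audit_cntlm_conf() {
    conf=${1:-/etc/cntlm.conf}
    findings=0

    if [ ! -f "$conf" ]; then
        echo "missing: $conf"
        return 3
    fi

    # Permission bits for group and other (characters 5-10 of the mode
    # string printed by ls -l) must all be '-'.
    perms=$(ls -ld -- "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "permissions: $conf is accessible to group/other ($perms)"
        findings=$((findings + 1))
    fi

    # A non-comment Password line holds the domain password in clear text.
    if grep -Eiq '^[[:space:]]*Password[[:space:]]+[^[:space:]]' "$conf"; then
        echo "plaintext: Password is set; store hashes from 'cntlm -H' instead"
        findings=$((findings + 1))
    fi

    # Hash keys (PassLM, PassNT, PassNTLMv2) are the safer alternative, yet
    # they still authenticate the account, so the file must stay private.
    if ! grep -Eiq '^[[:space:]]*Pass(LM|NT|NTLMv2)[[:space:]]' "$conf"; then
        echo "info: no PassLM/PassNT/PassNTLMv2 hash found"
    fi

    return "$findings"
}

# Constructed sample configuration (not a real account).
demo=$(mktemp)
printf 'Username\tjdoe\nDomain\tEXAMPLE\nPassword\tnot-a-real-secret\nProxy\t10.20.30.40:8080\nListen\t3128\n' > "$demo"
chmod 644 "$demo"
audit_cntlm_conf "$demo" || true
rm -f "$demo"
```

Run it with sudo against the real file, since a correctly protected /etc/cntlm.conf is not readable by an ordinary user.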
For a better understanding of cntlm’s functionality and configuration, it is recommended to visit the website http://manpages.ubuntu.com/manpages/precise/man1/cntlm.1.html.
Configuring environment variables
In Linux, variables store data with a name and associated value, using the format <variable>=<value>. Linux variables are case-sensitive, treating <variable>=<value> and <VARIABLE>=<value> as distinct variables.
There are two common types of variables in Linux: inline variables and environment variables.
Inline variables are temporary and valid only within the current terminal session. They are created and accessed directly in the terminal, without affecting the broader environment. They are useful for quick, short-term assignments or one-time operations.
Environment variables persist throughout the user’s session until logout. Created using the export keyword, they are available to all processes in the session. These variables define the environment and behavior of the user's session and can be accessed with the env command or by prefixing them with a dollar sign ($).
Each user in Linux has their own set of environment variables, allowing for customization and different configurations. The ~/.bashrc file is where environment variables are declared to be accessible during user login. Updating the ~/.bashrc file with desired environment variables and executing source ~/.bashrc applies the changes immediately within the current session, making the variables available for use.
Inline variables are preferred in many cases due to their temporary nature and minimal impact on the environment.
For a better understanding of environment variables, it is recommended to visit the website https://linuxize.com/post/how-to-set-and-list-environment-variables-in-linux/.
This next code sets the proxy environment variables for the system. It assigns the value http://127.0.0.1:3128 to the http_proxy variable, and then uses this value to assign the same proxy settings to the https_proxy, ftp_proxy, and all_proxy variables.
Additionally, it sets the no_proxy variable to exclude specific addresses from proxying. In this example, it excludes localhost, 127.0.0.1, ::1, example.com, and example.org from being tunneled through the proxy. It's important to note that wildcards are not supported for exclusion, so complete IP addresses like 10.20.30.40 should be used instead.
Finally, the code exports the values of these variables with uppercase versions (HTTP_PROXY, HTTPS_PROXY, FTP_PROXY, ALL_PROXY, and NO_PROXY) for compatibility with certain applications that recognize these specific environment variable names.
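The assignments described above, written out as an added example rather than the article's original listing: the function names cntlm_proxy_on and cntlm_proxy_off and the optional URL argument are assumptions. The function also refuses a proxy URL that embeds a username or password, because cntlm is there to hold the credentials and exported variables are passed to every child process.

```shell
#!/bin/sh
# Added example: the variable assignments described above, as functions that
# can be sourced from ~/.bashrc. cntlm_proxy_on and cntlm_proxy_off are
# hypothetical names; the no_proxy entries are the ones the text lists.
cntlm_proxy_on() {
    url=${1:-http://127.0.0.1:3128}

    # cntlm holds the domain credentials, so the URL must not carry any:
    # environment variables are inherited by every child process.
    case $url in
        *@*) echo "refusing proxy URL with embedded credentials" >&2
             return 1 ;;
    esac

    http_proxy=$url
    https_proxy=$http_proxy
    ftp_proxy=$http_proxy
    all_proxy=$http_proxy
    # No wildcards: list complete host names and IP addresses.
    no_proxy=localhost,127.0.0.1,::1,example.com,example.org
    export http_proxy https_proxy ftp_proxy all_proxy no_proxy

    # Uppercase copies for applications that only read those names.
    HTTP_PROXY=$http_proxy
    HTTPS_PROXY=$https_proxy
    FTP_PROXY=$ftp_proxy
    ALL_PROXY=$all_proxy
    NO_PROXY=$no_proxy
    export HTTP_PROXY HTTPS_PROXY FTP_PROXY ALL_PROXY NO_PROXY
}

# Remove every proxy variable again, e.g. when leaving the restricted network.
cntlm_proxy_off() {
    unset http_proxy https_proxy ftp_proxy all_proxy no_proxy \
          HTTP_PROXY HTTPS_PROXY FTP_PROXY ALL_PROXY NO_PROXY
}

# Show the resulting environment.
cntlm_proxy_on && env | grep -i '_proxy=' | sort
```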
Update Linux using cntlm
Update Linux using cntlm as the proxy, specifying the proxy settings and executing the apt update and apt upgrade commands with superuser privileges.
or
Keep in mind that these configurations can also be used to install or update applications from the Linux repository through cntlm using the apt package manager.
Configuring the proxy for GNOME utilities
Some system applications rely on the system proxy configuration for GNOME.
These commands configure the GNOME system proxy settings for various protocols such as HTTP, HTTPS, FTP, and SOCKS. They specify the proxy host, port, and authentication options, and define the list of hosts to ignore for proxy configuration.
Proxy configuration for other applications
Git
To configure proxy settings in Git using cntlm, you have multiple options to choose from based on your needs. Here are the recommended approaches:
1. Inline Flags: Use inline flags when executing Git commands that require communication outside the restricted network. Keep in mind that you need to set these flags every time you run such commands.
Example:
2. Git Config: Utilize the git config command to set proxy settings for Git. This provides a persistent configuration that applies to all Git commands.
Example:
You can specify the configuration level using the following flags:
- --local: Modify the local configuration file located at <project_folder>/.git/config.
- --global: Modify the global configuration file located at ~/.git/config.
- --system: Modify the system configuration file located at /etc/.git/config.
If no level is specified, --local is used by default.
3. Manual Configuration: Alternatively, you can manually modify the configuration file to set the proxy parameters. Edit the relevant file (~/.git/config, <project_folder>/.git/config, or /etc/.git/config) and add the following lines:
Git follows a specific order when searching for proxy configuration:
- First, it checks for inline flags provided during command execution.
- Next, it looks for the project-specific configuration file.
- Then, it checks the user-specific configuration file.
- Lastly, it considers the system-wide configuration file.
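The lookup order above can be checked without touching any real configuration. This added example (not from the original article) sets http.proxy at the user and project levels inside a temporary HOME and repository, then overrides both with an inline -c flag; the function name git_proxy_precedence and the 10.20.30.40 proxy addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: show which http.proxy value Git picks at each level, inside
# a throwaway HOME and repository so no real configuration is modified.
# git_proxy_precedence is a hypothetical helper; the 10.20.30.40 proxy
# addresses are constructed sample values.
git_proxy_precedence() {
    sandbox=$(mktemp -d) || return 1
    (
        # Isolate Git from the real user-level and system-wide files.
        HOME=$sandbox
        GIT_CONFIG_NOSYSTEM=1
        export HOME GIT_CONFIG_NOSYSTEM
        unset XDG_CONFIG_HOME GIT_CONFIG_GLOBAL GIT_DIR

        git init -q "$sandbox/repo" && cd "$sandbox/repo" || exit 1

        # User-specific setting only.
        git config --global http.proxy http://127.0.0.1:3128
        echo "global: $(git config --get http.proxy)"

        # A project-specific setting overrides the user-specific one.
        git config --local http.proxy http://10.20.30.40:8080
        echo "local:  $(git config --get http.proxy)"

        # An inline -c flag overrides both, for this one command only.
        echo "inline: $(git -c http.proxy=http://10.20.30.40:9090 config --get http.proxy)"
    )
    status=$?
    rm -rf "$sandbox"
    return "$status"
}

git_proxy_precedence
```

Because a project-level value silently wins over the user-level one, it is worth running git config --get http.proxy inside a freshly cloned repository to confirm traffic still goes through cntlm.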
Snap
Applications like Postman and Chromium Browser require the proxy to be configured using flags each time the application is launched in a shell.
To avoid memorizing the lengthy command, it is recommended to define it as an alias in the ~/.bashrc file. This way, the alias can be used to simplify the command in any shell.
Postman
This code runs Postman with proxy server configuration, directing HTTPS and HTTP traffic through the specified proxy server while bypassing certain addresses and IP ranges.
- /snap/bin/postman \: Executes the Postman application. The backslash at the end of the line indicates a line continuation.
- --proxy-server="https=$http_proxy;http=$http_proxy" \: Sets the proxy server for both HTTPS and HTTP protocols. The value of the proxy server is specified using the http_proxy environment variable. This line indicates that the same proxy server should be used for both HTTPS and HTTP connections.
- --proxy-bypass-list='*.example.com,*.example.org,10.0.0.0/8,192.168.0.0/16,169.254.0.0/16': Specifies a list of addresses and networks that should bypass the proxy. In this example, addresses matching *.example.com and *.example.org will bypass the proxy, along with the IP ranges 10.0.0.0/8, 192.168.0.0/16, and 169.254.0.0/16.
Chromium Browser
This code creates an alias “chromium” to run Chromium browser with proxy server configuration. The browser will use the specified proxy server for HTTPS and HTTP traffic while bypassing specific addresses and IP ranges.
- alias chromium="/snap/bin/chromium \: Defines an alias named "chromium" using the alias command. This alias allows executing the Chromium browser.
Chromium, Postman, and Google Chrome share the same flags for configuring proxies and bypassing IP addresses. By using these common flags, you can ensure consistent proxy usage and IP bypassing across these applications.
Summary
In conclusion, navigating through restricted network environments with proxies can present challenges for users relying on domain accounts. However, cntlm offers a simplified solution for accessing internet-dependent applications that lack credential configuration options. Additionally, cntlm serves as a bridge, enabling centralized control over credentials and proxy access. With cntlm, users can streamline their internet connectivity while maintaining secure and efficient communication within restricted network environments.