Configuration of cntlm in Ubuntu

José Carlos Rodríguez Texidor
Jun 19, 2023

Accessing the internet from a restricted network environment through a proxy server can be a cumbersome task, especially if the process requires authentication using a domain account. Many applications that require internet access have built-in proxy configuration options. However, not all of them support authentication, which means they don’t provide a way to specify the user for accessing the proxy. Additionally, the server, port, username, and password for the proxy connection may change periodically, making it tedious to update these values in each application.

One possible solution is to use an application that acts as a mediator between the applications and the proxy server. This way, changes need to be made in a single place.

Cntlm is one such application that can simplify the connection process. It is an NTLM/NTLMv2 authentication HTTP proxy that acts as an intermediary between applications and the designated proxy server.

Configuring cntlm

The cntlm configuration file is located by default at /etc/cntlm.conf, and the most common configuration parameters are:

  • Domain: Specifies the network domain associated with the server.
  • Username: Specifies the username used for the domain.
  • Password: Specifies the password for the domain user.
  • Proxy: Specifies the IP address and port of the proxy server that cntlm will connect to.
  • Listen: Specifies the port on which cntlm listens for incoming requests. By default, cntlm listens on the address and port 127.0.0.1:3128.
  • NoProxy: Specifies a list of domains, network addresses, and subnets that should not be tunneled through cntlm. Requests for these destinations will be made directly without going through the proxy.

Example configuration in /etc/cntlm.conf

If you enter your password in plain text, it is recommended to keep the /etc/cntlm.conf file readable only by the root user and inaccessible to other users.
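One way to check that recommendation, as an added example that is not part of the original article: a small audit of a cntlm configuration file for loose permissions, a clear-text Password line, and a listener reachable from other hosts. It assumes GNU stat as shipped on Ubuntu; the sample configuration and the account in it are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original article): audit a cntlm config file
# for the exposure risks that matter when it holds domain credentials.
# Assumes GNU stat, as shipped on Ubuntu.

# usage: audit_cntlm_conf FILE [EXPECTED_OWNER]   (owner defaults to root)
# Prints one finding per line; returns 0 only when nothing is found.
audit_cntlm_conf() {
    conf=$1; want_owner=${2:-root}; findings=""
    [ -r "$conf" ] || { echo "cannot-read"; return 2; }

    # Any group/other permission bit lets non-root users read the credentials.
    mode=$(printf '%03d' "$(stat -c '%a' "$conf")")
    case $mode in *00) ;; *) findings="$findings mode=$mode" ;; esac
    owner=$(stat -c '%U' "$conf")
    [ "$owner" = "$want_owner" ] || findings="$findings owner=$owner"

    # An active (uncommented) Password line stores the password in clear text.
    grep -Eq '^[[:space:]]*Password[[:space:]]+[^[:space:]]' "$conf" &&
        findings="$findings plaintext-password"

    # A non-loopback Listen address or Gateway mode lets other hosts send
    # traffic through the proxy with this account's credentials.
    if grep -E '^[[:space:]]*Listen[[:space:]]+[^[:space:]]+:[0-9]+' "$conf" |
         grep -Evq 'Listen[[:space:]]+(127\.|localhost:|\[::1\])'; then
        findings="$findings listen-not-loopback"
    fi
    grep -Eiq '^[[:space:]]*Gateway[[:space:]]+yes' "$conf" &&
        findings="$findings gateway-enabled"

    findings=${findings# }
    [ -n "$findings" ] && echo "$findings" | tr ' ' '\n'
    [ -z "$findings" ]
}

# Constructed sample configuration (placeholder values, not a real account).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Username  jdoe
Domain    EXAMPLE
Password  not-a-real-password
Proxy     10.20.30.40:8080
NoProxy   localhost, 127.0.0.*, 10.*
Listen    0.0.0.0:3128
EOF
chmod 644 "$sample"
audit_cntlm_conf "$sample" "$(id -un)" || echo "-> fix the findings above"
rm -f "$sample"
```

cntlm can also keep password hashes instead of a Password line (generated with cntlm -H and stored under keys such as PassNTLMv2); they are still usable credentials, so the permission findings apply either way.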

For a better understanding of cntlm’s functionality and configuration, it is recommended to visit the website http://manpages.ubuntu.com/manpages/precise/man1/cntlm.1.html.

Configuring environment variables

In Linux, variables store data with a name and associated value, using the format <variable>=<value>. Linux variables are case-sensitive, treating <variable>=<value> and <VARIABLE>=<value> as distinct variables.

There are two common types of variables in Linux: inline variables and environment variables.

Inline variables are temporary and valid only within the current terminal session. They are created and accessed directly in the terminal, without affecting the broader environment. They are useful for quick, short-term assignments or one-time operations.

Environment variables persist throughout the user’s session until logout. Created using the export keyword, they are available to all processes in the session. These variables define the environment and behavior of the user's session and can be accessed with the env command or by prefixing them with a dollar sign ($).

Each user in Linux has their own set of environment variables, allowing for customization and different configurations. The ~/.bashrc file is where environment variables are declared to be accessible during user login. Updating the ~/.bashrc file with desired environment variables and executing source ~/.bashrc applies the changes immediately within the current session, making the variables available for use.

Inline variables are preferred in many cases due to their temporary nature and minimal impact on the environment.

For a better understanding of environment variables, it is recommended to visit the website https://linuxize.com/post/how-to-set-and-list-environment-variables-in-linux/.

The following code sets the proxy environment variables for the system. It assigns the value http://127.0.0.1:3128 to the http_proxy variable, and then uses this value to assign the same proxy settings to the https_proxy, ftp_proxy, and all_proxy variables.

Creating environment variables

Additionally, it sets the no_proxy variable to exclude specific addresses from proxying. In this example, it excludes localhost, 127.0.0.1, ::1, example.com, and example.org from being tunneled through the proxy. It's important to note that wildcards are not supported for exclusion, so complete IP addresses like 10.20.30.40 should be used instead.

Finally, the code exports the values of these variables with uppercase versions (HTTP_PROXY, HTTPS_PROXY, FTP_PROXY, ALL_PROXY, and NO_PROXY) for compatibility with certain applications that recognize these specific environment variable names.
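The variable setup described above, written out as an added example (it is not the article's original snippet), together with a check that the resulting environment stays consistent and free of credentials. The function names and the constructed bad value in the demo are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not the article's original snippet).

# set_cntlm_proxy [URL]: point every proxy variable at the local cntlm listener.
set_cntlm_proxy() {
    http_proxy=${1:-http://127.0.0.1:3128}
    https_proxy=$http_proxy; ftp_proxy=$http_proxy; all_proxy=$http_proxy
    # Complete host names and addresses only, as the article notes.
    no_proxy=localhost,127.0.0.1,::1,example.com,example.org
    export http_proxy https_proxy ftp_proxy all_proxy no_proxy
    # Upper-case copies for applications that only read those names.
    HTTP_PROXY=$http_proxy; HTTPS_PROXY=$https_proxy; FTP_PROXY=$ftp_proxy
    ALL_PROXY=$all_proxy; NO_PROXY=$no_proxy
    export HTTP_PROXY HTTPS_PROXY FTP_PROXY ALL_PROXY NO_PROXY
}

# check_proxy_env: print a finding for each variable that defeats the setup:
#   - credentials embedded in the URL (visible to every child process)
#   - lower/upper-case variants that disagree, so applications diverge
# Returns 0 when the environment is consistent and credential-free.
check_proxy_env() {
    bad=0
    for p in http https ftp all; do
        up=$(printf '%s' "$p" | tr '[:lower:]' '[:upper:]')
        eval "lo_val=\${${p}_proxy-}; up_val=\${${up}_PROXY-}"
        for val in "$lo_val" "$up_val"; do
            case $val in
                *://*@*) echo "${p}_proxy: credentials in URL"; bad=1 ;;
            esac
        done
        [ "$lo_val" = "$up_val" ] || { echo "${p}_proxy: case variants differ"; bad=1; }
    done
    return $bad
}

# Demo in a subshell so the caller's environment is left alone.
(
    set_cntlm_proxy
    check_proxy_env && echo "proxy environment OK: $http_proxy"
    # Constructed bad value: a password pasted straight into the variable.
    https_proxy='http://jdoe:not-a-real-password@10.20.30.40:8080'
    check_proxy_env || echo "-> point https_proxy back at cntlm"
)
```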

Update Linux using cntlm

Update Linux using cntlm as the proxy, specifying the proxy settings and executing the apt update and apt upgrade commands with superuser privileges.

Using environment variables to specify the proxy settings and executing the apt

or

Modifying the /etc/apt/apt.conf file to specify the proxy settings and executing the apt

Keep in mind that these configurations can also be used to install or update applications from the Linux repository through cntlm using the apt package manager.

Configuring the proxy for GNOME utilities

Some system applications rely on the system proxy configuration for GNOME.

Configuring proxy for GNOME system

These commands configure the GNOME system proxy settings for various protocols such as HTTP, HTTPS, FTP, and SOCKS. They specify the proxy host, port, and authentication options, and define the list of hosts to ignore for proxy configuration.

Proxy configuration for other applications

Git

To configure proxy settings in Git using cntlm, you have multiple options to choose from based on your needs. Here are the recommended approaches:

  1. Inline Flags: Use inline flags when executing Git commands that require communication outside the restricted network. Keep in mind that you need to set these flags every time you run such commands.

Example:

  2. Git Config: Utilize the git config command to set proxy settings for Git. This provides a persistent configuration that applies to all Git commands.

Example:

You can specify the configuration level using the following flags:

  • --local: Modify the local configuration file located at <project_folder>/.git/config.
  • --global: Modify the global configuration file located at ~/.git/config.
  • --system: Modify the system configuration file located at /etc/.git/config.

If no level is specified, --local is used by default.

  3. Manual Configuration: Alternatively, you can manually modify the configuration file to set the proxy parameters. Edit the relevant file (~/.git/config, <project_folder>/.git/config, or /etc/.git/config) and add the following lines:

Git follows a specific order when searching for proxy configuration:

  • First, it checks for inline flags provided during command execution.
  • Next, it looks for the project-specific configuration file.
  • Then, it checks the user-specific configuration file.
  • Lastly, it considers the system-wide configuration file.
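To observe that order directly, the following added example (not from the original article) sets http.proxy at the user and project levels inside a throw-away sandbox, then overrides it inline; git config --show-origin prints the source each winning value was read from. The sandbox layout, the function names and the *.invalid proxy hosts are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): observe which http.proxy value Git
# actually uses at each configuration level, inside a throw-away sandbox.

# make_sandbox: create a temporary HOME and repository; prints the sandbox path.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir "$sb/home"
    HOME="$sb/home" git init -q "$sb/repo"
    echo "$sb"
}

# sgit SANDBOX ARGS...: run git in the sandbox repo, ignoring the real
# user-level and system-level configuration files.
sgit() {
    sb=$1; shift
    HOME="$sb/home" XDG_CONFIG_HOME="$sb/home/.config" GIT_CONFIG_NOSYSTEM=1 \
        git -C "$sb/repo" "$@"
}

# effective_proxy SANDBOX [GIT_OPTS...]: origin and value of the setting that wins.
effective_proxy() {
    sb=$1; shift
    sgit "$sb" "$@" config --show-origin --get http.proxy
}

if command -v git >/dev/null 2>&1; then
    demo=$(make_sandbox)
    # User level only: the value comes from the sandbox HOME.
    sgit "$demo" config --global http.proxy http://global.invalid:3128
    effective_proxy "$demo"
    # Project level added: the repository file now takes precedence.
    sgit "$demo" config --local http.proxy http://127.0.0.1:3128
    effective_proxy "$demo"
    # Inline flag: overrides both files for this one command.
    effective_proxy "$demo" -c http.proxy=http://inline.invalid:3128
    rm -rf "$demo"
fi
```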

Snap

Configuring proxy for Snap

Applications like Postman and Chromium Browser require the proxy to be configured using flags each time the application is launched in a shell.

To avoid memorizing the lengthy command, it is recommended to define it as an alias in the ~/.bashrc file. This way, the alias can be used to simplify the command in any shell.

Postman

This code runs Postman with proxy server configuration, directing HTTPS and HTTP traffic through the specified proxy server while bypassing certain addresses and IP ranges.

Executing the Postman application with proxy server settings

/snap/bin/postman \: Executes the Postman application. The backslash at the end of the line indicates a line continuation.

--proxy-server="https=$http_proxy;http=$http_proxy" \: Sets the proxy server for both HTTPS and HTTP protocols. The value of the proxy server is specified using the http_proxy environment variable. This line indicates that the same proxy server should be used for both HTTPS and HTTP connections.

--proxy-bypass-list='*.example.com,*.example.org,10.0.0.0/8,192.168.0.0/16,169.254.0.0/16': Specifies a list of addresses and networks that should bypass the proxy. In this example, addresses matching *.example.com and *.example.org will bypass the proxy, along with the IP ranges 10.0.0.0/8, 192.168.0.0/16, and 169.254.0.0/16.

Chromium Browser

This code creates an alias “chromium” to run Chromium browser with proxy server configuration. The browser will use the specified proxy server for HTTPS and HTTP traffic while bypassing specific addresses and IP ranges.

Creating an alias to run Chromium Browser through a proxy.

alias chromium="/snap/bin/chromium \: Defines an alias named "chromium" using the alias command. This alias allows executing the Chromium browser.

Chromium, Postman, and Google Chrome share the same flags for configuring proxies and bypassing IP addresses. By using these common flags, you can ensure consistent proxy usage and IP bypassing across these applications.

Summary

In conclusion, navigating through restricted network environments with proxies can present challenges for users relying on domain accounts. However, cntlm offers a simplified solution for accessing internet-dependent applications that lack credential configuration options. Additionally, cntlm serves as a bridge, enabling centralized control over credentials and proxy access. With cntlm, users can streamline their internet connectivity while maintaining secure and efficient communication within restricted network environments.
