Proxy tools and configs to exist in corp land and at home

Preface

Let’s face it, having a corporate proxy with NTLM based authentication really sucks. The forced authentication against an AD backed directory makes sense, but it creates pain when you work in a terminal and unix/linux world. Thankfully, over the past decade or so, some amazing people have created tooling to help navigate the NTLM proxy landscape. Among these tools, cntlm is a fantastic solution to this problem. While cntlm solves 90% of your problems, that last 10% involves turning proxy settings off easily when you are away from the office. There are some sophisticated ways to solve the in-office/out-of-office settings detection dilemma, but I have opted for a “simple” one inspired by a ServerFault post (http://serverfault.com/questions/506046/configure-cntlm-to-use-no-proxy-if-none-are-available).

The solution presented here assumes the following:

  • Stuck using Windows 7/10 as your host OS
    • Note: If you have the luxury of using Mac OSX as a host OS, then also try Fiddler
  • Stuck with a corporate NTLM authenticated proxy
  • Using Virtualbox for development and virtualization tooling
  • Using a Linux VM in Virtualbox
  • Desire to seamlessly move in and out of corp offices and home without the need to edit the cntlm.ini or autodetect network locations
  • You have local admin privileges

Solution Design

  • Cntlm configured with:
    1. Corp proxy
    2. Local squid proxy on alternative port
  • Linux VM bash profile configured to use the cntlm proxy

Functionality

  • When connected to the corp proxy, the connections will use it via the authentication creds configured in cntlm
  • When at home or away from the office, connections will first try the corp proxy, then fail over to the second, local squid proxy, which uses a direct internet connection
     <INTERNET>                <INTERNET>
         |                         |
         |                         |
     corp proxy             direct internet
         |                         |
         |                         |
         ---------------------------
                      |
                      |
                      |
#################################
# HOST (Windows 7/10/etc)       #              ##############
# VirtualBox                    #--------------# VM (Linux) #
# cntlm (port 3128)             #              ############## .bash_profile (export proxy set to vbox nat default gateway)
#   --proxy1 set to corp        #                             (10.0.2.2:3128)
#   --proxy2 set to squid       #
# squid (port 3129)             #
#   --using no proxy            #
#################################

This keeps things simple, and you don't have to change all your proxy settings all the time. Just use the local cntlm proxy and it will provide seamless functionality for out-of-office, non-proxy direct connections by failing over to the local squid proxy. The downside is having to install the squid proxy and do the extra configuration, but it works nicely once set up.
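As an added sanity check (example code written for this post, not part of the post or the proxy_tools repo), the script below parses the relevant lines of the cntlm.ini and squid.conf shown under Get Configs and flags the mistakes that break the failover or expose your credentials: the last Proxy entry not pointing at squid's http_port, the two listeners colliding, Gateway yes with no Allow rule (any host that can reach the port can then browse with your stored NTLM hashes), and a plaintext Password. The embedded config excerpts are constructed from the post's files.

```python
import re

# Constructed excerpts of the two configs the post describes (not the full files).
CNTLM_INI = """\
Username MYUSERNAME
Domain MYCORPDOMAIN
Auth NTLMv2
Proxy myproxy.corp.com:80
Proxy localhost:3129
Listen 3128
Gateway yes
#Allow 127.0.0.1
"""
SQUID_CONF = "http_access deny all\nhttp_port 3129\n"

def parse_cntlm(text):
    """Active cntlm.ini keys -> list of values (Proxy/Allow may repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line:
            key, _, value = line.partition(" ")
            conf.setdefault(key, []).append(value.strip())
    return conf

def squid_ports(text):
    """Ports squid listens on (active http_port lines, with or without a bind address)."""
    return [int(p) for p in re.findall(r"^\s*http_port\s+(?:\S*:)?(\d+)", text, re.M)]

def check_failover(cntlm_text, squid_text):
    """Return findings as strings; an empty list means the setup is consistent."""
    c, findings = parse_cntlm(cntlm_text), []
    listen = int(c.get("Listen", ["3128"])[0].rsplit(":", 1)[-1])
    parents = [p.rsplit(":", 1) for p in c.get("Proxy", [])]
    ports = squid_ports(squid_text)
    if len(parents) < 2:
        findings.append("no failover parent: list the corp proxy, then the local squid")
    elif parents[-1][0] not in ("localhost", "127.0.0.1") or int(parents[-1][1]) not in ports:
        findings.append(f"last Proxy {':'.join(parents[-1])} is not squid's http_port {ports}")
    if listen in ports:
        findings.append(f"cntlm Listen {listen} collides with squid http_port")
    if c.get("Gateway", ["no"])[0].lower() == "yes" and "Allow" not in c:
        findings.append(f"Gateway yes with no Allow rule: any host reaching port {listen} can use your NTLM creds")
    if "Password" in c:
        findings.append("plaintext Password set; use PassNTLMv2 from 'cntlm -H' instead")
    return findings
```

Run it against your real files before starting the services; the post's own cntlm.ini as published trips only the Gateway finding, which an `Allow` line for your VM's source address clears.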

Components

  • Cntlm.ini file pre-configured, but you need to add your user account and password hash, domain, and proxy
  • Squid.conf pre-configured to bind to port 3129
  • Example .bash_profile relevant config parts
  • Example yum/apt/dnf config
  • Example wget config

Pre-requisites

  • Cntlm
  • Squid for Windows

Operations

  1. Launch Squid proxy (use Windows services or Squid systray tool)
  2. Start Cntlm from an administrator enabled command prompt: net start cntlm

Get Configs

https://github.com/jbpadgett/proxy_tools

  • Cntlm.ini file
      #
      # Cntlm Authentication Proxy Configuration
      #
      # NOTE: all values are parsed literally, do NOT escape spaces,
      # do not quote. Use 0600 perms if you use plaintext password.
      #
      # NOTE: Use plaintext password only at your own risk
      # Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
      # command sequence to get the right config for your environment.
      # See cntlm man page
      Username MYUSERNAME
      Domain MYCORPDOMAIN
      #Password clear_text_password_not_recommended_use_hash
      #Construct hash as follows: cntlm -H -a NTLMv2 -d MYCORPDOMAIN -u MYUSERNAME
      Auth NTLMv2
      PassLM 1AD35398BE6565DDB5C4EF70C0593492
      PassNT 77B9081511704EE852F94227CF48A793
      PassNTLMv2 D5826E9C665C37C80B53397D5C07BBCB # Only for user 'MYUSERNAME', domain 'MYCORPDOMAIN'
      # Specify the netbios hostname cntlm will send to the parent
      # proxies. Normally the value is auto-guessed.
      #
      # Workstation netbios_hostname
      # List of parent proxies to use. More proxies can be defined
      # one per line in format <proxy_ip>:<proxy_port>
      #
      #Proxy 10.0.0.41:8080
      #Proxy 10.0.0.42:8080
      Proxy myproxy.corp.com:80
      #Added a failover local squid proxy that uses direct internet, to allow seamless access outside corp offices
      Proxy localhost:3129
      # List addresses you do not want to pass to parent proxies
      # * and ? wildcards can be used
      #
      #NoProxy localhost, 127.0.0.*, 10.*, 192.168.*
      #Use NoProxy * for the equivalent of direct internet for all with no proxies, but this setting is not dynamic and must be edited and services restarted each time
      #NoProxy *
      # Specify the port cntlm will listen on
      # You can bind cntlm to specific interface by specifying
      # the appropriate IP address also in format <local_ip>:<local_port>
      # Cntlm listens on 127.0.0.1:3128 by default
      #
      Listen 3128
      # If you wish to use the SOCKS5 proxy feature as well, uncomment
      # the following option. It can be used several times
      # to have SOCKS5 on more than one port or on different network
      # interfaces (specify explicit source address for that).
      #
      # WARNING: The service accepts all requests, unless you use
      # SOCKS5User and make authentication mandatory. SOCKS5User
      # can be used repeatedly for a whole bunch of individual accounts.
      #
      #SOCKS5Proxy 8010
      #SOCKS5User dave:password
      # Use -M first to detect the best NTLM settings for your proxy.
      # Default is to use the only secure hash, NTLMv2, but it is not
      # as available as the older stuff.
      #
      # This example is the most universal setup known to man, but it
      # uses the weakest hash ever. I won't have its usage on my
      # conscience. 🙂 Really, try -M first.
      #
      #Auth LM
      #Flags 0x06820000
      # Enable to allow access from other computers
      # (in Gateway mode, set the Allow/Deny rules below so that only your
      # own hosts, such as the VirtualBox VM, can use the stored credentials)
      #
      Gateway yes
      # Useful in Gateway mode to allow/restrict certain IPs
      # Specify individual IPs or subnets one rule per line.
      #
      #Allow 127.0.0.1
      #Deny 0/0
      # GFI WebMonitor-handling plugin parameters, disabled by default
      #
      #ISAScannerSize 1024
      #ISAScannerAgent Wget/
      #ISAScannerAgent APT-HTTP/
      #ISAScannerAgent Yum/
      # Headers which should be replaced if present in the request
      #
      #Header User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
      # Tunnels mapping local port to a machine behind the proxy.
      # The format is <local_port>:<remote_host>:<remote_port>
      #
      #Tunnel 11443:remote.com:443
  • Squid.conf pre-configured to bind to port 3129
      #
      # Recommended minimum configuration:
      #
      # Example rule allowing access from your local networks.
      # Adapt to list your (internal) IP networks from where browsing
      # should be allowed
      acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
      acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
      acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
      acl localnet src fc00::/7 # RFC 4193 local private network range
      acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
      acl SSL_ports port 443
      acl Safe_ports port 80 # http
      acl Safe_ports port 21 # ftp
      acl Safe_ports port 443 # https
      acl Safe_ports port 70 # gopher
      acl Safe_ports port 210 # wais
      acl Safe_ports port 1025-65535 # unregistered ports
      acl Safe_ports port 280 # http-mgmt
      acl Safe_ports port 488 # gss-http
      acl Safe_ports port 591 # filemaker
      acl Safe_ports port 777 # multiling http
      acl CONNECT method CONNECT
      #
      # Recommended minimum Access Permission configuration:
      #
      # Only allow cachemgr access from localhost
      http_access allow localhost manager
      http_access deny manager
      # Deny requests to certain unsafe ports
      http_access deny !Safe_ports
      # Deny CONNECT to other than secure SSL ports
      http_access deny CONNECT !SSL_ports
      # We strongly recommend the following be uncommented to protect innocent
      # web applications running on the proxy server who think the only
      # one who can access services on "localhost" is a local user
      #http_access deny to_localhost
      #
      # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
      #
      # Example rule allowing access from your local networks.
      # Adapt localnet in the ACL section to list your (internal) IP networks
      # from where browsing should be allowed
      http_access allow localnet
      http_access allow localhost
      # And finally deny all other access to this proxy
      http_access deny all
      # Squid normally listens to port 3128
      # CHANGE THE PORT TO COEXIST WITH CNTLM
      #http_port 3128
      http_port 3129
      # Uncomment the line below to enable disk caching - path format is /cygdrive/<full path to cache folder>, i.e.
      #cache_dir aufs /cygdrive/d/squid/cache 3000 16 256
      # Leave coredumps in the first cache dir
      coredump_dir /var/cache/squid
      # Add any of your own refresh_pattern entries above these.
      refresh_pattern ^ftp: 1440 20% 10080
      refresh_pattern ^gopher: 1440 0% 1440
      refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
      refresh_pattern . 0 20% 4320
      dns_nameservers 8.8.8.8 208.67.222.222
      max_filedescriptors 3200
  • Example .bash_profile relevant config parts
      #################
      # .BASH_PROFILE
      # On a Windows machine using Cygwin, use this:
      # PROXIES
      export http_proxy="localhost:3128"
      # On a Linux VM in VirtualBox with NAT networking, use the default VirtualBox gateway:
      # PROXIES
      export http_proxy="10.0.2.2:3128"
  • Example yum/apt/dnf config
      #CentOS yum proxy setup
      #Edit (as sudo or root) the /etc/yum.conf or /etc/dnf/dnf.conf file to make use of cntlm proxy from VirtualBox Linux VM using NAT
      proxy=http://10.0.2.2:3128
      #Ubuntu Apt proxy setup
      #Create (as sudo or root) the /etc/apt/apt.conf file to make use of cntlm proxy from VirtualBox Linux VM using NAT
      Acquire::http::Proxy "http://10.0.2.2:3128";
      Acquire::ftp::Proxy "http://10.0.2.2:3128";
  • Example wget config