2019獨角獸企業重金招聘Python工程師標準>>>

對于那些使用NTLM進行身份驗證的網絡代理環境（即設置上除需要代理主機和端口之外還需要提供域用戶和密碼）來說，通過代理上網是一件頭痛的事情，這主要是因為很多軟件不支持NTLM驗證的代理（比如目前的GIT就不能支持NTLM驗證，即使在代理中指定了域帳號和密碼，在連接過程中依然報： Received HTTP code 407 from proxy after CONNECT ，說明驗證并未通過），如果有這樣一種工具能封裝NTLM驗證然后對外提供普通的HTTP代理服務，那么第三方應用就可以通過配置普通的代理訪問網絡了，這就是Cntlm (項目官網：http://cntlm.sourceforge.net/）所要解決的問題！ 由于Cntlm也有linux版本，這意味著在linux系統上通過NTLM身份驗證的網絡代理也是可行的。本文原文出處:?http://blog.csdn.net/bluishglc/article/details/37600773 嚴禁任何形式的轉載，否則將委托CSDN官方維護權益！

配置

下載安裝Cntlm之后，只需要修改cntlm.ini文件，提供身份認證必要的信息，然后以服務的方式啟動cntlm就可以了。在cntlm.ini中有如下幾個重要的配置是可能需要修改的：

• Username - your domain/proxy account name

• Domain - the actual domain name

• Workstation - NetBIOS name of your workstation; Cntlm tries to autodetect it, but you might want to set it explicitly should dialect detection fail (see below)

• Proxy - IP address (or ping-able hostname) of your proxy; if you use several alternative proxies or know of backup ones, use this option multiple times; if one stops working, Cntlm will move on to the next

• Listen - local port number which Cntlm should bind to; the default is OK, but remember you can't have more than one application per port; you can use netstat to list used up ports (lines with LISTEN)

其中Listen配置項是cntlm將在本地打開的作為普通代理的端口，假如我的windows域是abc,帳號是laurence,密碼是123，代理服務器是192.168.0.1：80，則cntlm.ini應該如下配置：

# # Cntlm Authentication Proxy Configuration # # NOTE: all values are parsed literally, do NOT escape spaces, # do not quote. Use 0600 perms if you use plaintext password. #Username laurence Domain abc Password 123 # NOTE: Use plaintext password only at your own risk # Use hashes instead. You can use a "cntlm -M" and "cntlm -H" # command sequence to get the right config for your environment. # See cntlm man page # Example secure config shown below. # PassLM 1AD35398BE6565DDB5C4EF70C0593492 # PassNT 77B9081511704EE852F94227CF48A793 ### Only for user 'testuser', domain 'corp-uk' # PassNTLMv2 D5826E9C665C37C80B53397D5C07BBCB# Specify the netbios hostname cntlm will send to the parent # proxies. Normally the value is auto-guessed. # # Workstation netbios_hostname# List of parent proxies to use. More proxies can be defined # one per line in format <proxy_ip>:<proxy_port> # Proxy 192.168.0.1:80# List addresses you do not want to pass to parent proxies # * and ? wildcards can be used # NoProxy localhost, 127.0.0.*, 10.*, 192.168.*# Specify the port cntlm will listen on # You can bind cntlm to specific interface by specifying # the appropriate IP address also in format <local_ip>:<local_port> # Cntlm listens on 127.0.0.1:3128 by default # Listen 3128# If you wish to use the SOCKS5 proxy feature as well, uncomment # the following option. It can be used several times # to have SOCKS5 on more than one port or on different network # interfaces (specify explicit source address for that). # # WARNING: The service accepts all requests, unless you use # SOCKS5User and make authentication mandatory. SOCKS5User # can be used repeatedly for a whole bunch of individual accounts. # #SOCKS5Proxy 8010 #SOCKS5User dave:password# Use -M first to detect the best NTLM settings for your proxy. # Default is to use the only secure hash, NTLMv2, but it is not # as available as the older stuff. # # This example is the most universal setup known to man, but it # uses the weakest hash ever. I won't have it's usage on my # conscience. :) Really, try -M first. # #Auth LM #Flags 0x06820000# Enable to allow access from other computers # #Gateway yes# Useful in Gateway mode to allow/restrict certain IPs # Specifiy individual IPs or subnets one rule per line. # #Allow 127.0.0.1 #Deny 0/0# GFI WebMonitor-handling plugin parameters, disabled by default # #ISAScannerSize 1024 #ISAScannerAgent Wget/ #ISAScannerAgent APT-HTTP/ #ISAScannerAgent Yum/# Headers which should be replaced if present in the request # #Header User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)# Tunnels mapping local port to a machine behind the proxy. # The format is <local_port>:<remote_host>:<remote_port> # #Tunnel 11443:remote.com:443

其中對于監聽端口使用默認的端口3128就可以了。我們可以通過命令來驗證配置是否正確：

cntlm -c /path/to/cntlm.ini -I -M http://www.baidu.com

如果能正常返回就表示各項配置都是正確的，接下就可以啟動cntlm服務在后臺運行了，使用命令：

net start cntlm

服務啟動之后，我們就可以在第三方應用的代理配置上這樣設定了：代理服務器：127.0.0.1 （即本機），代理服務器端口：3128（即cntlm.ini文件中配置的Listen端口）

日志與常見錯誤

cntlm絕大多數錯誤表現為服務無法啟動，具體原因有很多，好在cntlm有較好的日志信息可以幫助我們找到問題的根源，查看cntlm日志的方法是：Start -> Settings -> Control Panel -> Administrative Tools -> Event Viewer, 然后在左側面板的目錄樹中選擇：Windows Logs -> Application, 再在右側面板中配置一下過慮項，將事件源設定為cntlm就可以過濾出所有的cntlm日志了。

這里我們介紹兩種可能的錯誤：

1. cntlm: PID XXXX: Possible duplicate cygwin1.dll: /socat-1.7.2.1/cygwin1.dll.



類似這樣的錯誤是由于cygwin1.dll沖突引起的，有多種工具會攜帶自己的cygwin1.dll，如果版本不兼容就會報如上的錯誤，最簡單的方是先移除它們。

2. cntlm: Parent proxy address missing



這是一個容易造成誤導的錯誤，如果多數情況下并不是因為你在cntlm.ini中錯誤地制定了Proxy而是cntlm程序啟動時根本沒用找到cntlm.ini文件，造成這種問題的可能誘因之一是在安裝cntlm時修改了默認的安裝目錄，這應該是cntlm的一個bug。不知道在啟動cntlm服務的配置界面（Control Panel -> Administrative Tools -> Services）上指定-c參數是否有效，有興趣的朋友可以嘗試一下，我是按默認配置重裝了cntlm解決的問題。

轉載于:https://my.oschina.net/pangzhuzhu/blog/327160

總結

以上是生活随笔為你收集整理的Cntlm安装和配置心得的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。