Cntlm Installation and Configuration Experience


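For anyone working in a network environment whose proxy uses NTLM authentication (that is, besides the proxy host and port you also have to supply a domain user name and password), getting online through the proxy is a headache. This is mainly because a great deal of software does not support NTLM proxies (for example, Git currently cannot do NTLM authentication; even with the domain account and password specified in the proxy setting, the connection still reports: Received HTTP code 407 from proxy after CONNECT, which means authentication did not pass). If a tool could wrap the NTLM authentication and expose an ordinary HTTP proxy service, third-party applications could reach the network simply by configuring an ordinary proxy. That is the problem Cntlm (project site: http://cntlm.sourceforge.net/) sets out to solve! Because Cntlm also has a Linux version, going through an NTLM-authenticated proxy on Linux is feasible as well. Original source of this article: http://blog.csdn.net/bluishglc/article/details/37600773. Reproduction in any form is strictly prohibited; otherwise CSDN will be asked to enforce the author's rights!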



Configuration


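After downloading and installing Cntlm, you only need to edit the cntlm.ini file to supply the information required for authentication, and then start cntlm as a service.

The following important settings in cntlm.ini may need to be changed: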

  • Username - your domain/proxy account name

  • Domain - the actual domain name

  • Workstation - NetBIOS name of your workstation; Cntlm tries to autodetect it, but you might want to set it explicitly should dialect detection fail (see below)

  • Proxy - IP address (or ping-able hostname) of your proxy; if you use several alternative proxies or know of backup ones, use this option multiple times; if one stops working, Cntlm will move on to the next

  • Listen - local port number which Cntlm should bind to; the default is OK, but remember you can't have more than one application per port; you can use netstat to list used up ports (lines with LISTEN)

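Of these, the Listen setting is the port that cntlm opens locally as an ordinary proxy. Suppose my Windows domain is abc, the account is laurence, the password is 123, and the proxy server is 192.168.0.1:80; then cntlm.ini should be configured as follows: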


#
# Cntlm Authentication Proxy Configuration
#
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
#

Username	laurence
Domain		abc
Password	123
# NOTE: Use plaintext password only at your own risk
# Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
# command sequence to get the right config for your environment.
# See cntlm man page
# Example secure config shown below.
# PassLM          1AD35398BE6565DDB5C4EF70C0593492
# PassNT          77B9081511704EE852F94227CF48A793
### Only for user 'testuser', domain 'corp-uk'
# PassNTLMv2      D5826E9C665C37C80B53397D5C07BBCB

# Specify the netbios hostname cntlm will send to the parent
# proxies. Normally the value is auto-guessed.
#
# Workstation	netbios_hostname

# List of parent proxies to use. More proxies can be defined
# one per line in format <proxy_ip>:<proxy_port>
#
Proxy		192.168.0.1:80

# List addresses you do not want to pass to parent proxies
# * and ? wildcards can be used
#
NoProxy		localhost, 127.0.0.*, 10.*, 192.168.*

# Specify the port cntlm will listen on
# You can bind cntlm to specific interface by specifying
# the appropriate IP address also in format <local_ip>:<local_port>
# Cntlm listens on 127.0.0.1:3128 by default
#
Listen		3128

# If you wish to use the SOCKS5 proxy feature as well, uncomment
# the following option. It can be used several times
# to have SOCKS5 on more than one port or on different network
# interfaces (specify explicit source address for that).
#
# WARNING: The service accepts all requests, unless you use
# SOCKS5User and make authentication mandatory. SOCKS5User
# can be used repeatedly for a whole bunch of individual accounts.
#
#SOCKS5Proxy	8010
#SOCKS5User	dave:password

# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
#
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have it's usage on my
# conscience. :) Really, try -M first.
#
#Auth		LM
#Flags		0x06820000

# Enable to allow access from other computers
#
#Gateway	yes

# Useful in Gateway mode to allow/restrict certain IPs
# Specifiy individual IPs or subnets one rule per line.
#
#Allow		127.0.0.1
#Deny		0/0

# GFI WebMonitor-handling plugin parameters, disabled by default
#
#ISAScannerSize		1024
#ISAScannerAgent	Wget/
#ISAScannerAgent	APT-HTTP/
#ISAScannerAgent	Yum/

# Headers which should be replaced if present in the request
#
#Header		User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

# Tunnels mapping local port to a machine behind the proxy.
# The format is <local_port>:<remote_host>:<remote_port>
#
#Tunnel		11443:remote.com:443



For the listening port, the default port 3128 is fine. We can verify that the configuration is correct with this command:

cntlm -c /path/to/cntlm.ini -I -M http://www.baidu.com

If it returns normally, all of the settings are correct. Next, start the cntlm service so that it runs in the background, using the command:

net start cntlm

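Once the service has started, set the proxy in the third-party application as follows: proxy server: 127.0.0.1 (the local machine), proxy port: 3128 (the Listen port configured in cntlm.ini).

Logs and Common Errors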
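
The sample cntlm.ini above keeps a plaintext Password, and its own comments warn about several other settings (Auth LM, SOCKS5Proxy without SOCKS5User, Gateway mode). The script below is an added example, not part of the original article or of the Cntlm project: it audits a cntlm.ini for exactly those points. The parser is a simplification and the function names are assumptions made for this example.

```python
import os
import stat

# Constructed sample that mirrors the article's example cntlm.ini.
SAMPLE = "Username\tlaurence\nDomain\t\tabc\nPassword\t123\nProxy\t\t192.168.0.1:80\nListen\t\t3128\n"

def parse(text):
    """Collect active settings; lines starting with '#' are comments.
    Simplified parser for this example, keys compared case-insensitively."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf

def audit(text, mode=None):
    """Return findings for the settings the config comments warn about.
    mode: POSIX permission bits of the file, or None to skip that check."""
    conf, findings = parse(text), []
    if "password" in conf:
        findings.append("plaintext Password: use the hashes printed by 'cntlm -H'")
        if mode is not None and mode & 0o077:
            findings.append("file readable by group/others: set 0600")
    for auth in conf.get("auth", []):
        if auth.lower() != "ntlmv2":
            findings.append("Auth %s: not NTLMv2, the only hash the config calls secure" % auth)
    if "socks5proxy" in conf and "socks5user" not in conf:
        findings.append("SOCKS5Proxy without SOCKS5User: accepts all requests")
    gateway = conf.get("gateway", [""])[-1].lower() == "yes"
    if gateway and "deny" not in conf:
        findings.append("Gateway yes without a Deny rule: other computers may connect")
    for listen in conf.get("listen", []):
        host = listen.rpartition(":")[0]
        if host and not host.startswith("127."):
            findings.append("Listen %s: bound to a non-loopback address" % listen)
    return findings

def audit_file(path):
    """Audit a cntlm.ini on disk (permission bits are meaningful on POSIX only)."""
    mode = stat.S_IMODE(os.stat(path).st_mode) if os.name == "posix" else None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit(fh.read(), mode)

if __name__ == "__main__":
    for finding in audit(SAMPLE, mode=0o644):
        print("WARN:", finding)
```

Run `audit_file` against the cntlm.ini actually in use; an empty list means none of the flagged settings are active.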


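The vast majority of cntlm errors show up as the service failing to start. There are many possible causes; fortunately cntlm writes useful log messages that help us find the root of the problem. To view the cntlm log, go to Start -> Settings -> Control Panel -> Administrative Tools -> Event Viewer, then select Windows Logs -> Application in the folder tree in the left panel, and in the right panel configure a filter with the event source set to cntlm, which filters out all of the cntlm log entries.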



Here we describe two possible errors:

1. cntlm: PID XXXX: Possible duplicate cygwin1.dll: /socat-1.7.2.1/cygwin1.dll.



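Errors like this are caused by conflicting copies of cygwin1.dll. Several tools ship their own cygwin1.dll, and if the versions are incompatible the error above is reported. The simplest fix is to remove the other copies first.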

2. cntlm: Parent proxy address missing



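This error is easily misleading. In most cases it is not because you specified Proxy incorrectly in cntlm.ini, but because the cntlm program did not find the cntlm.ini file at all when it started. One possible cause is changing the default installation folder when installing cntlm, which is probably a bug in cntlm. I do not know whether specifying the -c parameter in the service configuration dialog (Control Panel -> Administrative Tools -> Services) works. Interested readers can try it; I solved the problem by reinstalling cntlm with the default configuration.

Copyright notice: this is an original article by the blog author and may not be reproduced without permission.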

