[ BASICS.BASH.CNTLM.OPEN.PROXY.GIT ]

proxy behind a corporate proxy
Stops replay attacks
Open / Public / Online proxies to hide your IP
Forward proxy: server to web
Reverse proxy: web to server
HTTP Proxy Servers
SSL Proxy Servers
SOCKS Proxy Servers

Web Proxies
Transparent Proxies

CNTLM
Open source tool
adds NTLM authentication between requests and corporate proxy

PARENT PROXIES
 Configure Parent Proxy collection
 CNTLM routes traffic through each proxy to find a candidate route
 CNTLM then caches connections for speed

NTLM AUTHENTICATION

(1) HASH CREATION
  a. User logs into Client with Domain, Username, and Password
  b. Client creates cryptographic hash of Password
  c. Client deletes Password

(2) USERNAME SENT TO NTLM
  a. Client sends plaintext Username to NTLM server

(3) CHALLENGE CREATED AND SENT
  a. NTLM Server creates 16-byte random number challenge
  b. NTLM Server sends challenge to Client

(4) CLIENT RESPONSE
  a. Client encrypts Challenge with the user's Password hash
  b. Client returns result to NTLM server

(5) NTLM Server sends 3 items to DC
  1. Username
  2. Challenge
  3. Response from client

(6) DC ENCRYPTS NONCE
  a. DC gets hash via username from SAM (Security Account Manager DB)
  b. DC encrypts Challenge with hash

(7) DC COMPARES NONCE TO RESPONSE
    If identical, authentication is successful

Creates authenticated communication from client to proxy
Stops replay attacks
Challenge provides origin authenticity with the NTLM server
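
Steps (1) to (7) as a runnable model, showing why a fresh challenge per attempt stops a replayed response. This is an added example, not code from CNTLM or from the original notes. The class and function names are hypothetical, and SHA-256 / HMAC-SHA256 stand in for NTLM's own hash and response functions.

```python
import hashlib, hmac, secrets

def password_hash(password):
    # Step 1: the client keeps only a hash of the password.
    # Stand-in: SHA-256 over UTF-16LE, not NTLM's real hash function.
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def respond(pw_hash, challenge):
    # Steps 4 and 6: transform the challenge under the password hash.
    # Stand-in: HMAC-SHA256, not NTLM's real response function.
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

class DomainController:
    def __init__(self, accounts):
        # SAM stand-in: username -> password hash (constructed sample data)
        self.sam = {u: password_hash(p) for u, p in accounts.items()}

    def verify(self, username, challenge, response):
        stored = self.sam.get(username)
        if stored is None:
            return False
        expected = respond(stored, challenge)            # step 6
        return hmac.compare_digest(expected, response)   # step 7

class NtlmServer:
    def __init__(self, dc):
        self.dc = dc
        self.pending = {}  # username -> outstanding challenge

    def start(self, username):
        # Step 3: fresh random challenge (16 bytes, as in the notes above)
        self.pending[username] = secrets.token_bytes(16)
        return self.pending[username]

    def finish(self, username, response):
        # Step 5: hand username, challenge and response to the DC.
        # pop() makes every challenge single-use.
        challenge = self.pending.pop(username, None)
        if challenge is None:
            return False
        return self.dc.verify(username, challenge, response)

def demo():
    server = NtlmServer(DomainController({"alice": "correct horse"}))
    pw_hash = password_hash("correct horse")
    captured = respond(pw_hash, server.start("alice"))
    first = server.finish("alice", captured)    # genuine login
    server.start("alice")                       # new attempt, new challenge
    replayed = server.finish("alice", captured) # old response sent again
    return first, replayed                      # (True, False)
```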

Update /etc/cntlm.conf

To update your password to authenticate
Encrypt your password
Add keys into ~/.bash_profile
Some tools use ~/.bash_profile environment variables

Configuring the proxy independently

Add to ~/.bash_profile

export http_proxy=http://localhost:3128
export https_proxy=http://localhost:3128

# ==================================================================
# SET GIT CONFIG TO USE THE PROXY (written to ~/.gitconfig)

git config --global http.proxy http://localhost:3128
git config --global https.proxy http://localhost:3128

# TO TOGGLE THE PROXY ON/OFF

Set/unset the configuration for each CLI tool

#!/bin/bash
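function getProxyPort() {
  PORT=""
  read -r -p "Set New Proxy Port: " PORT
  # A function's return status is limited to 0-255, so it cannot carry a port
  # number. Validate PORT instead and succeed only for a number in 1-65535;
  # this also keeps arbitrary input out of the sed expressions below.
  [[ "$PORT" =~ ^[0-9]+$ ]] && (( 10#$PORT >= 1 && 10#$PORT <= 65535 ))
}
function enableProxy() {
  if getProxyPort ; then
    export PORT="${PORT}"
    # BSD/macOS sed syntax (-i ''), the same as the other sed calls here;
    # only the active Listen line is rewritten, not comments mentioning it
    sed -i '' -e "s/^Listen.*$/Listen ${PORT}/" "/usr/local/etc/cntlm.conf"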
    
    #         set bash proxies          
   
    sed -i '' "s/^.*http_proxy.*$/export http_proxy=http:\/\/localhost:${PORT}/g" ~/.bash_profile
    sed -i '' "s/^.*https_proxy.*$/export https_proxy=http:\/\/localhost:${PORT}/g"   ~/.bash_profile
    sed -i '' "s/^.*HTTP_PROXY.*$/export HTTP_PROXY=http:\/\/localhost:${PORT}/g" ~/.bash_profile
    sed -i '' "s/^.*HTTPS_PROXY.*$/export HTTPS_PROXY=http:\/\/localhost:${PORT}/g" ~/.bash_profile
    sed -i '' "s/^.*ALL_PROXY.*$/export ALL_PROXY=http:\/\/localhost:${PORT}/g" ~/.bash_profile
   
    #          set npm proxies          
   
    npm config set proxy http://localhost:"$PORT"
    npm config set https-proxy http://localhost:"$PORT"
    yarn config set proxy http://localhost:"$PORT"
    yarn config set https-proxy http://localhost:"$PORT"
    
    #         set git proxies           
    
    git config --global http.proxy http://localhost:"$PORT"
    git config --global https.proxy http://localhost:"$PORT"
    
    #       set gradle proxies          
    
    ./gradlew -Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort="$PORT" -Dhttps.proxyHost=127.0.0.1 -Dhttps.proxyPort="$PORT"
    echo "New Proxy Port: ${PORT}"
  else
    echo "No New CNTLM Port Set"
  fi
  echo -n "IP Address: "
  ifconfig | grep "inet " | grep -Fv 127.0.0.1 | awk '{print $2}'
  echo ""

  # ==================================================================
  #               CNTLM               
  
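  . ~/.bash_profile
  # -g: gateway mode, cntlm listens on all network interfaces, so any host
  #     that can reach the port is proxied with your credentials unless
  #     cntlm.conf restricts clients with Allow/Deny
  # -f: run in the foreground
  cntlm -g -f
}
function disableProxy() {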
  
  #       unset bash proxies          
  
  sed -i '' "s/^.*http_proxy.*$/http_proxy=\"\"/g" ~/.bash_profile
  sed -i '' "s/^.*https_proxy.*$/https_proxy=\"\"/g" ~/.bash_profile
  sed -i '' "s/^.*HTTP_PROXY.*$/HTTP_PROXY=\"\"/g" ~/.bash_profile
  sed -i '' "s/^.*HTTPS_PROXY.*$/HTTPS_PROXY=\"\"/g" ~/.bash_profile
  sed -i '' "s/^.*ALL_PROXY.*$/ALL_PROXY=\"\"/g" ~/.bash_profile
  
  #         unset npm proxies         
  
  npm config rm proxy
  npm config rm https-proxy
  yarn config delete proxy
  yarn config delete https-proxy
  
  #        unset git proxies          
  
  git config --global --unset http.proxy
  git config --global --unset https.proxy
  
  #      unset gradle proxies         
  
  ./gradlew -Dhttp.proxyHost
  
  #               CNTLM              
  
  # Stop every running cntlm process; no error if none is running
  pkill -9 -x cntlm || true
  . ~/.bash_profile
  echo "Proxy disabled"
}
  read -r -p "Enable Proxy? (Y/N): " ENABLE
  case "$ENABLE" in
  y|Y ) enableProxy;;
  n|N ) disableProxy;;
  * ) echo "Expected Y/N";;
  esac

  # ==================================================================

Solution: Proxy configuration tool

At this point it was clear, I wanted to create a simple CLI tool that could toggle proxy configuration — Perfect!

The final product was an open source CLI tool written in Golang.
View the open source repository HERE

This project is a CLI for managing proxy configuration on a local dev machine. Configuring CNTLM and other dev tools can be troublesome and time-consuming.
This tool will be able to dynamically set proxy configuration within CNTLM and other supported tools that have tool-specific proxy support.
Installing the proxy CLI is simple.
If you have a Mac you can use brew.
Add the homebrew tap to our repository with the following command:
brew tap xUnholy/homebrew-proxy
Now you’ve added our custom tap, you can download with the following command:
brew install proxy
And Done!
Note: Linux and Windows are also supported; the binaries can be obtained HERE.
Once installed, starting CNTLM and setting the appropriate configuration can be as easy as the following.
1a. Run CNTLM with the start command:

proxy start

1b. Either open a new terminal OR execute the following in the current terminal. Sourcing the ~/.proxyrc file will set the environment variables in the current terminal.

source ~/.proxyrc

2. Set the proxy configuration for GIT dynamically with the correct details by running the set command:

proxy set git

Done. Without needing to know individual CLI tools and how to configure them, we’ve set up our CNTLM to run locally and configured GIT to route through it. There are a lot of optional flags that can be used with each command. I would suggest checking what commands and flags can be used to see the wider range of options available that may also complement your specific use case.
Remember earlier how difficult it was to have to update passwords?

You would have to
encrypt it
update your cntlm.conf file
then restart CNTLM

This is now as simple as running the following command:

proxy set password

This will prompt you for your password, encrypt it without storing the password in memory unencrypted and update the file for you with little to no effort. Below is a screenshot of the code snippet:

Conclusion: Don’t give in to the proxy


If you like our open source proxy configuration tool, feel free to contribute, especially if you have use cases that aren’t available currently! Again the repository can be found HERE.


Michael Fornaro
