Linux - configuration of a proxy
Settings of a proxy on linux machines differs per distribution. On some user friendly distributions you can use a Graphical interface and on others, you do it in a configuration file.The easiest way to find it out for your distribution is to put a phrase like "Fedora 24 proxy configuration" into google, where you replace Fedora 24 with your distribution ;)
For example I use for my proxy configuration file /etc/profile.d/proxy.sh
And it looks almost like the first example file which you'll find via google.
MY_PROXY_URL="http://prox.srv.world:3128/" HTTP_PROXY=$MY_PROXY_URL HTTPS_PROXY=$MY_PROXY_URL FTP_PROXY=$MY_PROXY_URL http_proxy=$MY_PROXY_URL https_proxy=$MY_PROXY_URL ftp_proxy=$MY_PROXY_URL export HTTP_PROXY HTTPS_PROXY FTP_PROXY http_proxy https_proxy ftp_proxy export no_proxy="localhost,127.0.0.1,localaddress,.localdomain.com"Additionaly (in Fedora) you have to specify proxy for dnf in a separate file - /etc/dnf/dnf.conf
For those who don't know dnf is a package manager - similar to apt-get in debian-like distributions.
Downsides of basic proxy configuration
Configuration of a proxy via variables in .bashrc, .bash_profile etc. is quite simple until you need to do one of:
- provide authentication credentials
- temporary turn off the proxy
Regarding the authentication it's not a big deal if you don't care about security, you can simply specify your user name and password in the variable together with the proxy url and port. Well you have to specify it in two files because of dnf...
Little bit more anoying is turning off the proxy when you for example take your notebook into another room or if you just need to test something without proxy. You have to remove the variables and then depending on what file you use you have to restart something (browser, terminal, whole PC ...).
If you want to solve these things in a better way, then cntlm can be your friend.
What is CNTLM good for
Cntlm is simply a local proxy. Therefore if you install and configure it then instead of
Your PC <-> Company proxy <-> Internet
the internet connection will look like
Your PC <-> Your CNTLM proxy <-> Company proxy <-> Internet
And thanks to that, you can set those variables in .bashrc, ... and also in dnf.conf to use your local proxy and the good thing is that you can be sure that url of your your local cntlm proxy doesn't change (it will always be localhost ;) and also it doesn't require authentication, therefore you don't have to store password in those plain text files.
And then you will setup the cntlm configuration to use the company proxy. And if your company proxy requires authentiation, you are able to put your credentials into cntlm configuration in a secure way.
Now - if your credentials change, you can change it just on one place - cntml configuration. If you want to use different proxy - you can change it just on one place. If you want to disable proxy, you can do it in cntlm configuration, etc...
Fortunately there is a solution - when you google for "turn off cntlm temporarily" you can find few.
I'll publish mine which is based on this one from Mirko Weber.
The solution is bash script which changes NoProxy configuratio of CNTLM.
My script is called proxy_set and accepts parameters on or off. I have this script on $PATH therefore I can simply call it just via the name.
The reason is simple - it's because we have http proxy here and ping doesn't work over http protocol. It needs direct TCP/IP connection. Little more info about it is for example here.
If you want to check if domain is accessible via proxy you can use as an alternative for example curl. Here is an example of one existing domain and then one non-existing:
And then you will setup the cntlm configuration to use the company proxy. And if your company proxy requires authentiation, you are able to put your credentials into cntlm configuration in a secure way.
Now - if your credentials change, you can change it just on one place - cntml configuration. If you want to use different proxy - you can change it just on one place. If you want to disable proxy, you can do it in cntlm configuration, etc...
How to configure cntlm
For this part I will again refer to google because there are many good sources, e.g. this Stackoverflow question.
Turn off proxy (temporarily)
Unfortunately turning off the proxy via cntlm is not yet built-in (cntlm version 0.92.3) and if you simply turn off cntlm daemonn you will not be able to use the internet, because all your programs are configured to use proxy - your local proxy.Fortunately there is a solution - when you google for "turn off cntlm temporarily" you can find few.
I'll publish mine which is based on this one from Mirko Weber.
The solution is bash script which changes NoProxy configuratio of CNTLM.
My script is called proxy_set and accepts parameters on or off. I have this script on $PATH therefore I can simply call it just via the name.
#!/bin/sh
switch=$1
if [ -z "$switch" ]; then
echo "Please provide parameter on/off."
echo "Example: "
echo " proxy_set off"
echo ""
exit;
fi
case "$switch" in
off)
msg="- Set direct internet access (no proxy)"
echo "$msg"
NoProxy="NoProxy *"
;;
*)
# in all other cases will be proxy "turned on"
msg="- Set proxy usage"
echo $msg
NoProxy="NoProxy localhost, 127.0.0.*, laptop-tomor"
;;
esac
sudo sed "s/^NoProxy.*$/$NoProxy/g" -i /etc/cntlm.conf
echo ".. configuration in /etc/cntlm.conf changed"
echo ".. cntlm.service stop requested"
sudo systemctl kill cntlm.service --signal=SIGKILL
echo ".. cntlm.service stopped"
You can notice that I'm not simply restarting the cntlm service, but killing it. Why I'm doing it is explained in this article.Proxy and ping
Yes, you can't ping internet domains from behind proxy, it sucks and probably everybody who will stand behind corporate proxy for the first time will try it and will be wondering why "ping google.com" doesn't work ;)
The reason is simple - it's because we have http proxy here and ping doesn't work over http protocol. It needs direct TCP/IP connection. Little more info about it is for example here.
If you want to check if domain is accessible via proxy you can use as an alternative for example curl. Here is an example of one existing domain and then one non-existing:
tomor-lenovo :: ~ » curl -I http://google.com/ HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=UTF-8 Location: http://www.google.de/?gfe_rd=cr&ei=mbQwWJTFHYvc8Afzo5fwAQ Content-Length: 258 Date: Sat, 19 Nov 2016 20:22:49 GMT tomor-lenovo :: ~ » curl -I http://non-existing-domain.com/ curl: (6) Could not resolve host: non-existing-domain.com
If you would like to test also for example time which is needed to get response from the server, you can use curl -w parameter. It's well described here.
There is simle curl example with time.
For this example you have to know that when domain doesn't exist the code is 000. Other codes mean that domain exists.
That's it for today ;)
There is simle curl example with time.
For this example you have to know that when domain doesn't exist the code is 000. Other codes mean that domain exists.
» curl -s http://google.com/ -o /dev/null -w "result: %{http_code}, time: %{time_total}"
result: 302, time: 0.128%
»
» curl -s http://non-existing-domain.com/ -o /dev/null -w "result: %{http_code}, time: %{time_total}"
result: 000, time: 0.028%
That's it for today ;)
No comments:
Post a Comment