10

My corporate environment is set up with a proxy blocking external internet access and requiring NTLM authentication. Internal addresses will not be routed by the proxy and must be accessed directly.

I am trying to set up a Linux machine in this environment (which is normally exclusively Windows) and have command-line tools that need external internet access. I have found NTLMaps which has worked great for authenticating to the proxy - however the problem now is when I set Linux's HTTP_PROXY environment variable, which many programs use to determine the proxy, they always use the proxy server. Instead, I need them to use proxy/DIRECT connections based on the PAC file.

The very, very manual solution is to clear out the HTTP_PROXY environment variable when I want to access the intranet, and fill it in when I want to access the internet - but that's a pain.

Anyone know a way to do this? (Linux global .pac setting, etc...)

2 Answers

11

Support for proxy autoconfiguration on Windows seems so "seamless" because it's implemented by the WinHTTP client, which is stored in a DLL accessible to all applications with a public API. Many applications use WinHTTP and get proxy-autoconfiguration "for free".

In the Linux world, each application is typically making its own socket calls and using its own implementation of the HTTP protocol. There are HTTP libraries out there, but it's much more likely, as compared to Windows, that applications are going to handle doing HTTP on their own and probably won't have a JavaScript interpreter necessary to process a proxy autoconfiguration file.

You might consider running a local proxy server on the Linux machine, specifying itself as the HTTP_PROXY system-wide, and then configuring that local proxy server with the necessary rules to access some sites directly versus using the corporate proxy as a parent.

Squid could do what you want, but it's fairly heavyweight. I just found this interesting tinyproxy project, and it certainly looks promising (allows for selective use of an upstream proxy by domain, very lightweight, etc), but I've never used it personally and know nothing about it. (In theory, one could modify tinyproxy to actually parse the proxy autoconfiguration file. That'd be a really neat trick, though not something I have time to work on...)

0

I am propagating the answer found here. The alpaca program can help.

The idea is to run alpaca as a local proxy. Alpaca will fetch the pac file from the network (or use a specified one), as well as your NT credentials. Other programs will use the local proxy and be transparently forwarded to the upstream proxy or a direct connection, as instructed by alpaca.

Example invocation:

    $ export LISTEN_ADDRESS=localhost
    $ export LISTEN_PORT=3128
    $ export NTLM_CREDENTIALS="myusername@MYDOMAIN:00000000000000000000000000000000"
    $ export PAC_URL="http://some.url/to/some-file.pac"
    $ alpaca
    Found credentials for MYDOMAIN\me in environment
    pacfetcher.go:100: Attempting to download PAC from http://some.url/to/some-file.pac
    main.go:115: Listening on tcp4 localhost:3128
    main.go:115: Listening on tcp6 localhost:3128
    proxyfinder.go:135: [1] GET http://google.com/ via "PROXY 11.12.13.14:80"

And once the proxy is running, instruct programs to use it via the appropriate environment variables:

    $ export http_proxy='http://localhost:3128'
    $ export https_proxy="$http_proxy" HTTPS_PROXY="$http_proxy" HTTP_PROXY="$http_proxy"
    $ curl -v google.com
    * Uses proxy env variable http_proxy == 'http://localhost:3128'
    * Host localhost:3128 was resolved.
    * IPv6: ::1
    * IPv4: 127.0.0.1
    *   Trying [::1]:3128...
    * Established connection to localhost (::1 port 3128) from ::1 port 58512
    * using HTTP/1.x
    > GET http://google.com/ HTTP/1.1
    [...]

The alpaca-proxy AUR package contains a systemd user unit file, which can be used to start the proxy service with a user session. It could also run as a system service, to be available system-wide on startup.

NTLM credentials can be obtained from alpaca:

    $ alpaca -d MYDOMAIN -u myusername -H
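
The DIRECT-versus-proxy decision that a PAC-aware local proxy has to evaluate for each request, as an added example (not part of either answer and not alpaca's code): it runs a constructed PAC file in Node.js using simplified offline versions of four standard PAC helper functions. The domains, proxy addresses and the `loadPac`/`route` names are assumptions made for illustration.

```javascript
// Constructed sample PAC (not from the page); domains and proxy addresses are placeholders.
const samplePac = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  if (shExpMatch(host, "*.partner.example")) return "PROXY dmz.corp.example:8080";
  return "PROXY proxy.corp.example:8080; DIRECT";
}`;

const ipToInt = (ip) => ip.split(".").reduce((n, octet) => n * 256 + Number(octet), 0);

// Offline versions of four standard PAC helper functions.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  // Real engines resolve the name via DNS first; this one only accepts IPv4 literals.
  isInNet: (host, net, mask) => {
    if (!/^(\d{1,3}\.){3}\d{1,3}$/.test(host)) return false;
    const m = ipToInt(mask);
    return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
  },
  shExpMatch: (str, pattern) => {
    const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp(`^${re}$`).test(str);
  },
};

// new Function runs the PAC as ordinary code in this process: only load a PAC you trust.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, `${pacSource}\nreturn FindProxyForURL;`);
  return factory(...names.map((name) => pacHelpers[name]));
}

// Turn "PROXY host:port; DIRECT" into an ordered list of connection attempts.
function route(findProxy, url) {
  const decision = findProxy(url, new URL(url).hostname);
  return decision.split(";").map((s) => s.trim()).filter(Boolean).map((entry) => {
    const [type, addr = null] = entry.split(/\s+/);
    return { type, addr };
  });
}

const findProxy = loadPac(samplePac);
for (const url of ["http://intranet/", "http://10.1.2.3/app", "http://google.com/"]) {
  console.log(url, "->", JSON.stringify(route(findProxy, url)));
}
```

The strings the PAC returns have the same form as the `"PROXY 11.12.13.14:80"` value in the alpaca log line above.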
