Configure cntlm as git proxy

This post is older than a year. Consider that some information might not be accurate anymore.

Every three months, security compliance requires a password change. This also applies to the proxy authentication. If you have a bunch of tools, like Eclipse, IntelliJ or any other applications that need proxy auth for updates and access, it can be a hassle to change the settings in all of them. For Windows, cntlm is a relief. It stands between your applications and the corporate proxy, adding NTLM authentication on the fly. So basically you change the auth data only in cntlm, and all other applications use it to get through the proxy.

The git configuration for one example project before:

vinh@omega MINGW64 /c/dev/src/neframa (master)
$ git config -l
core.symlinks=false
core.autocrlf=input
core.fscache=true
color.diff=auto
color.status=auto
color.branch=auto
color.interactive=true
help.format=html
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
diff.astextplain.textconv=astextplain
rebase.autosquash=true
user.email=cinhtau@gmail.com
user.name=cinhtau
gui.encoding=utf-8
core.autocrlf=true
https.proxy=https://vinh:secret23@proxy.cinhtau.net:8080
http.proxy=http://vinh:secret23@proxy.cinhtau.net:8080
core.repositoryformatversion=0
core.filemode=false
core.bare=false
core.logallrefupdates=true
core.symlinks=false
core.ignorecase=true
core.hidedotfiles=dotGitOnly
..

As you can see, the proxy user, password and proxy server with its port are still in the http(s).proxy settings. First we need to clean up by unsetting them:

git config --global --unset http.proxy
git config --global --unset https.proxy

The authentication data goes to the cntlm.ini configuration:

#
# Cntlm Authentication Proxy Configuration
#
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
#
Username	vinh
Domain		cinhtau.net
PassNTLMv2      6F8811AD2E996CGG8495B4870E23AD74
Proxy		proxy.cinhtau.net:8080
NoProxy		localhost, 127.0.0.*, 10.*, 192.168.*, *.cinhtau.net
Listen		3128
Auth		NTLMv2

Instead of

git config --global http.proxy http://proxyuser:proxypwd@proxy.server.com:8080

We use only this

git config --global http.proxy http://localhost:3128
git config --global https.proxy https://localhost:3128
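
To confirm that no proxy credentials remain after the cleanup, the following added example (not part of the original post) scans `git config -l` output for proxy URLs that still carry `user:password@` and prints them with the password redacted. The function name `find_proxy_creds` is an assumption of this example, and the sample input is constructed from the listing above.

```shell
#!/bin/sh
# Added example: flag proxy settings in `git config -l` output that still
# embed credentials (scheme://user:password@host). Reads lines on stdin,
# prints each offending key with the password redacted.
# Returns 0 if at least one credential was found, 1 if the config is clean.
find_proxy_creds() {
    found=1
    while IFS= read -r line; do
        key=${line%%=*}
        value=${line#*=}
        # Only proxy keys: http.proxy, https.proxy, http.<url>.proxy
        case "$key" in
            http.proxy|https.proxy|http.*.proxy) ;;
            *) continue ;;
        esac
        # Needs a scheme and an '@' to carry userinfo at all
        case "$value" in
            *://*@*) ;;
            *) continue ;;
        esac
        scheme=${value%%://*}
        rest=${value#*://}
        userinfo=${rest%@*}   # cut at the LAST '@' so an '@' in the password stays hidden
        host=${rest##*@}
        # userinfo must be user:password and must not be part of a path
        case "$userinfo" in
            */*) continue ;;
            *:*) ;;
            *) continue ;;
        esac
        printf '%s=%s://%s:<redacted>@%s\n' \
            "$key" "$scheme" "${userinfo%%:*}" "$host"
        found=0
    done
    return "$found"
}

# Constructed sample modelled on the listing above; on a real machine run:
#   git config -l | find_proxy_creds
find_proxy_creds <<'EOF'
core.autocrlf=true
http.proxy=http://vinh:secret23@proxy.cinhtau.net:8080
http.proxy=http://localhost:3128
EOF
```

Because `git config -l` merges system, global and repository settings, a hit after the `--global --unset` commands means another scope still holds the credential.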

Now if you work with cntlm, you will see output like this:

******* Round 2 C: 6, S: 7 (authok=0, noauth=0) *******
Reading headers (7)...
HEAD: HTTP/1.1 200 Connection established
Sending headers (6)...
Ok CONNECT response. Tunneling...
tunnel: select cli: 6, srv: 7
forward_request: palive=0, authok=1, ntlm=0, closed=0
Thread finished.
proxy_thread: request rc = 0xffffffff
forward_request: palive=0, authok=1, ntlm=0, closed=0
Thread finished.
proxy_thread: request rc = 0xffffffff
Joining thread 537209432; rc: 0
Joining thread 537141160; rc: 0