
Setting up FreeBSD to access the Internet through a proxy server

Introduction


I decided to start learning a rather obscure OS, FreeBSD. Since there is too little free time outside working hours, a test server was set up at work. The main problem was that in any normal office the Internet is handed out through a proxy or NAT; in my case it is a proxy. The main proxy server also runs on FreeBSD, with NTLM authentication. I will also cover setting up FreeBSD for a proxy server with basic authentication.

The test FreeBSD box has no additional software installed, so all I have at my disposal is the terminal and the csh shell.

So, basic authentication.

Everything is simple: edit two files.
1) /.cshrc or /home/%username%/.cshrc (your user's home folder)
setenv HTTP_PROXY login:pass@server:port
setenv FTP_PROXY login:pass@server:port
setenv http_proxy login:pass@server:port
setenv ftp_proxy login:pass@server:port


2) /etc/make.conf
# make.conf is a makefile: repeated "FETCH_ENV=" assignments overwrite each
# other and only the last one would survive, so append with "+=" instead
FETCH_ENV+=HTTP_PROXY=http://login:pass@server:port
FETCH_ENV+=FTP_PROXY=http://login:pass@server:port
FETCH_ENV+=http_proxy=http://login:pass@server:port
FETCH_ENV+=ftp_proxy=http://login:pass@server:port


Log in again and all programs will now know about the proxy server. If the proxy requires no authentication at all, the login and password can simply be omitted:
setenv HTTP_PROXY server:port

There is a subtlety with the .cshrc file: it is best to edit the copy in the home directory of the user you actually work as; for root that is /root/.cshrc
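Both files above hold the proxy login and password in plaintext, and /etc/make.conf is normally world-readable, so any local user could read the credentials. The following POSIX sh script is an added example (not from the original article) that scans the given files for proxy settings of the form login:pass@ and reports whether each file is readable by group or others; the function name check_proxy_secrets, the regular expression and the three sample files are constructed here.

```shell
#!/bin/sh
# Added example (not from the original article): find proxy settings that
# embed login:pass@ in shell startup files or make.conf and report whether
# those files are readable by other local users. Prints one line per file
# that carries credentials; returns the number of files whose credentials
# are readable by group or others (0 = nothing exposed).

# ERE for "setenv X_PROXY user:pass@...", "export x_proxy=..." and
# "FETCH_ENV(+)=x_proxy=..." lines; matched case-insensitively below.
PROXY_CRED_RE='^[[:space:]]*(setenv[[:space:]]+[a-z_]*proxy[[:space:]]+|(export[[:space:]]+|fetch_env[+]?=)[a-z_]*proxy=)([a-z]+://)?[^:/@[:space:]]+:[^@[:space:]]+@'

check_proxy_secrets() {
    exposed=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -qiE "$PROXY_CRED_RE" "$f" || continue
        # columns 5-10 of "ls -l" are the group and other permission bits
        perms=$(ls -ld "$f" | cut -c5-10)
        case "$perms" in
            *r*) echo "EXPOSED: $f embeds proxy credentials and is readable by others (${perms})"
                 exposed=$((exposed + 1)) ;;
            *)   echo "ok: $f embeds proxy credentials but is owner-only" ;;
        esac
    done
    return "$exposed"
}

# Demo on constructed files (the real ones are ~/.cshrc and /etc/make.conf).
demo_dir=$(mktemp -d)
printf 'setenv HTTP_PROXY login:pass@server:port\n' > "$demo_dir/cshrc"
chmod 644 "$demo_dir/cshrc"            # typical default: world-readable
printf 'FETCH_ENV+=http_proxy=http://login:pass@server:port\n' > "$demo_dir/make.conf"
chmod 600 "$demo_dir/make.conf"        # owner-only
printf 'setenv HTTP_PROXY server:port\n' > "$demo_dir/noauth"
chmod 644 "$demo_dir/noauth"           # no credentials, nothing to report
check_proxy_secrets "$demo_dir/cshrc" "$demo_dir/make.conf" "$demo_dir/noauth"
echo "files with exposed credentials: $?"
rm -rf "$demo_dir"
```

Run it as `sh check_proxy_secrets.sh` or source it and call `check_proxy_secrets ~/.cshrc /etc/make.conf`; a non-zero return value means at least one credential-bearing file should get `chmod 600`, or the credentials should move to a file only root can read.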

NTLM authentication.

In my own case the settings above somehow let me work through the office proxy, which uses NTLM authentication: I simply entered the domain user's login and password, but it did not work properly. Only downloads from FTP servers worked; I don't know whether that is a quirk of this particular server's configuration or normal behaviour, but the point is that I could download the packages I needed without much trouble. Had FTP been blocked too, downloading and installing the extra packages would have been a bit more of a problem...

Standard FreeBSD tools will not get through NTLM authentication; additional software is required. I used the cntlm program, so that is what I will set up and describe.

Install the program any way you like; my way is simple:
# whereis cntlm
# cd /usr/ports/www/cntlm
# make install

1) Edit the file /usr/local/etc/cntlm.conf
Username    MyUserName        # Windows user name
Domain      MyDomain          # Windows domain
Password    MyPassword        # Windows password
Proxy       ServerProxy:port  # the office proxy server and its port
Listen      3128              # port the local relay listens on
Auth        NTLM              # authentication type used by the proxy
Flags       0x07820000

2) Add lines to /etc/rc.conf
cntlm_enable="YES"
cntlm_config="/usr/local/etc/cntlm.conf"

3) Start the daemon:
/usr/local/etc/rc.d/cntlm start

cntlm starts a local proxy server (a relay) on the port you specify in the config. From now on all system settings must point at this local server (daemon), as we did in the first variant:
/.cshrc
setenv HTTP_PROXY 127.0.0.1:3128
setenv ftp_proxy 127.0.0.1:3128

/etc/make.conf
FETCH_ENV+=HTTP_PROXY=http://127.0.0.1:3128
FETCH_ENV+=ftp_proxy=http://127.0.0.1:3128


And everything should work!

Troubleshooting

But it did not work for me... so I will describe the additional cntlm settings I had to make.
First, we determine the authentication parameters the proxy server uses by running:
# cntlm -M google.ru
The program prints something like this:
Config profile 1/11... OK (HTTP code: 301)
----------------------------[ Profile 0 ]------
Auth NTLMv2
PassNTLMv2 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


It turned out that my proxy uses NTLMv2 authentication, so edit cntlm.conf:
Auth        NTLMv2
PassNTLMv2  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


You may have NT or LM authentication instead; if so, change the Auth and Flags lines accordingly:
Auth    Flags
NT      0x05820000
LM      0x06820000
NTLM    0x07820000
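The cntlm.conf written in step 1 keeps the Windows password in plaintext, while the PassNTLMv2 line printed by cntlm -M lets the Password line be dropped altogether; and because cntlm does not authenticate its own clients, the relay must stay reachable only from the local box. The POSIX sh script below is an added example (not from the original article or from the cntlm project) that audits a cntlm.conf for these points. It assumes cntlm's documented keywords (Password, PassNTLMv2/PassNT/PassLM, Auth, Listen, Gateway, Allow) and the documented behaviour that cntlm accepts only local connections unless Gateway is enabled; the function names cfg_value and audit_cntlm_conf and both sample configs are constructed here.

```shell
#!/bin/sh
# Added example (not from the original article): audit a cntlm.conf for
# settings that weaken the local relay. Prints one line per finding and
# returns the number of findings (0 = clean). Assumes cntlm's documented
# keywords: Password, PassNTLMv2/PassNT/PassLM, Auth, Listen, Gateway, Allow.

# cfg_value FILE KEY -> value of the first KEY line (tabs or spaces)
cfg_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 |
        sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//; s/[[:space:]]+$//'
}

audit_cntlm_conf() {
    f=$1
    n=0
    # 1. Plaintext password: once "cntlm -M" has printed a PassNTLMv2 hash,
    #    the Password line can be replaced by that hash line.
    if [ -n "$(cfg_value "$f" Password)" ]; then
        if [ -n "$(cfg_value "$f" PassNTLMv2)$(cfg_value "$f" PassNT)$(cfg_value "$f" PassLM)" ]; then
            echo "FINDING: $f keeps a plaintext Password although a hash line is present"
        else
            echo "FINDING: $f stores the password in plaintext; use the PassNTLMv2 line printed by 'cntlm -M' instead"
        fi
        n=$((n + 1))
    fi
    # 2. Weaker dialects: LM and NT responses are easier to crack if captured
    auth=$(cfg_value "$f" Auth)
    case "$auth" in
        [Ll][Mm]|[Nn][Tt])
            echo "FINDING: $f uses Auth $auth; prefer NTLMv2 if 'cntlm -M' shows the proxy accepts it"
            n=$((n + 1)) ;;
    esac
    # 3. Relay reachable by other hosts: cntlm does not authenticate its own
    #    clients, so anyone who can connect browses with your credentials.
    #    Without "Gateway yes" it accepts local connections only (assumed from
    #    the cntlm documentation); yes/on/true/1 are taken as enabling it.
    gw=$(cfg_value "$f" Gateway)
    listen=$(cfg_value "$f" Listen)
    case "$gw" in
        [Yy][Ee][Ss]|[Oo][Nn]|[Tt][Rr][Uu][Ee]|1)
            if [ -z "$(cfg_value "$f" Allow)" ]; then
                echo "FINDING: $f sets Gateway $gw without an Allow list on port ${listen:-3128}"
                n=$((n + 1))
            fi ;;
    esac
    # An explicit Listen address other than loopback also exposes the relay
    case "$listen" in
        *:*) case "$listen" in
                 127.0.0.1:*|localhost:*) ;;
                 *) echo "FINDING: $f binds Listen $listen to a non-loopback address"
                    n=$((n + 1)) ;;
             esac ;;
    esac
    return "$n"
}

# Demo on two constructed configs: the one from the article as written, and
# a version that uses the hash line and a loopback-only Listen.
demo_dir=$(mktemp -d)
cat > "$demo_dir/cntlm.conf" <<'EOF'
Username    MyUserName
Domain      MyDomain
Password    MyPassword
Proxy       ServerProxy:port
Listen      3128
Auth        NTLM
Flags       0x07820000
EOF
cat > "$demo_dir/cntlm-hardened.conf" <<'EOF'
Username    MyUserName
Domain      MyDomain
PassNTLMv2  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Proxy       ServerProxy:port
Listen      127.0.0.1:3128
Auth        NTLMv2
EOF
audit_cntlm_conf "$demo_dir/cntlm.conf"; echo "findings: $?"
audit_cntlm_conf "$demo_dir/cntlm-hardened.conf"; echo "findings: $?"
rm -rf "$demo_dir"
```

The first config yields one finding (the plaintext password) and the hardened one none. Since cntlm.conf must stay readable by the user cntlm runs as, the hash line is not a secret-free substitute: it still lets anyone who reads the file authenticate to the proxy, so the file should also be `chmod 600`.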


I also had a problem starting the daemon:
# /usr/local/etc/rc.d/cntlm start
And in response we get:
Starting cntlm.
Exitting with error. Check daemon logs or run with -v.
/usr/local/etc/rc.d/cntlm: WARNING: failed to start cntlm


The log says:
cntlm: Cannot access specified config file: %%{PREFIX
root: /usr/local/etc/rc.d/cntlm: WARNING: failed to start cntlm

Googling turned up nothing on this topic, so I decided to write up my solution.
You need to edit the cntlm rc script in the /usr/local/etc/rc.d/ folder.
Change:
: ${cntlm_config="%%{PREFIX}/cntlm.conf"}
to
: ${cntlm_config="/usr/local/etc/cntlm.conf"}

After these additions, everything began to work as it should.

Source: https://habr.com/ru/post/112329/

