Use ISA (Proxynet) Proxies

UCT’s Campusnet proxies (running ISA) require NTLM Authentication, so that they can count usage against the right students’ quotas. NTLM Authentication is relatively non-standard, and rarely implemented in clients.

There are a few Linux applications which can connect to NTLM proxies directly, but most applications cannot. The solution is to use an “NTLM Proxy” which listens for requests from programs on your machine, and forwards them to the UCT servers with NTLM authentication done automatically. CNTLM is the preferred proxy.

OSX Users can use Authoxy for this. Setting it up isn’t described on this page, but you should be able to work it out from these instructions.

Cntlm in recent versions of Ubuntu

Cntlm is a proxy which performs the NTLM authentication for you, and passes on the requests to proxynet, correctly authorised. It is the new implemented-in-C replacement for ntlmaps (described below). It is available as “cntlm” in Debian and Ubuntu.

  1. Install the package

    $ sudo apt-get install cntlm
  2. Obtain the password hash of your domain password (you can put your raw password in your configuration file instead, but this is a little more secure). Your domain may be wf.uct.ac.za or WF — check which one works for you:

    $ /usr/sbin/cntlm -u *YOUR_STUDENT_NUMBER* -d *YOUR_DOMAIN* -f -H
  3. Copy the PassLM, PassNT and PassNTLMv2 lines from the output of that command (tip: use Shift-Control-C to copy selected text from a terminal)

  4. Edit the cntlm configuration file ‘/etc/cntlm.conf’

    $ sudo nano /etc/cntlm.conf
  5. Paste the PassLM, PassNT and PassNTLMv2 lines into the configuration file (tip: use Shift-Control-V to paste into a terminal), and edit it so that it looks like this:

Username        *YOUR_STUDENT_NUMBER*
Domain          *YOUR_DOMAIN*
#Password       password
PassLM          *LONG_RANDOM_PASSWORD_HASH*
PassNT          *LONG_RANDOM_PASSWORD_HASH*
PassNTLMv2      *LONG_RANDOM_PASSWORD_HASH*    # Only for user 'YOUR_STUDENT_NUMBER', domain 'YOUR_DOMAIN'
#Proxy          10.0.0.41:8080
#Proxy          10.0.0.42:8080
Proxy           proxynet.uct.ac.za:8080
NoProxy         localhost, 127.0.0.*, 10.*, 192.168.*, 137.158.*
Listen          3128
  6. Save the configuration file and exit the editor. Now test it:

    $ sudo cntlm -M http://google.com/

    Enter your domain password and you should see something like this:

    Config profile  1/4... OK (HTTP code: 301)
    ----------------------------[ Profile  0 ]------
    Auth            NTLMv2
    PassNTLMv2      *LONG_RANDOM_PASSWORD_HASH*
    ------------------------------------------------

    If you see a screenful of errors, something is wrong: check your config (and see the debugging help below).

  7. Restart cntlm to apply the new configuration:

    $ sudo service cntlm restart
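A quick audit of the finished /etc/cntlm.conf, as an added example that is not part of the original how-to or of cntlm itself. It flags a plaintext Password line, gateway mode or a non-loopback Listen address (either lets other machines send requests through your account), and a world-readable file, since the Pass* hashes are all cntlm needs to authenticate as you. The function names, sample files and sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a cntlm.conf for credential and exposure problems.

# audit_cntlm_conf FILE
# Prints one finding per line. Returns 0 when clean, 1 on findings, 2 if unreadable.
audit_cntlm_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable: $conf"; return 2; }

    findings=$(
        awk '
            { sub(/#.*/, "") }      # drop comments, including trailing ones
            NF == 0 { next }        # skip blank and comment-only lines
            { key = tolower($1) }
            key == "password" { print "plaintext-password (line " NR ")" }
            key == "gateway" && tolower($2) == "yes" { print "gateway-mode (line " NR ")" }
            # "Listen 3128" has no address and binds loopback unless Gateway is on.
            key == "listen" && $2 ~ /:/ {
                addr = $2; sub(/:[0-9]+$/, "", addr)
                if (addr !~ /^127\./ && addr != "localhost")
                    print "listen-non-loopback " $2 " (line " NR ")"
            }
        ' "$conf"
        # The file holds password-equivalent hashes: other users must not read it.
        if [ -n "$(find "$conf" -prune -perm -004)" ]; then echo "world-readable"; fi
    )

    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample configs ($1 = weak | hardened, $2 = output path).
# User name, password and hash values are made-up placeholders.
write_sample_conf() {
    case $1 in
        weak)
            cat > "$2" <<'EOF'
Username        student01
Domain          WF
Password        hunter2
Proxy           proxynet.uct.ac.za:8080
Gateway         yes
Listen          0.0.0.0:3128
EOF
            chmod 644 "$2" ;;
        hardened)
            cat > "$2" <<'EOF'
Username        student01
Domain          WF
#Password       password
PassLM          CONSTRUCTED_PLACEHOLDER_HASH
PassNT          CONSTRUCTED_PLACEHOLDER_HASH
PassNTLMv2      CONSTRUCTED_PLACEHOLDER_HASH    # Only for user 'student01', domain 'WF'
Proxy           proxynet.uct.ac.za:8080
NoProxy         localhost, 127.0.0.*, 10.*, 192.168.*, 137.158.*
Listen          3128
EOF
            chmod 600 "$2" ;;
    esac
}

# Demo run over the two constructed files.
tmp=$(mktemp -d)
write_sample_conf weak "$tmp/weak.conf"
write_sample_conf hardened "$tmp/hardened.conf"
echo "weak.conf:";     audit_cntlm_conf "$tmp/weak.conf" || true
echo "hardened.conf:"; audit_cntlm_conf "$tmp/hardened.conf" && echo "  no findings"
rm -rf "$tmp"
```

On a real machine, run `audit_cntlm_conf /etc/cntlm.conf` as root if the file is not readable by your user.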

Debugging CNTLM

CNTLM is quite fussy: it needs the hostname of your machine to match the hostname the proxy sees. You can get around this by telling it what hostname the proxy is expecting, with the Workstation option in cntlm.conf. You can see the hostname the outside world sees by running host 137.158.1.1 or dig -x 137.158.1.1, where 137.158.1.1 is your IP address.

Try putting the config snippet that the -M test gives you in your configuration file.

Configuring your system to use CNTLM (for GUI applications)

Now that cntlm is configured and running, we need to tell our applications to use it (alternatively, you can use the transparent setup described below; then programs won’t need to be told about the proxy). Open the Network applet in System Settings, or simply click on the Home button and start typing ‘network’.

Open the Network applet

Change the method to ‘Manual’ and configure network proxy settings for HTTP, HTTPS and FTP (not Socks) to 127.0.0.1 port 3128.

Configure the proxy settings

Click on the ‘Apply system wide’ button. If you take your computer off campus, change the method to ‘None’ and click ‘Apply system wide’. When you return to campus, change the method back to ‘Manual’ and click ‘Apply system wide’; you don’t have to configure the proxy settings every time.

Go to Firefox’s connection settings and select ‘Use system proxy settings’. Google Chrome uses the system proxy settings by default.

Configure Firefox

There appears to be a bug in recent versions of Firefox which prevents the browser from detecting the system proxy settings correctly. If you think that you are affected, try entering the proxy settings into Firefox manually. This does mean that you will have to change them in an additional place whenever you leave campus or come back.

Configuring environment variables (for command-line applications)

If you want command-line applications like wget or pip to use the proxy, you need to set some environment variables in your shell. These instructions assume that you are using bash (which is the default on Ubuntu); you should be able to adapt them to other shells.

Editing .bashrc

Add these lines to your .bashrc file (replace 3128 with whatever port your proxy listens on):

export http_proxy=http://localhost:3128
export ftp_proxy=http://localhost:3128
export https_proxy=http://localhost:3128

You can also use the no_proxy environment variable to specify some domains for which you don’t want to use a proxy.

Note that editing this file will not affect your currently running shells — either close your terminals and re-open them, or set the variables manually in those terminals (by pasting in the lines above). You can test whether a terminal has the variables set like this:

echo $http_proxy

If this prints the proxy value, you’re good to go. If you get a blank line, something is wrong. You should be able to download a test file using wget:

wget www.google.com

Using the proxy with sudo

Now you have set up the environment variables for your user, but there is one more thing that you have to do so that you can use the proxy while using sudo — for example, if you need to install things from the internet through the proxy (Warning: installing everything through the proxy can eat through your quota fast — read the section about apt below for more information).

By default, when you use sudo none of your environment variables are preserved. You need to edit your sudoers file to make an exception for the proxy variables. You should never edit the sudoers file except by using the visudo command, which makes the process more secure:

sudo visudo

You should see a line in your file which says:

Defaults        env_reset

Just above this line, add the following line:

Defaults        env_keep = "http_proxy ftp_proxy https_proxy no_proxy"

Save the file. You should now be able to download a test file using wget through sudo:

sudo wget www.google.com

HTTPS

Please note that the campus proxies silently fail when attempting HTTPS over any port other than 443. For now, you can remove the HTTPS proxy settings and use HTTPS without going through the proxies.

Applications which can access NTLM directly

You can configure Konqueror and Firefox to work with Campusnet directly by manually setting the Autoconfiguration file to http://www.uct.ac.za/cache.pac. This means that you have to change your proxy settings whenever you arrive on campus. This is a massive bind to do, but with the help of a Firefox add-on, you can make it slightly less painful.

Windows users are required to make a configuration change in Firefox, for NTLM authentication to work correctly. Linux users needn’t do this.

The only non-browser program known to work with NTLM Authentication is curl, which can be used as a wget substitute.

NTLMAPS

NTLMAPS is older than cntlm (described above). It is more reliable, but slower, and doesn’t support the newer password hash formats that UCT now uses. (It’s packaged under that name for Debian/Ubuntu/most other distros.)

apt and other package managers

LEG provides mirrors for a lot of Linux distributions. This means that you can install most packages (except those from non-standard repositories which are not mirrored, e.g. Ubuntu PPAs) from the UCT intranet, without using a proxy. If you find yourself needing to forward apt through campusnet to access the LEG mirrors, then something is wrong — contact the LEG admins or ICTS.

Warning: if you have a quota, you don’t want apt (or whatever package manager you use) to go through campusnet, as it’ll rack up quota usage very quickly. Make sure that you aren’t using ntlmaps/cntlm when you download packages.

If you don’t have a quota, you may find it useful to configure apt to go through the proxy so that you can use unmirrored repositories like PPAs. If you use apt on the command line you will need to set up the environment variables as described above. Whether you use a command-line tool or a GUI tool like Synaptic, you will also need to edit the /etc/apt/apt.conf file and add these lines (replace 3128 with whatever port your proxy listens on):

Acquire::http::proxy "http://localhost:3128/";
Acquire::ftp::proxy "http://localhost:3128/";
Acquire::https::proxy "http://localhost:3128/";

If you have a quota but you want to use PPAs, you can try using the no_proxy environment variable or the NoProxy setting in cntlm.conf to exclude the LEG mirrors. Make sure that your package manager is set up to use these mirrors!

A transparent proxying solution

The “transparent” proxy will pick up all outgoing port 80 traffic, and proxy it. Thus you shouldn’t need to configure any applications; they should just work as soon as you start the proxy.

We’ll use tinyproxy as our transparent proxy, and it’ll pass the requests to ntlmaps/cntlm. On Ubuntu tinyproxy is compiled with transparent support by default, but not so on Debian. Debianites might have to recompile it…

# aptitude install tinyproxy

We use an /etc/default/tinyproxy script to insert the necessary iptables rules to intercept the traffic. Note that we only intercept off-campus traffic:

case "$1" in
  start)
    iptables -t nat -A OUTPUT -d 137.158.0.0/16 -j RETURN
    iptables -t nat -A OUTPUT -d 196.24.192.0/18 -j RETURN
    iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to 8888
    ;;
  stop)
    iptables -t nat -F OUTPUT
    ;;
  restart)
    start-stop-daemon --stop --quiet -t --exec $DAEMON > /dev/null || exit 0
 
    iptables -t nat -F OUTPUT
    iptables -t nat -A OUTPUT -d 137.158.0.0/16 -j RETURN
    iptables -t nat -A OUTPUT -d 196.24.192.0/18 -j RETURN
    iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to 8888
    ;;
esac

We make sure that it doesn’t start by default (unless this is a UCT-bound PC):

# update-rc.d -f tinyproxy remove
# update-rc.d tinyproxy stop 20 0 1 2 3 4 5 6 .

Configure it. Here are the important settings for /etc/tinyproxy/tinyproxy.conf (Upstream must point at the port your ntlmaps or cntlm instance listens on):

Port 8888
Listen 127.0.0.1
Upstream localhost:8080
ViaProxyName "tinyproxy"

And finally, start it (the --force is necessary because we disabled it from automatically starting):

# invoke-rc.d tinyproxy stop
# invoke-rc.d --force tinyproxy start

More Information

There was a thread on this topic on clug-tech.

Comments

Using tinyproxy in addition to ntlmaps

Following a suggestion in the thread

http://lists.clug.org.za/pipermail/clug-tech/2007-December/039125.html

on CLUG, I installed tinyproxy to do three things:

  1. to channel traffic to *.uct.ac.za directly to the servers, avoiding the proxy server
  2. to send all other traffic through to ntlmaps which is running (as described above) on localhost.
  3. to make it easier for me to switch to different proxy settings when off campus.

I couldn’t get the transparent proxy to work…

OK - my setup: Everything (firefox, thunderbird, …) is configured to connect through tinyproxy (except of SOCKS proxy, which I did not manage to compile into tinyproxy - but that’s fine for the moment) The main changes I did were:

# Sending all traffic through to ntlmaps
upstream localhost:5865
## except of the following:
no upstream ".uct.ac.za"
no upstream "localhost"
no upstream "127.0.0.1"
no upstream "127.0.0.2"

I put these files in a separate file, called tinyproxy.conf.upstream.UCT

My script which is switching between different upstream setting is:

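#####################
#!/bin/bash
# Rebuild tinyproxy.conf from the template plus one upstream file, then restart tinyproxy.

E_NOARGS=65

if [ -z "$1" ]
then
    echo "Usage: $(basename "$0") <home|uct|sun>"
    exit $E_NOARGS
fi

case "$1" in
    "home") upstream="/usr/local/etc/tinyproxy/tinyproxy.conf.upstream.HOME";;
    "uct") upstream="/usr/local/etc/tinyproxy/tinyproxy.conf.upstream.UCT";;
    "sun") upstream="/usr/local/etc/tinyproxy/tinyproxy.conf.upstream.SUN";;
    # No upstream file exists for any other argument; stop instead of letting cat wait on stdin.
    *) echo "Unknown location: $1" >&2; exit $E_NOARGS;;
esac

conftemplate="/usr/local/etc/tinyproxy/tinyproxy.conf.template"
conf="/usr/local/etc/tinyproxy/tinyproxy.conf"

echo "creating conf file for $1"

# Template first, then the location-specific upstream settings.
cat "$conftemplate" "$upstream" > "$conf"

echo "stopping running instance of proxy"
# Only signal tinyproxy if a pid file exists.
[ -f /var/run/tinyproxy.pid ] && kill "$(cat /var/run/tinyproxy.pid)"

echo "Starting new instance of proxy for $1"
/usr/local/sbin/tinyproxy

#####################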

As you can guess, I have two more files which get appended to the basic configuration of tinyproxy, stored in tinyproxy.conf.template. This is essentially the basic tinyproxy.conf.

I tested the script at all three locations and it works nicely.

Now a transparent proxying would be brilliant and SOCKS support will be the next step.

Thanks to everybody who participated in the above discussion, especially Jeremy for the initial idea and the script, and Stefano and Izak concerning tinyproxy.

Rainer

Re: Trans proxies

I’ve added some transparent proxy howto above. Try it, it’s my configuration.

Adding .uct.ac.za to "no upstream"

Why not add .uct.ac.za to the tinyproxy config file to avoid using up your quota when using package managers et al? i.e. in addition to the above-mentioned “no upstream” add:

no upstream ".uct.ac.za"

that should do it and you can use tinyproxy without worries from your package manager.

Rainer

Re: Adding .uct.ac.za to "no upstream"

If you look at the cache.pac, there are quite a few exceptions - various .uct.ac.za domains that aren’t hosted on campus. Judging by IP Address is probably simpler (My iptables rule is currently doing that).

Google has to go through proxy!

Hi

I just realised that Google has to go through the proxy - so they should be deleted from the “no upstream” settings. (I just checked the cache.pac)

Rainer

Re: Google has to go through proxy!

Oh, they must have changed that over the weekend. Google has been “DIRECT” for a while…

Fixed.

FTP proxy

Hi,

Is it possible to make this transparent proxy (or CNTLMAPS) forward FTP proxy to the UCT proxy server?

re: FTP Proxy

Transparently, no. FTP is a fundamentally different protocol, involving multiple connections. Proxied FTP is more HTTP than FTP.

Configured clients with ntlmaps / cntlm should work, but I can’t say I’ve tested them.

proxy

proxy

configure apt to use the proxy selectively?

The updated how-to is much improved - thank you.

I have one question: I am using FEniCS (fenicsproject.org) and need to use the nightly build as the shipped version does not work in ubuntu 11.10 (http://fenicsproject.org/download/ubuntu_details.html#ubuntu-details).

Once I configure CNTLM and tinyproxy I can add the PPA but once I try fetch updates from the off-campus repository I get the error: 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )

Is there some way to configure apt to fetch the local updates bypassing the proxy (and thus the local transparent proxy as well) for updates hosted on leg - but to then use them for updates hosted on the PPA?

Thanks in advance,

Ernesto

apt, ISA and cntlm

Your HowTo says I shouldn’t use cntlm with apt-getting, but I couldn’t set the universe and multiverse repositories without using cntlm, and without that, I couldn’t install Firefox, without which I can’t surf the web (Konqueror is broken in Kubuntu 7.10 with proxy authentication). So what to do?

apt-get

…so, sorry, but how do I use apt-get then, if I don’t want it to go through campusnet??

I tried

http_proxy=http://ftp.leg.uct.ac.za:80/ update-manager

then got lots of this:

Failed to fetch http://ftp.leg.uct.ac.za/pub/linux/ubuntu/dists/intrepid/main/source/Sou… 404 Not Found
Failed to fetch http://ftp.leg.uct.ac.za/pub/linux/ubuntu/dists/intrepid/restricted/sour… 404 Not Found
Failed to fetch http://ftp.leg.uct.ac.za/pub/linux/ubuntu/dists/intrepid/universe/source… 404 Not Found
Failed to fetch http://ftp.leg.uct.ac.za/pub/linux/ubuntu/dists/intrepid/multiverse/sour… 404 Not Found
Failed to fetch http://ftp.leg.uct.ac.za/pub/linux/ubuntu/dists/intrepid-updates/main/so… 404 Not Found
Failed to fetch http://ftp.leg.uct.ac.za/pub/linux/ubuntu/dists/intrepid-updates/restric… 404 Not Found
Failed to fetch http://ftp.leg.uct.ac.za/pub/linux/ubuntu/dists/intrepid-updates/univers… 404 Not Found
Failed to fetch http://ftp.leg.uct.ac.za/pub/linux/ubuntu/dists/intrepid-updates/multive… 404 Not Found
Failed to fetch http://ftp.leg.uct.ac.za/pub/linux/ubuntu/dists/intrepid-security/main/s… 404 Not Found
Failed to fetch http://ftp.leg.uct.ac.za/pub/linux/ubuntu/dists/intrepid-security/restri… 404 Not Found
Failed to fetch http://ftp.leg.uct.ac.za/pub/linux/ubuntu/dists/intrepid-security/univer… 404 Not Found
Failed to fetch http://ftp.leg.uct.ac.za/pub/linux/ubuntu/dists/intrepid-security/multiv… 404 Not Found
Some index files failed to download, they have been ignored, or old ones used instead.

Any ideas? Sorry - I’m missing something elementary I’m sure…

I had to change one more line

I had to change one more line in tinyproxy.conf. In the Allow section, I have:

Allow 127.0.0.1
Allow 137.158.0.0/16

web rendering under NTLMAPS

After following the steps suggested here, I noticed that many websites’ layout was totally messed up. Any thoughts on why that might happen? I suspect something to do with the css files not getting through the proxy or something like that

wget unable to connect

I’ve installed NTLMAPS as suggested above.

I’ve also set up a LAMP server (linux, apache2, MySQL, PHP5). I need to install http_pecl into PHP.
When I try this I get a number of errors. The errors appear to be because I am unable to connect to the web from the command line.

I tried wget and it is unable to resolve the connection.
How do I allow the command line to connect to the net using the proxy.
errors from wget
--2010-05-26 13:23:30-- (try: 2) http://pecl.php.net/get/pecl_http-1.6.1.tgz
Connecting to pecl.php.net|76.75.200.106|:80... failed: Connection timed out.
 Retrying.

errors from the http_pecl make test
FAILED TEST SUMMARY
——————————————————————————————————-
HttpMessage properties [tests/HttpMessage_002.phpt]
HttpRequestPool chain [tests/HttpRequestPool_003.phpt]
HttpRequest multiple posts [tests/HttpRequest_004.phpt]
HttpRequest PUT [tests/HttpRequest_007.phpt]
HttpRequest custom request method [tests/HttpRequest_008.phpt]
HttpRequest callbacks [tests/HttpRequest_009.phpt]
HttpRequest cookie API [tests/HttpRequest_010.phpt]
Bug #15800 Double free when zval is separated in convert_to_* [tests/bug_15800.phpt]
cloning [tests/cloning_001.phpt]
persistent handles [tests/persistent_handles_002.phpt]
urlencoded cookies [tests/request_cookies.phpt]
request etag [tests/request_etag.phpt]
http_put_data() [tests/request_put_data.phpt]

ntlmaps and cntlm only work for some users

On my computer both cntlm and ntlmaps won’t connect to the ISA proxies at UCT with my log in details. However, if I use another person’s log in details everything works fine. So if this isn’t working for you, it might just mean that ICTS just doesn’t like you either.

Change of Proxy Address and adding Auth

Hey

I just had to make two changes to the above config to get it to work:

1. Changing the proxy server to:

proxynet.uct.ac.za:8080

2. and specifying:

Auth NTLM

Proxy Server Problems

I’m a new staff member at UCT and I’m trying to configure my system and I am having trouble with the proxy settings. I’m running Ubuntu 11.10 on a Dell PowerEdge-R715 server. I followed the instructions on this page in relation to the cntlm, and it looked like it was installed properly. That is until I went to install a package in R which is not held in the local cran mirror site and I received the following error message:

> install.packages()
Loading Tcl/Tk interface ... done
--- Please select a CRAN mirror for use in this session ---
Warning: unable to access index for repository http://cran.opensourceresources.org/src/contrib
Error in length(pkgs) : 'pkgs' is missing
In addition: Warning message:
In open.connection(con, "r") : unable to connect to 'wf' on port 80.
 >

The unable to connect to ‘wf’ on port 80 made me think that I need to do something else to the configuration or that I should also install and configure the tinyproxy. I did so and it also did not work. Downloading and installing this package was only a test. I really need to figure out this proxy server problem before I go any further on a more complex issue. Any suggestions?

cntlm error

Hi, I followed the cntlm installation steps. When I tested my installation with “sudo cntlm -M http://google.com/” I got the following message:

” Config profile 1/4… OK (HTTP code: 301)
——————————————[ Profile 0 ]———
Auth NTLMv2
PassNTLMv2 751017DC12557E2A4C4536298424A0BB
 ————————————————————————”

Does this mean my installation is successful?

Then I tried to install flash plugin with ” sudo apt-get install flashplugin-installer”. The following error appears:

Reading package lists… Done
Building dependency tree
Reading state information… Done
flashplugin-installer is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue [Y/n]? y
Setting up flashplugin-installer (11.2.202.228ubuntu0.11.10.1) …
Downloading…
--2012-04-05 12:35:52-- http://archive.canonical.com/pool/partner/a/adobe-flashplugin/adobe-flas…
Resolving proxynet.uct.ac.za… 137.158.153.189, 137.158.153.190, 137.158.153.187, …
Connecting to proxynet.uct.ac.za|137.158.153.189|:8080… connected.
Proxy request sent, awaiting response… 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
2012-04-05 12:35:52 ERROR 407: Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. ).

download failed
The Flash plugin is NOT installed.
dpkg: error processing flashplugin-installer (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
flashplugin-installer
E: Sub-process /usr/bin/dpkg returned an error code (1)”

It looks like it asked for my proxy password for authentication. Is there any way to fix this? I would really appreciate it. The OS I’m running is Ubuntu 11.10.

Raspberry Pi

Could someone please help me connect my Raspberry Pi to the UCT Proxy network.

Are you sure?

Surely you don’t need cntlm to change your repositories? You can manually change them in synaptic, or by editing /etc/apt/sources.list

You can find the correct LEG settings here

Gah. Obviously, thinking of

Gah. Obviously, thinking of two things at once - and arriving no-where. If I install and set up cntlm, would the above hack for using update-manager (sure, not apt-get) then work?

:o)

Beware

If you allow 137.158.0.0/16, then anyone on campus can access your tinyproxy, and thus use your cap. (Unless you’ve firewalled off incoming connections to tinyproxy / or only bound to localhost)
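
A check for the exposure this comment warns about, as an added example that is not part of the thread: exposed_listeners reads `netstat -lntp` output and reports proxy ports bound to a non-loopback address, and tinyproxy_remote_allows reports the Allow entries that remote hosts can actually use. The function names are made up here; the netstat sample is taken from the listing quoted elsewhere on this page, and the two tinyproxy configs are constructed from settings shown on it.

```sh
#!/bin/sh
# Added example: find local proxy listeners that other campus hosts can reach.

# exposed_listeners [PORT...]
# Reads `netstat -lntp` output on stdin and prints "LOCAL_ADDRESS PROGRAM" for each
# listening TCP socket on one of the ports that is not bound to loopback.
# Default ports are the ones used on this page: 3128 cntlm, 5865 ntlmaps, 8888 tinyproxy.
exposed_listeners() {
    [ "$#" -gt 0 ] || set -- 3128 5865 8888
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)   # text before the last colon
            sub(/^.*:/, "", port)       # text after the last colon
            if ((port in want) && addr !~ /^127\./ && addr != "::1")
                print $4, $7
        }'
}

# tinyproxy_remote_allows CONF
# Prints the non-loopback Allow entries, but only when tinyproxy is not bound to
# loopback: with no Listen line it binds every interface, so those clients get in.
tinyproxy_remote_allows() {
    awk '
        { sub(/#.*/, "") }
        NF == 0 { next }
        tolower($1) == "listen" { listen = $2 }
        tolower($1) == "allow" && $2 !~ /^127\./ && $2 != "::1" { allows = allows $2 "\n" }
        END { if (listen !~ /^127\./ && listen != "::1") printf "%s", allows }
    ' "$1"
}

# Listening sockets as quoted in the comments on this page.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5865 0.0.0.0:* LISTEN 2016/python
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1218/mysqld
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2098/cupsd
tcp6 0 0 :::80 :::* LISTEN 2201/apache2
EOF
}

# Constructed tinyproxy.conf fragments: $1 = loopback | all, $2 = output path.
sample_tinyproxy_conf() {
    {
        echo "Port 8888"
        if [ "$1" = loopback ]; then echo "Listen 127.0.0.1"; fi
        echo "Allow 127.0.0.1"
        echo "Allow 137.158.0.0/16"
    } > "$2"
}

# Demo run over the sample data.
echo "Exposed proxy listeners:"
sample_netstat | exposed_listeners
tmp=$(mktemp -d)
for mode in loopback all; do
    sample_tinyproxy_conf "$mode" "$tmp/$mode.conf"
    echo "tinyproxy bound to $mode, usable remote Allow entries: $(tinyproxy_remote_allows "$tmp/$mode.conf")"
done
rm -rf "$tmp"
```

On a live machine, feed it real data with `sudo netstat -lntp | exposed_listeners`.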

deb-src

We don’t have sources. Remove all your ‘deb-src’ lines from /etc/apt/sources.list (the ones that mention ftp.leg, that is)

RE: web rendering under NTLMAPS

Don’t use it for your browser if you can help it. NTLMAPS is rather slow and if your browser can talk NTLM, it’ll probably be faster. But honestly, I’ve never seen any problems like that.

http_proxy

> How do I allow the command line to connect to the net using the proxy.

Through the http_proxy environment variable that most programs respect.

Like so:

$ http_proxy=http://localhost:8080/ wget http://pecl.php.net/get/pecl_http-1.6.1.tgz

Or:

$ export http_proxy=http://localhost:8080/ 
$ wget http://pecl.php.net/get/pecl_http-1.6.1.tgz

You can export it in your .bashrc. Then it’ll be there whenever you open a terminal.

I get the

I get the following errors

http_proxy=http://localhost:8080/ wget http://pecl.php.net/get/pecl_http-1.6.1.tgz
--2010-05-31 10:07:13-- http://pecl.php.net/get/pecl_http-1.6.1.tgz
Resolving localhost... 127.0.0.1, 127.0.0.1, ::1
Connecting to localhost|127.0.0.1|:8080... failed: Connection refused.
Connecting to localhost|127.0.0.1|:8080... failed: Connection refused.
Connecting to localhost|::1|:8080... failed: Connection refused.

Looks legitimate

Do you have a proxy listening on local host port 8080 ?

Those errors just look like there’s nothing there.

$ sudo netstat -ntp

will show you what’s listening where

This is the result from sudo

This is the result from sudo netstat -ntp

I’ve replaced my local address with #.#.#.#:

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 #.#.#.#:40787 137.158.152.230:8080 ESTABLISHED 4930/firefox
tcp 0 1 #.#.#.#:50604 193.1.193.64:80 SYN_SENT 1680/freshclam
tcp 0 0 #.#.#.#:40788 137.158.152.230:8080 ESTABLISHED 4930/firefox
tcp 0 0 #.#.#.#:46968 137.158.152.230:8080 ESTABLISHED 4930/firefox
tcp 0 0 #.#.#.#:43507 137.158.152.230:8080 ESTABLISHED 4930/firefox

whoops

Sorry, I meant "-lntp"

Active Internet connections

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5865 0.0.0.0:* LISTEN 2016/python
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1218/mysqld
tcp 0 0 127.0.0.1:50002 0.0.0.0:* LISTEN 2821/mendeleydeskto
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2098/cupsd
tcp6 0 0 :::80 :::* LISTEN 2201/apache2
tcp6 0 0 ::1:631 :::* LISTEN 2098/cupsd

There you go

It’s port 5865, not port 8080

great that works, thanks

great that works, thanks

Transparent approach

Yes, use the transparent approach

Auth NTLM

Hi,

on my laptop I also had to uncomment the Auth field and set it as:
Auth NTLM

Proxy campusnet.uct.ac.za worked for me. The weird thing is that my other machine (my desktop) works well without the Auth field.
Maybe there is some MAC filtering going on, and known machines can use different authentication schema.

R through proxy (Ubuntu & OSX)

@Pedro:
I have also struggled to get R to go through cntlm +/- tinyproxy, and just figured this out:
What works for me is to set the proxy to “proxynet.uct.ac.za” before running R:

export http_proxy=http://proxynet.uct.ac.za:8080
R

Once inside R you can check that it is set correctly with: Sys.getenv("http_proxy").

And to save some typing, one can define an alias in ~/.bashrc or ~/.bash_aliases like so:

alias rproxy="export http_proxy=http://proxynet.uct.ac.za:8080; R"

so that you can just type “rproxy” to invoke it with the correct proxy setting every time.

(Note that, AFAIK, this setting for the http_proxy environment variable will persist until you start a new terminal session, so, e.g., don’t use apt-get straight after R without first opening a new terminal.)

Hope that helps!

By the way, this also works in OS X.
If there are any Mac users reading this who prefer to call their programs from the Applications folder in Finder, put a script like this into that folder:

export http_proxy=http://proxynet.uct.ac.za:8080
open -a R.app
exit 0

(The “exit 0” is to automatically close the terminal window that pops up.)
Save the script with the extension “.command” and make it executable by typing into a terminal, e.g., chmod +x rproxy.command. Then double-clicking it should open the R graphical interface with the correct proxy setting.

Yes

Your installation was successful, but you are still pointing APT at campusnet, rather than at your CNTLM.

Hey - so you typed “sudo

Hey - so you typed “sudo cntlm -M http://google.com/”
but did you copy the response (those 2 lines between the — symbols) into your cntlm config file?
I think it’s the one in “/etc/cntlm.conf” or something like that (I’m on a windows machine atm)

Also, did you do something like “export http_proxy=localhost:3128” to set the proxy?

The above usually works for me…

-J

A much better alternative to ntlmaps

I have found an NTLM proxy which has been implemented in C, called cntlm. You can find it at http://cntlm.sourceforge.net.

This implementation does not have the issues that ntlmaps has with regards to simultaneous connections. I now put all of my browsing through cntlm instead of only using ntlmaps for apt.

Ooh, nice

Looks good. It’s still new, so not in many distros yet, but I see debian has picked it up, and Ubuntu will have it in hardy.

I’ll update the howto with it soon.
