
As the title says, I have got some issues with Cntlm. I'm working with version 0.92.3, launched from the source code. What I am trying to do is start Cntlm as a standalone proxy with a localhost configuration, to browse the internet and launch applications (e.g. Skype).

I am working on Mint and the command `uname -a` gives:

```
Linux Jarvis 3.16.0-38-generic #52~14.04.1-Ubuntu SMP Fri May 8 09:43:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
```

These are the steps I took before asking:

```
./configure
make
sudo make install
```

Everything goes fine. I also export the http, https and ftp proxy variables with:

```
export http_proxy=http://127.0.0.1:3128
export https_proxy=https://127.0.0.1:3128
export ftp_proxy=https://127.0.0.1:3128
```

and that also goes fine. What remains is to launch cntlm, which I do with:

```
sudo cntlm -v -f
```

It keeps the information passed by cntlm.conf correctly, and displays that it is staying in the foreground.

I go into my browser (Firefox) and configure it for the proxy, setting 127.0.0.1 as the HTTP proxy and 3128 as the port.

When I open a browser tab and do a test search through the proxy, the terminal starts processing data, but after a few seconds it keeps saying:

```
cntlm[11605]: Serious error during accept: Too many open files
```

until I press Ctrl+C.

This is the cntlm.conf I have:

```
#
# Cntlm Authentication Proxy Configuration
#
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
#

Username    myUsername
Domain      localhost
Password    password
# NOTE: Use plaintext password only at your own risk
# Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
# command sequence to get the right config for your environment.
# See cntlm man page
# Example secure config shown below.
# PassLM          1AD35398BE6565DDB5C4EF70C0593492
# PassNT          77B9081511704EE852F94227CF48A793
### Only for user 'testuser', domain 'corp-uk'
# PassNTLMv2      D5826E9C665C37C80B53397D5C07BBCB

# Specify the netbios hostname cntlm will send to the parent
# proxies. Normally the value is auto-guessed.
#
# Workstation   netbios_hostname

# List of parent proxies to use. More proxies can be defined
# one per line in format <proxy_ip>:<proxy_port>
#

Listen      127.0.0.1:3128
#Listen     192.168.0.1:3128

#Proxy      10.0.0.41:8080
#Proxy      10.0.0.42:8080
Proxy       127.0.0.1:3128

# List addresses you do not want to pass to parent proxies
# * and ? wildcards can be used
#
NoProxy     localhost, 127.0.0.*, 10.*, 192.168.*

# Specify the port cntlm will listen on
# You can bind cntlm to specific interface by specifying
# the appropriate IP address also in format <local_ip>:<local_port>
# Cntlm listens on 127.0.0.1:3128 by default
#

# If you wish to use the SOCKS5 proxy feature as well, uncomment
# the following option. It can be used several times
# to have SOCKS5 on more than one port or on different network
# interfaces (specify explicit source address for that).
#
# WARNING: The service accepts all requests, unless you use
# SOCKS5User and make authentication mandatory. SOCKS5User
# can be used repeatedly for a whole bunch of individual accounts.
#
SOCKS5Proxy 5000
#SOCKS5User username:password

# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
#
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have it's usage on my
# conscience. :) Really, try -M first.
#
#Auth       LM
#Flags      0x06820000

# Enable to allow access from other computers
#
#Gateway    yes

# Useful in Gateway mode to allow/restrict certain IPs
# Specifiy individual IPs or subnets one rule per line.
#

Allow       127.0.0.1
Deny        0/0

# GFI WebMonitor-handling plugin parameters, disabled by default
#
#ISAScannerSize     1024
#ISAScannerAgent    Wget/
#ISAScannerAgent    APT-HTTP/
#ISAScannerAgent    Yum/

# Tunnels mapping local port to a machine behind the proxy.
# The format is <local_port>:<remote_host>:<remote_port>
#
#Tunnel     11443:remote.com:443
```

I tried many times to change the configuration, but it really doesn't change anything. If I put 127.0.0.1:3128 as the default Proxy (what I am trying to do), it starts well but ends in a loop.

What should I do to make it work, and where is the problem?

I have not touched the original source code, so it should work as intended.

Thanks in advance.

Edit: this is the `ulimit -a` output after `su`:

```
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 15079
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 15079
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
```
Basionkler
  • Seems you've reached the open files limit. With what user are you starting cntlm? Can you `su` as that user and post here the output from this command? `ulimit -a` – Fredi Dec 11 '15 at 12:44
  • I attached it to the original post. – Basionkler Dec 11 '15 at 12:50
  • Can you try augmenting the `open files` limit, let's say to 10240, for the cntlm's user and retry? Check here on how to do it: http://askubuntu.com/questions/162229/how-do-i-increase-the-open-files-limit-for-a-non-root-user – Fredi Dec 11 '15 at 14:50
  • I followed those instructions and changed the value successfully, but the problem still remains; I got `cannot create socket(): Too many open files` – Basionkler Dec 11 '15 at 15:45
  • Can you check the number of files open at that time by cntlm? ``lsof -nPp `pidof cntlm` | wc -l``. And ensure your user got the open file limits and that cntlm got restarted after you changed those – Fredi Dec 11 '15 at 15:54

1 Answer


OK, I think I figured out what's going on here. Basically, the problem is putting in the configuration file the line

```
Proxy    127.0.0.1:3128
```

and the line:

```
Listen    3128
```

(or `127.0.0.1:3128` as well).

In fact, I think that configuration sends the proxy into a loop in which the threads are never closed, sending connection requests to a single site, no matter what the limit is.

For a simple browser connection (e.g. Firefox), just leave this line:

```
Listen    3128
```

or

```
Listen    127.0.0.1:3128
```

which are the same. For the Proxy you can follow this scheme:

```
Proxy    ipAddress:port
```

This pair of values can easily be found on the web.

Configure Firefox (or another browser) to connect to your localhost proxy, setting localhost (or 127.0.0.1) as Host and the same port number you are listening on. That worked for me.

I still don't know how to make it start with various applications (since I don't know if they are actually running behind the proxy; it says nothing about it), but for now it is still a solution.

Basionkler
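
The loop described in this answer, a `Proxy` entry that points back at cntlm's own `Listen` address, can be caught before the daemon is started. The Python check below is an added example, not part of the original post or of Cntlm; it also flags two settings that the posted config's own comments warn about (a plaintext `Password`, and `SOCKS5Proxy` without `SOCKS5User`). The function names and the sample text are constructed for illustration, and keywords are assumed to be case-insensitive.

```python
# Constructed sample: the active lines of the cntlm.conf posted in the question.
SAMPLE_CONF = """\
Username    myUsername
Domain      localhost
Password    password
Listen      127.0.0.1:3128
#Proxy      10.0.0.41:8080
Proxy       127.0.0.1:3128
SOCKS5Proxy 5000
#SOCKS5User username:password
"""

def parse_conf(text):
    """Collect active (non-comment) directives as {keyword_lowercase: [values]}."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf

def endpoint(value):
    """Split '<ip>:<port>' or a bare '<port>' into (host, port)."""
    host, _, port = value.rpartition(":")
    return host.lower(), port

def is_local(host):
    # A bare port has no host part; the conf comments say cntlm defaults to 127.0.0.1.
    return host in ("", "localhost", "0.0.0.0") or host.startswith("127.")

def audit(text):
    """Return a list of (code, message) findings for a cntlm.conf."""
    conf, findings = parse_conf(text), []
    listens = [endpoint(v) for v in conf.get("listen", ["3128"])]
    for value in conf.get("proxy", []):
        p_host, p_port = endpoint(value)
        for l_host, l_port in listens:
            same_host = p_host == l_host or (is_local(p_host) and is_local(l_host))
            if p_port == l_port and same_host:
                findings.append(("proxy-loop", f"Proxy {value} is cntlm's own listener"))
    if "password" in conf:
        findings.append(("plaintext-password", "use the hashes printed by cntlm -H"))
    if "socks5proxy" in conf and "socks5user" not in conf:
        findings.append(("open-socks5", "SOCKS5Proxy set without SOCKS5User"))
    return findings

if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONF):
        print(f"{code}: {message}")
```

A `proxy-loop` finding means every request cntlm forwards comes straight back to its own listener, which is what exhausts the open-file limit regardless of how high it is raised.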