
Step‑by‑Step Guide to Installing and Configuring Cntlm Proxy on Linux and Windows

This tutorial explains why companies use a secondary HTTP proxy, introduces Cntlm as a secure NTLM‑capable proxy, and provides detailed installation, minimal configuration, authentication retrieval, and service reload instructions for both Debian‑based Linux distributions and Windows.

Liangxu Linux

Overview

Cntlm is a lightweight HTTP secondary proxy that forwards requests to an upstream proxy while keeping authentication credentials hidden. It is useful in environments where only an upstream proxy is available and direct access to its credentials is undesirable.

Installation

Debian‑based Linux

sudo apt install cntlm

Other Linux distributions

Most distributions provide a cntlm package in their repositories; install with the native package manager (e.g., yum install cntlm, pacman -S cntlm).

Windows

choco install cntlm

Configuration file

The default configuration file is /etc/cntlm.conf (Windows: C:\Program Files\Cntlm\cntlm.conf). A minimal working configuration looks like:

Username    USERNAME
Domain      COMPANY_DOMAIN
# Password can be omitted if NTLM hashes are supplied
Password    ********

# Upstream proxy servers (comma‑separated or multiple lines)
Proxy       proxy.company.com:8080
Proxy       proxy2.company.com:8080

# Addresses that should bypass the upstream proxy
NoProxy     localhost, 127.0.0.*, 10.*, 192.168.*, .company.com

# Local listening port for client applications
Listen      3128

Replace USERNAME, COMPANY_DOMAIN, and the proxy hostnames with values that match your environment.

Allowing remote clients

By default cntlm only accepts connections from the local host. To enable other machines on the network to use the proxy, add:

Gateway    yes

Access control

Optionally restrict which client addresses are allowed to use the proxy:

Allow       127.0.0.1
Deny        0/0   # deny all other addresses

Obtaining NTLM authentication hashes

Cntlm can contact an external site and output the NTLM hashes required for authentication. After editing /etc/cntlm.conf, reload or restart the service, then run:

sudo cntlm -vc /etc/cntlm.conf -M http://example.com

The command prints a block similar to:

Auth            NTLM
PassNT          7FA051B4B85F0E7EEBB24D3CD73E52B0
PassLM          23A1E1A7276E84EA4846D4C9FF957C35

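Copy the PassNT and PassLM values into the configuration file. Once they are in place, the Password line can be omitted, as noted in the minimal configuration above.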

Adding the hashes to the config

Auth            NTLM
PassNT          7FA051B4B85F0E7EEBB24D3CD73E52B0
PassLM          23A1E1A7276E84EA4846D4C9FF957C35
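
An added example, not part of the original article or the Cntlm project: a small audit of a cntlm.conf body for the settings covered above (a plaintext Password line, Gateway yes without a closing Deny 0/0, and a credential-bearing file readable by other users). It assumes keywords can be compared case-insensitively and treats PassNT/PassLM as sensitive as the password, since the hashes are what authenticates; the function names and sample config are constructed.

```python
import stat

# Constructed sample: the page's minimal config with "Gateway yes" and no ACL.
SAMPLE = """\
Username    USERNAME
Domain      COMPANY_DOMAIN
Password    ********
Proxy       proxy.company.com:8080
Listen      3128
Gateway     yes
"""

def parse(text):
    """Return (keyword, value) pairs; comments and blank lines are dropped."""
    pairs = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            value = parts[1].strip() if len(parts) > 1 else ""
            # Assumption: keywords are compared case-insensitively.
            pairs.append((parts[0].lower(), value))
    return pairs

def audit(text, mode=0o600):
    """Return a list of findings for a cntlm.conf body and its file mode."""
    pairs = parse(text)
    keys = {k for k, _ in pairs}
    findings = []
    if "password" in keys:
        findings.append("plaintext Password present; store PassNT/PassLM instead")
    gateway = any(k == "gateway" and v.lower() == "yes" for k, v in pairs)
    # Only the catch-all form shown on the page ("Deny 0/0") is recognised.
    catch_all = any(k == "deny" and v.split()[:1] == ["0/0"] for k, v in pairs)
    if gateway and not catch_all:
        findings.append("Gateway yes without a closing 'Deny 0/0' rule")
    secrets = keys & {"password", "passnt", "passlm"}
    if secrets and stat.S_IMODE(mode) & 0o077:
        findings.append("file holds credentials but is readable by group/other")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, mode=0o644):
        print("WARN:", finding)
```

To check a real file, pass its contents and `os.stat(path).st_mode` to `audit`.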

Reloading or restarting the service

Cntlm installed from a package manager is managed by systemd. After any change to cntlm.conf, reload the daemon to apply the new settings without dropping existing connections:

sudo systemctl reload cntlm

If the reload does not take effect, perform a full restart:

sudo systemctl restart cntlm

Reference

Original article: https://note.qidong.name/2018/11/cntlm-proxy/
