versat / cntlm

Cntlm is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy intended to help you break free from the chains of Microsoft proprietary world. More info on http://cntlm.sourceforge.net/ website. This version also supports: SSPI (on Windows, NTLM authentication only), Kerberos authentication, IPv6, proxy PAC files.
GNU General Public License v2.0

Make direct failback if proxy is unavailable for a certain period of time #96

Closed yolkispalkis closed 4 months ago

yolkispalkis commented 7 months ago

In case the user has disconnected from the corporate network and is using the device on the pure Internet

fralken commented 7 months ago

This would be a nice feature but a bit tricky to implement. You have to understand when proxies are not available and trying to connect directly to the internet but also understand when they become available again, that is to understand that targets become unreachable because you are back in the corporate network.

If you are on macOS with the Kerberos single sign on extension, we implemented a configuration that activates a new instance of cntlm with its own configuration, for internal (corporate) network and for external network. You can find it in this branch of my repo:

git clone -b macos-setup https://github.com/fralken/cntlm.git

jschwartzenberg commented 7 months ago

This is something you could implement in your own PAC file if your interface is in a different subnet when not on the corporate network. Implementing tricky discovering mechanisms to determine how to route traffic tends to bring along security issues.

fralken commented 4 months ago

Here, following @jschwartzenberg's idea, instead of implementing a custom PAC file, we could implement a new rule in cntlm so that proxy configuration is dependent on the IP address of the client, e.g. if the client is in the corporate network it must connect via proxy, if it is e.g. at home it can connect directly. This configuration then should go in the conf file.

jschwartzenberg commented 4 months ago

You can implement such a rule inside of a regular PAC file. See this section: https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file#myipaddress

Anything beyond this had better be handled in tandem with something like NetworkManager I think.
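The subnet-based rule described in the comment above, as an added example that is not part of the thread or the cntlm code base. It assumes two corporate ranges (10.0.0.0/8 and 192.168.50.0/24) and a local cntlm listener on 127.0.0.1:3128; the PAC built-in isInNet() is reimplemented in plain JavaScript so the decision logic can also be run outside a browser.

```javascript
// Added example (not from the cntlm project): go through the local cntlm
// listener only when the client holds a corporate-subnet address, else DIRECT.
// Assumed values (not from the thread): corporate ranges 10.0.0.0/8 and
// 192.168.50.0/24; cntlm assumed to listen on 127.0.0.1:3128.
var CORP_NETS = [["10.0.0.0", "255.0.0.0"], ["192.168.50.0", "255.255.255.0"]];
var CNTLM = "PROXY 127.0.0.1:3128";

// Dotted-quad IPv4 to unsigned 32-bit integer; -1 for malformed input.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return -1;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Pure-JS equivalent of the PAC built-in isInNet(ip, net, mask), so the
// decision logic runs and can be tested outside a browser's PAC evaluator.
function inNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a < 0 || b < 0 || m < 0) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0); // >>> 0 keeps it unsigned
}

// Routing decision, kept separate from the PAC entry point for testing.
function proxyForClient(clientIp, host) {
  // Loopback and unqualified intranet names never go through the proxy.
  if (host === "localhost" || host.indexOf(".") === -1) return "DIRECT";
  for (var i = 0; i < CORP_NETS.length; i++) {
    if (inNet(clientIp, CORP_NETS[i][0], CORP_NETS[i][1])) {
      // Corporate LAN: return only the proxy, with no "; DIRECT" fallback,
      // so an unreachable cntlm fails closed rather than bypassing the proxy.
      return CNTLM;
    }
  }
  return "DIRECT";
}

// PAC entry point. myIpAddress() is a PAC built-in returning one address chosen
// by the browser (on multi-homed or VPN hosts it may not be the one you expect);
// outside a PAC evaluator it is undefined, so fall back to a no-match value.
function FindProxyForURL(url, host) {
  var ip = (typeof myIpAddress === "function") ? myIpAddress() : "0.0.0.0";
  return proxyForClient(ip, host);
}
```

Because myIpAddress() reports a single interface address, a host that keeps a corporate VPN up while on a home network may be classified as on-site; the ranges in CORP_NETS are the only thing the decision relies on.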

fralken commented 4 months ago

Yes, you are right, my concern is that probably the PAC file is provided by your company and you don't want to mess with it. The myIPAddress function is actually implemented in C in the cntlm code base (see pac.c) and its logic could be reused somewhere else in the codebase.

But again I fully agree with you that the quickest way to achieve this behaviour is by implementing a proper PAC file.