
Make direct failback if proxy is unavailable for a certain period of time

gbhn opened this issue 1 year ago • 2 comments

In case the user has disconnected from the corporate network and is using the device on the pure Internet

gbhn avatar Feb 08 '24 22:02 gbhn

This would be a nice feature but a bit tricky to implement. You have to understand when proxies are not available and try to connect directly to the internet, but also understand when they become available again, that is, understand that targets become unreachable because you are back in the corporate network.

If you are on macOS with the Kerberos single sign-on extension, we implemented a configuration that activates a new instance of cntlm with its own configuration, for the internal (corporate) network and for the external network. You can find it in this branch of my repo:

git clone -b macos-setup https://github.com/fralken/cntlm.git

fralken avatar Feb 11 '24 22:02 fralken

This is something you could implement in your own PAC file if your interface is in a different subnet when not on the corporate network. Implementing tricky discovering mechanisms to determine how to route traffic tends to bring along security issues.

jschwartzenberg avatar Feb 14 '24 14:02 jschwartzenberg

Here, following @jschwartzenberg's idea, instead of implementing a custom PAC file, we could implement a new rule in cntlm so that the proxy configuration depends on the IP address of the client, e.g. if the client is in the corporate network it must connect via the proxy; if it is, e.g., at home, it can connect directly. This configuration should then go in the conf file.

fralken avatar May 23 '24 09:05 fralken

You can implement such a rule inside a regular PAC file. See this section: https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file#myipaddress

Anything beyond this had better be handled in tandem with something like NetworkManager I think.

jschwartzenberg avatar May 23 '24 14:05 jschwartzenberg
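The PAC rule suggested in the two comments above, written out as an added example (it is not code from the cntlm project or from anyone in this thread): the script sends traffic through a local cntlm instance only while the machine's own address, as reported by the PAC built-in myIpAddress(), lies in the corporate subnet, and returns DIRECT otherwise. The corporate subnet (10.0.0.0/8), the cntlm listen address (127.0.0.1:3128) and the stub for myIpAddress() are placeholders assumed here, not values from the thread. The isInNet logic is re-implemented as a plain function so the decision can be unit-tested under Node, outside a browser's PAC engine. The known weak spot, which matches the "tricky" part raised earlier in the thread, is that myIpAddress() returns a single address and may pick a VPN or secondary interface; for that reason an unparseable or unexpected address falls back to the proxy rather than to DIRECT, so a strange result never silently bypasses the corporate egress.

```javascript
// Added example, not from the cntlm project or this issue thread: a PAC file
// that proxies through a local cntlm instance only while the client holds an
// address in the corporate subnet, and goes DIRECT otherwise.
//
// Assumed placeholder values (not stated in the thread): corporate LAN
// 10.0.0.0/8, cntlm listening on 127.0.0.1:3128. Adapt both to your network.
const CORPORATE_NET = "10.0.0.0";
const CORPORATE_MASK = "255.0.0.0";
const CNTLM_PROXY = "PROXY 127.0.0.1:3128";

// Convert dotted-quad IPv4 text to an unsigned 32-bit number.
// Returns null for anything that is not exactly four octets in 0..255.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// Plain re-implementation of the PAC built-in isInNet(host, pattern, mask),
// so the subnet check can be tested without a PAC engine.
function inNet(ip, pattern, mask) {
  const a = ipv4ToInt(ip);
  const p = ipv4ToInt(pattern);
  const m = ipv4ToInt(mask);
  if (a === null || p === null || m === null) return false;
  // ">>> 0" keeps the result unsigned after the 32-bit bitwise AND.
  return ((a & m) >>> 0) === ((p & m) >>> 0);
}

// Decide the proxy string from the client's own address. Kept separate from
// FindProxyForURL so it can be tested with a fixed address. A malformed
// address falls back to the proxy (fail-closed), not to DIRECT.
function chooseProxy(clientIp) {
  if (ipv4ToInt(clientIp) === null) return CNTLM_PROXY;
  return inNet(clientIp, CORPORATE_NET, CORPORATE_MASK) ? CNTLM_PROXY : "DIRECT";
}

// PAC entry point. A real PAC engine supplies myIpAddress() and
// isPlainHostName(); the guard lets the file also load under Node.
function FindProxyForURL(url, host) {
  if (typeof isPlainHostName === "function" && isPlainHostName(host)) return "DIRECT";
  return chooseProxy(myIpAddress());
}

if (typeof myIpAddress !== "function") {
  // Constructed stand-in used only when running outside a PAC engine.
  globalThis.myIpAddress = () => "10.20.30.40";
}
```

In a browser or OS proxy setting the file is used as-is; the stub at the bottom is inert there because the engine already defines myIpAddress(). Under Node the same file can be required and chooseProxy() exercised with different addresses to confirm which side of the rule each lands on.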

Yes, you are right; my concern is that the PAC file is probably provided by your company and you don't want to mess with it. The myIpAddress function is actually implemented in C in the cntlm code base (see pac.c) and its logic could be reused somewhere else in the codebase.

But again, I fully agree with you that the quickest way to achieve this behaviour is by implementing a proper PAC file.

fralken avatar May 23 '24 20:05 fralken