69

Is it possible to run npm install behind an HTTP proxy, which uses NTLM authentication? If yes, how can I set the server's address and port, the username, and the password?

kol
  • 27,881
  • 12
  • 83
  • 120

8 Answers8

136

I solved it this way (OS: Windows XP SP3):

1. Download CNTLM installer and run it.

2. Find and fill in these fields in cntlm.ini. Do not fill in the Password field, it's never a good idea to store unencrypted passwords in text files.

Username    YOUR_USERNAME
Domain      YOUR_DOMAIN
Proxy       YOUR_PROXY_IP:PORT
Listen      53128

3. Open console, and type these commands to generate password hashes.

> cd c:\the_install_directory_of_cntlm
> cntlm -H
Password: ...type proxy password here...
PassLM          D6888AC8AE0EEE294D954420463215AE
PassNT          0E1FAED265D32EBBFB15F410D27994B2
PassNTLMv2      91E810C86B3FD1BD14342F945ED42CD6

4. Copy the above three lines into cntlm.ini, under the Domain field's line. Once more, do not fill in the Password field. Save cntlm.ini.

5. Open the Service Manager (from command line: services.msc), and start the service called "CNTLM Authentication Proxy".

6. In the console, type these lines:

> npm config set proxy http://localhost:53128
> npm config set https-proxy http://localhost:53128
> npm config set registry https://registry.npmjs.org

7. Now npm view, npm install etc. should work. Example:

> npm view qunit
...nice answer, no errors :)
kol
  • 27,881
  • 12
  • 83
  • 120
  • 7
    You can start cntlm directly from the command line with `net start cntlm` – adhocgeek Dec 19 '13 at 11:29
  • 2
    For using NTLM authorization with CNTLM, follow below instructions: 1. After step-2, run this commandline command cntlm -I -M http://www.google.co.in 2. Prompts for domain password - copy it into cntlm.ini and restart service 3. Generates following password hash Auth NTLM PassNT XXXXXXXXXXXXXXXXXXXXXXXXXX PassLM XXXXXXXXXXXXXXXXXXXXXXXXXX – amar Feb 17 '14 at 12:27
  • found link where it explained in detail http://stackoverflow.com/a/15437508/224700 – amar Feb 18 '14 at 11:12
  • 1
    great solution thanks, one note - on point 6 above the address url should be prefixed with http rather than https – Mike Aug 26 '14 at 13:45
  • For anyone who does not like to use windows service or have information in INI file, here is another way: download a portalbe version; remove domain/username/password completely from INI file; start the tool from command line by using `cntlm -c cntlm.ini -v -a ntlm -I` (sure you can create a bat file to wrap it); enter your password every time you start the tool. – hardywang Jan 13 '15 at 16:36
  • To fix connection errors on some NTLM proxies, configure this header in Cntml : "Header Connection: close" – Toilal May 07 '15 at 09:12
  • if you need to debug connections or check if your config is correct, start it with `cntlm -c cntlm.ini -v` it will stay in the foreground (cmd line) and will give lot's of useful information. – Markus Dec 20 '16 at 17:39
  • why changing the registry? what is the problem with default one(s) ? – Michal Bernhard Feb 09 '17 at 07:38
  • 4
    @MichalBernhard Not sure if this is the correct answer, but I noticed when the registry was set to default (`https://registry.npmjs.org`) `npm install @` would "get stuck" on an operation like: `fetchMetadata: http fetch GET 304 https://registry.npmjs.org/isurl 280ms (from cache)` or `fetchMetadata: sill resolveWithNewModule uuid@2.0.3 checking installable status`. Once I changed the registry as suggested in the answer, everything worked fine. – Spencer R Jul 18 '17 at 18:47
  • 1
    Not working in Windows 10. Getting this error: `npm ERR! code E418 npm ERR! 418 I'm a teapot - GET http://registry.npmjs.org/create-react-app - got unknown host (registry.npmjs.org:80) npm ERR! A complete log of this run can be found in: npm ERR! C:\Users\faizanmubasher\AppData\Roaming\npm-cache\_logs\2019-08-22T07_22_44_767Z-debug.log Install for create-react-app@latest failed with code 1` – Faizan Mubasher Aug 22 '19 at 07:29
  • I got the same issue as Faizan Mubasher directly above - solution found [here](https://stackoverflow.com/questions/51524828#51526023). @kol - Would suggest updating the post to set the registry to http**s**://registry.npmjs.org. – Steve Chambers Nov 27 '19 at 12:51
  • 1
    @SteveChambers Done. Thanks. – kol Nov 27 '19 at 13:14
12

Another alternative is to use Px for Windows which talks NTLM on your behalf like Cntlm and NTLMAps without having to provide your credentials. It uses the logged in user's credentials via SSPI.

genotrance
  • 383
  • 2
  • 5
  • 1
    Gave this a go and it worked well- as good as CNTLM. No more hashed password management! I like it. – Rabid Dec 22 '16 at 11:17
  • 2
    Thx for your work on this tool! This should definitely be the answer to this thread! I was unable to make cntlm worked, my credentials were always rejected by the proxy (407). Px works like a charm! – Gregory_Ott Jan 13 '17 at 14:32
  • 1
    Hell yeah! This great tool! And npm work great with px, when cntlm hangs. – Renat Zaripov Jul 13 '18 at 09:38
  • PX worked for me, while CNTLM didn't. PX also worked smoothly with maven, IntelliJ and JVM's in general. – user1884155 Apr 18 '19 at 14:02
11

CNTLM answer was working for me, but with connection errors make npm unusable. I've fixed them by adding this header in CNTML.

Header      Connection: close
Toilal
  • 3,301
  • 1
  • 24
  • 32
  • Hi Toilal, is that header needed when you do many requests via npm install because then 20 times npm stops due to network problems... will that fix the problem when you do an initial npm install after check out a repo? – HelloWorld Dec 17 '19 at 20:46
  • @HelloWorld seems so. (old answer, I don't have to use CNTML anymore) – Toilal Jan 28 '20 at 13:05
  • I use the python proxy px now, works much better/more stable! – HelloWorld Jan 31 '20 at 16:11
9

Rather than running CNTLM, you could instead try running Fiddler when you need to use npm. I've found this works in fairly locked down environments (e.g. investment banks). It's also a tool that is fairly easy to make a business case for (if you need to) since it's invaluable for checking/creating/altering HTTP traffic.

I've had to go this route before due to usage of smartpass authentication - i.e. we didn't actually have passwords. At those locations setting up CNTLM would have been impossible.

adhocgeek
  • 1,437
  • 1
  • 16
  • 30
6

You can pass the settings as parameters:

npm --proxy=http://username:password@proxyserver:port --proxy-https=http://username:password@proxyserver:port --registry=http://registry.npmjs.org/ install whateveryouwanttoinstall
Dunken
  • 8,481
  • 7
  • 54
  • 87
  • 5
    This is Basic Authentication, not NTLM. – kol May 07 '15 at 11:03
  • 3
    @kol, that's true, but the proxies that use NTLM auth, frequently, allow basic auth too. In my opinion, the issue with this method is the storage of its personal password in the NPM configuration. – mcoolive Sep 30 '15 at 08:52
  • 1
    is it not https-proxy instead of proxy-https? – Srichakradhar Jan 08 '18 at 12:43
  • I downvoted because this is basic auth, and it is NOT TRUE that most ntlm proxies also allow basic auth. This is completely up to the sysadmins to decide and not some default that is usually "true". – user1884155 Apr 16 '19 at 15:11
5

CNTLM didn't work for me. I tried all possible combinations. NPM was giving Authentication error. Fiddler came for rescue and saved my time. It is easy to install and configure. Set Fiddler Rule to Automatically Authenticated.In .npmrc set these

registry=http://registry.npmjs.org
proxy=http://127.0.0.1:8888
https-proxy=http://127.0.0.1:8888
http-proxy=http://127.0.0.1:8888
strict-ssl=false

It worked for me :)

Another Fiddler Option:

A second way to make Fiddler act as an HTTP proxy for NTLM and other protocols is to leave the auto authenticate options/rules defaults in place and go to this setting from the menu bar:

Tools > Telerik Fiddler Options > Connections tab

Click on the Allow remote computers to connect checkbox. You will see a dialog explaining the consequences of enabling this option. Restart Fiddler and update the .npmrc file as shown above. Whenever you need npm to access the registry site just run Fiddler. This setting won't affect the way Fiddler runs for other captures.

Sixto Saez
  • 12,610
  • 5
  • 43
  • 51
Rakesh Sharma
  • 141
  • 2
  • 5
  • You could still use cntlm, you just need to set those proxy lines as whatever the listen port is in your cntlm.ini file. CNTLM would be necessary if you were authenticating to the proxy with credentials – Bhetzie Nov 16 '16 at 02:22
5
  1. Open your .npmrc file in C:\users\username\ folder using notepad
  2. Add the below lines..
  3. Replace domain, username, pwd, servername with your correct values
  4. Try to install or get packages now

  5. If trying from Vs2017, close and reopen VS IDE, then only it works

    proxy=http://DOMAIN%5CUSERNAME:PWD@proxy.servername.com:6050   
https-proxy=http://DOMAIN%5CUSERNAME:PWD@proxy.servername.com:6050  
http-proxy=http://DOMAIN%5CUSERNAME:PWD@proxy.servername.com:6050   
strict-ssl=false
phuclv
  • 37,963
  • 15
  • 156
  • 475
Sundara Prabu
  • 2,361
  • 1
  • 21
  • 20
0

CNTLM worked for me as suggested by KOL. Thanks KOL for that. Just wanted to add that there are some oddities in individual proxies because of which the password may not be acceptable when using simple cntlm -H.

Use cntlm -I -M http://test.com and copy the below config after erasing older configs and you should be through.

The output is like 

---------------------------------------------------
Auth            NTLM
PassNT          8EE9B595A89F7D8774C2146FB302CBCF
PassLM          78901DA9889727EDE28EF9F2769485B9
----------------------------------------------------
phuclv
  • 37,963
  • 15
  • 156
  • 475
kausik sen
  • 1