NPM behind NTLM proxy - node.js

Is it possible to run npm install behind an HTTP proxy, which uses NTLM authentication? If yes, how can I set the server's address and port, the username, and the password?

I solved it this way (OS: Windows XP SP3):
1. Download CNTLM installer and run it.
2. Find and fill in these fields in cntlm.ini. Do not fill in the Password field, it's never a good idea to store unencrypted passwords in text files.
Username YOUR_USERNAME
Domain YOUR_DOMAIN
Proxy YOUR_PROXY_IP:PORT
Listen 53128
3. Open console, and type these commands to generate password hashes.
> cd c:\the_install_directory_of_cntlm
> cntlm -H
Password: ...type proxy password here...
PassLM D6888AC8AE0EEE294D954420463215AE
PassNT 0E1FAED265D32EBBFB15F410D27994B2
PassNTLMv2 91E810C86B3FD1BD14342F945ED42CD6
4. Copy the above three lines into cntlm.ini, under the Domain field's line. Once more, do not fill in the Password field. Save cntlm.ini.
5. Open the Service Manager (from command line: services.msc), and start the service called "CNTLM Authentication Proxy".
6. In the console, type these lines:
> npm config set proxy http://localhost:53128
> npm config set https-proxy http://localhost:53128
> npm config set registry https://registry.npmjs.org
7. Now npm view, npm install etc. should work. Example:
> npm view qunit
...nice answer, no errors :)

CNTLM answer was working for me, but with connection errors make npm unusable. I've fixed them by adding this header in CNTML.
Header Connection: close

Another alternative is to use Px for Windows which talks NTLM on your behalf like Cntlm and NTLMAps without having to provide your credentials. It uses the logged in user's credentials via SSPI.

Rather than running CNTLM, you could instead try running Fiddler when you need to use npm. I've found this works in fairly locked down environments (e.g. investment banks). It's also a tool that is fairly easy to make a business case for (if you need to) since it's invaluable for checking/creating/altering HTTP traffic.
I've had to go this route before due to usage of smartpass authentication - i.e. we didn't actually have passwords. At those locations setting up CNTLM would have been impossible.

You can pass the settings as parameters:
npm --proxy=http://username:password#proxyserver:port --proxy-https=http://username:password#proxyserver:port --registry=http://registry.npmjs.org/ install whateveryouwanttoinstall

CNTLM didn't work for me. I tried all possible combinations. NPM was giving Authentication error. Fiddler came for rescue and saved my time. It is easy to install and configure. Set Fiddler Rule to Automatically Authenticated.In .npmrc set these
registry=http://registry.npmjs.org
proxy=http://127.0.0.1:8888
https-proxy=http://127.0.0.1:8888
http-proxy=http://127.0.0.1:8888
strict-ssl=false
It worked for me :)
Another Fiddler Option:
A second way to make Fiddler act as an HTTP proxy for NTLM and other protocols is to leave the auto authenticate options/rules defaults in place and go to this setting from the menu bar:
Tools > Telerik Fiddler Options > Connections tab
Click on the Allow remote computers to connect checkbox. You will see a dialog explaining the consequences of enabling this option. Restart Fiddler and update the .npmrc file as shown above. Whenever you need npm to access the registry site just run Fiddler. This setting won't affect the way Fiddler runs for other captures.

Open your .npmrc file in C:\users\username\ folder using notepad
Add the below lines..
Replace domain, username, pwd, servername with your correct values
Try to install or get packages now
If trying from Vs2017, close and reopen VS IDE, then only it works
proxy=http://DOMAIN%5CUSERNAME:PWD#proxy.servername.com:6050
https-proxy=http://DOMAIN%5CUSERNAME:PWD#proxy.servername.com:6050
http-proxy=http://DOMAIN%5CUSERNAME:PWD#proxy.servername.com:6050
strict-ssl=false

CNTLM worked for me as suggested by KOL. Thanks KOL for that. Just wanted to add that there are some oddities in individual proxies because of which the password may not be acceptable when using simple cntlm -H.
Use cntlm -I -M http://test.com and copy the below config after erasing older configs and you should be through.
The output is like
---------------------------------------------------
Auth NTLM
PassNT 8EE9B595A89F7D8774C2146FB302CBCF
PassLM 78901DA9889727EDE28EF9F2769485B9
----------------------------------------------------

Related

Error parsing proxy URL. Bad port number

When I use wget command in RHEL 6.5, getting the error
Error parsing proxy URL. Bad port number.
The command used to set the proxy was
export http_proxy="http_proxy://username:password#address:port/".
Yes I know this issue can be resolved by using
http_proxy=address wget --proxy-user=username --proxy-password=<password> url.
But I want to install a package and during installation, it will need to download few other packages. so the proxy should be already set and ready before the installation. How can we resolve this?
The password I used caused this issue as it had a # in it. I replaced # with %23 [UTF encoding] and now this is working fine.
make us Use of "--no-proxy"
Example : wget https://dl-ssl.google.com/linux/linux_signing_key.pub --no-proxy
This will elimimate the current proxy and try to download what ever we need..
I set up the proxy on Ubuntu using general system settings (manual option).
The problem was I pasted the proxy URL with a port, while the port is also separately specified there, in different field.

npm install error - unable to get local issuer certificate

I am getting an unable to get local issuer certificate error when performing an npm install:
typings ERR! message Unable to read typings for "es6-shim". You should check the
entry paths in "es6-shim.d.ts" are up to date
typings ERR! caused by Unable to connect to "https://raw.githubusercontent.com/D
efinitelyTyped/DefinitelyTyped/7de6c3dd94feaeb21f20054b9f30d5dabc5efabd/es6-shim
/es6-shim.d.ts"
typings ERR! caused by unable to get local issuer certificate
I have recently update to node 4 from a much earlier version and it sounds like node is much more strict when these kind of problems arise.
There is an issue discussed here which talks about using ca files, but it's a bit beyond my understanding and I'm unsure what to do about it.
I am behind a corporate firewall, but I can get to the url fine in a browser without any restriction.
Does anyone have any further insight into this issue and what possible solutions there are?
I'm wondering about reverting to node 0.12 in the meantime :(
Try
npm config set strict-ssl false
This is a alternative shared in this url https://github.com/nodejs/node/issues/3742
There is an issue discussed here which talks about using ca files, but it's a bit beyond my understanding and I'm unsure what to do about it.
This isn't too difficult once you know how! For Windows:
Using Chrome go to the root URL NPM is complaining about (so https://raw.githubusercontent.com in your case).
Open up dev tools and go to Security-> View Certificate. Check Certification path and make sure your at the top level certificate, if not open that one. Now go to "Details" and export the cert with "Copy to File...".
You need to convert this from DER to PEM. There are several ways to do this, but the easiest way I found was an online tool which should be easy to find with relevant keywords.
Now if you open the key with your favorite text editor you should see
-----BEGIN CERTIFICATE-----
yourkey
-----END CERTIFICATE-----
This is the format you need. You can do this for as many keys as you need, and combine them all into one file. I had to do github and the npm registry keys in my case.
Now just edit your .npmrc to point to the file containing your keys like so
cafile=C:\workspace\rootCerts.crt
I have personally found this to perform significantly better behind our corporate proxy as opposed to the strict-ssl option. YMMV.
This worked for me:
export NODE_TLS_REJECT_UNAUTHORIZED=0
Please refer to the NodeJS documentation for usage and warnings:
https://nodejs.org/api/cli.html#cli_node_tls_reject_unauthorized_value
Anyone gets this error when 'npm install' is trying to fetch a package from HTTPS server with a self-signed or invalid certificate.
Quick and insecure solution:
npm config set strict-ssl false
Why this solution is insecure?
The above command tells npm to connect and fetch module from server even server do not have valid certificate and server identity is not verified. So if there is a proxy server between npm client and actual server, it provided man in middle attack opportunity to an intruder.
Secure solution:
If any module in your package.json is hosted on a server with self-signed CA certificate then npm is unable to identify that server with an available system CA certificates.
So you need to provide CA certificate for server validation with the explicit configuration in .npmrc.
In .npmrc you need to provide cafile, please refer to more detail about cafile configuration.
cafile=./ca-certs.pem
In ca-certs file, you can add any number of CA certificates(public) that you required to identify servers. The certificate should be in “Base-64 encoded X.509 (.CER)(PEM)” format.
For example,
# cat ca-certs.pem
DigiCert Global Root CA
=======================
-----BEGIN CERTIFICATE-----
CAUw7C29C79Fv1C5qfPrmAE.....
-----END CERTIFICATE-----
VeriSign Class 3 Public Primary Certification Authority - G5
========================================
-----BEGIN CERTIFICATE-----
MIIE0zCCA7ugAwIBAgIQ......
-----END CERTIFICATE-----
Note: once you provide cafile configuration in .npmrc, npm try to identify all server using CA certificate(s) provided in cafile only, it won't check system CA certificate bundles then.
Here's a well-known public CA authority certificate bundle.
One other situation when you get this error:
If you have mentioned Git URL as a dependency in package.json and git is on invalid/self-signed certificate then also npm throws a similar error.
You can fix it with following configuration for git client
git config --global http.sslVerify false
Typings can be configured with the ~/.typingsrc config file. (~ means your home directory)
After finding this issue on github: https://github.com/typings/typings/issues/120, I was able to hack around this issue by creating ~/.typingsrc and setting this configuration:
{
"proxy": "http://<server>:<port>",
"rejectUnauthorized": false
}
It also seemed to work without the proxy setting, so maybe it was able to pick that up from the environment somewhere.
This is not a true solution, but was enough for typings to ignore the corporate firewall issues so that I could continue working. I'm sure there is a better solution out there.
If you're on a corporate computer, it likely has custom certificates (note the plural on that). It took a while to figure out, but I've been using this little script to grab everything and configure Node, NPM, Yarn, AWS, and Git (turns out the solution is similar for most tools). Stuff this in your ~/.bashrc or ~/.zshrc or similar location:
function setup-certs() {
# place to put the combined certs
local cert_path="$HOME/.certs/all.pem"
local cert_dir=$(dirname "${cert_path}")
[[ -d "${cert_dir}" ]] || mkdir -p "${cert_dir}"
# grab all the certs
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain > "${cert_path}"
security find-certificate -a -p /Library/Keychains/System.keychain >> "${cert_path}"
# configure env vars for commonly used tools
export GIT_SSL_CAINFO="${cert_path}"
export AWS_CA_BUNDLE="${cert_path}"
export NODE_EXTRA_CA_CERTS="${cert_path}"
# add the certs for npm and yarn
# and since we have certs, strict-ssl can be true
npm config set -g cafile "${cert_path}"
npm config set -g strict-ssl true
yarn config set cafile "${cert_path}" -g
yarn config set strict-ssl true -g
}
setup-certs
You can then, at any time, run setup-certs in your terminal. Note that if you're using Nvm to manage Node versions, you'll need to run this for each version of Node. I've noticed that some corporate certificates get rotated every so often. Simply re-running setup-certs fixes all that.
You'll notice that most answers suggest setting strict-ssl to false. Please don't do that. Instead use the setup-certs solution to use the actual certificates.
My problem was that my company proxy was getting in the way. The solution here was to identify the Root CA / certificate chain of our proxy, (on mac) export it from the keychain in .pem format, then export a variable for node to use.
export NODE_EXTRA_CA_CERTS=/path/to/your/CA/cert.pem
There are different reason for this issue and workaround is different depends on situation. Listing here few workaround (note: it is insecure workaround so please check your organizational policies before trying).
Step 1: Test and ensure internet is working on machine with command prompt and same url is accessible directly which fails by NPM. There are many tools for this, like curl, wget etc. If you are using windows then try telnet or curl for windows.
Step 2: Set strict ssl to false by using below command
npm -g config set strict-ssl false
Step 3: Set reject unauthorized TLS to no by using below command:
export NODE_TLS_REJECT_UNAUTHORIZED=0
In case of windows (or can use screen to set environment variable):
set NODE_TLS_REJECT_UNAUTHORIZED=0
Step 4: Add unsafe param in installation command e.g.
npm i -g abc-package#1.0 --unsafe-perm true
In case you use yarn:
yarn config set strict-ssl false
Add:
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
Source: Ignore invalid self-signed ssl certificate in node.js with https.request?
I have encountered the same issue. This command didn't work for me either:
npm config set strict-ssl false
After digging deeper, I found out that this link was block by our IT admin.
http://registry.npmjs.org/npm
So if you are facing the same issue, make sure this link is accessible to your browser first.
For anyone coming to this from macOS:
Somehow, npm hasn't picked up correct certificates file location, and I needed to explicitly point to it:
$ echo "cafile=$(brew --prefix)/share/ca-certificates/cacert.pem" >> ~/.npmrc
$ cat ~/.npmrc # for ARM macOS
cafile=/opt/homebrew/share/ca-certificates/cacert.pem
Well this is not a right answer but can be consider as a quick workaround. Right answer is turn off Strict SSL.
I am having the same error
PhantomJS not found on PATH
Downloading https://github.com/Medium/phantomjs/releases/download/v2.1.1/phantomjs-2.1.1-windows.zip
Saving to C:\Users\Sam\AppData\Local\Temp\phantomjs\phantomjs-2.1.1-windows.zip
Receiving...
Error making request.
Error: unable to get local issuer certificate
at TLSSocket. (_tls_wrap.js:1105:38)
at emitNone (events.js:106:13)
at TLSSocket.emit (events.js:208:7)
at TLSSocket._finishInit (_tls_wrap.js:639:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:469:38)
So the after reading the error.
Just downloaded the file manually and placed it on the required path.
i.e
C:\Users\Sam\AppData\Local\Temp\phantomjs\
This solved my problem.
PhantomJS not found on PATH
Download already available at C:\Users\sam\AppData\Local\Temp\phantomjs\phantomjs-2.1.1-windows.zip
Verified checksum of previously downloaded file
Extracting zip contents
A disclaimer: This solution is less secure, bad practice, don't do this.
I had a duplicate error message--I'm behind a corporate VPN/firewall. I was able to resolve this issue by adding a .typingsrc file to my user directory (C:\Users\MyUserName\.typingsrc in windows). Of course, anytime you're circumventing SSL you should be yapping to your sys admins to fix the certificate issue.
Change the registry URL from https to http, and as seen in nfiles' answser above, set rejectUnauthorized to false.
.typingsrc (placed in project directory or in user root directory)
{
"rejectUnauthorized": false,
"registryURL": "http://api.typings.org/"
}
Optionally add your github token (I didn't find success until I had added this too.)
{
"rejectUnauthorized": false,
"registryURL": "http://api.typings.org/",
"githubToken": "YourGitHubToken"
}
See instructions for setting up your github token at https://github.com/blog/1509-personal-api-tokens
Once you have your certificate (cer or pem file), add it as a system variable like in the screenshot below.
This is the secure way of solving the problem, rather than disabling SSL. You have to tell npm or whatever node tool you're using to use these certificates when establing an SSL connection using the environment variable NODE_EXTRA_CA_CERTS.
This is common when you're behind a corporate firewall or proxy. You can find the correct certificate by just inspecting the security tab in Chrome when visiting a page while on your company's VPN or proxy and exporting the certificate through the "Manage Computer Certificates" window in Windows.
On FreeBSD, this error can be produced because the cafile path is set to a symlink instead of the absolute path.

Accessing Github behind corporate proxy Node.js

I am having an issue with calling the following command from cmd for installing PhoneGap:
npm install -g phonegap
The following error is returned:
Failed to connect to github.com port 443: Timed out
There are a fair amount of questions regarding this topic and they all seem to provide the same answer - make sure the proxy settings for git and nodejs are configured. I set up the node proxy settings like so:
npm config set proxy http://proxyname:8080
npm config set https-proxy http://proxyname:8080
And for git:
git config --global http.proxy http://proxyname:8080
git config --global https.proxy http://proxyname:8080
Both git config --list and npm config list confirm that these proxy settings are in place.
I have also allowed the programs through the fire wall by going to Windows Firewall -> Allow a program or feature through windows firewall. Then I selected the node.exe for Node.js and for git I selected git.exe.
I still however have the issue whereby it is failing to connect to Github. Is there anything else I am missing or forgetting to setup? Both Node.js and Git were installed for the first time for this task.
In addition to the above settings, it's possible that you're getting this error if some of the downloaded libraries declare their dependencies using the git:// protocol instead of https://. These dependencies then usually fail with the above error.
To fix this, you can run the following:
git config --global url."https://".insteadOf git://
This will add a configuration option to Git, asking Git to use https whenever a URL uses the git:// protocol.
This setting fixed many proxy issues for me.
You need to add proxy authentication to your command application. I assume you are working in windows, the following works for me (I don't need to add the proxy to either npm or git unless running git commands).
In your active command window you need either or both of these for each session including initial instalation adding devices or plugins and on first application build:
set https_proxy=http://username:password#proxy:port
set http_proxy=http://username:password#proxy:port
So mine looks like this:
set https_proxy=http://john.doe:1234#proxy.det.nsw.edu.au:8080
Ben
With git 2.8 (March 2016), you don't have to embed in clear text your password in the url.
See commit 372370f, commit ef97639 (26 Jan 2016) by Knut Franke (``).
Helped-by: Junio C Hamano (gitster), Eric Sunshine (sunshinebell28), and Elia Pinto (devzero2000).
(Merged by Junio C Hamano -- gitster -- in commit 30f302f, 03 Feb 2016)
http: use credential API to handle proxy authentication
Currently, the only way to pass proxy credentials to curl is by including them in the proxy URL. Usually, this means they will end up on disk unencrypted, one way or another (by inclusion in ~/.gitconfig, shell profile or history).
Since proxy authentication often uses a domain user, credentials can be security sensitive; therefore, a safer way of passing credentials is desirable.
If the configured proxy contains a username but not a password, query the
credential API for one. Also, make sure we approve/reject proxy credentials
properly.
So:
In addition to the syntax understood by curl, it is possible to specify a proxy string with a user name but no password, in which case git will attempt to acquire one in the same way it does for other credentials.
See gitcredentials for more information.
The syntax thus is:
[protocol://][user[:password]#]proxyhost[:port]
This can be overridden on a per-remote basis; see remote.<name>.proxy.
http: allow selection of proxy authentication method
CURLAUTH_ANY does not work with proxies which answer unauthenticated requests with a 307 redirect to an error page instead of a 407 listing supported authentication methods.
Therefore, allow the authentication method to be set using the environment variable GIT_HTTP_PROXY_AUTHMETHOD or configuration variables http.proxyAuthmethod and remote.<name>.proxyAuthmethod (in analogy
to http.proxy and remote.<name>.proxy).
The following values are supported:
anyauth (default)
basic
digest
negotiate
ntlm

cabal can't use http proxy

My Linux(redhat6) server has to use http proxy to connect to outside world. While it works for other things like wget, it doesn't work for cabal.
cabal update -v3
shows errors like this:
407 - proxy authentication required cabal: Failed to download
http://hackage.haskell.org/packages/archive/00-index.tar.gz :
ErrorMisc "Unsucessful HTTP code: 407"
I tried to change http_proxy environment variable to format like http:// user: passwd at proxy:port, but it doesn't work either.
The same problem has been asked here
But I'm not allowed use a proxy server like polipo, is there any other way to make cabal work behind a proxy?
You can use cntlm to talk to proxy. It will handle authentication issues. After configuring and installing cntlm, set up the new environmental variable by modifying http_proxy, https_proxy etc.
Your cabal command should work after that.
some detailed procedure here:
Download cntlm from here
It's a c program with no other dependencies so very easy to make, just follow the instructions in the downloaded package.
After installing cntlm, follow this answer from Colonel Panic. Obviously on linux you need to change cntlm.exe to ./cntlm, I named the configure file cntlm.conf
The default listen port for cntlm is 3124, if you can't use that port, change it to something else like 53124, then add this to your cntlm.conf or cntlm.ini file:
Listen 127.0.0.1:53124
Start cntlm in the background:
./cntlm -c cntlm.conf
Change your http_proxy environment variable to talk to the cntlm process rather than the real proxy.
export http_proxy=http:// 127.0.0.1:53124
That's it, cabal will work as good as ever.
You can also setup the http_proxy directly in the system setting:
http_proxy=http://username:password#hostname:port

Get Node.js npm command to work behind corporate proxy

I am trying to install bower
npm install -g bower
but am getting an authentication error from our proxy
...
npm http 407 http://registry.npmjs.org/bower
...
Error Code: 407 Proxy Authentication Required.
...
I am trying to get npm working behind a corprate proxy. I think our proxy is a little weird because the only way I was able to get maven downloading packages was to add wagon-http-lightweight.jar as a maven extension.
http://maven.apache.org/wagon/wagon-providers/wagon-http-lightweight/
I have tried all the regular things as described here:
Is there a way to make npm install (the command) to work behind proxy?
(I don't need to supply authentication details in my maven proxy settings).
npm config set registry http://registry.npmjs.org/
npm config set proxy http://myusername:mypassword#proxy.us.somecompany:8080
npm config set https-proxy http://myusername:mypassword#proxy.us.somecompany:8080
npm config set strict-ssl false
What else can I try?
Can try this....working for me.
Open IE (Chrome did not work for me).
Hit the URL http://registry.npmjs.org
it will download json output if successful.
Now go back to command prompt and try npm install.
I was able to get this working by installing a local proxy:
NPM behind NTLM proxy
Use fiddler http://www.telerik.com/fiddler
Install and run and that's it, everything will run as it is supposed to. I spent half a day cracking my head on this
Edit: I honestly have no idea if it was fiddler or something else I tried that fixed it (it is mostly the latter) but you should try setting registry, http-proxy, proxy and strict-ssl
When authentication is required for the HTTP proxy:
Fiddler can be configured to authenticate with the corporate HTTP proxy using NTLM or other protocols. Leave the existing auto authenticate options/rules defaults in place. Instead, go to this setting from the menu bar:
Tools > Telerik Fiddler Options > Connections tab
Click on the Allow remote computers to connect checkbox. You will see a dialog explaining the consequences of enabling this option. Restart Fiddler and update the .npmrc file as shown above. Whenever you need npm to access the registry site just run Fiddler. This setting won't affect the way Fiddler runs for other captures.
I have the same issue.
The root cause is my password contains a special character '#', when I npm set config proxy, the character become '#' in .npmrc file, so I change my password to remove the special character and it's working fine.
If your password does not contains special characters, just use syntax command below, it will work.
npm config set strict-ssl=false
npm config set proxy http://<username>:<password>#<proxy-server-url>:<port>
npm config set https-proxy http://<username>:<password>#<proxy-server-url>:<port>
Thanks,

Resources