This fork of btrepp/docker-cntlm implements the configuration necessary to secure your proxy by explicity allowing/denying ip addresses or ranges of ip addresses. Please see the comments in cntlm_start.sh for details. Thanks to btrepp for creating this initial image!
This is a simple dockerfile that wraps up cntlm into debian. It will set up a open proxy, that uses NTLMv2 to authenticate upstream. The main use case is to get a simple proxy setup that plays nice with windows networks.
Ideally you can use this with redsocks+iptables, to make docker images think they have direct access, but the connections are actually tunneled through.
container->redsocks->ctnlm->upstream
Simple usage is
docker run --rm -p 3128:3128 btrepp/cntlm user.name domain NTVLMv2Hash upstream_proxy:port
This will create an unathenticated proxy on the host running at 3128
By default I've only set this up to accept Hashed passwords. cntlm supports actual passwords, but that is left up to you to figure out. A script exists in the images that will help you get the hash
docker run --rm -t -i --entrypoint="get_ntlm.sh" btrepp/cntlm user.name@domain upstream_proxy:port
This will ask you for your password and attempt to use the upstream proxy to get to docker.io. If it succeeds it will print a PassNTLMv2 line, use this hash above when launching the container.
This was a quick hack to get together as nothing currently existed on the registry. Feel free to fork it and send pull requests