Hello to all,
I am using Squid Version 2.5.STABLE6-20040729 and Samba 3.0.2a on Red Hat ES3.0.
Our squid users connect to an internal squid proxy, and then the traffic is
routed depending on the destination : directly for "local traffic", forwarded
to a parent squid proxy for traffic related to other side company, or by
default forwarded to our external squid proxy .
The users are authenticated to AD with ntlm (using winbind) on the internal
proxy.
Everything is working fine except, when a user tries to connect a https site.
Its traffic is then denied on the internal proxy.
If if disable the authentication in the squid.conf of the internal proxy, then
this traffic is ok. (correctly forward to the external proxy)
So my question : is it possible to relay to a squid parent proxy some https
traffic while using ntlm authentication. If yes , how ? . If no, is there a way
to insure that, after having my users authenticated on the internal proxy, their
https traffic is forwarded to the external proxy.
Thanks by advance for your help.
Lionel
squid.conf.
.....
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type wbinfo_group_helper ttl=300 %LOGIN
/usr/local/squid/libexec/wbinfo_group.maj.pl
acl Internet external wbinfo_group_helper Internet
acl Authorized_users proxy_auth REQUIRED
acl my_networks src xxx.xxx.xxx.xxx/24
acl local_intranet dstdomain .site.company
acl remote_intranet dstdomain .company
acl SSL method CONNECT
cache_peer remote_proxy parent 80 0 no-query
cache_peer_access remote_proxy allow remote_intranet
cache_peer my_external_proxy parent 80 0 no-query default
cache_peer_access my_external_proxy deny remote_intranet
cache_peer_access my_external_proxy allow all
always_direct allow local_intranet
never_direct allow all
never_direct allow SSL
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# User authentication
http_access allow my_networks Authorized_users
# Group authentication
# http_access allow my_networks Internet
# No authentication
# http_access allow my_networks
http_access deny all
......
configure options: --prefix=/usr/local/squid --sysconfdir /etc/squid
--enable-gnuregex --enable-storeio=aufs,diskd,ufs --with-pthreads
--enable-useragent-log --enable-snmp --enable-err-languages=French
--enable-auth=ntlm,basic --enable-external-acl-helpers=wbinfo_group
--Received on Fri Aug 06 2004 - 07:24:48 MDT
This archive was generated by hypermail pre-2.1.9 : Wed Sep 01 2004 - 12:00:02 MDT