Re: [squid-users] NTLM and MSN

From: Billy Macdonald <whmac33@dont-contact.us>
Date: Fri, 10 Sep 2004 16:22:51 -0700

Zizazat wrote:
> I think IM clients and squid + NTLM are going to be the death of me.
>
> I'm trying to make my squid work with NTLM + Samba, and everything
> seems to be working great from my browser, but when I try to sign into
> my MSN client I am met with stunning failure after stunning failure.
> Searching the mail archive shows that I should allow the site
> gateway.messenger.hotmail.com out directly before my required auth
> statements, but this still does not seem to be working. I am still
> logging TCP_DENIED (see below)
>
> xx.yy.zz.190 - - [09/Sep/2004:16:24:36 -0500] "POST
> http://gateway.messenger.hotmail.com/gateway/gateway.dll? HTTP/1.1"
> 407 1844 TCP_DENIED:NONE
>
> Here are the relevant portions of my squid.conf
>
> acl MYUSERS proxy_auth REQUIRED
> acl MYBADUSERS proxy_auth_regex -i cafriese
> acl msn dst 207.46.104.20 207.46.110.0/24
>
> ...(I have a series of subnet based ACLs for my internal networks I allow)
> acl subnet-10-0-0 src 10.0.0.0/255.0.0.0 (etc...)
>
> http_access deny MYBADUSERS
> http_access allow all msn
> http_access allow all MYUSERS
> http_access allow subnet-10-0-0 (etc...)
> http_access deny all
>
> Any thoughts on this matter would be of great help. Thanks!
>
> If this is not enough of my config, I'll gladly share more :)

Squid does the http_access lines top down.

http_access deny MYBADUSERS
       needs to know the username to determine if they are good or bad
so it requests the username from the browser at that point.

Put the allow lines that don't need username auth before _ANY_
http_access lines that rely on username for allow OR deny and you'll be set.

Billy
Received on Fri Sep 10 2004 - 17:26:13 MDT
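
Added illustration, not part of the original thread and not Squid's own code: a simplified Python model of the top-down http_access walk described in the reply, run against the rules quoted above in their posted order and with the msn line moved first. The request values (source and destination addresses, the second username) are constructed, and the 407 behaviour is modelled only as far as the reply describes it.

```python
import ipaddress

# Simplified model: rules are tried top-down, the ACLs on a rule left to right,
# and the first rule whose ACLs all match decides. Evaluating a proxy_auth ACL
# for a request that carries no credentials stops the walk with a 407 challenge.
MSN_NETS = [ipaddress.ip_network(n) for n in ("207.46.104.20/32", "207.46.110.0/24")]
SUBNET_10 = ipaddress.ip_network("10.0.0.0/8")

ACLS = {  # name -> (needs_username, predicate over the request dict)
    "all": (False, lambda r: True),
    "msn": (False, lambda r: any(ipaddress.ip_address(r["dst"]) in n for n in MSN_NETS)),
    "subnet-10-0-0": (False, lambda r: ipaddress.ip_address(r["src"]) in SUBNET_10),
    "MYUSERS": (True, lambda r: True),  # proxy_auth REQUIRED
    "MYBADUSERS": (True, lambda r: "cafriese" in r["user"].lower()),  # regex -i
}

# The http_access lines from the quoted squid.conf, in the posted order.
ORIGINAL = [
    ("deny", ["MYBADUSERS"]),
    ("allow", ["all", "msn"]),
    ("allow", ["all", "MYUSERS"]),
    ("allow", ["subnet-10-0-0"]),
    ("deny", ["all"]),
]
# Same lines with the rule that needs no username moved to the top.
REORDERED = [ORIGINAL[1], ORIGINAL[0]] + ORIGINAL[2:]

def evaluate(rules, request):
    for action, names in rules:
        matched = True
        for name in names:
            needs_user, predicate = ACLS[name]
            if needs_user and request.get("user") is None:
                return "407 challenge"
            if not predicate(request):
                matched = False
                break
        if matched:
            return action
    return "deny"  # not reached while the list ends with "deny all"

if __name__ == "__main__":
    # Constructed requests: an IM client sending no credentials, and a listed user.
    im = {"src": "10.1.2.3", "dst": "207.46.110.5", "user": None}
    bad = {"src": "10.1.2.3", "dst": "207.46.110.5", "user": "cafriese"}
    for label, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(label, "| IM client:", evaluate(rules, im), "| cafriese:", evaluate(rules, bad))
```

With the msn line first, the unauthenticated IM request is allowed, and so is any request to those destinations from a user matched by MYBADUSERS, because that rule is decided before any username is known.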
