Joop Beris wrote:
> Squid users,
>
> I am having a problem accessing/using certain Java enabled websites through my
> squid proxy.
> I am using squid-2.6.STABLE6-0.10 on a Suse machine (yes, I know this is an
> ancient release...). This release has been serving us very well and I am a bit
> reluctant to upgrade. However, I am willing to investigate that as an option.
>
> The proxy uses ntlm_auth to authenticate users against our ADS servers. This
> works fine...except for some Java sites. For some sites, the Java client seems
> unable to authenticate, but for this site, that does not seem to be the case.
>
> This site in particular is strange for me. It uses a Java applet to upload
> photos in order to create a gallery from them. It works partially, until the
> client actually wants to perform the upload, when I get a "software connection
> abort" from the client. I have a wireshark/tcpdump file of the
> transaction, taken on the proxy. I think the POST request from the client
> fails because it does not identify the HTTP protocol version.
You mean it sends only:
"POST http://example.com/blah\n" ??
Squid identifies that as a special-case of HTTP labeled for convenience
version HTTP/0.9.
I'm not sure if auth or any other HTTP/1.0 actions that the POST might
need will actually be done when in 0.9 mode.
You may want to make the ACL sightly more restrictive:
http_access allow Java POST
instead of just a global POST permitted.
>
> I have specified the following option in the squid.conf file:
> "relaxed_header_parser on"
> in order to get around this issue, but unfortunately this has no effect.
>
> My squid.conf is as follows:
>
> http_port 10.254.202.14:3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> maximum_object_size_in_memory 15 KB
> access_log /var/log/squid/access.log squid
> emulate_httpd_log on
> url_rewrite_program /usr/local/bin/squidGuard -c
> /usr/local/squidGuard/squidGuard.conf
> url_rewrite_children 10
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 40
> auth_param ntlm keep_alive off
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server at Gemeente Nederweert
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> negative_ttl 15 minutes
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255 10.254.202.14/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> acl purge method PURGE
> http_access allow purge
> acl CKBONLINE dstdomain .ckb-online.nl
> always_direct allow CKBONLINE
> acl TPG dstdomain .securepostplaza.tntpost.nl
> always_direct allow TPG
> acl Java browser Java/1.4 Java/1.5 Java/1.6 Java/1.6.0_12 jupload/0.87
> http_access allow Java
> acl POST method POST # temporary, to get around post problem
> http_access allow POST
> acl AuthorizedUsers proxy_auth REQUIRED
> http_access allow all AuthorizedUsers
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> error_directory /usr/share/squid/errors/Dutch
> snmp_port 0
> strip_query_terms off
> coredump_dir /var/cache/squid
> ie_refresh on
> relaxed_header_parser on
>
> I hope that someone who is more experienced with squid can help me, because I
> have exhausted my own ideas.
>
> Regards,
>
> Joop
>
>
>
>
>
> ------------------------------------------------------------
> Dit bericht is gescand op virussen en andere gevaarlijke
> inhoud door MailScanner en lijkt schoon te zijn.
> Mailscanner door http://www.prosolit.nl
> Professional Solutions fot IT
>
-- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13 Current Beta Squid 3.1.0.6Received on Thu Mar 05 2009 - 09:27:17 MST
This archive was generated by hypermail 2.2.0 : Thu Mar 05 2009 - 12:00:02 MST