I agree this does look like a good clean solution. I'll look at
implementing a small on/off toggle to do only this change for safer Java
bypass. May not be very soon though. What version of Squid are you using?
Meanwhile yes, you do have to add the option to the ./configure options and
re-compile = re-install Squid.
The install process, if done right, should not alter the existing squid.conf and
should be a simple drop-in to the existing install. But a backup is worth doing
just in case.
If currently using a packaged Squid, you may want to contact the package
maintainer for any help on the configure and install steps.
Amos
On Mon, 29 Jun 2009 10:40:06 +0200, Gontzal <gontzalp_at_gmail.com> wrote:
> Hi Kevin,
>
>
> Thanks for your post, I think it is a very good solution to the Java
> security hole.
>
> I've seen that for using header_access and header_replace you need to
> compile with --enable-http-violations. My question is, if I
> compiled squid without this option, is there any way to add this
> feature or do I have to compile the entire squid again? In this case, should I
> save my configuration files?
>
> Where should I put these lines, after acls?
>
> Thanks again
>
> Gontzal
>
> 2009/6/27 Kevin Blackwell <akblackwel_at_gmail.com>:
>> Is this what you're looking for?
>>
>> acl javaNtlmFix browser -i java
>> acl javaConnect method CONNECT
>> header_access Proxy-Authenticate deny javaNtlmFix javaConnect
>> header_replace Proxy-Authenticate Basic realm="Internet"
>>
>> Now only https/ssl access from java will have basic auth and so a
>> password dialog.
>> Normal http access will work with ntlm challenge response.
>>
>> thanxs again
>>
>> markus
>>
>>>-----Original Message-----
>>>From: Rietzler, Markus (Firma Rietzler Software / RZF)
>>>Sent: Tuesday, 16 October 2007 18:17
>>>To: 'Chris Robertson'; squid-users_at_squid-cache.org
>>>Subject: RE: [squid-users] force basic NTLM-auth for certain
>>>clients/urls
>>>
>>>thanxs for that hint - it worked as a fix
>>>
>>>I have added this to my squid.conf
>>>
>>>acl javaNtlmFix browser -i java
>>>header_access Proxy-Authenticate deny javaNtlmFix
>>>header_replace Proxy-Authenticate Basic realm="Internet Access"
>>>
>>>Now any java client (java web start, java or applets in
>>>browser) will only see the basic auth scheme.
>>>A username/password dialog pops up and I have to enter my credentials.
>>>
>>>Any other client (firefox, ie) still sees both NTLM and Basic
>>>schemes and uses NTLM challenge response to authenticate...
>>>
>>>The little drawback is that there is that little nasty dialog,
>>>but the connection via proxy is working...
>>>
>>>thanxs
>>>
>>>markus
>>>
>>
>> On Sat, May 9, 2009 at 12:13 AM, Nitin
>> Bhadauria<nitin.bhadauria_at_tetrain.com> wrote:
>>> Dear All,
>>>
>>> Please reply if we have some solution for the problem. I am stuck with
>>> the problem: my server is live and I can't afford to allow the java sites
>>> to unauthorized users in the network.
>>>
>>> Regards,
>>> Nitin B.
>>>
>>>
>>> Nitin Bhadauria wrote:
>>>>
>>>> Dear All,
>>>>
>>>>
>>>> I have the same problem ..
>>>>
>>>> Every time a browser proxying through squid tries to load a secure java
>>>> applet, it comes up with a red x where the java applet should be.
>>>>
>>>>
>>>> So I have bypassed those sites for authentication, but the problem is
>>>> users who don't have permission to access the internet are also able to
>>>> access those sites.
>>>>
>>>> Please update if we have found any other solution for the problem.
>>>>
>>>> Thanks in advance for any reply.
>>>>
>>>> Regards,
>>>> Nitin Bhadauria
>>>>
>>>
>>
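For readers trying to place Kevin's and Markus's lines in context, here is an added squid.conf fragment (an illustration written for this archive page, not configuration posted by anyone in the thread). It assumes a Squid 2.x build configured with --enable-http-violations, Samba's ntlm_auth as the helper for both schemes, and placeholder helper paths you would adjust to your install; the Proxy-Authenticate rewrite is a reply-header rule, so on Squid 3.x the directive name changes to reply_header_access while header_replace keeps its name.

```conf
# squid.conf fragment (added example; adapt paths and realm to your setup)
# Requires: ./configure --enable-http-violations, otherwise header_access
# and header_replace are rejected at startup.

# Authentication schemes offered to clients. Order matters: NTLM first so
# capable browsers pick challenge/response, Basic as the fallback.
auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Internet Access
auth_param basic credentialsttl 2 hours

# ACL definitions (the block Gontzal asked about goes after these).
acl authenticated proxy_auth REQUIRED
acl javaNtlmFix browser -i java          # matches the client's User-Agent
acl javaConnect method CONNECT           # Kevin's narrower variant: CONNECT only

# Access control is unchanged: nobody gets through without credentials,
# which is what fixes Nitin's "bypass lets unauthorized users in" problem.
http_access allow authenticated
http_access deny all

# Header rewriting: for Java clients doing CONNECT, drop Squid's own
# Proxy-Authenticate headers (NTLM and Basic) and advertise Basic only.
# Drop "javaConnect" from the line to apply it to all Java requests, as
# Markus did.
header_access Proxy-Authenticate deny javaNtlmFix javaConnect
header_replace Proxy-Authenticate Basic realm="Internet Access"
```

To confirm the rewrite is doing only what you intend, request through the proxy twice without credentials, once with a Java-style User-Agent (for example `curl -v -x proxyhost:3128 -A "Java/1.6.0_14" http://example.com/`) and once with a browser User-Agent, and compare the 407 responses: the first should carry a single `Proxy-Authenticate: Basic realm="Internet Access"` header, the second both the NTLM and Basic headers. Two caveats worth keeping in mind: the `browser` ACL keys on a header the client supplies, so it only selects which scheme is advertised, while `http_access` with `proxy_auth` remains the actual gate; and Basic transmits the password base64-encoded on every request, so the downgrade should stay scoped to the Java ACL rather than becoming the default for everyone.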
Received on Tue Jun 30 2009 - 02:15:37 MDT