Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 21 Jul 2009 00:32:24 +1200

Gontzal wrote:
> Hi Amos,
>
> First of all sorry for the delay.
>
> Yes, the header_access tag is not accepted on 3.0 S 16, I've tried
> with reply_header_access with the same result: none.

By "none" you mean Java still getting the NTLM Proxy_auth header?
Do you have a trace of the 407 reply from Squid to be sure of that?

> Same entries on
> access.log:
> 172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] "CONNECT
> tp.seg-social.es:443 HTTP/1.1" 407 2015 TCP_DENIED:NONE
>
> In the access.log of the parent proxy I get:
>
> 1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT
> tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -
>
>
> This is part of my conf:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 50
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm ProxySquid
> auth_param basic credentialsttl 2 hours
> external_acl_type winbind_group children=10 %LOGIN /usr/sbin/wbinfo_group.pl
>
> acl Java browser Java/1.4 Java/1.5 Java/1.6
> acl javaConnect method CONNECT
>
> reply_header_access Proxy-Authenticate deny Java javaConnect
> header_replace Proxy-Authenticate basic realm=ProxySquid
>
> and after that the http_access tags
>
> Another question, the realm value must be the same as defined on
> "auth_param basic realm ProxySquid " or may be the domain name as
> defined on smb.conf? In my case it's not the same value.

The realm returned by Squid should always be the one configured in
squid.conf auth_param.

Amos

>
>
> 2009/7/2 Amos Jeffries <squid3_at_treenet.co.nz>:
>> On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal <gontzalp_at_gmail.com> wrote:
>>> Hi,
>>>
>>> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
>>> 10.3 server with the --enable-http-violations option
>>> I've added the following lines to my squid.conf file:
>>>
>>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>>>
>>> header_access Proxy-Authenticate deny Java
>>> header_replace Proxy-Authenticate Basic realm="XXXX"
>>>
>>> The header tags are before the http_access tags, I don't know if it is
>>> correct. I've also disabled the option http_access allow Java
>>>
>>> Squid runs correctly but when I check for Java, it doesn't work, it
>>> doesn't ask for basic auth and doesn't show the Java applet page.
>>>
>>> On the access log it shows lines like this one:
>>>
>>> (01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=>172.28.129.250)
>>> (tp.seg-social.es:443) text/html-2226bytes 1ms
>>>
>>> I've changed the identity of my browser from firefox to java and it
>>> browses using ntlm auth instead of asking for user/passwd
>>>
>>> Where can the problem be?
>> In squid-3 the header_access has been broken in half.
>>
>> I believe you are needing to use reply_header_access.
>>
>> Amos
>>
>>> Thanks again!
>>>

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.10 or 3.1.0.11
Received on Mon Jul 20 2009 - 12:32:32 MDT
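
One way to get the trace of the 407 reply asked for in the message above, as an added example that is not part of the original thread or of Squid itself: it sends an unauthenticated CONNECT with a Java-style User-Agent through the proxy and lists the schemes the reply offers in its Proxy-Authenticate headers. The function names, the default User-Agent string and the two sample replies are assumptions constructed for illustration.

```python
import socket

def fetch_connect_reply(proxy_host, proxy_port, target, user_agent="Java/1.6.0_14", timeout=5.0):
    """Send an unauthenticated CONNECT via the proxy; return raw reply headers (UA is a constructed value)."""
    request = (
        f"CONNECT {target} HTTP/1.1\r\n"
        f"Host: {target}\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Proxy-Connection: close\r\n\r\n"
    ).encode("ascii")
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data and len(data) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.split(b"\r\n\r\n", 1)[0]

def proxy_auth_offers(raw_headers):
    """Return (status_code, [(SCHEME, params), ...]) for every Proxy-Authenticate header."""
    lines = raw_headers.decode("latin-1").replace("\r\n", "\n").split("\n")
    parts = lines[0].split(None, 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
    offers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate":  # header names are case-insensitive
            scheme, _, params = value.strip().partition(" ")
            offers.append((scheme.upper(), params.strip()))
    return status, offers

def still_offers_ntlm(raw_headers):
    """True when the reply is a 407 that still advertises NTLM or Negotiate."""
    status, offers = proxy_auth_offers(raw_headers)
    return status == 407 and any(s in ("NTLM", "NEGOTIATE") for s, _ in offers)

# Constructed sample replies (not captured from the proxy discussed in the thread).
SAMPLE_NTLM_AND_BASIC = (b"HTTP/1.0 407 Proxy Authentication Required\r\n"
                         b"Proxy-Authenticate: NTLM\r\n"
                         b"Proxy-Authenticate: Basic realm=\"ProxySquid\"\r\n"
                         b"Connection: close")
SAMPLE_BASIC_ONLY = (b"HTTP/1.0 407 Proxy Authentication Required\r\n"
                     b"proxy-authenticate: basic realm=ProxySquid\r\n"
                     b"Connection: close")

if __name__ == "__main__":
    for label, raw in (("ntlm+basic", SAMPLE_NTLM_AND_BASIC), ("basic only", SAMPLE_BASIC_ONLY)):
        print(label, proxy_auth_offers(raw), "NTLM offered:", still_offers_ntlm(raw))
```

Against a live proxy, pass the result of `fetch_connect_reply(proxy_host, proxy_port, "tp.seg-social.es:443")` to `still_offers_ntlm` and compare it with the same call using a browser User-Agent.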
