[squid-users] Bypass NTLM authentication on regex in URL

From: Nickcx <ncairncross_at_condenast.co.uk>
Date: Wed, 22 Jul 2009 04:54:00 -0700 (PDT)

Hi,

I am new to everything Linux as of 2 days ago and I'd like a bit of guidance
on something.. bear with me, I'm ultra new, but loving it...

My setup so far:

I'm configuring a 2.6 Squid box forwarding to a parent proxy - OK
I'm using NTLM authentication, with fall back of Basic - OK
I am testing with PCs and Macs visiting bbc.co.uk video (or any other Akamai
serving site) - NOT OK

PC browsers are fine, but my Safari Mac is having problems sending the POST
back to the Akamai server(s) in question. This is not unusual and I've dealt
with this before successfully on other proxies (BlueCoat and MS ISA 2006). I
can give more details on what I see in the logs but basically on the BC and
ISA I add a rule to bypass authentication if the URL contains '/open/1' or
http://*:1935/.

I just can't get my head around what ACLs and http_access I need to put in!
Here's the ACL part of my squid.conf. For simplicity, I'm just trying to allow
un-authenticated access if the URL contains the word 'open' but ideally I'd
like http://*/open/1 and http://*:1935/open/1

==
acl all proxy_auth REQUIRED
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl bypass url_regex pattern -i open
http_access allow bypass
http_access allow localhost
http_access allow all
http_reply_access allow all
===

However, my access log still shows:
===
1248263503.555 13 172.16.0.57 TCP_DENIED/403 1471 POST http://92.122.125.63/open/1 - NONE/- text/html
1248263504.223 19 172.16.0.57 TCP_DENIED/403 1481 POST http://92.122.125.63:1935/open/1 - NONE/- text/html
1248263513.577 19 172.16.0.57 TCP_DENIED/403 1479 POST http://92.122.125.63:443/open/1 - NONE/- text/html
==

I know it's the POST part that breaks the whole thing (and have tried POST
in squid to no avail..)

Any and all help and direction would be gratefully received by this n00b

Nickcx

Received on Wed Jul 22 2009 - 11:54:04 MDT
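
Added example, not part of the original post and not Squid code: a Python check of how much traffic an authentication-bypass `url_regex` would exempt, comparing the post's broad `open` pattern with an anchored one. The anchored pattern is an assumed translation of the `http://*/open/1` globs in the post, Python's `re` stands in for Squid's POSIX regex matching (the patterns use only syntax common to both), and the `MUST_AUTHENTICATE` URLs are constructed.

```python
import re

# Access-log lines copied from the post (Squid native format, wrapped lines re-joined).
ACCESS_LOG = """\
1248263503.555 13 172.16.0.57 TCP_DENIED/403 1471 POST http://92.122.125.63/open/1 - NONE/- text/html
1248263504.223 19 172.16.0.57 TCP_DENIED/403 1481 POST http://92.122.125.63:1935/open/1 - NONE/- text/html
1248263513.577 19 172.16.0.57 TCP_DENIED/403 1479 POST http://92.122.125.63:443/open/1 - NONE/- text/html
"""

# Constructed URLs that should still be subject to proxy authentication.
MUST_AUTHENTICATE = [
    "http://intranet.example/opensource/index.html",
    "http://www.example.com/search?q=open",
    "http://www.example.com/page?ref=/open/1",
]

BROAD = re.compile(r"open", re.IGNORECASE)       # the post's "-i open"
ANCHORED = re.compile(r"^http://[^/]+/open/1$")  # assumed tightening: any host[:port], exact path


def logged_urls(log_text):
    """Return the URL field (7th column) of each native-format log line."""
    urls = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 7:
            urls.append(fields[6])
    return urls


def bypassed(pattern, urls):
    """URLs that a url_regex ACL built from this pattern would match."""
    return [u for u in urls if pattern.search(u)]


def report():
    """Print, per pattern, how many wanted and unwanted URLs skip authentication."""
    wanted = logged_urls(ACCESS_LOG)
    for name, pat in (("broad", BROAD), ("anchored", ANCHORED)):
        print("%-8s exempts %d/%d logged URLs, %d/%d URLs that must authenticate" % (
            name, len(bypassed(pat, wanted)), len(wanted),
            len(bypassed(pat, MUST_AUTHENTICATE)), len(MUST_AUTHENTICATE)))


if __name__ == "__main__":
    report()
```

Both patterns cover the three denied requests from the log, but only the anchored one leaves every constructed URL behind authentication.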