Re: [squid-users] NTLM pass-through breaking uploads to Flickr, etc.

From: Mike Ely <mikeely_at_amyskitchen.net>
Date: Fri, 19 Feb 2010 09:21:55 -0800

On 2/17/10 4:10 PM, "Mike Ely" <mikeely_at_amyskitchen.net> wrote:

> Hi there,
>
> We've got 2.6 stable running as logging only server, no caching going on.
> Users are authenticated via NTLM if they're on Windows, works fine in FF and
> IE with one exception. Uploading a file prompts a second auth dialogue
> (regardless of which browser) and entering credentials to that only causes
> the browser to hork. I've tested this on XP and 2k3, various browser
> versions.
>
> What I find interesting about this is that if I set the Internet Connection
> Settings in the control panel to "auto-detect" I will get the failure even
> if I explicitly configure Firefox (via about:config) to not do NTLM
> pass-through. My current working guess is that Flickr (and the work-related
> site that uses a somewhat similar ajaxy/flashy uploader) is making a call to
> Flash and Flash is barfing on the NTLM pass-through, but that's really only
> a guess.
>
> Steps to reproduce:
> Set up NTLM auth
> Connect through the proxy
> Attempt to upload a photo to Flickr
>
> Steps to work around:
> Disable "automatically connect" on the client control panel and auth by
> hand, or use a non-windows client and also auth by hand.
>
>
>
> Squid.conf here:
> # Generic stuff
> visible_hostname proxy
> http_port 3128
> cache_mgr [redacted]
>
> # Don't cache ANYTHING
> cache_dir null /tmp
>
> # Custom error messages are nice
> error_directory /etc/squid/customerrors/amys
>
> # ShoreTel Client Badly Broken:
> request_entities on
>
> # Further workarounds for broken ShoreTel:
> acl shoretel url_regex CSISISAPI\.dll/\?
> http_access allow shoretel
> always_direct allow shoretel
>
> # In Squid 2.6, you have to explicitly declare this:
> access_log /var/log/squid/access.log squid
>
> # Let's not take forever to shutdown the server, OK?
> shutdown_lifetime 15 seconds
>
> # Even smart people get confused when their web browser fails
> # trying to find http://bart
> dns_defnames on
>
> # Let's let some stuff pass unhassled:
> acl directaccess dstdomain "/etc/squid/direct.squid"
> acl unrestricted dstdomain "/etc/squid/unrestricted.squid"
> always_direct allow directaccess
> http_access allow unrestricted
>
> # NTLM User Authentication
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param ntlm keep_alive on
>
> # LDAP User Authentication
> auth_param basic program /usr/lib64/squid/squid_ldap_auth \
> -b "dc=[redacted],dc=net" \
> -D "cn=[redacted],cn=Users,dc=[redacted],dc=net" \
> -w "[redacted]" \
> -f "sAMAccountName=%s" \
> -h ldap
>
> auth_param basic children 5
> auth_param basic realm Amy's Intranet Login
> auth_param basic credentialsttl 2 hours
>
> # More generic stuff
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl snmp_manager src [redacted]/255.255.255.255
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 631 # cups
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 901 # SWAT
> acl Safe_ports port 5440 # ShoreTel
> acl Safe_ports port 8000 # Oracle EBS
> acl windowsupdate dstdomain windowsupdate.microsoft.com
> acl windowsupdate dstdomain .update.microsoft.com
> acl windowsupdate dstdomain download.windowsupdate.com
> acl windowsupdate dstdomain redir.metaservices.microsoft.com
> acl windowsupdate dstdomain images.metaservices.microsoft.com
> acl windowsupdate dstdomain c.microsoft.com
> acl windowsupdate dstdomain www.download.windowsupdate.com
> acl windowsupdate dstdomain wustat.windows.com
> acl windowsupdate dstdomain crl.microsoft.com
> acl windowsupdate dstdomain sls.microsoft.com
> acl windowsupdate dstdomain productactivation.one.microsoft.com
> acl windowsupdate dstdomain ntservicepack.microsoft.com
>
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
>
> acl FTP proto FTP
> http_access deny !Safe_ports
>
> #SNMP Config
> snmp_port 3401
> acl snmppublic snmp_community [redacted]
> snmp_access allow snmppublic snmp_manager
> snmp_access allow snmppublic localhost
> snmp_access deny all
>
> #This prevents squid from even trying to cache
> cache deny all
>
> # Set up group queries against AD. Don't monkey with the OU.
> external_acl_type InetGroup %LOGIN /usr/lib64/squid/squid_ldap_group \
> -b "dc=[redacted],dc=net" -D "cn=[redacted],cn=Users,dc=[redacted],dc=net" \
> -s sub \
> -w "[redacted]" \
> -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=WebAccess,dc=[redacted],dc=net))" \
> -h ldap
>
> # Destinations here
> acl fedex dstdomain .fedex.com
>
> # User groups here
> acl localnet proxy_auth REQUIRED src 10.0.0.0/8
> http_access allow CONNECT wuCONNECT localnet
> http_access allow windowsupdate localnet
> acl AllWebAccess external InetGroup allweb
> acl FedexWebAccess external InetGroup fedexweb
> acl BlockedWebAccess external InetGroup blockedweb
>
> http_access allow fedex FedexWebAccess
> http_access allow AllWebAccess
> http_access allow !BlockedWebAccess
> http_access deny all

Hate to re-bump this, but the issue seems to have flown under the radar
since it was posted last week. I just did a packet capture of the whole
interaction but am unable to see where things go sideways - I see the
traffic between the proxy and the client doing GETs to flickr/yahoo, and
then the "proxy authentication required" comes up out of nowhere. Surely
this is something straightforward that I have screwed up in my config, but I
can't for the life of me see it.

Am not sure posting the pcap file would be wise given the amount of auth
info included, but would be happy to answer specific questions related to
what happens and when.

Thanks again,
Mike
Received on Fri Feb 19 2010 - 17:22:04 MST