Mike Ely wrote:
> On 2/17/10 4:10 PM, "Mike Ely" <mikeely_at_amyskitchen.net> wrote:
>
>> Hi there,
>>
>> We've got 2.6 stable running as logging only server, no caching going on.
>> Users are authenticated via NTLM if they're on Windows, works fine in FF and
>> IE with one exception. Uploading a file prompts a second auth dialogue
>> (regardless of which browser) and entering credentials to that only causes
>> the browser to hork. I've tested this on XP and 2k3, various browser
>> versions.
>>
>> What I find interesting about this is that if I set the Internet Connection
>> Settings in the control panel to "auto-detect" I will get the failure even
>> if I explicitly configure FireFox (via about:config) to not do NTLM
>> pass-through. My current working guess is that Flickr (and the work-related
>> site that uses a somewhat similar ajaxy/flashy uploader) is making a call to
>> Flash and Flash is barfing on the NTLM pass-through, but that's really only
>> a guess.
>>
>> Steps to reproduce:
>> Setup NTLM auth
>> Connect through the proxy
>> Attempt to upload a photo to Flickr
>>
>> Steps to work around:
>> Disable "automatically connect" on the client control panel and auth by
>> hand, or use a non-windows client and also auth by hand.
>>
>>
>>
>> Squid.conf here:
>> # Generic stuff
>> visible_hostname proxy
>> http_port 3128
>> cache_mgr [redacted]
>>
>> # Don't cache ANYTHING
>> cache_dir null /tmp
>>
>> # Custom error messages are nice
>> error_directory /etc/squid/customerrors/amys
>>
>> # ShoreTel Client Badly Broken:
>> request_entities on
>>
>> # Further workarounds for broken ShoreTel:
>> acl shoretel url_regex CSISISAPI\.dll/\?
>> http_access allow shoretel
>> always_direct allow shoretel
>>
>> # In Squid 2.6, you have to explicitly declare this:
>> access_log /var/log/squid/access.log squid
>>
>> # Let's not take forever to shutdown the server, OK?
>> shutdown_lifetime 15 seconds
>>
>> # Even smart people get confused when their web browser fails
>> # trying to find http://bart
>> dns_defnames on
>>
>> # Let's let some stuff pass unhassled:
>> acl directaccess dstdomain "/etc/squid/direct.squid"
>> acl unrestricted dstdomain "/etc/squid/unrestricted.squid"
>> always_direct allow directaccess
>> http_access allow unrestricted
>>
>> # NTLM User Authentication
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 10
>> auth_param ntlm keep_alive on
>>
>> # LDAP User Authentication
>> auth_param basic program /usr/lib64/squid/squid_ldap_auth \
>> -b "dc=[redacted],dc=net" \
>> -D "cn=[redacted],cn=Users,dc=[redacted],dc=net" \
>> -w "[redacted]" \
>> -f "sAMAccountName=%s" \
>> -h ldap
>>
>> auth_param basic children 5
>> auth_param basic realm Amy's Intranet Login
>> auth_param basic credentialsttl 2 hours
>>
>> # More generic stuff
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl snmp_manager src [redacted]/255.255.255.255
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl SSL_ports port 443 563
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 563 # https, snews
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 631 # cups
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 901 # SWAT
>> acl Safe_ports port 5440 # ShoreTel
>> acl Safe_ports port 8000 # Oracle EBS
>> acl windowsupdate dstdomain windowsupdate.microsoft.com
>> acl windowsupdate dstdomain .update.microsoft.com
>> acl windowsupdate dstdomain download.windowsupdate.com
>> acl windowsupdate dstdomain redir.metaservices.microsoft.com
>> acl windowsupdate dstdomain images.metaservices.microsoft.com
>> acl windowsupdate dstdomain c.microsoft.com
>> acl windowsupdate dstdomain www.download.windowsupdate.com
>> acl windowsupdate dstdomain wustat.windows.com
>> acl windowsupdate dstdomain crl.microsoft.com
>> acl windowsupdate dstdomain sls.microsoft.com
>> acl windowsupdate dstdomain productactivation.one.microsoft.com
>> acl windowsupdate dstdomain ntservicepack.microsoft.com
>>
>> acl purge method PURGE
>> acl CONNECT method CONNECT
>>
>> acl wuCONNECT dstdomain www.update.microsoft.com
>> acl wuCONNECT dstdomain sls.microsoft.com
>>
>> acl FTP proto FTP
>> http_access deny !Safe_ports
>>
>> #SNMP Config
>> snmp_port 3401
>> acl snmppublic snmp_community [redacted]
>> snmp_access allow snmppublic snmp_manager
>> snmp_access allow snmppublic localhost
>> snmp_access deny all
>>
>> #This prevents squid from even trying to cache
>> cache deny all
>>
>> # Set up group queries against AD. Don't monkey with the OU.
>> external_acl_type InetGroup %LOGIN /usr/lib64/squid/squid_ldap_group \
>> -b "dc=[redacted],dc=net" -D "cn=[redacted],cn=Users,dc=[redacted],dc=net" \
>> -s sub \
>> -w "[redacted]" \
>> -f
>> "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=WebAccess,dc=[r
>> edacted],dc=net))" \
>> -h ldap
>>
>> # Destinations here
>> acl fedex dstdomain .fedex.com
>>
>> # User groups here
>> acl localnet proxy_auth REQUIRED src 10.0.0.0/8
1) "proxy_auth" ACL type accepts a list of usernames OR the word
"REQUIRED" to accept any valid username.
2) "proxy_auth REQUIRED src" has never been valid AFAICT. The "src ..."
bit has silently been discarded by all Squid 2.6+ I'm aware of.
3) If I'm wrong about (2) being discarded then the effect will be that
the username "src" or "10.0.0.0/8" with no password might possibly be
used to login on your Squid.
4) Without IP address range checks there is no restriction on where the
logins may be done from.
>> http_access allow CONNECT wuCONNECT localnet
'localnet Requires authentication and will challenge.
>> http_access allow windowsupdate localnet
'localnet Requires authentication and will challenge.
NOTE: 'localnet' being one of the default Squid-3 ACL all documentation
you will find anywhere will assume that it retains that default type
(which is to match source IP address only).
SOLUTION:
Create a new name for your login ACL and use that where login is needed.
Revert localnet to IP range "src" type and use that where appropriate
as well.
>> acl AllWebAccess external InetGroup allweb
>> acl FedexWebAccess external InetGroup fedexweb
>> acl BlockedWebAccess external InetGroup blockedweb
>>
>> http_access allow fedex FedexWebAccess
>> http_access allow AllWebAccess
>> http_access allow !BlockedWebAccess
>> http_access deny all
>
>
> Hate to re-bump this, but the issue seems to have flown under the radar
> since it was posted last week. I just did a packet capture of the whole
> interaction but am unable to see where things go sideways - I see the
> traffic between the proxy and the client doing gets to flickr/yahoo, and
> then the "proxy authentication required" comes up out of nowhere. Surely
> this is something straightforward that I have screwed up in my config, but I
> can't for the life of me see it.
>
> Am not sure posting the pcap file would be wise given the amount of auth
> info included, but would be happy to answer specific questions related to
> what happens and when.
The notes I've added above in your config should help out a LOT.
Get those corrected and we can work on the additional fix after that.
Amos
-- Please be using Current Stable Squid 2.7.STABLE8 or 3.0.STABLE24 Current Beta Squid 3.1.0.16Received on Sat Feb 20 2010 - 02:11:31 MST
This archive was generated by hypermail 2.2.0 : Wed Feb 24 2010 - 12:00:06 MST