[squid-users] TCP_DENIED/407 when using NCSA-AUTH and video streaming

From: Werner Opriel <W.Opr_at_gmx.de>
Date: Thu, 8 Jul 2010 16:44:58 +0200

We are using a Debian package of Squid 2.7 STABLE3 on a Debian Lenny machine
with ncsa_auth configured, acting as a central Internet proxy.

All users/passwords are stored in /etc/squid/passwd on localhost and only
authenticated users are allowed to surf on sites outside the intranet.
There have been no problems with authentication so far.

But we have a problem playing videos from the site http://www.wdr.de; they
provide media streams based on Flash, for example:
http://www.wdr.de/mediathek/html/regional/2009/07/30/aktuelle-stunde-kuendigung.xml

Those pages can be accessed without problems and the start picture of the
video is displayed. When we try to play the video we receive "network
error" and "file not found" within the Flash area window after a few seconds.
There is no problem playing an audio stream from this site or Flash videos
from, for example, youtube.com or golem.de.

Our clients, always with the Flash plugin installed:
Firefox 3.5 (Win), Firefox 3.6 (Linux) and Chrome (Linux).

In the access.log we can see an authenticated user "test" surfing on
www.wdr.de.
When he starts the video, it seems that he loses his authentication
information and ends up with TCP_DENIED/407.
When we disable ncsa_auth in Squid, we can play the videos without any
problems.

extract of our squid.conf
=======================
http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 32 MB
cache_dir ufs /var/spool/squid 1024 16 16
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /etc/squid/mime.conf
log_mime_hdrs on
ftp_user anonymous_at_anywhere.com
dns_nameservers 192.xxx.y.z
redirect_program /usr/local/bin/squidGuard -c /etc/squid/squidguard.conf
redirect_children 10
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Anmeldung am internen Proxy
auth_param basic credentialsttl 2 hours
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 1494 2598 1604
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl anwender proxy_auth REQUIRED
acl sysadmins proxy_auth "/etc/squid/sysadmins"
acl intranet src 172.16.10.0/24
acl wochentag time SMTWHFA
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow sysadmins
http_access deny !wochentag
http_access deny !anwender
http_access allow intranet
http_access allow localhost
http_access deny all
icp_access deny all
cache_effective_user proxy
cache_effective_group proxy
logfile_rotate 0
cachemgr_passwd none info menu
icon_directory /usr/share/squid/icons
forwarded_for off
icp_port 0
=================================

extract of access.log:
=================================
1278570915.514     39 172.16.19.222 TCP_MISS/200 647 GET
http://www.wdr.de/mediathek/codebase/img/icon/pfeil-im-kreis-reiterdunkel.gif;jsessionid=4799D61CDD27EBD84D4961AD11F40B09.mediathek4
test DIRECT/149.219.195.51 image/gif [Host: www.wdr.de\r\nProxy-Connection:
keep-alive\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US)
AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99
Safari/533.4\r\nReferer:
http://www.wdr.de/mediathek/html/regional/rueckschau/lokalzeit_ruhr.xml\r\nProxy-Authorization:
Basic dGVzdDp0c3N0YXJ0\r\nAccept: */*\r\nAccept-Encoding:
gzip,deflate,sdch\r\nAccept-Language:
de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4\r\nAccept-Charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\nCookie:
JSESSIONID=4799D61CDD27EBD84D4961AD11F40B09.mediathek4\r\n] [HTTP/1.0 200
OK\r\nDate: Thu, 08 Jul 2010 06:35:15 GMT\r\nServer: Apache\r\nLast-Modified:
Tue, 28 Aug 2007 17:55:02
GMT\r\nETag: "3df1eb-f8-438c62c22c980"\r\nAccept-Ranges:
bytes\r\nContent-Length: 248\r\nContent-Type: image/gif\r\nX-Cache: MISS from
proxy.local\r\nX-Cache-Lookup: MISS from proxy.local:8080\r\nVia: 1.1
proxy.local:8080 (squid/2.7.STABLE3)\r\nConnection:
keep-alive\r\nProxy-Connection: keep-alive\r\n\r]
1278570915.534     64 172.16.19.222 TCP_MISS/302 524 GET
http://wdr.ivwbox.de/cgi-bin/ivw/CP/;www.wdr.de/mediathek/html/regional/rueckschau/2010/07/07/lokalzeit_ruhr.xml?r=http%3A//www.wdr.de/studio/essen/lokalzeit/beitrag02.html
test DIRECT/149.219.195.195 text/plain [Host:
wdr.ivwbox.de\r\nProxy-Connection: keep-alive\r\nUser-Agent: Mozilla/5.0
(X11; U; Linux i686; en-US) AppleWebKit/533.4 (KHTML, like Gecko)
Chrome/5.0.375.99 Safari/533.4\r\nReferer:
http://www.wdr.de/mediathek/html/regional/rueckschau/lokalzeit_ruhr.xml\r\nProxy-Authorization:
Basic dGVzdDp0c3N0YXJ0\r\nAccept: */*\r\nAccept-Encoding:
gzip,deflate,sdch\r\nAccept-Language:
de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4\r\nAccept-Charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\nCookie: srp=00e54c35718a85c20006\r\n]
[HTTP/1.0 302 Moved Temporarily\r\nServer: srp/2ac\r\nDate: Thu, 08 Jul 2010
06:35:14 GMT\r\nLast-Modified: Tue, 22 Aug 2000 15:05:01 GMT\r\nPragma:
no-cache\r\nCache-Control: no-cache, must-revalidate\r\nExpires: 0\r\nP3P:
policyref="http://www.ivwbox.de/p3p.xml", CP="NOI DSP PSAo OUR NOR
UNI"\r\nSet-Cookie: srp=00e54c35718a85c20006;
path=/\r\nLocation: /blank.gif\r\nContent-Type: text/plain\r\nX-Cache: MISS
from proxy.local\r\nX-Cache-Lookup: MISS from proxy.local:8080\r\nVia: 1.0
proxy.local:8080 (squid/2.7.STABLE3)\r\nConnection: close\r\n\r]
1278570928.401    239 172.16.19.222 TCP_MISS/302 524 GET
http://wdr.ivwbox.de/cgi-bin/ivw/CP/;www.wdr.de/mediathek/medien/videos_gffstream.fcod.llnwd.net_a792_e1_mp4:media_extern_loke_20100707_144098_web-m.mp4?r=http%3A//www.wdr.de/mediathek/html/regional/rueckschau/lokalzeit_ruhr.xml
test DIRECT/149.219.195.195 text/plain [Host:
wdr.ivwbox.de\r\nProxy-Connection: keep-alive\r\nUser-Agent: Mozilla/5.0
(X11; U; Linux i686; en-US) AppleWebKit/533.4 (KHTML, like Gecko)
Chrome/5.0.375.99 Safari/533.4\r\nReferer:
http://www.wdr.de/themen/global/flashplayer/wsPlayer.swf\r\nProxy-Authorization:
Basic dGVzdDp0c3N0YXJ0\r\nAccept: */*\r\nAccept-Encoding:
gzip,deflate,sdch\r\nAccept-Language:
de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4\r\nAccept-Charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\nCookie: srp=00e54c35718a85c20006\r\n]
[HTTP/1.0 302 Moved Temporarily\r\nServer: srp/2ac\r\nDate: Thu, 08 Jul 2010
06:35:27 GMT\r\nLast-Modified: Tue, 22 Aug 2000 15:05:01 GMT\r\nPragma:
no-cache\r\nCache-Control: no-cache, must-revalidate\r\nExpires: 0\r\nP3P:
policyref="http://www.ivwbox.de/p3p.xml", CP="NOI DSP PSAo OUR NOR
UNI"\r\nSet-Cookie: srp=00e54c35718a85c20006;
path=/\r\nLocation: /blank.gif\r\nContent-Type: text/plain\r\nX-Cache: MISS
from proxy.local\r\nX-Cache-Lookup: MISS from proxy.local:8080\r\nVia: 1.0
proxy.local:8080 (squid/2.7.STABLE3)\r\nConnection: close\r\n\r]
1278570929.836      0 172.16.19.222 TCP_DENIED/407 1822 POST
http://gffstream.fcod.llnwd.net/fcs/ident2 - NONE/- text/html [Host:
gffstream.fcod.llnwd.net\r\nPragma: no-cache\r\nAccept:
*/*\r\nAccept-Encoding: deflate, gzip\r\nProxy-Connection:
Keep-Alive\r\nUser-Agent: Shockwave Flash\r\nConnection:
Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type:
application/x-fcs\r\nContent-Length: 1\r\n] [HTTP/1.0 407 Proxy
Authentication Required\r\nServer: squid/2.7.STABLE3\r\nDate: Thu, 08 Jul
2010 06:35:29 GMT\r\nContent-Type: text/html\r\nContent-Length:
1360\r\nExpires: Thu, 08 Jul 2010 06:35:29 GMT\r\nX-Squid-Error:
ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: Basic realm="Anmeldung am
internen Proxy "\r\nX-Cache: MISS from
proxy.local\r\nX-Cache-Lookup: NONE from proxy.local:8080\r\nVia: 1.0
proxy.local:8080 (squid/2.7.STABLE3)\r\nConnection: close\r\n\r]
1278570929.843      0 172.16.19.222 TCP_DENIED/407 1810 POST
http://gffstream.fcod.llnwd.net/open/1 - NONE/- text/html [Host:
gffstream.fcod.llnwd.net\r\nPragma: no-cache\r\nAccept:
*/*\r\nAccept-Encoding: deflate, gzip\r\nProxy-Connection:
Keep-Alive\r\nUser-Agent: Shockwave Flash\r\nConnection:
Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type:
application/x-fcs\r\nUser-Agent: Shockwave Flash\r\nConnection:
Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type:
application/x-fcs\r\nContent-Length: 1\r\n] [HTTP/1.0 407 Proxy
Authentication Required\r\nServer: squid/2.7.STABLE3\r\nDate: Thu, 08 Jul
2010 06:35:29 GMT\r\nContent-Type: text/html\r\nContent-Length:
1348\r\nExpires: Thu, 08 Jul 2010 06:35:29 GMT\r\nX-Squid-Error:
ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: Basic realm="Anmeldung am
internen Proxy "\r\nX-Cache: MISS from
proxy.local\r\nX-Cache-Lookup: NONE from proxy.local:8080\r\nVia: 1.0
proxy.local:8080 (squid/2.7.STABLE3)\r\nConnection: close\r\n\r]
1278570931.992      0 172.16.19.222 TCP_DENIED/407 1822 POST
http://gffstream.fcod.llnwd.net/fcs/ident2 - NONE/- text/html [Host:
gffstream.fcod.llnwd.net\r\nPragma: no-cache\r\nAccept:
*/*\r\nAccept-Encoding: deflate, gzip\r\nProxy-Connection:
Keep-Alive\r\nUser-Agent: Shockwave Flash\r\nConnection:
Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type:
application/x-fcs\r\nContent-Length: 1\r\n] [HTTP/1.0 407 Proxy
Authentication Required\r\nServer: squid/2.7.STABLE3\r\nDate: Thu, 08 Jul
2010 06:35:31 GMT\r\nContent-Type: text/html\r\nContent-Length:
1360\r\nExpires: Thu, 08 Jul 2010 06:35:31 GMT\r\nX-Squid-Error:
ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: Basic realm="Anmeldung am
internen Proxy "\r\nX-Cache: MISS from
proxy.local\r\nX-Cache-Lookup: NONE from proxy.local:8080\r\nVia: 1.0
proxy.local:8080 (squid/2.7.STABLE3)\r\nConnection: close\r\n\r]
1278570931.996      0 172.16.19.222 TCP_DENIED/407 1810 POST
http://gffstream.fcod.llnwd.net/open/1 - NONE/- text/html [Host:
gffstream.fcod.llnwd.net\r\nPragma: no-cache\r\nAccept:
*/*\r\nAccept-Encoding: deflate, gzip\r\nProxy-Connection:
Keep-Alive\r\nUser-Agent: Shockwave Flash\r\nConnection:
Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type:
application/x-fcs\r\nUser-Agent: Shockwave Flash\r\nConnection:
Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type:
application/x-fcs\r\nContent-Length: 1\r\n] [HTTP/1.0 407 Proxy
Authentication Required\r\nServer: squid/2.7.STABLE3\r\nDate: Thu, 08 Jul
2010 06:35:31 GMT\r\nContent-Type: text/html\r\nContent-Length:
1348\r\nExpires: Thu, 08 Jul 2010 06:35:31 GMT\r\nX-Squid-Error:
ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: Basic realm="Anmeldung am
internen Proxy "\r\nX-Cache: MISS from
proxy.local\r\nX-Cache-Lookup: NONE from proxy.local:8080\r\nVia: 1.0
proxy.local:8080 (squid/2.7.STABLE3)\r\nConnection: close\r\n\r]
================
Received on Thu Jul 08 2010 - 14:45:09 MDT

This archive was generated by hypermail 2.2.0 : Sun Jul 11 2010 - 12:00:03 MDT
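The log extract already shows where the credentials go missing: the browser's requests to www.wdr.de carry a Proxy-Authorization header, while the POSTs to gffstream.fcod.llnwd.net/fcs/ident2 and /open/1 (User-Agent "Shockwave Flash", Content-Type application/x-fcs) carry none and are answered with 407 before any ACL is consulted. The following checker is an added example, not part of the original mail and not Squid code: it parses Squid native access.log lines written with log_mime_hdrs on, lists every 407 whose request had no Proxy-Authorization header, and pairs each one with the last user who authenticated from the same client IP. The sample lines are constructed (shortened from the extract above), and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log format with
# log_mime_hdrs on, shortened from the extract in the post: one authenticated
# browser request, then the Flash plugin's POSTs that carry no
# Proxy-Authorization header and are answered with 407. Squid writes the
# header CRLFs as the literal four characters "\r\n", hence the raw string.
SAMPLE_LOG = r"""1278570915.514     39 172.16.19.222 TCP_MISS/200 647 GET http://www.wdr.de/mediathek/codebase/img/icon/pfeil-im-kreis-reiterdunkel.gif test DIRECT/149.219.195.51 image/gif [Host: www.wdr.de\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) Chrome/5.0.375.99\r\nProxy-Authorization: Basic dGVzdDp0c3N0YXJ0\r\n] [HTTP/1.0 200 OK\r\nContent-Type: image/gif\r\n\r]
1278570929.836      0 172.16.19.222 TCP_DENIED/407 1822 POST http://gffstream.fcod.llnwd.net/fcs/ident2 - NONE/- text/html [Host: gffstream.fcod.llnwd.net\r\nUser-Agent: Shockwave Flash\r\nContent-Type: application/x-fcs\r\nContent-Length: 1\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm="Anmeldung am internen Proxy "\r\n\r]
1278570929.843      0 172.16.19.222 TCP_DENIED/407 1810 POST http://gffstream.fcod.llnwd.net/open/1 - NONE/- text/html [Host: gffstream.fcod.llnwd.net\r\nUser-Agent: Shockwave Flash\r\nContent-Type: application/x-fcs\r\nContent-Length: 1\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm="Anmeldung am internen Proxy "\r\n\r]
"""

# Fixed fields of the native format, followed by the two optional bracketed
# header blobs that log_mime_hdrs adds (request headers, then response headers).
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<code>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+'
    r'(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)'
    r'(?:\s+\[(?P<reqhdrs>.*?)\]\s+\[(?P<resphdrs>.*?)\])?\s*$'
)


def parse_headers(blob):
    """Split a logged header blob on the literal '\\r\\n' escapes into a dict.

    Names are lower-cased; the first occurrence of a repeated header wins
    (the Flash requests in the post log User-Agent twice). The HTTP status
    line and the trailing '\\r' fragment have no colon and are skipped.
    """
    headers = {}
    for field in blob.split(r'\r\n'):
        if ':' not in field:
            continue
        name, _, value = field.partition(':')
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def parse_line(line):
    """Parse one access.log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['reqhdrs'] = parse_headers(rec['reqhdrs'] or '')
    rec['resphdrs'] = parse_headers(rec['resphdrs'] or '')
    return rec


def credential_gaps(log_text):
    """Return every 407 whose request carried no Proxy-Authorization header.

    Each entry also records the last user seen authenticating from the same
    client IP, which shows whether an authenticated session existed on that
    host when the unauthenticated request arrived.
    """
    last_user = {}
    gaps = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['user'] != '-':
            last_user[rec['client']] = rec['user']
        if rec['status'] == 407 and 'proxy-authorization' not in rec['reqhdrs']:
            gaps.append({
                'ts': rec['ts'],
                'client': rec['client'],
                'method': rec['method'],
                'url': rec['url'],
                'user_agent': rec['reqhdrs'].get('user-agent', '-'),
                'last_user': last_user.get(rec['client'], '-'),
            })
    return gaps


def gaps_by_user_agent(log_text):
    """Count the credential gaps per User-Agent to see which client is at fault."""
    return Counter(g['user_agent'] for g in credential_gaps(log_text))


if __name__ == '__main__':
    for g in credential_gaps(SAMPLE_LOG):
        print(f"{g['ts']} {g['client']} {g['method']} {g['url']} "
              f"UA={g['user_agent']!r} last authenticated user={g['last_user']}")
    print(gaps_by_user_agent(SAMPLE_LOG))
```

Run against the real /var/log/squid/access.log, a non-empty result attributed to a single User-Agent tells you that the proxy has not forgotten anything: that process simply never presented credentials, so Squid cannot do better than 407. Note that the `user` field in the native log is written only after a successful authentication, which is why the Flash requests show `-` while the preceding browser requests from the same IP show `test`. Any workaround that exempts a destination or a User-Agent from proxy_auth is unauthenticated access by design, and a User-Agent string is trivially forged by anyone on the intranet.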