[squid-users] NTLM auth and ContentLength = 0

From: Christian Gregoire <cgregoir99_at_yahoo.com>
Date: Wed, 10 Aug 2011 13:04:11 +0100 (BST)

Hello, I use Squid 3.1.9 + ICAP + ClamAV with NTLM authentication on a CentOS box. It works pretty well, except in one particular case. Here, the HTTP client is a third-party software on Windows, not a standard navigator, which makes a few HTTP requests when it is launched. Most of the requests show the NTLM challenge/response steps correctly, but not the last one which is denied by the Squid service. The only special thing I can see is that the content length of that request is set to zero (see the traces and the headers below). Please note: if NTLM auth is disabled on the Squid server, it works fine. 1312956350.701 0 10.1.100.5 TCP_DENIED/407 3837 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html 1312956350.702 0 10.1.100.5 TCP_DENIED/407 4219 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html 1312956351.543 841 10.1.100.5 TCP_MISS/200 721 POST http://www.colis-logistique.com/expeditor/updateReference/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml 1312956351.559 0 10.1.100.5 TCP_DENIED/407 3837 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html 1312956351.560 0 10.1.100.5 TCP_DENIED/407 4219 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html 1312956352.390 830 10.1.100.5 TCP_MISS/200 720 POST http://www.colis-logistique.com/expeditor/updateReference/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml 1312956352.407 0 10.1.100.5 TCP_DENIED/407 3837 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html 1312956352.408 0 10.1.100.5 TCP_DENIED/407 4219 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html 1312956353.281 873 10.1.100.5 TCP_MISS/200 716 POST http://www.colis-logistique.com/expeditor/updateReference/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml 1312956353.296 0 10.1.100.5 TCP_DENIED/407 3837 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html 1312956353.298 0 10.1.100.5 TCP_DENIED/407 4219 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html 1312956354.165 868 10.1.100.5 TCP_MISS/200 715 POST http://www.colis-logistique.com/expeditor/updateReference/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml 1312956354.189 0 10.1.100.5 TCP_DENIED/407 3845 POST http://www.colis-logistique.com/expeditor/updateApplication/servlet - NONE/- text/html 1312956354.190 0 10.1.100.5 TCP_DENIED/407 4227 POST http://www.colis-logistique.com/expeditor/updateApplication/servlet - NONE/- text/html 1312956355.005 814 10.1.100.5 TCP_MISS/200 719 POST http://www.colis-logistique.com/expeditor/updateApplication/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml 1312956355.016 0 10.1.100.5 TCP_DENIED/407 3773 GET http://www.colis-logistique.com/updatesite? - NONE/- text/html 1312956355.017 0 10.1.100.5 TCP_DENIED/407 4155 GET http://www.colis-logistique.com/updatesite? - NONE/- text/html 1312956355.579 561 10.1.100.5 TCP_MISS/200 765 GET http://www.colis-logistique.com/updatesite? expinet.colissimo DIRECT/84.37.93.36 APPLICATION/OCTET-STREAM 1312956356.570 430 10.1.100.5 TCP_MISS/200 4599 POST http://www.colis-logistique.com/expeditor/updateaccount/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml 1312956357.437 769 10.1.100.5 TCP_MISS/200 720 POST http://www.colis-logistique.com/expeditor/updateReference/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml 1312956357.452 0 10.1.100.5 TCP_DENIED/407 3837 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html 1312956357.454 0 10.1.100.5 TCP_DENIED/407 4219 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html 1312956358.267 814 10.1.100.5 TCP_MISS/200 715 POST http://www.colis-logistique.com/expeditor/updateReference/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml 1312956359.448 0 10.1.100.5 TCP_DENIED/407 3835 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html <---- STEP 1 1312956359.449 0 10.1.100.5 TCP_DENIED/407 4217 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html <---- STEP 2 1312956359.451 0 10.1.100.5 TCP_DENIED/407 4193 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html <---- STILL DENIED !!!!!! ------------------- Headers of the HTTP session for the denied request : POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: TELINTRANSCOM Host: www.colis-logistique.com Content-Length: 0 Pragma: no-cache HTTP/1.0 407 Proxy Authentication Required Server: squid/3.1.9 Mime-Version: 1.0 Date: Wed, 10 Aug 2011 11:41:16 GMT Content-Type: text/html Content-Length: 3469 X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 Vary: Accept-Language Content-Language: en Proxy-Authenticate: NTLM X-Cache: MISS from fw-master Via: 1.0 fw-master (squid/3.1.9) Connection: close POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: TELINTRANSCOM Host: www.colis-logistique.com Content-Length: 0 Pragma: no-cache Proxy-Connection: Keep-Alive Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw== HTTP/1.0 407 Proxy Authentication Required Server: squid/3.1.9 Mime-Version: 1.0 Date: Wed, 10 Aug 2011 11:41:16 GMT Content-Type: text/html Content-Length: 3605 X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 Vary: Accept-Language Content-Language: en Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADAAMADAAAAAFgomifYF1+R0dG4gAAAAAAAAAAHYAdgA8AAAAUABJAEMASABPAE4AAgAMAFAASQBDAEgATwBOAAEAEgBGAFcALQBNAEEAUwBUAEUAUgAEABgAcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAwAsAGYAdwAtAG0AYQBzAHQAZQByAC4AcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAAAAAA== X-Cache: MISS from fw-master Via: 1.0 fw-master (squid/3.1.9) Connection: keep-alive POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: TELINTRANSCOM Host: www.colis-logistique.com Content-Length: 0 Pragma: no-cache Proxy-Connection: Keep-Alive Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAKIAAAAYABgAugAAAAwADABIAAAARgBGAFQAAAAIAAgAmgAAAAAAAADSAAAABYKIogUCzg4AAAAPUABJAEMASABPAE4AZQB4AHAAaQBuAGUAdAAuAGMAbwBsAGkAcwBzAGkAbQBvACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFQAUwBFADEAFnMeVH6eNxAAAAAAAAAAAAAAAAAAAAAAEueFV9XBLGkb2/4/sGwqnNiuOXFXC5lA HTTP/1.0 407 Proxy Authentication Required Server: squid/3.1.9 Mime-Version: 1.0 Date: Wed, 10 Aug 2011 11:41:16 GMT Content-Type: text/html Content-Length: 3829 X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 Vary: Accept-Language Content-Language: en Proxy-Authenticate: NTLM X-Cache: MISS from fw-master Via: 1.0 fw-master (squid/3.1.9) Connection: close ------------------- Headers for an accepted one : POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: TELINTRANSCOM Host: www.colis-logistique.com Content-Length: 587 Pragma: no-cache HTTP/1.0 407 Proxy Authentication Required Server: squid/3.1.9 Mime-Version: 1.0 Date: Wed, 10 Aug 2011 11:40:40 GMT Content-Type: text/html Content-Length: 3471 X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 Vary: Accept-Language Content-Language: en Proxy-Authenticate: NTLM X-Cache: MISS from fw-master Via: 1.0 fw-master (squid/3.1.9) Connection: close POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: TELINTRANSCOM Host: www.colis-logistique.com Content-Length: 587 Pragma: no-cache Proxy-Connection: Keep-Alive Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw== HTTP/1.0 407 Proxy Authentication Required Server: squid/3.1.9 Mime-Version: 1.0 Date: Wed, 10 Aug 2011 11:40:40 GMT Content-Type: text/html Content-Length: 3607 X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 Vary: Accept-Language Content-Language: en Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADAAMADAAAAAFgomiNP/Vxjp4/tAAAAAAAAAAAHYAdgA8AAAAUABJAEMASABPAE4AAgAMAFAASQBDAEgATwBOAAEAEgBGAFcALQBNAEEAUwBUAEUAUgAEABgAcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAwAsAGYAdwAtAG0AYQBzAHQAZQByAC4AcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAAAAAA== X-Cache: MISS from fw-master Via: 1.0 fw-master (squid/3.1.9) Connection: keep-alive POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: TELINTRANSCOM Host: www.colis-logistique.com Content-Length: 587 Pragma: no-cache Proxy-Connection: Keep-Alive Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAH4AAAAYABgAlgAAAAwADABIAAAAIgAiAFQAAAAIAAgAdgAAAAAAAACuAAAABYKIogUCzg4AAAAPUABJAEMASABPAE4AZQB4AHAAaQBuAGUAdAAuAGMAbwBsAGkAcwBzAGkAbQBvAFQAUwBFADEAuyOcnxnMyogAAAAAAAAAAAAAAAAAAAAAGvDfkb4KZM8Lkgec9ot0QL5qpUrN+xaa HTTP/1.0 200 OK Date: Wed, 10 Aug 2011 11:34:59 GMT Server: Apache Vary: User-Agent Content-Type: text/xml X-Cache: MISS from fw-master Via: ICAP/1.0 fw-master.domain.local (C-ICAP/0.1.3 SquidClamav/Antivirus service ), 1.0 fw-master (squid/3.1.9) Connection: close ------------------- Squid configuration file : http_port 3129 cache_access_log /servers/squid/logs/access.log cache_store_log /servers/squid/logs/store.log icap_enable on icap_send_client_ip on icap_send_client_username on icap_client_username_encode off icap_client_username_header X-Authenticated-User icap_preview_enable on icap_preview_size 1024 icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav adaptation_access service_req allow all icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav adaptation_access service_resp allow all auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 5 external_acl_type GroupeInternet %LOGIN /usr/local/squid/libexec/wbinfo_group.pl acl AccesInternetOK external GroupeInternet gg_internet acl CONNECT method CONNECT http_access allow CONNECT http_access allow AccesInternetOK http_access deny all Any idea ? Christian
Received on Wed Aug 10 2011 - 12:04:19 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 10 2011 - 12:00:01 MDT