[squid-users] Mozilla Firefox sometimes badly asking re-authentication (NTLM/negotiate)

From: George Machitidze <giomac_at_gmail.com>
Date: Fri, 17 Feb 2012 13:00:44 +0400

I've run into this problem with Squid 3.1.16, especially on YouTube when
starting a video or scrolling through it. Note that it does not ask you to
authenticate every time, only sometimes, when it shouldn't:
Mozilla Firefox shows a window to enter credentials for moz-proxy:3128. When
VALID credentials are entered, it refuses them and asks again and again.
After pressing "cancel" everything works and the video loads normally.
I've tried to find the reason with a sniffer - maybe the browser was
accessing a restricted URL - but I couldn't pin it down.
Maybe this is a FF bug, maybe a configuration problem or Squid behavior;
other browsers may be using some other method...

sample config:
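# Sample squid.conf excerpt (Squid 3.1.x). http_access rules are evaluated
# top to bottom and the first matching line wins, so the order below matters.
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl squid_ports port 3128 8080
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
# The case-insensitive flag must be an ASCII "-i"; the archived copy of this
# line carried a Unicode minus, which the regex parser would not read as a flag.
acl internal_icons urlpath_regex -i /squid-internal-static/icons/
# Let LAN clients fetch Squid's own icon images from the proxy ports without
# authentication (this line sits before the "deny !auth" rule further down).
http_access allow localnet to_localhost squid_ports internal_icons
# Cache manager interface: reachable only from the proxy host itself.
http_access allow manager localhost
http_access deny manager
# Only ports 80, 21 and 443 may be requested; CONNECT tunnels only to 443.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Block any other request aimed at the proxy's own loopback addresses.
http_access deny to_localhost
http_port 3128
http_port 8080

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# FTP: anonymous login only, telnet-style protocol and extended passive mode
# (EPSV) disabled, always fetched directly rather than through a peer, and
# limited to the GET method on port 21.
ftp_user anonymous
ftp_telnet_protocol off
ftp_epsv off
acl FTP_ports port 21
acl FTPproto proto FTP
always_direct allow FTPproto
acl allowedftpmethod method GET
http_access deny FTPproto !allowedftpmethod
http_access deny FTPproto !FTP_ports

# NTLM helper: Samba's ntlm_auth in squid-2.5-ntlmssp mode for domain TEST.
# NOTE(review): keep_alive off makes Squid close the connection after the
# challenge; worth confirming whether that interacts with the repeated prompts
# described in this report.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=TEST
auth_param ntlm children 10
auth_param ntlm keep_alive off

# Negotiate helper: negotiate_wrapper hands NTLM tokens to ntlm_auth (with
# --diagnostics logging) and Kerberos tokens to squid_kerb_auth. "-s
# GSS_C_NO_NAME" tells the Kerberos helper not to pin a single service
# principal - check the helper's documentation for the exact effect.
auth_param negotiate program /usr/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST --kerberos /usr/lib64/squid/squid_kerb_auth -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

# Group membership lookup against AD. The bind password is read from
# /etc/squid/ldappass.txt, so that file must be readable only by the Squid
# user. No StartTLS/ldaps option appears on this line, so the simple bind and
# the queries travel in clear unless the path to dc.test.ge is protected
# some other way. The bind name below looks rewritten by the list archive
# ("_at_" standing for "@") - verify against the live config.
external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -b "dc=TEST,dc=ge" -D squid_at_test.ge -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Techgroups,OU=testgroups,DC=TEST,DC=ge))" -h dc.test.ge

# Every request reaching this point must carry valid proxy credentials;
# "deny !auth" is the rule that sends the 407 challenge to the browser.
acl auth proxy_auth REQUIRED

acl FullAccess external memberof "/etc/squid/full_access.txt"

acl testtest src 192.168.0.1

http_access deny !auth
# Only the single host 192.168.0.1, AND membership in a group listed in
# full_access.txt, gets through; every other authenticated client is denied.
http_access allow testtest FullAccess
http_access deny all

cache_mem 1024 MB
minimum_object_size 0 KB
maximum_object_size 8192 KB
maximum_object_size_in_memory 8192 KB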

Best regards,
George Machitidze