Re: Squid 2.5 proxying NTLM

From: Gary Price (ICT) <gprice@dont-contact.us>
Date: Sat, 26 Apr 2003 23:39:10 +1000

Hi again
I have a transparent proxy and a population including both general Internet
users and corporate users, who use (among other things) Outlook Web Access
(OWA). Squid 2.5 already recognizes most of the HTTP request headers required
for OWA, so it goes halfway to being able to proxy this traffic. As well, my
traffic for OWA is not very intense, so I can afford to have a dedicated server
connection for every OWA user. Also I understand the need for end-to-end
connections and I can implement that. I also understand that NTLM violates certain
principles of HTTP connection management. However, as I am mainly working with
SquidNT at present it seems quite reasonable to be able to handle at least a
small OWA population. I am just asking about changes that seem to have been
made to actively prevent NTLM authentication proxying from working in Squid
2.5. I have perused the last 12 months of squid-dev archives and did not find
anything on this topic. In the code, the only thing I found so far was the
removal of the headers in question. I would appreciate any information you can
offer about this.

Thanks again
Gary Price
ICT
----- Original Message -----
From: "Henrik Nordstrom" <hno@marasystems.com>
To: "Gary Price (ICT)" <gprice@bigpond.net.au>; <squid-dev@squid-cache.org>
Sent: Saturday, April 26, 2003 6:12 PM
Subject: Re: Squid 2.5 proxying NTLM

On Saturday 26 April 2003 08.09, Gary Price (ICT) wrote:

> A while ago I posted to this list about proxying NTLM in Squid 2.3.
> I have since upgraded to 2.5 and I'm interested in implementing
> proxying for NTLM authentication. I notice that Squid now actively
> removes NTLM auth headers.

Yes, this is because we know they cannot be proxied by Squid as Microsoft
violated fundamental aspects of HTTP connection management when
designing these nonstandard authentication methods.

For NTLM and NEGOTIATE to become proxyable Squid must be taught about
the very different connection management requirements of these
non-HTTP authentication protocols.

See the squid-dev archives on connection pinning.

Regards
Henrik
Received on Sat Apr 26 2003 - 07:39:53 MDT
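
Added example, not part of either message and not Squid code: a toy Python model of the connection management problem discussed in this thread, showing why a proxy that shares server connections breaks NTLM and what pinning one server connection per client changes. The `Server`, `PoolingProxy` and `PinningProxy` classes, the user names and the three-step handshake without real challenge verification are all constructed assumptions for illustration.

```python
# Toy model (constructed): NTLM authenticates a TCP connection, not a request.

class Server:
    """Origin server keeping NTLM state per connection."""
    def __init__(self):
        self.challenged = set()   # connections that received the challenge
        self.authed = {}          # connection -> authenticated user

    def handle(self, conn, auth=None):
        if conn in self.authed:                   # connection already authenticated
            return 200, self.authed[conn]
        if auth and auth[0] == "negotiate":       # handshake step 1
            self.challenged.add(conn)
            return 401, "challenge"               # handshake step 2
        if auth and auth[0] == "authenticate" and conn in self.challenged:
            self.challenged.discard(conn)         # handshake step 3
            self.authed[conn] = auth[1]
            return 200, auth[1]
        return 401, None

class PoolingProxy:
    """Sends each request down whichever server connection is next (round robin)."""
    def __init__(self, server, pool_size):
        self.server, self.pool_size, self.count = server, pool_size, 0

    def forward(self, client, auth=None):
        conn = "srv-%d" % (self.count % self.pool_size)
        self.count += 1
        return self.server.handle(conn, auth)

class PinningProxy:
    """Dedicates one server connection to each client connection."""
    def __init__(self, server):
        self.server = server

    def forward(self, client, auth=None):
        return self.server.handle("pinned-" + client, auth)

def run(proxy):
    """alice completes the handshake, then bob sends a request with no credentials."""
    proxy.forward("alice")
    proxy.forward("alice", ("negotiate",))
    alice = proxy.forward("alice", ("authenticate", "alice"))
    bob = proxy.forward("bob")
    return alice, bob

if __name__ == "__main__":
    print("pool of 2:", run(PoolingProxy(Server(), 2)))  # handshake split, fails
    print("pool of 1:", run(PoolingProxy(Server(), 1)))  # bob rides alice's login
    print("pinned:   ", run(PinningProxy(Server())))     # alice ok, bob challenged
```

With two shared connections the handshake steps land on different connections and never complete; with one shared connection the second client is served under the first client's identity, which is the case a proxy has to rule out before forwarding these headers.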