Re: Squid authentication to upstream ISA server with Negotiate/Kerberos

From: Markus Moeller <huaraz@dont-contact.us>
Date: Sun, 22 Jul 2007 14:44:52 +0100

I think I know why my patch doesn't work for CONNECT sites. The reason is
that request->host does NOT contain the next proxy as is the case for the
GET method. Is there any other structure/variable which contains the next
proxy for all methods?

Thanks
Markus

"Markus Moeller" <huaraz@moeller.plus.com> wrote in message
news:f6qbal$jil$1@sea.gmane.org...
>I did some further investigation and it seems the ISA server reacts
>differently for CONNECT and GET. I tried both Basic and Negotiate with the
>existing squid way of doing it (not waiting for a 407, but immediately sending
>a Proxy Authorization) and in both cases it works fine for HTTP GET and
>fails for HTTP CONNECT. Has anybody experienced something similar?
>
> Is anybody working on squid to handle the processing of a 407 from an
> upstream proxy?
>
> Markus
>
>
> "Markus Moeller" <huaraz@moeller.plus.com> wrote in message
> news:f6eomc$f8f$1@sea.gmane.org...
>> Find attached a patch which adds a call to my functions to http.c and a
>> tar file with my routines. To make it work do the following:
>>
>> 1) Patch 2.6.STABLE13 with my patch file and extract my source to squid's
>> src directory.
>> 2) Run configure with CFLAGS="-I/usr/kerberos/include"
>> LDFLAGS="-L/usr/kerberos/lib -Wl,-R/usr/kerberos/lib"
>> LIBS="-lgssapi_krb5 -lkrb5" ./configure (this assumes MIT Kerberos)
>> 3) Configure Kerberos with AD as kdc
>> 4) Create a keytab with an AD user (This will be the user for
>> authenticating squid to the ISA server) as follows
>> #ktutil
>> ktutil: addent -password -p markus@WINDOWS2003.HOME -k 1 -e rc4-hmac
>> Password for markus@WINDOWS2003.HOME:
>> ktutil: wkt mm.keytab
>> ktutil: quit
>> 5) Set the keytab environment variable in the squid startup file with:
>> export KRB5_KTNAME=FILE:/etc/squid/mm.keytab
>> 6) Add a line to squid.conf like
>> cache_peer isa.windows2003.home parent 8080 0 proxy-only
>> no-query login=NEGOTIATE
>>
>> Markus
>>
>> If the attachments don't get through you can find them at
>> http://squidkerbauth.cvs.sourceforge.net/squidkerbauth/ under
>> squid_kerb_proxy_auth
>>
>>
>>
>>
>> "Henrik Nordstrom" <henrik@henriknordstrom.net> wrote in message
>> news:1183503059.9447.13.camel@henriknordstrom.net...
Received on Sun Jul 22 2007 - 07:45:43 MDT
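
A preflight check for steps 4 to 6 of the quoted setup, as an added example that is not part of the original messages or of the patch: it confirms that the keytab named by KRB5_KTNAME exists and is not group- or world-accessible (a keytab holds the principal's long-term key) and that squid.conf has a parent cache_peer carrying login=NEGOTIATE. The function names are hypothetical, and only FILE: keytab names and bare absolute paths are handled.

```shell
#!/bin/sh
# Added example: preflight checks for the keytab and cache_peer setup.
# Function names are hypothetical; paths are supplied by the caller.

# Turn a KRB5_KTNAME value into a file path. Accepts "FILE:/path" or a bare
# absolute path; any other keytab type is rejected as not handled here.
keytab_path() {
    case "$1" in
        FILE:/*) printf '%s\n' "${1#FILE:}" ;;
        /*)      printf '%s\n' "$1" ;;
        *)       return 1 ;;
    esac
}

# Succeed only if the keytab exists and no group/other permission bit is set.
keytab_private() {
    [ -f "$1" ] || return 2
    mode=$(ls -ld -- "$1" | cut -c5-10)   # group+other bits of e.g. -rw-------
    [ "$mode" = "------" ]
}

# Print the host of every "cache_peer <host> parent ..." line that carries
# login=NEGOTIATE. Commented-out lines are skipped because their first
# field is not exactly "cache_peer".
negotiate_parents() {
    awk '$1 == "cache_peer" && $3 == "parent" {
             for (i = 4; i <= NF; i++)
                 if ($i == "login=NEGOTIATE") { print $2; break }
         }' "$1"
}

# usage: preflight "$KRB5_KTNAME" /path/to/squid.conf
preflight() {
    kt=$(keytab_path "$1") || { echo "unsupported keytab name: $1"; return 1; }
    keytab_private "$kt" || {
        echo "keytab missing or group/world accessible: $kt"; return 1; }
    peers=$(negotiate_parents "$2")
    [ -n "$peers" ] || {
        echo "no parent cache_peer with login=NEGOTIATE in $2"; return 1; }
    echo "ok: keytab $kt, negotiate peers: $peers"
}

# Run the checks when invoked with both arguments.
if [ "$#" -eq 2 ]; then preflight "$@"; fi
```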
