Re: [squid-users] making 'server-side NTLM' work in transparent proxy mode

From: Robert Collins <robert.collins@dont-contact.us>
Date: 14 Aug 2001 16:55:01 +1000

On 13 Aug 2001 23:40:07 -0700, Shrikrishna Karandikar wrote:
> Hello,
>
> I am using squid-2.4 as a transparent proxy. The
> origin server it fronts requires NTLM authentication.
> So all I need from squid is to pass the headers to and
> fro appropriately while maintaining the same
> connection during the critical part of the NTLM 3-way
> handshake.
>
> But it does not work. The NTLM handshake is restarted
> multiple times, probably because squid is opening new
> connections.

Correct.

> I tried increasing the persistent connection related
> timeouts and disabling pipelining. It did not help
> much. Am I missing some other config parameter or is
> it not possible for NTLM authentication to work thru
> squid?

It is not possible.

> appreciate your help,
> shri
>
> P.S: I am not trying to set up squid to perform NTLM
> authentication itself. The NTLM authentication is
> happening at the origin server. All I need squid to do
> is to perform all transactions on the same connection
> and pass all headers back and forth correctly.

There is a link in the squid FAQ to the Microsoft site where they
document that NTLM does not work thru http proxies. In fact in recent
clients (IE 5.5 and above) if there is a proxy configured in the
browser, the browser will not even attempt to use NTLM authentication.

If you're trying to do this with web accelerator in order to accelerate
an intranet, then in theory it's possible, but a lot of work will be
needed to ensure that the connection pinning happens appropriately. If
you are doing this on a client proxy in transparent mode, the same
amount of work is needed.

I started doing such work at one point in association with the NTLM
authentication support in squid 2.5, which is when we found that IE
wouldn't try to perform NTLM when a proxy was configured. I don't have
the time in my out-of-office hours to do it unfortunately.

I would consider doing it as a paid enhancement to squid.

Cheers,
Rob
Received on Tue Aug 14 2001 - 01:07:57 MDT
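The failure mode Rob describes (the handshake restarting because the proxy opens new upstream connections, and "connection pinning" as the fix) comes from NTLM authenticating the TCP connection rather than each request. The following toy model is an added illustration for this thread, not Squid code or anything from the Squid project: the `OriginServer`, `Proxy` and `ntlm_client` classes and the `NTLM TYPE1/TYPE2/TYPE3` strings are simplified stand-ins for the real server, proxy and NTLM message types. It shows the handshake looping when every request goes out on a fresh upstream connection, and completing in three requests when the proxy pins one upstream connection to the client connection.

```python
"""Toy model of connection-oriented NTLM through a proxy (constructed example,
not Squid code).  The origin server keeps handshake state per TCP connection;
a proxy that opens a new upstream connection per request throws that state
away, so the client is challenged again and again."""
from __future__ import annotations

import itertools


class OriginServer:
    """Stand-in for an origin server that requires NTLM (hypothetical)."""

    def __init__(self) -> None:
        self._ids = itertools.count(1)
        # conn_id -> "challenged" or "authenticated"; state lives on the connection
        self._state: dict[int, str] = {}
        self.handshakes_started = 0  # how many Type 1 messages we have seen

    def connect(self) -> int:
        """Open a fresh TCP connection; it starts with no authentication state."""
        return next(self._ids)

    def handle(self, conn_id: int, authorization: str | None) -> tuple[int, str | None]:
        """Process one request; return (status, WWW-Authenticate header or None)."""
        state = self._state.get(conn_id)
        if state == "authenticated":
            return 200, None  # connection already authenticated, no header needed
        if authorization is None:
            return 401, "NTLM"  # step 0: tell the client to negotiate
        if authorization.startswith("NTLM TYPE1"):
            self.handshakes_started += 1
            self._state[conn_id] = "challenged"
            return 401, "NTLM TYPE2 challenge"  # step 1: issue challenge
        if authorization.startswith("NTLM TYPE3") and state == "challenged":
            self._state[conn_id] = "authenticated"
            return 200, None  # step 2: response matched the challenge on this connection
        # A Type 3 on a connection the server never challenged: start over.
        return 401, "NTLM"


class Proxy:
    """Minimal forwarding proxy; pin_connections selects the two behaviours."""

    def __init__(self, origin: OriginServer, pin_connections: bool) -> None:
        self.origin = origin
        self.pin = pin_connections
        self._pinned: dict[int, int] = {}  # client conn -> upstream conn

    def forward(self, client_conn: int, authorization: str | None) -> tuple[int, str | None]:
        if self.pin:
            # Reuse one upstream connection for the life of the client connection.
            upstream = self._pinned.setdefault(client_conn, self.origin.connect())
        else:
            # Fresh upstream connection for every request: NTLM state is lost.
            upstream = self.origin.connect()
        return self.origin.handle(upstream, authorization)


def ntlm_client(proxy: Proxy, max_rounds: int = 6) -> tuple[int, int]:
    """Client side of the handshake on a single client connection.
    Returns (final_status, requests_sent); gives up after max_rounds."""
    client_conn = 1
    authorization: str | None = None
    sent = 0
    status = 0
    for _ in range(max_rounds):
        status, challenge = proxy.forward(client_conn, authorization)
        sent += 1
        if status == 200:
            return status, sent
        if challenge == "NTLM":
            authorization = "NTLM TYPE1 negotiate"
        elif challenge and challenge.startswith("NTLM TYPE2"):
            authorization = "NTLM TYPE3 response"
    return status, sent


if __name__ == "__main__":
    for pinned in (False, True):
        origin = OriginServer()
        status, sent = ntlm_client(Proxy(origin, pin_connections=pinned))
        print(f"pinned={pinned}: status={status} requests={sent} "
              f"handshakes_started={origin.handshakes_started}")
```

Without pinning the client never gets past 401: each Type 3 arrives on a connection the server never challenged, so the server restarts the negotiation, which is the repeated-handshake symptom from the original question. With pinning the same client completes in three requests and the server sees a single Type 1.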