[squid-users] Using squid with NTLM and BASIC authentication from Matthew Richards on 2003-11-23 (squid-users)

From: Matthew Richards <matthew.richards@dont-contact.us>
Date: Mon, 24 Nov 2003 15:15:46 +1100

Hello All,

SETUP:
I am running squid-2.5.STABLE3 on RH7.3 (2.4.18-4) in a network environment that
also contains a Windows 2000 domain as well as a number of Linux machines.

REQUIREMENTS:
I wish to set up Squid so that it requires authentication. I want Squid to support
NTLM (for any MSIE user agents) and BASIC (for any other user agents).

I posted a similar question here
(http://www.squid-cache.org/mail-archive/squid-users/200311/0682.html)

One of the responses that I received was from Henrik and read:

"Squid always challenges using all configured authentication schemes. It is the client who
selects the most suitable scheme to use. What this means is that this "fallback" should
be automatic. User-agents who support NTLM will use NTLM, others will use
Basic (or Digest if configured and supported by the user-agent)."

This confused me as I had read the following in the Squid FAQ (read it for yourself here:
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html - ss23.1 ):

"although currently you can only use one scheme at a time."

According to my interpretation of Henrik's response I should be able to meet my requirements by configuring Squid with the following options:

./configure --prefix=/usr/local/squid --enable-auth="ntlm,basic" \
--enable-ntlm-auth-helpers="SMB" --enable-basic-auth-helpers="NCSA" \
--enable-ntlm-fail-open

Then all I should need to do is configure the following directives in squid.conf:

auth_param ntlm program /usr/local/squid/libexec/ntlm_auth MYDOMAIN/pdcbox
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/.passwd
auth_param basic children 5
auth_param basic realm My Company LAN
auth_param basic credentialsttl 2 hours

acl people proxy_auth REQUIRED
http_access allow people
http_access deny all

I also have the following directive configured.

cache_peer 165.228.128.10 parent 3128 0 no-query default

Have I got it right? Did I miss any required compilation options or directives? Can someone please comment?

Thank you,
Matthew Richards
Received on Sun Nov 23 2003 - 21:15:13 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:33 MST