[squid-users] POST method not authenticating

From: Adam Clark <Adam.Clark@dont-contact.us>
Date: Thu, 9 Jun 2005 13:59:27 +1000

Hey all,
  We are having some problems with the POST method and authentication.
The client is IE6, running squid-2.5.STABLE3 with squid-2.5-ntlmssp
helper.

Essentially, everything seems to be behaving correctly except when some
users want to post forms. This problem only seems limited to the POST
method, as if I allow the POST method without authentication, everything
seems to be OK.

I have been informed that the following is quite normal, two denieds in
quick succession before a successful request.
1118288449.039 0 172.16.9.217 TCP_DENIED/407 1821 GET http://www.ngv.vic.gov.au/admin/JOBS_edit.jsp? - NONE/- text/html
1118288449.043 0 172.16.9.217 TCP_DENIED/407 1825 GET http://www.ngv.vic.gov.au/admin/JOBS_edit.jsp? - NONE/- text/html
1118288449.055 11 172.16.9.217 TCP_MISS/200 8982 GET http://www.ngv.vic.gov.au/admin/JOBS_edit.jsp? JDyer DIRECT/172.16.9.46 text/html

But the POST method does not do this; as you can see, there are a few
seconds in between.
1118288455.695 0 172.16.9.217 TCP_DENIED/407 1821 POST http://www.ngv.vic.gov.au/admin/JOBS_edit.jsp? - NONE/- text/html
1118288460.576 0 172.16.9.217 TCP_DENIED/407 1821 POST http://www.ngv.vic.gov.au/admin/JOBS_edit.jsp? - NONE/- text/html
1118288463.128 3 172.16.9.217 TCP_DENIED/407 1821 POST http://www.ngv.vic.gov.au/admin/JOBS_edit.jsp? - NONE/- text/html
1118288470.254 0 172.16.9.217 TCP_DENIED/407 1821 POST http://www.ngv.vic.gov.au/admin/JOBS_edit.jsp? - NONE/- text/html
1118288472.774 0 172.16.9.217 TCP_DENIED/407 1821 POST http://www.ngv.vic.gov.au/admin/JOBS_edit.jsp? - NONE/- text/html
1118288500.497 0 172.16.9.217 TCP_DENIED/407 1821 POST http://www.ngv.vic.gov.au/admin/JOBS_edit.jsp? - NONE/- text/html
1118288515.572 0 172.16.9.217 TCP_DENIED/407 1821 POST http://www.ngv.vic.gov.au/admin/JOBS_edit.jsp? - NONE/- text/html

We get a "page cannot be displayed" and we go back to the form and try
to post again.

Has anybody seen problems like this?

Thanks

Adam Clark
 
Network Administrator
National Gallery of Victoria
180 St Kilda Rd
Melbourne, Vic, 3004

Squid conf
http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 128 MB
maximum_object_size 1024 MB
maximum_object_size_in_memory 16 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_dir diskd /var/cache0 24576 16 256 Q1=72 Q2=64
cache_dir diskd /var/cache1 24576 16 256 Q1=72 Q2=64
dns_retransmit_interval 1 seconds
dns_timeout 10 seconds
hosts_file none
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 20 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl SSL_ports port 8463 # Aurion ESS Service
acl SSL_ports port 8445 # TrendMicro SSL ports
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl NW-INT src 172.16.0.0/12 192.168.2.0/24
acl NW-DMZ src 10.10.10.0/24
acl NW-VPN src 10.10.11.0/24
acl NW-SRV src 172.16.5.0/24 172.16.22.0/24
acl NW-SRV-DST dst 172.16.5.0/24 172.16.22.0/24
acl NW-LAB src 172.16.50.0/24 172.16.51.0/24
acl Authorized-Users proxy_auth REQUIRED
acl POST method POST # Temporary to get around the POST Problem
acl INTRANET url_regex ^http://*.boh.ngv.local
http_access allow localhost
http_access allow NW-DMZ
http_access allow NW-SRV
http_access allow NW-LAB
http_access allow NW-INT NW-SRV-DST
http_access allow POST # Temporary to get around the POST Problem
http_access allow Authorized-Users
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr helpdesk
logfile_rotate 10
coredump_dir /var/spool/squid
pipeline_prefetch on
Received on Wed Jun 08 2005 - 21:59:57 MDT
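
An added example, not part of the original post: a Python check that scans Squid native-format access.log entries and separates the normal NTLM pattern described above (two 407s followed by a successful request) from runs of 407s that never complete, as in the POST entries. The sample log is constructed on the shape of the quoted lines with a placeholder URL; the function names and the `min_denials` threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log format, modelled on the
# entries quoted in the post (one entry per line, placeholder URL).
SAMPLE_LOG = """\
1118288449.039 0 172.16.9.217 TCP_DENIED/407 1821 GET http://intranet.example.test/edit.jsp? - NONE/- text/html
1118288449.043 0 172.16.9.217 TCP_DENIED/407 1825 GET http://intranet.example.test/edit.jsp? - NONE/- text/html
1118288449.055 11 172.16.9.217 TCP_MISS/200 8982 GET http://intranet.example.test/edit.jsp? JDyer DIRECT/172.16.9.46 text/html
1118288455.695 0 172.16.9.217 TCP_DENIED/407 1821 POST http://intranet.example.test/edit.jsp? - NONE/- text/html
1118288460.576 0 172.16.9.217 TCP_DENIED/407 1821 POST http://intranet.example.test/edit.jsp? - NONE/- text/html
1118288463.128 3 172.16.9.217 TCP_DENIED/407 1821 POST http://intranet.example.test/edit.jsp? - NONE/- text/html
"""

def parse_line(line):
    """Split one native-format entry into the fields this check needs."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None  # wrapped or truncated entry; skip it
    code, _, status = f[3].partition("/")
    if not status.isdigit():
        return None
    return {"ts": float(f[0]), "client": f[2], "code": code,
            "status": int(status), "method": f[5], "url": f[6]}

def stalled_auth(log_text, min_denials=3):
    """Return (client, method, url, denials, span_seconds) for each run of
    consecutive 407s that is never followed by a non-407 response."""
    runs = defaultdict(list)  # (client, method, url) -> timestamps of open run
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        key = (e["client"], e["method"], e["url"])
        if e["status"] == 407:
            runs[key].append(e["ts"])
        else:
            runs.pop(key, None)  # handshake completed; the run was normal
    return [(*key, len(ts), round(ts[-1] - ts[0], 3))
            for key, ts in runs.items() if len(ts) >= min_denials]

if __name__ == "__main__":
    for finding in stalled_auth(SAMPLE_LOG):
        print("407 run without success:", finding)
```

Each access.log entry must be on a single line for the parser to accept it; entries wrapped by a mail client are skipped.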
