[squid-users] squid, Safari and https pages problem

From: Markus Krause <krause@dont-contact.us>
Date: Sun, 10 Sep 2006 01:20:29 +0200

Hi list,

i searched in the archives and other forums but could not find a solution (only
descriptions!) for the following problem, which causes quite a lot of annoyance
for our Apple users. i hope someone on this list has a solution for this:

we are using squid 2.5.9 on a recent debian linux box with one password for all
users. for most browsers and applications there is no problem at all, but
users who are using Safari 2.x on a recent Mac OS X 10.4 are forced to
retype the proxy username and password on some web pages delivered via https,
not only once but several times! this occurs on pages like "web.de" or
"https://www.editorialmanager.com/mc/".
actually it seems that Safari does not send the proxy username and password to
squid, but as others (another institute) reported that they have no problems at
all i am wondering if there might be a configuration problem. other browsers
like netscape, firefox or opera work without problems, but some of our users do
not want to switch!
if the error occurs i am finding the following in /var/log/squid/access.log:

===== /var/log/squid/access.log =====
1157445010.280 3 192.168.0.35 TCP_DENIED/407 1711 CONNECT img.web.de:443 - NONE/- text/html
1157445010.347 144 192.168.0.35 TCP_MISS/200 1984 CONNECT freemailng2402.web.de:443 proxyuser DIRECT/217.72.196.3 -
1157445011.001 8 192.168.0.35 TCP_DENIED/407 1744 CONNECT freemailng2402.web.de:443 - NONE/- text/html
1157445058.071 159 192.168.0.35 TCP_MISS/200 7649 CONNECT freemailng2402.web.de:443 proxyuser DIRECT/217.72.196.3 -
1157445058.938 1388 192.168.0.35 TCP_MISS/200 16769 CONNECT img.web.de:443 proxyuser DIRECT/217.72.200.153 -
1157445059.081 1181 192.168.0.35 TCP_MISS/200 6014 CONNECT img.web.de:443 proxyuser DIRECT/217.72.200.153 -
1157445059.087 1190 192.168.0.35 TCP_MISS/200 9702 CONNECT img.web.de:443 proxyuser DIRECT/217.72.200.153 -
1157445059.142 1282 192.168.0.35 TCP_MISS/200 8938 CONNECT img.web.de:443 proxyuser DIRECT/217.72.200.153 -
===== /var/log/squid/access.log =====

running squid in debug mode i see (only parts with errors):
===== Squid Debug output ====
2006/09/05 10:30:10| parseHttpRequest: req_hdr = {Host: freemailng2402.web.de
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; de-de) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3

}
2006/09/05 10:30:10| parseHttpRequest: end = {}
2006/09/05 10:30:10| parseHttpRequest: prefix_sz = 187, req_line_sz = 44
2006/09/05 10:30:10| clientSetKeepaliveFlag: http_ver = 1.0
2006/09/05 10:30:10| clientSetKeepaliveFlag: method = CONNECT

[snipp]

2006/09/05 10:30:10| aclMatchAcl: checking 'acl testacl proxy_auth REQUIRED'
2006/09/05 10:30:10| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
2006/09/05 10:30:10| aclMatchAcl: returning 0 sending authentication challenge.
2006/09/05 10:30:10| aclMatchAclList: no match, returning 0
2006/09/05 10:30:10| aclCheck: requiring Proxy Auth header.
2006/09/05 10:30:10| aclCheck: match found, returning 2
2006/09/05 10:30:10| aclCheckCallback: answer=2
2006/09/05 10:30:10| The request CONNECT freemailng2402.web.de:443 is DENIED, because it matched 'testacl'
2006/09/05 10:30:10| clientSendMoreData: Appending 1313 bytes after 324 bytes of headers
2006/09/05 10:30:11| connStateFree: FD 15
2006/09/05 10:30:11| httpRequestFree: freemailng2402.web.de:443
=======

is this really a bug in Safari (just tested again with the latest version 2.0.4)
or is there some incompatibility?
any ideas how i can solve this (apart from using a different browser!)??

my squid.conf:
======= /etc/squid/squid.conf
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
debug_options ALL,1
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 128.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl testnet proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow testnet
http_access deny all
http_reply_access allow all
icp_access deny all
icp_access allow testnet
visible_hostname testproxy.biochem.mpg.de
coredump_dir /var/spool/squid
=======

thanks in advance for any hints!!

regards
   markus

--
Markus Krause                                   email: krause@biochem.mpg.de
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99                         Fax.: 089 - 89 40 85 98
Received on Sat Sep 09 2006 - 17:20:41 MDT
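
An added example, not part of the original post: a small Python script that reads Squid native-format access.log entries and reports CONNECT requests answered with 407 although the same client address had already authenticated, which is the pattern in the excerpt above. The function names and the look-back window are assumptions; the sample entries are the first five from the post, unwrapped to one per line.

```python
# Sample entries copied from the post's access.log excerpt, one per line.
SAMPLE_LOG = """\
1157445010.280 3 192.168.0.35 TCP_DENIED/407 1711 CONNECT img.web.de:443 - NONE/- text/html
1157445010.347 144 192.168.0.35 TCP_MISS/200 1984 CONNECT freemailng2402.web.de:443 proxyuser DIRECT/217.72.196.3 -
1157445011.001 8 192.168.0.35 TCP_DENIED/407 1744 CONNECT freemailng2402.web.de:443 - NONE/- text/html
1157445058.071 159 192.168.0.35 TCP_MISS/200 7649 CONNECT freemailng2402.web.de:443 proxyuser DIRECT/217.72.196.3 -
1157445058.938 1388 192.168.0.35 TCP_MISS/200 16769 CONNECT img.web.de:443 proxyuser DIRECT/217.72.200.153 -
"""


def parse_line(line):
    """Split one native-format entry into the fields used below, or None."""
    f = line.split()
    if len(f) < 10:          # time elapsed client action/code size method URL ident peer type
        return None
    action, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "client": f[2], "action": action,
            "status": status, "method": f[5], "target": f[6], "user": f[7]}


def find_rechallenges(lines, window=7200.0):
    """Return (ts, client, target, last_user) for every CONNECT that got a 407
    although the same client IP authenticated within `window` seconds before.
    Assumptions: `window` is an arbitrary look-back, and one client IP is one
    browser (clients behind NAT would produce false positives)."""
    last_auth = {}            # client IP -> (timestamp, user) of last authenticated request
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue          # skip blank or truncated entries
        if e["user"] != "-" and e["status"] != "407":
            last_auth[e["client"]] = (e["ts"], e["user"])
        elif e["status"] == "407" and e["method"] == "CONNECT":
            seen = last_auth.get(e["client"])
            if seen and e["ts"] - seen[0] <= window:
                hits.append((e["ts"], e["client"], e["target"], seen[1]))
    return hits


if __name__ == "__main__":
    for ts, client, target, user in find_rechallenges(SAMPLE_LOG.splitlines()):
        print(f"{ts:.3f} {client} re-challenged for {target} (last user: {user})")
```

The first 407 in the sample is the normal initial challenge and is not reported; only the 407 that follows a successful authenticated CONNECT from the same address is.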