Re: [squid-users] squid, Safari and https pages problem

I have found that Safari does a lot of things that no other browser does. Many
things that work on Firefox, IE, Mozilla or any other browser do not work in
Safari. I have Mac users also, I encourage them to use Firefox. No surprise
that Safari doesnt work correctly. I would suggest Firefox for you apple
users.

Quoting Markus Krause <krause@biochem.mpg.de>:

> Hi list,
>
> i searched in the archives and other forums but could not find a solution
> (only
> descriptions!) for the following problem, which causes quite a lot annoyance
> for our apple users, i hope someone on this has a solution for this:
>
> we are using squid 2.5.9 on a recent debian linux box with one password for
> all
> users. for most browsers and applications theres is no problem at all, but
> users which are using Safari 2.x on a recent Mac OS X 10.4. are forced to
> retype the proxy username and password on some web pages delivered via https,
> not only once but several times! this occures on pages like "web.de" or
> "https://www.editorialmanager.com/mc/".
> actually it seems that Safari does not send the proxy username and password
> to
> squid but as others (another institute) reported that they have no problems
> at
> all i am wondering if there might by a configuration problem. other browsers
> like netscape, firefox or opera work without problems, but some of our users
> do
> not want to switch!
> if the error occurs i am finding the following in /var/log/squid/access.log:
>
> ===== /var/log/squid/access.log =====
> 1157445010.280 3 192.168.0.35 TCP_DENIED/407 1711 CONNECT img.web.de:443
> -
> NONE/- text/html
> 1157445010.347 144 192.168.0.35 TCP_MISS/200 1984 CONNECT
> freemailng2402.web.de:443 proxyuser DIRECT/217.72.196.3 -
> 1157445011.001 8 192.168.0.35 TCP_DENIED/407 1744 CONNECT
> freemailng2402.web.de:443 - NONE/- text/html
> 1157445058.071 159 192.168.0.35 TCP_MISS/200 7649 CONNECT
> freemailng2402.web.de:443 proxyuser DIRECT/217.72.196.3 -
> 1157445058.938 1388 192.168.0.35 TCP_MISS/200 16769 CONNECT img.web.de:443
> proxyuser DIRECT/217.72.200.153 -
> 1157445059.081 1181 192.168.0.35 TCP_MISS/200 6014 CONNECT img.web.de:443
> proxyuser DIRECT/217.72.200.153 -
> 1157445059.087 1190 192.168.0.35 TCP_MISS/200 9702 CONNECT img.web.de:443
> proxyuser DIRECT/217.72.200.153 -
> 1157445059.142 1282 192.168.0.35 TCP_MISS/200 8938 CONNECT img.web.de:443
> proxyuser DIRECT/217.72.200.153 -
> ===== /var/log/squid/access.log =====
>
> running squid in debug mode i see (only parts with errors):
> ===== Squid Debug output ====
> 2006/09/05 10:30:10| parseHttpRequest: req_hdr = {Host: freemailng2402.web.de
> User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; de-de) AppleWebKit/418.8
> (KHTML, like Gecko) Safari/419.3
>
> }
> 2006/09/05 10:30:10| parseHttpRequest: end = {}
> 2006/09/05 10:30:10| parseHttpRequest: prefix_sz = 187, req_line_sz = 44
> 2006/09/05 10:30:10| clientSetKeepaliveFlag: http_ver = 1.0
> 2006/09/05 10:30:10| clientSetKeepaliveFlag: method = CONNECT
>
> [snipp]
>
> 2006/09/05 10:30:10| aclMatchAcl: checking 'acl testacl proxy_auth REQUIRED'
> 2006/09/05 10:30:10| authenticateAuthenticate: broken auth or no proxy_auth
> header. Requesting auth header.
> 2006/09/05 10:30:10| aclMatchAcl: returning 0 sending authentication
> challenge.
> 2006/09/05 10:30:10| aclMatchAclList: no match, returning 0
> 2006/09/05 10:30:10| aclCheck: requiring Proxy Auth header.
> 2006/09/05 10:30:10| aclCheck: match found, returning 2
> 2006/09/05 10:30:10| aclCheckCallback: answer=2
> 2006/09/05 10:30:10| The request CONNECT freemailng2402.web.de:443 is DENIED,
> because it matched 'testacl'
> 2006/09/05 10:30:10| clientSendMoreData: Appending 1313 bytes after 324 bytes
> of
> headers
> 2006/09/05 10:30:11| connStateFree: FD 15
> 2006/09/05 10:30:11| httpRequestFree: freemailng2402.web.de:443
> =======
>
> is this really a bug in Safari (just tested again with the latest version
> 2.0.4)
> or is there some incompatibility?
> any ideas how i can solve this (apart from using a different browser!)??
>
> my squid.conf:
> ======= /etc/squid/squid.conf
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> debug_options ALL,1
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 128.0.0.0/8
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl testnet proxy_auth REQUIRED
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow testnet
> http_access deny all
> http_reply_access allow all
> icp_access deny all
> icp_access allow testnet
> visible_hostname testproxy.biochem.mpg.de
> coredump_dir /var/spool/squid
> =======
>
> thanks in advance for any hints!!
>
> regards
> markus
>
> --
> Markus Krause email: krause@biochem.mpg.de
> Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
> by order of the Computing Center of the Max-Planck-Institute of Biochemistry
> Tel.: 089 - 89 40 85 99 Fax.: 089 - 89 40 85 98
>
> ---------------------------------------------------------------------
> This message was sent using https://webmail.biochem.mpg.de
> If you encounter any problems please report to rz-linux@biochem.mpg.de
>

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools