Hi all
Browsing the Internet is only permitted after athenticating (NTLM
w/ ADS). This will run undetected by most users since this part is
done by the client.
After upgrading our system to debian Etch (squid=2.6.5-6,
winbind=3.0.24-6etch4, samba=3.0.24-6etch4) we started having
some problems (I'll use separate mails for each problem).
When our users try to connect to
https://keylink.ubs.com/keylink.ubs.com/client/int/startklw.html
they will not be able to use this service.
In the log of the proxy I have this line:
1182327931.205 0 x.y.z.a TCP_DENIED/400 1614 NONE \
error:unsupported-request-method - NONE/- text/html
Digging a little bit deeper with a sniffer I found that the
header line CONNECT is missing. The older squid version
(2.5.12-4) seemed to ignore this.
The workaround to keep the users doing their jobs was to grant
access to ksylink.ubs.com without userauthentication.
But what's the clean way to solve this?
acl AuthorizedUsers proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80 8080 443
acl CONNECT method CONNECT
acl our_networks src 10.0.0.0/255.0.0.0 172.16.0.0/255.240.0.0
192.168.0.0/255.255.0.0 ...
http_access allow our_networks AuthorizedUsers Safe_ports
http_access allow our_networks AuthorizedUsers CONNECT SSL_ports
...
auth_param ntlm program /usr/bin/ntlm_auth \
--helper-protocol=squid-2.5-ntlmssp \
--require-membership-of=S-....
auth_param ntlm children 60
auth_param ntlm keep_alive on
...
auth_param basic program /usr/bin/ntlm_auth \
--helper-protocol=squid-2.5-basic \
--require-membership-of=S-.....
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
Best regards
Jörg
Received on Mon Jun 25 2007 - 09:48:11 MDT
This archive was generated by hypermail pre-2.1.9 : Sun Jul 01 2007 - 12:00:04 MDT