RE: [squid-users] FW: Allowing streaming media through NTLM Authentication

From: Mathew Archibald <marchibald@dont-contact.us>
Date: Thu, 9 Aug 2007 13:43:32 +0800

Yes wbinfo_group is better for per ACL group matchings but it isn't required in my environment.

I haven't found a good free http debugger although there are a few that have 14 day trials. A quick google should give you a few options.

I currently just use the three I listed previously as that seems to cover Windows Media and QuickTime. I haven't had any other reports from users about other streaming protocols.

Regards,

Mathew Archibald
Network/Systems Officer
Reid Library
University of Western Australia

Telephone:    (08) 6488 1161
Fax:             (08) 6488 1012
Email:           marchibald@library.uwa.edu.au

-----Original Message-----
From: Mauricio Silveira [mailto:msilveira@linuxbr.com]
Sent: Thursday, 9 August 2007 12:26 PM
To: Mathew Archibald
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] FW: Allowing streaming media through NTLM Authentication

Interesting the "--require-membership-of", haven't noticed it at all.

This parameter is interesting to check for the global presence of a user into the domain, but not for matching particular rules for specific ACLs, such as "http_access allow streaming_media STREAM_AD_GROUP"
together with the external_acl and so on...

About the http debugger... I was using "log_mime_hdrs on" to check the user agents... but it seems like the ones I find there are not the correct ones!? Should I really use an http debugger? Which one do you use, Mathew?

Mathew, have you got the complete list of browsers you use for streaming_media?

Mauricio

Mathew Archibald wrote:
> Whoops my copy and paste didn't go through so well. Below is formatted
> properly
>
> acl AuthorizedUsers proxy_auth REQUIRED
> acl streaming_media browser -i "/usr/local/squid-2.6STABLE13/etc/user_agent.conf"
> http_access allow streaming_media
> http_access allow AuthorizedUsers
>
> I used to use wbinfo_group until I figured out how to match on groups
> using the auth_param:
>
> auth_param ntlm program /usr/local/samba-3.0.25a/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="CYGNET\\staff"
> auth_param ntlm children 10
> auth_param ntlm keep_alive on
>
> If you use a http debugger on your traffic you can see the User Agent
> string of the streaming media http request and then allow this traffic
> through unauthenticated
>
> Mat
>
>
> -----Original Message-----
> From: Mauricio Silveira [mailto:msilveira@linuxbr.com]
> Sent: Wednesday, 8 August 2007 11:44 AM
> To: Mathew Archibald
> Subject: Re: [squid-users] FW: Allowing streaming media through NTLM
> Authentication
>
> Hi Mathew,
>
> You're matching against authenticated users, I'm using it against
> wbinfo_group.
>
> Anyway this should work, such as "http_access allow streaming_media
> Streaming_allow" (Streaming_allow is an external acl for matching
> against a group into the AD server). I didn't notice that browser regex
> was case-insensitive (is it?).
> Maybe the definitive solution would be using some "trickery" with
> req_mime_type, req_header, rep_mime_type options.
>
> I'm just getting tired of this matter.
>
> Mauricio
>
> Mathew Archibald wrote:
>
>> Hi Guys
>>
>> I was able to work around this problem by matching on the streaming
>> media's User Agent string. My squid.conf looks like this:
>>
>>
>>
>> And the user_agent.conf file looks like this:
>>
>> nsplayer
>> windows-media-player
>> quicktime
>>
>> Mat
>>
>> -----Original Message-----
>> From: Gavin White [mailto:white.gavin@gmail.com]
>> Sent: Tuesday, 7 August 2007 8:58 PM
>> To: Plant, Dean
>> Cc: squid-users@squid-cache.org
>> Subject: Re: [squid-users] FW: Allowing streaming media through NTLM
>> Authentication
>>
>> Hi Dean,
>>
>> how did you disable ntlm authentication? I want to allow certain
>> clients to bypass ntlm auth based on their IP address.
>>
>> Thanks,
>>
>> Gavin
>>
>> On 8/7/07, Plant, Dean <dean.plant@roke.co.uk> wrote:
>>
>>
>>> Mauricio Silveira wrote:
>>>
>>>
>>>> Hi!
>>>>
>>>> I'm somehow "Happy" I'm not alone with this problem...
>>>>
>>>> I'm having this problem since squid 2.6STABLE9... (ALWAYS)
>>>>
>>>> I've tried everything possible without success...
>>>>
>>>> Let's try to get some progress on this matter, I'll dedicate some time
>>>> to this soon (still this week or the next at most)
>>>>
>>>> If you have any progress, please post it here.
>>>>
>>>> Let's be sure of the problem... try accessing these radios:
>>>>
>>>> http://www.radios.com.br/emissoras/transa_prpop.htm
>>>> http://www.radios.com.br/emissoras/transa_sppop.htm
>>>>
>>>>
>>>> The former uses http as protocol, so it will ask for user/password,
>>>> the latter uses mms as protocol, so it won't ask for user/password.
>>>>
>>>>
>>> I get the same results using squid-2.6.STABLE13-1.RHEL4.
>>>
>>> I have had to disable NTLM authentication (easy fix) for some sites with
>>> streaming media but to be honest I have not had the time to fully
>>> investigate the cause.
>>>
>>> Dean
>>>
>>>
>>>
>>>> As far as my small brain knows... that's mms that should be giving
>>>> headaches, not the http one!
>>>>
>>>> Please post back if you get the same results, I have to show my boss
>>>> I'm right, I'm not alone and I DO KNOW how to configure squid. :D
>>>>
>>>> I'll post here if I get it working, let's flame this discussion.... I
>>>> see everyone trying to get rid of streamings, but not trying to get it
>>>> working without these "imperfections".
>>>>
>>>> Thanks,
>>>>
>>>> Mauricio
>>>>
>>>>
>>>>
>>>>> Hi
>>>>>
>>>>> Apologies if this has been discussed before but I couldn't find a
>>>>> solution for my exact problem in the archives.
>>>>>
>>>>> I run Squid 2.6STABLE13 and have configured it to use NTLM
>>>>> authentication for all client requests. This is working properly for
>>>>> standard traffic but I am hitting a problem with streaming media.
>>>>>
>>>>> I'm aware that most streaming media can't handle NTLM authentication
>>>>> automatically and therefore when a user tries to access streaming
>>>>> media a login box pops up. I don't want the users being asked to
>>>>> authenticate so I'm trying to come up with a solution to instruct
>>>>> the proxy server to not authenticate the streaming media.
>>>>>
>>>>> I've tried matching on the streaming media mime types but ran into
>>>>> the problem in that the mime type is in the response and not the
>>>>> request and it is the request that is authenticated.
>>>>>
>>>>> Has anyone dealt with this issue before and how did you go about
>>>>> allowing streaming media through an authenticated proxy?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Mathew Archibald
Received on Wed Aug 08 2007 - 23:43:47 MDT
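
Added example, not part of the thread or of Squid: the User-Agent header is supplied by the client, so every request admitted by the `streaming_media` rule above is logged without a user name. This script lists those requests per client so the exemption can be reviewed. It assumes `access_log` is written in Squid's predefined `combined` logformat; the sample lines and the `max_hosts` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Patterns from the thread's user_agent.conf. Squid's "browser -i" ACL applies
# each one as an unanchored, case-insensitive regex to the User-Agent header.
STREAMING_UA = [re.compile(p, re.I)
                for p in ("nsplayer", "windows-media-player", "quicktime")]

# Assumes the "combined" logformat: client, ident, user, time, request line,
# status, size, referer, user agent, result code.
LINE = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample lines, not taken from any real log.
SAMPLE_LOG = r'''
10.0.0.21 - - [09/Aug/2007:13:40:01 +0800] "GET http://media.example.org/live.asx HTTP/1.0" 200 512 "-" "NSPlayer/9.0.0.3250" TCP_MISS:DIRECT
10.0.0.21 - CYGNET\alice [09/Aug/2007:13:40:05 +0800] "GET http://www.example.org/ HTTP/1.1" 200 4096 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" TCP_MISS:DIRECT
10.0.0.37 - - [09/Aug/2007:13:41:10 +0800] "GET http://a.example.net/ HTTP/1.1" 200 100 "-" "QuickTime" TCP_MISS:DIRECT
10.0.0.37 - - [09/Aug/2007:13:41:12 +0800] "GET http://b.example.net/x.zip HTTP/1.1" 200 9000 "-" "quicktime" TCP_MISS:DIRECT
10.0.0.37 - - [09/Aug/2007:13:41:15 +0800] "GET http://c.example.com/ HTTP/1.1" 200 300 "-" "quicktime" TCP_MISS:DIRECT
10.0.0.40 - - [09/Aug/2007:13:42:00 +0800] "GET http://www.example.org/ HTTP/1.1" 407 1500 "-" "Mozilla/4.0" TCP_DENIED:NONE
'''

def auth_bypass_summary(lines):
    """Per client: requests served with no user name because the UA matched."""
    summary = defaultdict(lambda: {"requests": 0, "hosts": set()})
    for line in lines:
        m = LINE.match(line.strip())
        # Skip unparsable lines, authenticated requests and 407 challenges.
        if not m or m["user"] != "-" or m["status"] == "407":
            continue
        if not any(p.search(m["ua"]) for p in STREAMING_UA):
            continue
        url = m["url"]
        host = (url.rsplit(":", 1)[0] if m["method"] == "CONNECT"
                else urlsplit(url).hostname)
        entry = summary[m["client"]]
        entry["requests"] += 1
        entry["hosts"].add(host)
    return dict(summary)

def flag_clients(summary, max_hosts):
    """Clients whose unauthenticated "player" traffic reaches many hosts."""
    return sorted(c for c, e in summary.items() if len(e["hosts"]) > max_hosts)

if __name__ == "__main__":
    report = auth_bypass_summary(SAMPLE_LOG.splitlines())
    for client in flag_clients(report, max_hosts=2):
        print(client, report[client]["requests"], sorted(report[client]["hosts"]))
```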

This archive was generated by hypermail pre-2.1.9 : Sat Sep 01 2007 - 12:00:03 MDT