[squid-users] Problem with certain java sites

From: Joop Beris <j.beris_at_nederweert.nl>
Date: Thu, 5 Mar 2009 08:23:44 +0100

Squid users,

I am having a problem accessing/using certain Java enabled websites through my
squid proxy.
I am using squid-2.6.STABLE6-0.10 on a Suse machine (yes, I know this is an
ancient release...). This release has been serving us very well and I am a bit
reluctant to upgrade. However, I am willing to investigate that as an option.

The proxy uses ntlm_auth to authenticate users against our ADS servers. This
works fine...except for some Java sites. For some sites, the Java client seems
unable to authenticate, but for this site, that does not seem to be the case.

This site in particular is strange for me. It uses a Java applet to upload
photos in order to create a gallery from them. It works partially, until the
client actually wants to perform the upload, when I get a "software connection
abort" from the client. I have a wireshark/tcpdump file of the
transaction, taken on the proxy. I think the POST request from the client
fails because it does not identify the HTTP protocol version.

I have specified the following option in the squid.conf file:
"relaxed_header_parser on"
in order to get around this issue, but unfortunately this has no effect.

My squid.conf is as follows:

http_port 10.254.202.14:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
maximum_object_size_in_memory 15 KB
access_log /var/log/squid/access.log squid
emulate_httpd_log on
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
url_rewrite_children 10
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 40
auth_param ntlm keep_alive off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server at Gemeente Nederweert
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
negative_ttl 15 minutes
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255 10.254.202.14/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl purge method PURGE
http_access allow purge
acl CKBONLINE dstdomain .ckb-online.nl
always_direct allow CKBONLINE
acl TPG dstdomain .securepostplaza.tntpost.nl
always_direct allow TPG
acl Java browser Java/1.4 Java/1.5 Java/1.6 Java/1.6.0_12 jupload/0.87
http_access allow Java
acl POST method POST # temporary, to get around post problem
http_access allow POST
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
http_access deny all
http_reply_access allow all
icp_access allow all
error_directory /usr/share/squid/errors/Dutch
snmp_port 0
strip_query_terms off
coredump_dir /var/cache/squid
ie_refresh on
relaxed_header_parser on

I hope that someone who is more experienced with squid can help me, because I
have exhausted my own ideas.

Regards,

Joop

Received on Thu Mar 05 2009 - 07:24:01 MST
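
Squid evaluates http_access rules top to bottom and stops at the first match, so in the configuration above the "allow purge", "allow Java" and "allow POST" lines are reached before the proxy_auth rule. The following is an added example, not part of the original post: a Python check that lists allow rules placed ahead of the first authenticated rule and not limited by a src ACL. The function names and the reduced excerpt of the posted squid.conf are constructed for this example.

```python
# Added example: audit http_access ordering. Excerpt of the posted squid.conf,
# reduced to acl/http_access lines (embedded so the check runs offline).
SQUID_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255 10.254.202.14/255.255.255.255
acl Safe_ports port 80 # http
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
acl purge method PURGE
http_access allow purge
acl Java browser Java/1.4 Java/1.5 Java/1.6 Java/1.6.0_12 jupload/0.87
http_access allow Java
acl POST method POST # temporary, to get around post problem
http_access allow POST
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
http_access deny all
"""
AUTH_TYPES = {"proxy_auth", "proxy_auth_regex"}

def parse(conf):
    """Return ({acl name: acl type}, [(action, [acl names])]) in file order."""
    types, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 3 and tok[0] == "acl":
            types.setdefault(tok[1], tok[2])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return types, rules

def unauthenticated_allows(conf):
    """Allow rules before the first proxy_auth rule that have no positive src ACL."""
    types, rules = parse(conf)
    found = []
    for action, acls in rules:
        kinds = [types.get(a.lstrip("!"), "undefined") for a in acls]
        if AUTH_TYPES & set(kinds):
            break  # stop at the first rule that requires authentication
        positive = {k for a, k in zip(acls, kinds) if not a.startswith("!")}
        if action == "allow" and "src" not in positive:
            found.append((acls, kinds))
    return found

if __name__ == "__main__":
    print(*unauthenticated_allows(SQUID_CONF), sep="\n")
```

On the excerpt it reports the purge, Java and POST rules, which match on the request method or User-Agent alone. Pairing each such exception with a src ACL, or placing it after the proxy_auth rule, narrows what it admits.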