Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

From: Gontzal <gontzalp_at_gmail.com>
Date: Mon, 29 Jun 2009 10:40:06 +0200

Hi Kevin,

Thanks for your post, I think it is a very good solution to the Java security hole.

I've seen that to use header_access and header_replace you need to
compile with --enable-http-violations. My question is, if I
compiled squid without this option, is there any way to add this
feature or do I have to compile the entire squid again? In this case, should I
save my configuration files?

Where should I put these lines, after acls?

Thanks again

Gontzal

2009/6/27 Kevin Blackwell <akblackwel_at_gmail.com>:
> Is this what you're looking for?
>
> acl javaNtlmFix browser -i java
> acl javaConnect method CONNECT
> header_access Proxy-Authenticate deny javaNtlmFix javaConnect
> header_replace Proxy-Authenticate Basic realm="Internet"
>
> now only https/ssl access from java will have basic auth and so a
> password dialog.
> normal http access will work with ntlm challenge response.
>
> thanks again
>
> markus
>
>>-----Original Message-----
>>From: Rietzler, Markus (Firma Rietzler Software / RZF)
>>Sent: Tuesday, 16 October 2007 18:17
>>To: 'Chris Robertson'; squid-users_at_squid-cache.org
>>Subject: AW: [squid-users] force basic NTLM-auth for certain
>>clients/urls
>>
>>thanks for that hint - it worked as a fix
>>
>>i have added this to my squid.conf
>>
>>acl javaNtlmFix browser -i java
>>header_access Proxy-Authenticate deny javaNtlmFix
>>header_replace Proxy-Authenticate Basic realm="Internet Access"
>>
>>now any java-client (java web start, java or applets in
>>browser) will only see the basic auth scheme.
>>a username/password dialog pops up and i have to enter my credentials.
>>
>>any other client (firefox, ie) still sees both NTLM and Basic
>>scheme and uses NTLM challenge response to authenticate...
>>
>>the little drawback is, that there is that little nasty dialog
>>but connection via proxy is working...
>>
>>thanks
>>
>>markus
>>
>
> On Sat, May 9, 2009 at 12:13 AM, Nitin
> Bhadauria<nitin.bhadauria_at_tetrain.com> wrote:
>> Dear All,
>>
>> Please reply if we have some solution for the problem. I am stuck with the
>> problem; my server is live and I can't afford to allow the java sites to
>> unauthorized users in the network.
>>
>> Regards,
>> Nitin B.
>>
>>
>> Nitin Bhadauria wrote:
>>>
>>> Dear All,
>>>
>>>
>>> I have the same problem ..
>>>
>>> Every time a browser proxying through squid tries to load a secure java
>>> applet, it comes up with a red x where the java applet should be.
>>>
>>>
>>> So I have bypassed those sites for authentication, but the problem is that users
>>> who don't have permission to access the internet are also able to access
>>> those sites.
>>>
>>> Please update if we have found any other solution for the problem.
>>>
>>> Thanks in advance for any reply.
>>>
>>> Regards,
>>> Nitin Bhadauria
>>>
>>>
>>>
>>>
>>
>>
>
Received on Mon Jun 29 2009 - 08:40:33 MDT
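
The two squid.conf variants quoted in this thread differ only in which requests get their Proxy-Authenticate header rewritten. The following is an added example, not code from the thread or from Squid: a simplified Python model of the ACL matching, with constructed sample requests and a constructed original header set, showing which auth schemes each client is offered under the 2007 and 2009 lines.

```python
import re

# "browser" ACLs are regexes matched against the client-supplied User-Agent;
# -i makes the match case-insensitive.
JAVA_UA = re.compile(r"java", re.IGNORECASE)     # acl javaNtlmFix browser -i java

def java_ntlm_fix(req):
    return bool(JAVA_UA.search(req.get("user_agent", "")))

def java_connect(req):                           # acl javaConnect method CONNECT
    return req["method"] == "CONNECT"

# ACL names on one header_access line are ANDed.
# Each entry: (acls on the deny line, header_replace value from the thread).
RULES = {
    "2007": ([java_ntlm_fix], 'Basic realm="Internet Access"'),
    "2009": ([java_ntlm_fix, java_connect], 'Basic realm="Internet"'),
}

# Constructed: the schemes the proxy offers in its 407 before any rewriting.
OFFERED = ["NTLM", 'Basic realm="proxy"']

def proxy_authenticate(req, variant):
    """Proxy-Authenticate values the client sees in the 407 reply."""
    acls, replacement = RULES[variant]
    if all(acl(req) for acl in acls):
        # header_access deny strips the header, header_replace substitutes the
        # fixed string (simplification: modelled as a single header).
        return [replacement]
    return list(OFFERED)

# Constructed sample requests; the User-Agent strings are illustrative.
SAMPLES = {
    "java_https": {"method": "CONNECT", "user_agent": "Java/1.6.0_13"},
    "java_http": {"method": "GET", "user_agent": "Java/1.6.0_13"},
    "firefox_https": {"method": "CONNECT", "user_agent": "Mozilla/5.0 Firefox/3.0.11"},
}

def compare():
    """Map each sample request to the header values seen under each variant."""
    return {name: {v: proxy_authenticate(req, v) for v in RULES}
            for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, seen in compare().items():
        print(name, seen)
```

Under the 2009 lines only Java CONNECT requests are limited to Basic; Java over plain HTTP and all other clients still see the NTLM offer.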
