Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

From: Gontzal <gontzalp_at_gmail.com>
Date: Wed, 1 Jul 2009 12:56:43 +0200

Hi,

I've recompiled squid, now 3.0 stable 16, on a non-production opensuse
10.3 server with the --enable-http-violations option.
I've added the following lines to my squid.conf file:

acl Java browser Java/1.4 Java/1.5 Java/1.6

header_access Proxy-Authenticate deny Java
header_replace Proxy-Authenticate Basic realm="XXXX"

The header tags are before the http_access tags, I don't know if it is
correct. I've also disabled the option http_access allow Java.

Squid runs correctly, but when I check for Java it doesn't work: it
doesn't ask for basic auth and doesn't show the Java applet page.

On the access log it shows lines like this one:

(01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=>172.28.129.250)
(tp.seg-social.es:443) text/html-2226bytes 1ms

I've changed the identity of my browser from Firefox to Java and it
browses using NTLM auth instead of asking for user/passwd.

Where can the problem be?

Thanks again!

2009/6/30 Amos Jeffries <squid3_at_treenet.co.nz>:
>
>
> I agree this does look like a good clean solution. I'll look at
> implementing a small on/off toggle to do only this change for safer Java
> bypass. May not be very soon though. What version of Squid are you using?
>
> Meanwhile yes, you do have to add the option to the ./configure options and
> re-compile = re-install Squid.
> The install process if done right should not alter existing squid.conf and
> be a simple drop-in to the existing install. But a backup is worth doing
> just in case.
> If currently using a packages Squid, you may want to contact the package
> maintainer for any help on the configure and install steps.
>
> Amos
>
> On Mon, 29 Jun 2009 10:40:06 +0200, Gontzal <gontzalp_at_gmail.com> wrote:
>> Hi Kevin,
>>
>>
>> Thanks for your post, I think it is a very good solution to the Java
>> security hole.
>>
>> I've seen that for using header_access and header_replace you need to
>> compile with --enable-http-violations. My question is, if I
>> compiled squid without this option, is there any way to add this
>> feature or do I have to compile the entire squid again? In this case, should I
>> save my configuration files?
>>
>> Where should I put these lines, after acls?
>>
>> Thanks again
>>
>> Gontzal
>>
>> 2009/6/27 Kevin Blackwell <akblackwel_at_gmail.com>:
>>> Is this what you're looking for?
>>>
>>> acl javaNtlmFix browser -i java
>>> acl javaConnect method CONNECT
>>> header_access Proxy-Authenticate deny javaNtlmFix javaConnect
>>> header_replace Proxy-Authenticate Basic realm="Internet"
>>>
>>> now only https/ssl access from java will have basic auth and so a
>>> password dialog.
>>> normal http access will work with ntlm challenge response.
>>>
>>> thanxs again
>>>
>>> markus
>>>
>>>>-----Original Message-----
>>>>From: Rietzler, Markus (Firma Rietzler Software / RZF)
>>>>Sent: Tuesday, 16 October 2007 18:17
>>>>To: 'Chris Robertson'; squid-users_at_squid-cache.org
>>>>Subject: RE: [squid-users] force basic NTLM-auth for certain
>>>>clients/urls
>>>>
>>>>thanxs for that hint - it worked as a fix
>>>>
>>>>i have added this to my squid.conf
>>>>
>>>>acl javaNtlmFix browser -i java
>>>>header_access Proxy-Authenticate deny javaNtlmFix
>>>>header_replace Proxy-Authenticate Basic realm="Internet Access"
>>>>
>>>>now any java-client (java web start, java or applets in
>>>>browser) will only see the basic auth scheme.
>>>>a username/password dialog pops up and i have to enter my credentials.
>>>>
>>>>any other client (firefox, ie) still sees both NTLM and Basic
>>>>schemes and uses NTLM challenge response to authenticate...
>>>>
>>>>the little drawback is, that there is that little nasty dialog
>>>>but connection via proxy is working...
>>>>
>>>>thanxs
>>>>
>>>>markus
>>>>
>>>
>>> On Sat, May 9, 2009 at 12:13 AM, Nitin
>>> Bhadauria<nitin.bhadauria_at_tetrain.com> wrote:
>>>> Dear All,
>>>>
>>>> Please reply if we have some solution for the problem. I am stuck with
>>>> the problem: my server is live and I can't afford to allow the java sites
>>>> to unauthorized users in the network.
>>>>
>>>> Regards,
>>>> Nitin B.
>>>>
>>>>
>>>> Nitin Bhadauria wrote:
>>>>>
>>>>> Dear All,
>>>>>
>>>>>
>>>>> I have the same problem ..
>>>>>
>>>>> Every time a browser proxying through squid tries to load a secure java
>>>>> applet, it comes up with a red x where the java applet should be.
>>>>>
>>>>>
>>>>> So I have bypassed those sites for authentication, but the problem is
>>>>> users who don't have permission to access the internet are also able to
>>>>> access those sites.
>>>>>
>>>>> Please update if we have found any other solution for the problem.
>>>>>
>>>>> Thanks in advance for any reply.
>>>>>
>>>>> Regards,
>>>>> Nitin Bhadauria
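The thread's fix relies on Squid sending Java clients a 407 that lists only the Basic scheme while other browsers still see NTLM, and Gontzal's access-log line alone cannot show which schemes were actually offered. The following script is an added example (not code from the thread or from the Squid project) that sends a CONNECT request through a proxy with a chosen User-Agent and reports the schemes named in the Proxy-Authenticate headers, so the header_access/header_replace change can be verified per client type; the proxy address and the sample 407 reply are constructed for illustration.

```python
import socket

# Constructed sample of a Squid 407 reply with both schemes offered (not captured from the poster's server).
SAMPLE_407 = (
    "HTTP/1.0 407 Proxy Authentication Required\r\n"
    "Server: squid/3.0.STABLE16\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    "Proxy-Authenticate: Basic realm=\"XXXX\"\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

def offered_schemes(raw_response: str) -> list:
    """Return the auth scheme names from every Proxy-Authenticate header of a raw HTTP reply."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate":
            schemes.append(value.strip().split(None, 1)[0])  # "Basic realm=..." -> "Basic"
    return schemes

def java_only_gets_basic(schemes: list) -> bool:
    """True when the reply matches the intended post-fix state: exactly one scheme, Basic."""
    return [s.lower() for s in schemes] == ["basic"]

def probe_connect(proxy_host: str, proxy_port: int, target: str, user_agent: str) -> list:
    """Send an unauthenticated CONNECT through the proxy and return the schemes it offers."""
    request = (
        f"CONNECT {target} HTTP/1.0\r\n"
        f"Host: {target}\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Proxy-Connection: close\r\n\r\n"
    )
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as sock:
        sock.sendall(request.encode("ascii"))
        data = b""
        while b"\r\n\r\n" not in data:           # read until the header block is complete
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return offered_schemes(data.decode("latin-1"))

if __name__ == "__main__":
    # Hypothetical proxy address; Java's User-Agent string contains "Java/<version>", as the thread's acls expect.
    for ua in ("Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13", "Mozilla/5.0 (X11; Linux) Firefox/3.0"):
        schemes = probe_connect("proxy.example.invalid", 3128, "www.example.com:443", ua)
        print(f"{ua!r}: offers {schemes}, Basic-only={java_only_gets_basic(schemes)}")
```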
Received on Wed Jul 01 2009 - 10:56:54 MDT