Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

From: Gontzal <>
Date: Mon, 20 Jul 2009 12:30:54 +0200

Hi Amos,

First of all sorry for the delay.

Yes, the header_access tag is not accepted on 3.0 S 16. I've tried
with reply_header_access with the same result: none. Same entries in
access.log:

- - [20/Jul/2009:12:10:26 +0200] "CONNECT HTTP/1.1" 407 2015 TCP_DENIED:NONE

In the access.log of the parent proxy I get:

1248084163.393 131533 TCP_MISS/000 2696 CONNECT - DEFAULT_PARENT/ -

This is part of my conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm ProxySquid
auth_param basic credentialsttl 2 hours
external_acl_type winbind_group children=10 %LOGIN /usr/sbin/

acl Java browser Java/1.4 Java/1.5 Java/1.6
acl javaConnect method CONNECT

reply_header_access Proxy-Authenticate deny Java javaConnect
header_replace Proxy-Authenticate basic realm=ProxySquid

and after that the http_access tags

Another question: must the realm value be the same as defined in
"auth_param basic realm ProxySquid", or may it be the domain name as
defined in smb.conf? In my case it's not the same value.

2009/7/2 Amos Jeffries <>:
> On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal <> wrote:
>> Hi,
>> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
>> 10.3 server with the --enable-http-violations option
>> I've added the following lines to my squid.conf file:
>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>> header_access Proxy-Authenticate deny Java
>> header_replace Proxy-Authenticate Basic realm="XXXX"
>> The header tags are before the http_access tags, I don't know if it is
>> correct. I've also disabled the option http_access allow Java
>> Squid runs correctly but when I check for java, it doesn't work, it
>> doesn't ask for basic auth and doesn't show the java applet page.
>> On the access log it shows lines like this one:
>> (01/Jul 12:46:01) (TCP_DENIED/407/NONE) (>
>> ( text/html-2226bytes 1ms
>> I've changed the identity of my browser from firefox to java and it
>> browses using ntlm auth instead of asking for user/passwd
>> Where can the problem be?
> In squid-3 the header_access has been broken in half.
> I believe you are needing to use reply_header_access.
> Amos
>> Thanks again!
Received on Mon Jul 20 2009 - 10:31:39 MDT
