Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

From: Gontzal <gontzalp_at_gmail.com>
Date: Mon, 20 Jul 2009 15:22:46 +0200

Responses in the message.

2009/7/20 Amos Jeffries <squid3_at_treenet.co.nz>:
> Gontzal wrote:
>>
>> Hi Amos,
>>
>> First of all sorry for the delay.
>>
>> Yes, the header_access tag is not accepted on 3.0 S 16. I've tried
>> with reply_header_access with the same result: none.
>
> By "none" you mean Java still getting the NTLM Proxy_auth header?

I think so, because it is neither starting the Java applet nor asking
for basic auth.

> Do you have a trace of the 407 reply from Squid to be sure of that?

I don't know how to get the trace; if you can give me more info on how
to get the trace I would appreciate it. I just have the information from
the access.log

>
>> Same entries on
>> access.log:
>> 172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] "CONNECT tp.seg-social.es:443 HTTP/1.1" 407 2015 TCP_DENIED:NONE
>>
>> In the access.log of the parent proxy I get:
>>
>> 1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -
>>
>>
>> This is part of my conf:
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 50
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm ProxySquid
>> auth_param basic credentialsttl 2 hours
>> external_acl_type winbind_group children=10 %LOGIN /usr/sbin/wbinfo_group.pl
>>
>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>> acl javaConnect method CONNECT
>>
>> reply_header_access Proxy-Authenticate deny Java javaConnect
>> header_replace Proxy-Authenticate basic realm=ProxySquid
>>
>> and after that the http_access tags
>>
>> Another question: must the realm value be the same as defined in
>> "auth_param basic realm ProxySquid" or may it be the domain name as
>> defined in smb.conf? In my case it's not the same value.
>
> The realm returned by Squid should always be the one configured in
> squid.conf auth_param

Must the value of realm be between " " or not?

Thanks again.

Gontzal

> Amos
>
>>
>>
>> 2009/7/2 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>
>>> On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal <gontzalp_at_gmail.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
>>>> 10.3 server with the --enable-http-violations option
>>>> I've added the following lines to my squid.conf file:
>>>>
>>>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>>>>
>>>> header_access Proxy-Authenticate deny Java
>>>> header_replace Proxy-Authenticate Basic realm="XXXX"
>>>>
>>>> The header tags are before the http_access tags; I don't know if that is
>>>> correct. I've also disabled the option http_access allow Java
>>>>
>>>> Squid runs correctly but when I check for Java, it doesn't work: it
>>>> doesn't ask for basic auth and doesn't show the Java applet page.
>>>>
>>>> On the access log it shows lines like this one:
>>>>
>>>> (01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=>172.28.129.250) (tp.seg-social.es:443) text/html-2226bytes 1ms
>>>>
>>>> I've changed the identity of my browser from Firefox to Java and it
>>>> browses using NTLM auth instead of asking for user/passwd
>>>>
>>>> Where can the problem be?
>>>
>>> In squid-3 the header_access has been broken in half.
>>>
>>> I believe you are needing to use reply_header_access.
>>>
>>> Amos
>>>
>>>> Thanks again!
>>>>
>
>
> --
> Please be using
>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
>  Current Beta Squid 3.1.0.10 or 3.1.0.11
>
Received on Mon Jul 20 2009 - 13:22:55 MDT
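
Added example, not part of the original thread and not Squid code: a small Python check that takes the raw bytes of a captured 407 reply and reports which Proxy-Authenticate challenges the client actually received, which is the question the trace was meant to answer. The sample reply is constructed from the configuration quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: a 407 reply with header values modelled on the
# configuration quoted in the thread; not a real capture.
SAMPLE_407 = (
    b"HTTP/1.0 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b"Proxy-Authenticate: basic realm=ProxySquid\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n<html>...</html>"
)

# realm is either a quoted-string or, in malformed challenges, a bare token
REALM = re.compile(r'realm\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+)', re.I)

def proxy_challenges(raw):
    """Return (status, [(scheme, realm, realm_is_quoted), ...]) for a raw reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    found = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        parts = value.split(None, 1)
        if name.strip().lower() != "proxy-authenticate" or not parts:
            continue
        match = REALM.search(parts[1] if len(parts) > 1 else "")
        realm = match.group(1) if match else None
        quoted = bool(realm and realm.startswith('"'))
        found.append((parts[0], realm.strip('"') if realm else None, quoted))
    return status, found

def review(raw):
    """List what a Basic-only client would trip over in this reply."""
    status, challenges = proxy_challenges(raw)
    issues = []
    if status != 407:
        issues.append("not a 407 reply")
    schemes = [scheme.lower() for scheme, _, _ in challenges]
    if "ntlm" in schemes or "negotiate" in schemes:
        issues.append("NTLM/Negotiate still offered")
    if "basic" not in schemes:
        issues.append("no Basic challenge offered")
    for scheme, _, quoted in challenges:
        # HTTP defines the realm value as a quoted-string (RFC 2617, RFC 7235)
        if scheme.lower() == "basic" and not quoted:
            issues.append("Basic realm is not a quoted-string")
    return issues
```

Calling `review()` on the bytes of a real captured reply shows at a glance whether the header rewrite took effect for that client.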
