Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

From: Gontzal <gontzalp_at_gmail.com>
Date: Tue, 21 Jul 2009 12:35:44 +0200

Hi Amos,

I'm sending the trace as requested; yesterday I had just come back from
holidays and I was "out":

CONNECT tp.seg-social.es:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES;
rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Proxy-Connection: keep-alive
Host: tp.seg-social.es

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE16
Mime-Version: 1.0
Date: Tue, 21 Jul 2009 10:28:20 GMT
Content-Type: text/html
Content-Length: 1681
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="ProxySquid "
X-Cache: MISS from deil-trinity2
X-Cache-Lookup: NONE from deil-trinity2:3128
Via: 1.0 deil-trinity2 (squid/3.0.STABLE16)
Proxy-Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>ERROR: Cache Access Denied</title>
<style type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></style>
</head>
<body>
<h1>ERROR</h1>
<h2>Cache Access Denied.</h2>
<hr>
<p>The following error was encountered while trying to retrieve the
URL: https://tp.seg-social.es/*</p>

<blockquote>
<p><b>Cache Access Denied.</b></p>
</blockquote>

<p>Sorry, you are not currently allowed to request
https://tp.seg-social.es/* from this cache until you have
authenticated yourself.</p>

<p>Please contact the <a
href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_CACHE_ACCESS_DENIED&amp;body=CacheHost%3A%20deil-trinity2%0D%0AErrPage%3A%20ERR_CACHE_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Tue,%2021%20Jul%202009%2010%3A28%3A20%20GMT%0D%0A%0D%0AClientIP%3A%20172.28.3.186%0D%0A%0D%0AHTTP%20Request%3A%0D%0ACONNECT%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20Mozilla%2F5.0%20(Windows%3B%20U%3B%20Windows%20NT%205.1%3B%20es-ES%3B%20rv%3A1.9.1.1)%20Gecko%2F20090715%20Firefox%2F3.5.1%20(.NET%20CLR%203.5.30729)%0D%0AProxy-Connection%3A%20keep-alive%0D%0AHost%3A%20tp.seg-social.es%0D%0A%0D%0A%0D%0A">cache
administrator</a> if you have difficulties authenticating yourself or
<a href="http://deil-trinity2/cgi-bin/chpasswd.cgi">change</a> your
default password.</p>

<br>
<hr>
<div id="footer">Generated Tue, 21 Jul 2009 10:28:20 GMT by
deil-trinity2 (squid/3.0.STABLE16)</div>
</body></html>

Thanks a lot

2009/7/20 Gontzal <gontzalp_at_gmail.com>:
> Responses in the message.
>
> 2009/7/20 Amos Jeffries <squid3_at_treenet.co.nz>:
>> Gontzal wrote:
>>>
>>> Hi Amos,
>>>
>>> First of all sorry for the delay.
>>>
>>> Yes, the header_access tag is not accepted on 3.0 S 16; I've tried
>>> with reply_header_access with the same result: none.
>>
>> By "none" you mean Java still getting the NTLM Proxy_auth header?
>
> I think so, because it is neither starting the Java applet nor asking
> for basic auth
>
>> Do you have a trace of the 407 reply from Squid to be sure of that?
>
> I don't know how to get the trace; if you can give me more info on how to
> get the trace I would appreciate it. I just have the information from the
> access.log
>
>>
>>> Same entries on
>>> access.log:
>>> 172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] "CONNECT
>>> tp.seg-social.es:443 HTTP/1.1" 407 2015 TCP_DENIED:NONE
>>>
>>> In the access.log of the parent proxy I get:
>>>
>>> 1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT
>>> tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -
>>>
>>>
>>> This is part of my conf:
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 50
>>> auth_param basic program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-basic
>>> auth_param basic children 5
>>> auth_param basic realm ProxySquid
>>> auth_param basic credentialsttl 2 hours
>>> external_acl_type winbind_group children=10 %LOGIN
>>>  /usr/sbin/wbinfo_group.pl
>>>
>>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>>> acl javaConnect method CONNECT
>>>
>>> reply_header_access Proxy-Authenticate deny Java javaConnect
>>> header_replace Proxy-Authenticate basic realm=ProxySquid
>>>
>>> and after that the http_access tags
>>>
>>> Another question, the realm value must be the same as defined on
>>> "auth_param basic realm ProxySquid " or may be the domain name as
>>> defined on smb.conf? In my case it's not the same value.
>>
>> The realm returned by Squid should always be the one configured in
>> squid.conf auth_param
>
> the value of realm must be between " " or not?
>
> Thanks again.
>
> Gontzal
>
>> Amos
>>
>>>
>>>
>>> 2009/7/2 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>>
>>>> On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal <gontzalp_at_gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
>>>>> 10.3 server with the --enable-http-violations option
>>>>> I've added the following lines to my squid.conf file:
>>>>>
>>>>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>>>>>
>>>>> header_access Proxy-Authenticate deny Java
>>>>> header_replace Proxy-Authenticate Basic realm="XXXX"
>>>>>
>>>>> The header tags are before the http_access tags; I don't know if that is
>>>>> correct. I've also disabled the option http_access allow Java
>>>>>
>>>>> Squid runs correctly but when I check for Java, it doesn't work: it
>>>>> doesn't ask for basic auth and doesn't show the Java applet page.
>>>>>
>>>>> On the access log it shows lines like this one:
>>>>>
>>>>> (01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=>172.28.129.250)
>>>>> (tp.seg-social.es:443) text/html-2226bytes 1ms
>>>>>
>>>>> I've changed the identity of my browser from firefox to java and it
>>>>> browses using ntlm auth instead of asking for user/passwd
>>>>>
>>>>> Where can the problem be?
>>>>
>>>> In squid-3 the header_access has been broken in half.
>>>>
>>>> I believe you are needing to use reply_header_access.
>>>>
>>>> Amos
>>>>
>>>>> Thanks again!
>>>>>
>>
>>
>> --
>> Please be using
>>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
>>  Current Beta Squid 3.1.0.10 or 3.1.0.11
>>
>
Received on Tue Jul 21 2009 - 10:35:55 MDT
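
Added example, not part of the original messages: a small check over the captured exchange that lists the Proxy-Authenticate schemes in the 407 reply and tests whether the request's User-Agent would match the posted "acl Java browser" patterns. The header text is copied from the trace above (reply shortened to the relevant headers); the function names are hypothetical.

```python
import re

# Constructed sample: request and reply headers copied from the trace in this thread.
REQUEST = """CONNECT tp.seg-social.es:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Proxy-Connection: keep-alive
Host: tp.seg-social.es
"""
REPLY = """HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE16
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="ProxySquid "
Proxy-Connection: close
"""
# Patterns from the posted line: acl Java browser Java/1.4 Java/1.5 Java/1.6
JAVA_ACL = ["Java/1.4", "Java/1.5", "Java/1.6"]

def parse_headers(message):
    """Return (start_line, [(name, value), ...]), keeping repeated headers."""
    lines = message.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def offered_schemes(reply):
    """List the auth schemes of a 407 reply in the order the proxy sent them."""
    start, headers = parse_headers(reply)
    parts = start.split()
    if len(parts) < 2 or parts[1] != "407":
        return []
    return [v.split(None, 1)[0] for n, v in headers
            if n == "proxy-authenticate" and v]

def matches_browser_acl(request, patterns):
    """Squid's 'browser' ACL type is a regex match on the User-Agent header."""
    _, headers = parse_headers(request)
    agent = next((v for n, v in headers if n == "user-agent"), "")
    return any(re.search(p, agent) for p in patterns)

def report(request, reply, patterns):
    schemes = offered_schemes(reply)
    return {"schemes": schemes,
            "ntlm_offered": any(s.upper() == "NTLM" for s in schemes),
            "java_acl_matches": matches_browser_acl(request, patterns)}

if __name__ == "__main__":
    print(report(REQUEST, REPLY, JAVA_ACL))
```

For the captured exchange the reply still offers NTLM ahead of Basic, and the Firefox User-Agent in the request does not match any of the Java patterns.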
