Re: [squid-users] squid NTLM setup question

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 12 Sep 2009 20:25:08 +1200

Navjeet wrote:
> We have been using squid in our development environment. Squid has
> been forwarding all the internet bound traffic to a proxy server that
> did not need any authentication until now. But that has changed now
> and now we have to use another proxy server that uses NTLM based
> authentication. Now our servers in this development environment only
> have local users (users logging in are not authenticated Windows AD).

> Does the Squid NTLM authentication setup still work in this setup?

Sort of. Squid can be placed into a passive config where it simply
passes authentication to/from the upstream proxy (login=PASS and
connection-auth options to cache_peer). The downside of this is that due
to the nature of NTLM etc the relaying Squid is not able to be
authenticating anyone itself.

The very latest 3.HEAD(3.2) code is being upgraded to let Squid do
Kerberos login with peers as if it was a client browser. NTLM is not an
option.

> Can
> the NTLM setup be configured to use a specified user (and password,
> hopefully encrypted) that can be specified in some configuration
> file.

No. Please read up on how NTLM works. Squid only ever sees encrypted
hashes of the login details. Other than the HEAD version mentioned above
all other Squid require the authentication method between Squid and the
peer to be done with Basic auth.

> This is needed as many of our applications (Tomcat, ESB etc.)
> are headless (I mean not just a web browser) and they now need to go
> thru this new proxy server.
>

Do you mean the requests they make to the Internet need to be done that way?
... or that your Squid is actually meant to be a reverse proxy to access
them?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19
   Current Beta Squid 3.1.0.13
Received on Sat Sep 12 2009 - 08:25:21 MDT
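
The pass-through arrangement described in the reply, sketched as a squid.conf fragment. This is an added example, not part of the original message or of the Squid project's documentation; the peer hostname, ports and source range are constructed placeholders, and the exact option syntax should be checked against the cache_peer documentation for the Squid release in use.

```conf
# Added example (constructed values): relay NTLM to an upstream proxy
# without this Squid authenticating anyone itself.

# Clients (browsers or headless applications) connect here.
http_port 3128

# Placeholder for the development network allowed to use this relay.
acl devnet src 192.0.2.0/24
http_access allow devnet
http_access deny all

# Upstream proxy that demands NTLM. Hostname and port are placeholders.
#   login=PASS       forward the client's Proxy-Authorization header
#                    to the peer unchanged
#   connection-auth  allow connection-oriented authentication (NTLM)
#                    to be relayed through to this peer
cache_peer upstream-proxy.example.internal parent 8080 0 no-query default login=PASS connection-auth=on

# Never go direct to the Internet; everything goes through the parent.
never_direct allow all

# NTLM authenticates a TCP connection, not a single request, so
# persistent connections must stay enabled on both sides of the relay.
client_persistent_connections on
server_persistent_connections on

# Deliberately absent: auth_param and proxy_auth ACLs. In this mode the
# relay only carries the handshake between client and peer, so every
# client application must perform the NTLM exchange with its own
# credentials; Squid holds no username or password.
```

Because the relay holds no credentials, access control on it rests on the source ACL alone, and any per-user logging or policy has to happen on the upstream proxy.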
