[squid-users] Squid NTML and auth problems with POST from Dmitrijs Demidovs on 2010-06-15 (squid-users)

From: Dmitrijs Demidovs <dmitrijs.demidovs_at_datakom.lv>
Date: Tue, 15 Jun 2010 13:49:36 +0300

Hi list!

I have a problems with Squid and winbind auth.

There is a couple of sites (internal CMS systems and external banking sites) what have the
same problems - users can not send attached data files using html web forms (http POST method).

We have Squid and Samba/winbind scheme what perform auth of users against AD domain via NTLM.
Everything works just fine except this mystical POST problems.

It looks like this:
===
1276593195.910 256 10.1.2.20 TCP_DENIED/407 4500 POST http://www.site.com/admin.php? - NONE/- text/html
1276593195.919 7 10.1.2.20 TCP_DENIED/407 4706 POST http://www.site.com/admin.php? - NONE/- text/html
===

And if I make a hole in auth for POST method using:
===
acl POST method POST
acl POST_whitelist dstdomain "/etc/squid/POST_whitelist.txt"
http_access allow POST POST_whitelist all
===

and try to send file via form, then all is working fine again:
===
1276593290.237 438 10.1.2.20 TCP_MISS/200 6752 GET http://www.site.com/admin.php? USER01 DEFAULT_PARENT/10.1.4.2 text/html
1276593290.303 2 10.1.2.20 TCP_DENIED/407 4582 GET http://www.site.com/n.php - NONE/- text/html
1276593290.307 1 10.1.2.20 TCP_DENIED/407 4788 GET http://www.site.com/n.php - NONE/- text/html
1276593290.490 180 10.1.2.20 TCP_MISS/200 413 GET http://www.site.com/n.php USER01 DEFAULT_PARENT/10.1.4.2 text/html
1276593305.751 12342 10.1.2.20 TCP_MISS/302 817 POST http://www.site.com/admin.php? - DEFAULT_PARENT/10.1.4.2 text/html
1276593305.755 1 10.1.2.20 TCP_DENIED/407 4680 GET http://www.site.com/admin.php? - NONE/- text/html
1276593305.761 1 10.1.2.20 TCP_DENIED/407 4886 GET http://www.site.com/admin.php? - NONE/- text/html
1276593306.106 344 10.1.2.20 TCP_MISS/302 722 GET http://www.site.com/admin.php? USER01 DEFAULT_PARENT/10.1.4.2 text/html
1276593306.110 0 10.1.2.20 TCP_DENIED/407 4684 GET http://www.site.com/admin.php? - NONE/- text/html
===

I Googled this and have read a lot of forums, but the only thing that I found jet, is that there is some king of "brain damage" in ntlm auth scheme
(it performs auth in a couple of iterations each time sending more and more of info about user, and this is fine fore GET but bad for POST).

Anyway, it seems that InternetExplorrer 8 (and Firefox 3 as well) do not performs additional auth iterations then they get first 407 while POSTing data.

I been trying to overcome this problem by using squid configuration directives like "auth_param ntlm keep_alive on/off", "no_cache" and
"ie_refresh on/off". Unfortunately - no luck for me :(

Is there any solution for this problem except "acl POST hole" I made?

Any help is highly wanted.

Thanks in advance.
Received on Tue Jun 15 2010 - 10:49:40 MDT

This archive was generated by hypermail 2.2.0 : Tue Jun 15 2010 - 12:00:03 MDT