Re: [squid-users] TCP_DENIED/407 when using NCSA-AUTH and video streaming

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 11 Jul 2010 18:49:26 +1200

Werner Opriel wrote:
> We are using a debian-Package of Squid 2.7 Stable3 on a Debian Lenny machine
> with ncsa-auth configured, acting as a central Internet-Proxy.
>
> All Users/Passwords are stored in /etc/squid/passwd on localhost and only
> authenticated users are allowed to surf on sites outside the intranet.
> There are no problems with authentication so far.
>
> But we have a problem playing videos from the side http://www.wdr.de, they do
> provide media-streams based on flash, for example:
> http://www.wdr.de/mediathek/html/regional/2009/07/30/aktuelle-stunde-kuendigung.xml
>
> Those pages can be accessed without problems and the starting picture of the
> video is displayed. When we try to play the video we are receiving "network
> error" and "file not found" within the flasharea-window after a few seconds.
> There is no problem playing an audio stream from this site or flash-videos for
> example from youtube.com or golem.de
>
> Our Clients, always with flashplugin installed:
> Firefox 3.5 (Win), Firefox 3.6 (Linux) and Chrome (Linux) .
>
> In the access.log we can see an authenticated user "test" surfin on
> www.wdr.de.
> When starting the video it would seem that he lost his authentication
> information and then ends in tcp-denied/407.
> When disabling NCSA-AUTH in squid, we can play the videos without any
> problems.
>
<snip>

It's clear the flash player is making it's own background HTTP requests
and not sending credentials. This is a flash player problem.

You have a choice of putting up with it or letting the player through
your Squid without authentication. The headers you log show a few things
like User-Agent, source website and Content-Type you could match on to
identify its requests.

Either way, complain and let the players authors and the website authors
know about the problem. Maybe one day they will fix it.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.5
Received on Sun Jul 11 2010 - 06:49:34 MDT

This archive was generated by hypermail 2.2.0 : Sun Jul 11 2010 - 12:00:03 MDT