Re: [squid-users] NTLM auth and ContentLength = 0

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 11 Aug 2011 00:54:43 +1200

On 11/08/11 00:04, Christian Gregoire wrote:
> Hello,
>
> I use Squid 3.1.9 + ICAP + ClamAV with NTLM authentication on a CentOS box. It
> works pretty well, except in one particular case.
>
> Here, the HTTP client is a third-party software on Windows, not a standard
> navigator, which makes a few HTTP requests when it is launched.
>
> Most of the requests show the NTLM challenge/response steps correctly, but not
> the last one which is denied by the Squid service. The only special thing I can
> see is that the content length of that request is set to zero (see the traces
> and the headers below).

Maybe. I recall some talk about 0-length POST a while back. But there
have been no patches related to it submitted yet.

I also notice that the failed attempt has a much longer blob tag than
the successful one.

Check cache.log for any mentions of problems. Perhaps enable debugging
with -d on the helper to see if there is an issue with the validation.

>
> Please note: if NTLM auth is disabled on the Squid server, it works fine.
>
>
> 1312956350.701 0 10.1.100.5 TCP_DENIED/407 3837 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
> text/html
> 1312956350.702 0 10.1.100.5 TCP_DENIED/407 4219 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
> text/html
> 1312956351.543 841 10.1.100.5 TCP_MISS/200 721 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet
> expinet.colissimo DIRECT/84.37.93.36 text/xml
> 1312956351.559 0 10.1.100.5 TCP_DENIED/407 3837 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
> text/html
> 1312956351.560 0 10.1.100.5 TCP_DENIED/407 4219 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
> text/html
> 1312956352.390 830 10.1.100.5 TCP_MISS/200 720 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet
> expinet.colissimo DIRECT/84.37.93.36 text/xml
> 1312956352.407 0 10.1.100.5 TCP_DENIED/407 3837 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
> text/html
> 1312956352.408 0 10.1.100.5 TCP_DENIED/407 4219 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
> text/html
> 1312956353.281 873 10.1.100.5 TCP_MISS/200 716 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet
> expinet.colissimo DIRECT/84.37.93.36 text/xml
> 1312956353.296 0 10.1.100.5 TCP_DENIED/407 3837 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
> text/html
> 1312956353.298 0 10.1.100.5 TCP_DENIED/407 4219 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
> text/html
> 1312956354.165 868 10.1.100.5 TCP_MISS/200 715 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet
> expinet.colissimo DIRECT/84.37.93.36 text/xml
> 1312956354.189 0 10.1.100.5 TCP_DENIED/407 3845 POST
> http://www.colis-logistique.com/expeditor/updateApplication/servlet - NONE/-
> text/html
> 1312956354.190 0 10.1.100.5 TCP_DENIED/407 4227 POST
> http://www.colis-logistique.com/expeditor/updateApplication/servlet - NONE/-
> text/html
> 1312956355.005 814 10.1.100.5 TCP_MISS/200 719 POST
> http://www.colis-logistique.com/expeditor/updateApplication/servlet
> expinet.colissimo DIRECT/84.37.93.36 text/xml
> 1312956355.016 0 10.1.100.5 TCP_DENIED/407 3773 GET
> http://www.colis-logistique.com/updatesite? - NONE/- text/html
> 1312956355.017 0 10.1.100.5 TCP_DENIED/407 4155 GET
> http://www.colis-logistique.com/updatesite? - NONE/- text/html
> 1312956355.579 561 10.1.100.5 TCP_MISS/200 765 GET
> http://www.colis-logistique.com/updatesite? expinet.colissimo DIRECT/84.37.93.36
> APPLICATION/OCTET-STREAM
> 1312956356.570 430 10.1.100.5 TCP_MISS/200 4599 POST
> http://www.colis-logistique.com/expeditor/updateaccount/servlet
> expinet.colissimo DIRECT/84.37.93.36 text/xml
> 1312956357.437 769 10.1.100.5 TCP_MISS/200 720 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet
> expinet.colissimo DIRECT/84.37.93.36 text/xml
> 1312956357.452 0 10.1.100.5 TCP_DENIED/407 3837 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
> text/html
> 1312956357.454 0 10.1.100.5 TCP_DENIED/407 4219 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
> text/html
> 1312956358.267 814 10.1.100.5 TCP_MISS/200 715 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet
> expinet.colissimo DIRECT/84.37.93.36 text/xml
> 1312956359.448 0 10.1.100.5 TCP_DENIED/407 3835 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
> text/html<---- STEP 1
> 1312956359.449 0 10.1.100.5 TCP_DENIED/407 4217 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
> text/html<---- STEP 2
> 1312956359.451 0 10.1.100.5 TCP_DENIED/407 4193 POST
> http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
> text/html<---- STILL DENIED !!!!!!
>
> ------------------- Headers of the HTTP session for the denied request :
>
> POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> User-Agent: TELINTRANSCOM
> Host: www.colis-logistique.com
> Content-Length: 0
> Pragma: no-cache
>
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/3.1.9
> Mime-Version: 1.0
> Date: Wed, 10 Aug 2011 11:41:16 GMT
> Content-Type: text/html
> Content-Length: 3469
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Vary: Accept-Language
> Content-Language: en
> Proxy-Authenticate: NTLM
> X-Cache: MISS from fw-master
> Via: 1.0 fw-master (squid/3.1.9)
> Connection: close
>
> POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> User-Agent: TELINTRANSCOM
> Host: www.colis-logistique.com
> Content-Length: 0
> Pragma: no-cache
> Proxy-Connection: Keep-Alive
> Proxy-Authorization: NTLM
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==
>

What application is this? There are two bugs in those headers that need
reporting. Not related to your NTLM problems though.
  "TELINTRANSCOM" appears to be a company name rather than a software
product name so I have no way to contact them myself to do it.

  * Pragma: no-cache only works (sometimes) for HTTP/1.0 software, and
should not be sent without a matching Cache-Control: no-cache for
HTTP/1.1 software.

  * Proxy-Connection: is not a correct header. It should be just Connection:

> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/3.1.9
> Mime-Version: 1.0
> Date: Wed, 10 Aug 2011 11:41:16 GMT
> Content-Type: text/html
> Content-Length: 3605
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Vary: Accept-Language
> Content-Language: en
> Proxy-Authenticate: NTLM
> TlRMTVNTUAACAAAADAAMADAAAAAFgomifYF1+R0dG4gAAAAAAAAAAHYAdgA8AAAAUABJAEMASABPAE4AAgAMAFAASQBDAEgATwBOAAEAEgBGAFcALQBNAEEAUwBUAEUAUgAEABgAcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAwAsAGYAdwAtAG0AYQBzAHQAZQByAC4AcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAAAAAA==
>
> X-Cache: MISS from fw-master
> Via: 1.0 fw-master (squid/3.1.9)
> Connection: keep-alive
>
> POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> User-Agent: TELINTRANSCOM
> Host: www.colis-logistique.com
> Content-Length: 0
> Pragma: no-cache
> Proxy-Connection: Keep-Alive
> Proxy-Authorization: NTLM
> TlRMTVNTUAADAAAAGAAYAKIAAAAYABgAugAAAAwADABIAAAARgBGAFQAAAAIAAgAmgAAAAAAAADSAAAABYKIogUCzg4AAAAPUABJAEMASABPAE4AZQB4AHAAaQBuAGUAdAAuAGMAbwBsAGkAcwBzAGkAbQBvACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFQAUwBFADEAFnMeVH6eNxAAAAAAAAAAAAAAAAAAAAAAEueFV9XBLGkb2/4/sGwqnNiuOXFXC5lA
>
>
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/3.1.9
> Mime-Version: 1.0
> Date: Wed, 10 Aug 2011 11:41:16 GMT
> Content-Type: text/html
> Content-Length: 3829
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Vary: Accept-Language
> Content-Language: en
> Proxy-Authenticate: NTLM
> X-Cache: MISS from fw-master
> Via: 1.0 fw-master (squid/3.1.9)
> Connection: close
>
> ------------------- Headers for an accepted one :
>
> POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> User-Agent: TELINTRANSCOM
> Host: www.colis-logistique.com
> Content-Length: 587
> Pragma: no-cache
>
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/3.1.9
> Mime-Version: 1.0
> Date: Wed, 10 Aug 2011 11:40:40 GMT
> Content-Type: text/html
> Content-Length: 3471
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Vary: Accept-Language
> Content-Language: en
> Proxy-Authenticate: NTLM
> X-Cache: MISS from fw-master
> Via: 1.0 fw-master (squid/3.1.9)
> Connection: close
>
> POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> User-Agent: TELINTRANSCOM
> Host: www.colis-logistique.com
> Content-Length: 587
> Pragma: no-cache
> Proxy-Connection: Keep-Alive
> Proxy-Authorization: NTLM
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==
>
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/3.1.9
> Mime-Version: 1.0
> Date: Wed, 10 Aug 2011 11:40:40 GMT
> Content-Type: text/html
> Content-Length: 3607
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Vary: Accept-Language
> Content-Language: en
> Proxy-Authenticate: NTLM
> TlRMTVNTUAACAAAADAAMADAAAAAFgomiNP/Vxjp4/tAAAAAAAAAAAHYAdgA8AAAAUABJAEMASABPAE4AAgAMAFAASQBDAEgATwBOAAEAEgBGAFcALQBNAEEAUwBUAEUAUgAEABgAcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAwAsAGYAdwAtAG0AYQBzAHQAZQByAC4AcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAAAAAA==
>
> X-Cache: MISS from fw-master
> Via: 1.0 fw-master (squid/3.1.9)
> Connection: keep-alive
>
> POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
> Content-Type: application/x-www-form-urlencoded
> User-Agent: TELINTRANSCOM
> Host: www.colis-logistique.com
> Content-Length: 587
> Pragma: no-cache
> Proxy-Connection: Keep-Alive
> Proxy-Authorization: NTLM
> TlRMTVNTUAADAAAAGAAYAH4AAAAYABgAlgAAAAwADABIAAAAIgAiAFQAAAAIAAgAdgAAAAAAAACuAAAABYKIogUCzg4AAAAPUABJAEMASABPAE4AZQB4AHAAaQBuAGUAdAAuAGMAbwBsAGkAcwBzAGkAbQBvAFQAUwBFADEAuyOcnxnMyogAAAAAAAAAAAAAAAAAAAAAGvDfkb4KZM8Lkgec9ot0QL5qpUrN+xaa
>
>
> HTTP/1.0 200 OK
> Date: Wed, 10 Aug 2011 11:34:59 GMT
> Server: Apache
> Vary: User-Agent
> Content-Type: text/xml
> X-Cache: MISS from fw-master
> Via: ICAP/1.0 fw-master.domain.local (C-ICAP/0.1.3 SquidClamav/Antivirus service
> ), 1.0 fw-master (squid/3.1.9)
> Connection: close
>
> ------------------- Squid configuration file :
>
> http_port 3129
> cache_access_log /servers/squid/logs/access.log
> cache_store_log /servers/squid/logs/store.log
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service service_req reqmod_precache bypass=1
> icap://127.0.0.1:1344/squidclamav
> adaptation_access service_req allow all
> icap_service service_resp respmod_precache bypass=1
> icap://127.0.0.1:1344/squidclamav
> adaptation_access service_resp allow all
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> external_acl_type GroupeInternet %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>
> acl AccesInternetOK external GroupeInternet gg_internet
> acl CONNECT method CONNECT
>
> http_access allow CONNECT

Sigh. Your proxy has no security. NTLM is an illusion.

Try this:
   squidclient -P request.txt -m CONNECT google.com:80

Where request.txt contains:
"
GET / HTTP/1.1
Host: google.com

"
Poof. No login.

This is why Safe_ports and SSL_Ports exist. Please use them.

> http_access allow AccesInternetOK
> http_access deny all
>
>
>
> Any idea ?
>
> Christian

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.10
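
Added example, not part of the original message: the reply notes that the denied request's Type 3 blob is much longer than the accepted one, and this parser decodes both blobs quoted above to show which field accounts for it. It assumes the standard NTLMSSP Type 3 layout (security buffers at fixed positions); the names `parse_type3` and `differing_fields` are made up for this illustration, and the blobs are cut after the workstation field because the response bytes are not needed.

```python
import base64
import struct

# Type 3 blobs from the two traces above, cut after the workstation field
# (the 48 bytes of LM/NT response that follow are not needed for this check).
DENIED = "TlRMTVNTUAADAAAAGAAYAKIAAAAYABgAugAAAAwADABIAAAARgBGAFQAAAAIAAgAmgAAAAAAAADSAAAABYKIogUCzg4AAAAPUABJAEMASABPAE4AZQB4AHAAaQBuAGUAdAAuAGMAbwBsAGkAcwBzAGkAbQBvACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFQAUwBFADEA"
ACCEPTED = "TlRMTVNTUAADAAAAGAAYAH4AAAAYABgAlgAAAAwADABIAAAAIgAiAFQAAAAIAAgAdgAAAAAAAACuAAAABYKIogUCzg4AAAAPUABJAEMASABPAE4AZQB4AHAAaQBuAGUAdAAuAGMAbwBsAGkAcwBzAGkAbQBvAFQAUwBFADEA"

# (name, position of the 8-byte security buffer) in a Type 3 message
BUFFERS = (("lm", 12), ("nt", 20), ("domain", 28), ("user", 36),
           ("workstation", 44), ("session_key", 52))
TEXT_FIELDS = ("domain", "user", "workstation")


def parse_type3(blob_b64):
    """Decode the text fields and the declared size of an NTLM Type 3 message."""
    raw = base64.b64decode(blob_b64, validate=True)
    if len(raw) < 64 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, = struct.unpack_from("<I", raw, 8)
    if msg_type != 3:
        raise ValueError("expected Type 3, got Type %d" % msg_type)
    flags, = struct.unpack_from("<I", raw, 60)
    # NEGOTIATE_UNICODE (bit 0) selects UTF-16LE; OEM text is read as latin-1 here
    codec = "utf-16-le" if flags & 0x1 else "latin-1"
    out, declared = {}, 0
    for name, pos in BUFFERS:
        length, _alloc, offset = struct.unpack_from("<HHI", raw, pos)
        declared = max(declared, offset + length)
        if name in TEXT_FIELDS:
            if offset + length > len(raw):
                raise ValueError("%s field runs past the end" % name)
            out[name] = raw[offset:offset + length].decode(codec)
    out["declared_size"] = declared  # full message size according to the header
    return out


def differing_fields(blob_a, blob_b):
    """Return {field: (value_a, value_b)} for every field that differs."""
    a, b = parse_type3(blob_a), parse_type3(blob_b)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for key, (bad, good) in differing_fields(DENIED, ACCEPTED).items():
        print("%-14s denied=%r accepted=%r" % (key, bad, good))
```

On these traces the declared sizes are 210 and 174 bytes, and the 36-byte difference is entirely the user field: the denied request carries the same account name followed by 18 trailing spaces.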
Received on Wed Aug 10 2011 - 12:54:49 MDT
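
Added example, not part of the original message and not Squid code: a small first-match model of `http_access` that contrasts the rule order quoted above with an order that applies Safe_ports and SSL_ports before the authenticated allow. The port lists are those of the stock squid.conf; the `decide` helper, the request dictionaries and the assumption that every authenticated user belongs to gg_internet are constructed for the illustration.

```python
# Simplified model of Squid's first-match http_access evaluation.
SSL_PORTS = {443}
SAFE_PORTS = {21, 70, 80, 210, 280, 443, 488, 591, 777}

# Assumption: any authenticated user is in gg_internet. Without credentials
# the AccesInternetOK ACL cannot match (real Squid answers 407 at that point).
ACLS = {
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
    "AccesInternetOK": lambda r: r["user"] is not None,
    "all": lambda r: True,
}

# Rule order from the configuration quoted in the message.
PAGE_ORDER = """
http_access allow CONNECT
http_access allow AccesInternetOK
http_access deny all
"""

# Port restrictions first, then the authenticated allow, then deny.
FIXED_ORDER = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow AccesInternetOK
http_access deny all
"""


def decide(rules, request):
    """Return (action, rule) for the first rule whose ACLs all match."""
    for line in rules.strip().splitlines():
        _, action, *names = line.split()
        # A leading "!" negates the ACL; all ACLs on a line must match (AND).
        if all(ACLS[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action, line
    return "deny", None  # not reached here: both rule sets end in "deny all"


if __name__ == "__main__":
    anonymous = {"method": "CONNECT", "port": 80, "user": None}
    logged_in = {"method": "CONNECT", "port": 443, "user": "alice"}  # constructed
    for label, rules in (("page order", PAGE_ORDER), ("fixed order", FIXED_ORDER)):
        print(label, "anonymous CONNECT :80 ->", decide(rules, anonymous))
        print(label, "authenticated CONNECT :443 ->", decide(rules, logged_in))
```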
