[squid-users] Issue with proxy auth with facebook

From: Simon Dwyer <mail_at_simmyd.net>
Date: Thu, 12 Apr 2012 09:37:23 +1000

Hi All,

I have setup squid to authenticate with NTLM then BASIC with the
ntlm_auth program.

I believe that it is all working fine for most users but for an example
my linux desktop with firefox i get prompted for my crendentials (thats
fine) but when i go to https://www.facebook.com or pages that link to it
i keep getting prompted for my password.

the access.log shows this

1334186696.459 2 10.37.0.1 TCP_DENIED/407 4028 CONNECT
www.facebook.com:443 - NONE/- text/html
1334186696.463 3 10.37.0.1 TCP_DENIED/407 4028 CONNECT
www.facebook.com:443 - NONE/- text/html
1334186696.465 3 10.37.0.1 TCP_DENIED/407 4028 CONNECT
www.facebook.com:443 - NONE/- text/html

and my browser doesnt seem to present the credentals properly. Sites
like https://www.westpac.com.au seems to work perfectly.

I am now running firefox 11.

Where would be the first place to start looking?

Simon

Config following

[root_at_proxy1 ~]# cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
cache_dir aufs /var/spool/squid 16384 32 512

cache_mem 1024 MB
http_port 8080
snmp_port 3401
visible_hostname proxy1.mulawa.internal
acl snmppublic snmp_community ng-community-ro
snmp_access allow snmppublic
snmp_incoming_address 0.0.0.0
snmp_outgoing_address 255.255.255.255
ignore_expect_100 on

auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30

auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 30
auth_param basic realm TSG proxy-caching web server
auth_param basic credentialsttl 8 hours

url_rewrite_program /usr/local/bin/squidGuard
-c /usr/local/squidGuard/squidGuard.conf
url_rewrite_children 30

acl BrownhouseIT src 10.37.0.0/24
acl GTALK_ports port 443 5222 5050 5223
acl GTALK_hosts dstdomain talk.google.com www.google.com
acl GTALK_domains dstdomain .l.google.com
acl GTALK_methods method CONNECT

acl SSL_ports port 443
acl SSL_ports port 5222
acl SSL_ports port 5223
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
acl UnauthorizedDomains url_regex microsoft.com
acl UnauthorizedDomains url_regex verisign.com
acl UnauthorizedDomains url_regex thawte.com
acl UnauthorizedDomains url_regex crl.usertrust.com
acl UnauthorizedServers src 10.20.0.77
acl UnauthorizedServers src 10.20.0.70
acl UnauthorizedServers src 10.20.0.191

acl oem-gc-host src 10.20.0.144
acl oem-gc-domain url_regex linux-update.oracle.com

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow BrownhouseIT GTALK_methods GTALK_ports GTALK_hosts
http_access allow BrownhouseIT GTALK_methods GTALK_ports GTALK_domains
http_access allow UnauthorizedServers
http_access allow UnauthorizedDomains
http_access allow oem-gc-host oem-gc-domain
http_access deny !AuthorizedUsers
http_access allow AuthorizedUsers
http_access deny all
Received on Wed Apr 11 2012 - 23:37:31 MDT

This archive was generated by hypermail 2.2.0 : Thu Apr 12 2012 - 12:00:03 MDT