On 12.04.2012 11:37, Simon Dwyer wrote:
> Hi All,
>
> I have setup squid to authenticate with NTLM then BASIC with the
> ntlm_auth program.
>
> I believe that it is all working fine for most users but for an
> example
> my linux desktop with firefox i get prompted for my crendentials
> (thats
> fine) but when i go to https://www.facebook.com or pages that link to
> it
> i keep getting prompted for my password.
>
> the access.log shows this
>
> 1334186696.459 2 10.37.0.1 TCP_DENIED/407 4028 CONNECT
> www.facebook.com:443 - NONE/- text/html
> 1334186696.463 3 10.37.0.1 TCP_DENIED/407 4028 CONNECT
> www.facebook.com:443 - NONE/- text/html
> 1334186696.465 3 10.37.0.1 TCP_DENIED/407 4028 CONNECT
> www.facebook.com:443 - NONE/- text/html
>
> and my browser doesnt seem to present the credentals properly. Sites
> like https://www.westpac.com.au seems to work perfectly.
>
> I am now running firefox 11.
>
> Where would be the first place to start looking?
Firefox bug reports possibly. I've been hearing strange things about
trouble with its NTLM support recently.
Also, with your Squid version. NTLM on CONNECT requests was only fixed
recently, meaning older 3.1 and previous series do not support NTLM well
on those requests.
Some unrelated hints about config optimization below...
>
>
> Simon
>
> Config following
>
> [root_at_proxy1 ~]# cat /etc/squid/squid.conf
> #
> # Recommended minimum configuration:
> #
> cache_dir aufs /var/spool/squid 16384 32 512
>
> cache_mem 1024 MB
> http_port 8080
> snmp_port 3401
> visible_hostname proxy1.mulawa.internal
> acl snmppublic snmp_community ng-community-ro
> snmp_access allow snmppublic
> snmp_incoming_address 0.0.0.0
> snmp_outgoing_address 255.255.255.255
> ignore_expect_100 on
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
>
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 30
> auth_param basic realm TSG proxy-caching web server
> auth_param basic credentialsttl 8 hours
>
>
> url_rewrite_program /usr/local/bin/squidGuard
> -c /usr/local/squidGuard/squidGuard.conf
> url_rewrite_children 30
>
> acl BrownhouseIT src 10.37.0.0/24
> acl GTALK_ports port 443 5222 5050 5223
> acl GTALK_hosts dstdomain talk.google.com www.google.com
> acl GTALK_domains dstdomain .l.google.com
> acl GTALK_methods method CONNECT
>
> acl SSL_ports port 443
> acl SSL_ports port 5222
> acl SSL_ports port 5223
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> acl CONNECT method CONNECT
> acl AuthorizedUsers proxy_auth REQUIRED
> acl UnauthorizedDomains url_regex microsoft.com
> acl UnauthorizedDomains url_regex verisign.com
> acl UnauthorizedDomains url_regex thawte.com
> acl UnauthorizedDomains url_regex crl.usertrust.com
NP: These are all better tested as dstdomain. Use the wildcard '.'
prefix like you do for .l.google.com.
> acl UnauthorizedServers src 10.20.0.77
> acl UnauthorizedServers src 10.20.0.70
> acl UnauthorizedServers src 10.20.0.191
>
> acl oem-gc-host src 10.20.0.144
> acl oem-gc-domain url_regex linux-update.oracle.com
NP: another best tested as dstdomain.
>
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow BrownhouseIT GTALK_methods GTALK_ports GTALK_hosts
> http_access allow BrownhouseIT GTALK_methods GTALK_ports
> GTALK_domains
Optimization:
GTALK_hosts and GTALK_domains are both dstdomain type. You can
collapse these together and remove most of the ACL tests per request to
*.l.google.com servers.
> http_access allow UnauthorizedServers
Optimization:
adding these IPs to the firewall to reject connections they make
inbound to the proxy allows you to drop this ACL policy.
> http_access allow UnauthorizedDomains
> http_access allow oem-gc-host oem-gc-domain
> http_access deny !AuthorizedUsers
> http_access allow AuthorizedUsers
> http_access deny all
Amos
Received on Thu Apr 12 2012 - 00:41:09 MDT
This archive was generated by hypermail 2.2.0 : Thu Apr 12 2012 - 12:00:03 MDT