Re: [squid-users] Issue with proxy auth with facebook

From: Simon Dwyer <mail_at_simmyd.net>
Date: Thu, 12 Apr 2012 11:06:36 +1000

On Thu, 2012-04-12 at 12:41 +1200, Amos Jeffries wrote:
> On 12.04.2012 11:37, Simon Dwyer wrote:
> > Hi All,
> >
> > I have setup squid to authenticate with NTLM then BASIC with the
> > ntlm_auth program.
> >
> > I believe that it is all working fine for most users but for an
> > example
> > my linux desktop with firefox i get prompted for my crendentials
> > (thats
> > fine) but when i go to https://www.facebook.com or pages that link to
> > it
> > i keep getting prompted for my password.
> >
> > the access.log shows this
> >
> > 1334186696.459 2 10.37.0.1 TCP_DENIED/407 4028 CONNECT
> > www.facebook.com:443 - NONE/- text/html
> > 1334186696.463 3 10.37.0.1 TCP_DENIED/407 4028 CONNECT
> > www.facebook.com:443 - NONE/- text/html
> > 1334186696.465 3 10.37.0.1 TCP_DENIED/407 4028 CONNECT
> > www.facebook.com:443 - NONE/- text/html
> >
> > and my browser doesnt seem to present the credentals properly. Sites
> > like https://www.westpac.com.au seems to work perfectly.
> >
> > I am now running firefox 11.
> >
> > Where would be the first place to start looking?
>
> Firefox bug reports possibly. I've been hearing strange things about
> trouble with its NTLM support recently.
>
> Also, with your Squid version. NTLM on CONNECT requests was only fixed
> recently, meaning older 3.1 and previous series do not support NTLM well
> on those requests.

Yes i have come to a conclusion that this is probably a bug with
firefox. I am moving our authentication to kerberos and basic which
will hopfully get around using NTLM too much *touch wood*
>
>
> Some unrelated hints about config optimization below...
>
> >
> >
> > Simon
> >
> > Config following
> >
> > [root_at_proxy1 ~]# cat /etc/squid/squid.conf
> > #
> > # Recommended minimum configuration:
> > #
> > cache_dir aufs /var/spool/squid 16384 32 512
> >
> > cache_mem 1024 MB
> > http_port 8080
> > snmp_port 3401
> > visible_hostname proxy1.mulawa.internal
> > acl snmppublic snmp_community ng-community-ro
> > snmp_access allow snmppublic
> > snmp_incoming_address 0.0.0.0
> > snmp_outgoing_address 255.255.255.255
> > ignore_expect_100 on
> >
> > auth_param ntlm program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 30
> >
> > auth_param basic program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-basic
> > auth_param basic children 30
> > auth_param basic realm TSG proxy-caching web server
> > auth_param basic credentialsttl 8 hours
> >
> >
> > url_rewrite_program /usr/local/bin/squidGuard
> > -c /usr/local/squidGuard/squidGuard.conf
> > url_rewrite_children 30
> >
> > acl BrownhouseIT src 10.37.0.0/24
> > acl GTALK_ports port 443 5222 5050 5223
> > acl GTALK_hosts dstdomain talk.google.com www.google.com
> > acl GTALK_domains dstdomain .l.google.com
> > acl GTALK_methods method CONNECT
> >
> > acl SSL_ports port 443
> > acl SSL_ports port 5222
> > acl SSL_ports port 5223
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> >
> > acl CONNECT method CONNECT
> > acl AuthorizedUsers proxy_auth REQUIRED
> > acl UnauthorizedDomains url_regex microsoft.com
> > acl UnauthorizedDomains url_regex verisign.com
> > acl UnauthorizedDomains url_regex thawte.com
> > acl UnauthorizedDomains url_regex crl.usertrust.com
>
> NP: These are all better tested as dstdomain. Use the wildcard '.'
> prefix like you do for .l.google.com.
Thanks will do

>
>
> > acl UnauthorizedServers src 10.20.0.77
> > acl UnauthorizedServers src 10.20.0.70
> > acl UnauthorizedServers src 10.20.0.191
> >
> > acl oem-gc-host src 10.20.0.144
> > acl oem-gc-domain url_regex linux-update.oracle.com
>
> NP: another best tested as dstdomain.
Thanks
>
> >
> >
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow BrownhouseIT GTALK_methods GTALK_ports GTALK_hosts
> > http_access allow BrownhouseIT GTALK_methods GTALK_ports
> > GTALK_domains
>
> Optimization:
>
> GTALK_hosts and GTALK_domains are both dstdomain type. You can
> collapse these together and remove most of the ACL tests per request to
> *.l.google.com servers.

Thanks will do.
>
> > http_access allow UnauthorizedServers
>
> Optimization:
>
> adding these IPs to the firewall to reject connections they make
> inbound to the proxy allows you to drop this ACL policy.

The point of this was to allow these servers through without having to
authenticate due to them running software that was written by people who
dont know what a proxy is.

>
> > http_access allow UnauthorizedDomains
> > http_access allow oem-gc-host oem-gc-domain
> > http_access deny !AuthorizedUsers
> > http_access allow AuthorizedUsers
> > http_access deny all
>
>
> Amos
Received on Thu Apr 12 2012 - 01:06:47 MDT

This archive was generated by hypermail 2.2.0 : Thu Apr 12 2012 - 12:00:03 MDT