Re: [squid-users] NTLM not working with HTTPS pages

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 21 Apr 2012 11:58:29 +1200

On 21/04/2012 4:01 a.m., Wladner Klimach wrote:
> Amos,
>
> what could be causing this? When I disable NTLM authentication or when
> I use Kerberos all access goes just fine, but when only NTLM is enabled I
> can't get access to https pages and I get in the logs TCP_DENIED/407.
> How can I debug it?

You need to locate and identify what request headers are being denied.

The easiest way with 3.1 is a packet dump with full packet bodies
("tcpdump -s0 ..."). Then base-64 decode the www-authenticate headers
from the client and check the type codes. NTLM has "NTLMSSPI" then a
binary type number 1, 2 or 3.

The NTLM flow should be:

  client: makes request (no auth)
  Squid: emits 407 with NTLM advertised as available
  squid: [optionally closes the connection (due to "auth_param ntlm
keep-alive off" hack)]
  client: repeat request with type-1 NTLM proxy-auth header
  squid: 407 with type-2 NTLM proxy-auth header
  client: repeat request with type-3 NTLM proxy-auth header
  squid: HTTP response
  client: [optionally make other requests with type-3 NTLM proxy-auth
header]
  connection closes.

If you find connections opening and starting immediately with a type-3
token, that is Kerberos or broken NTLM from the client.

Amos

>
> regards
>
> 2012/4/20 Amos Jeffries <squid3_at_treenet.co.nz>:
>> On 21/04/2012 1:15 a.m., Harry Mills wrote:
>>> Hi Wladner,
>>>
>>> I don't think this is causing your problems, but I think you need to
>>> change the following:
>>>
>>> Instead of:
>>>
>>> http_access deny CONNECT !Safe_ports
>>>
>>> try:
>>>
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>>
>>> Also, on the last two lines of your included config you have:
>>>
>>> acl AUTENTICADO proxy_auth REQUIRED
>>> http_access allow AUTENTICADO
>>
>> This is one of several correct proxy-auth configurations.
>>
>>
>>> I simply have:
>>>
>>> http_access allow proxy_auth
>>>
>>> I have no idea if this will help, but worth giving it a try perhaps?
>>
>> ?? for that to work you require this somewhere above your http_access rule
>> ...
>>
>> acl proxy_auth proxy_auth REQUIRED
>>
>> or some other definition for an ACL *label* "proxy_auth".
>>
>> Amos
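The decoding step Amos describes above (base64-decode the proxy-auth headers
from the dump, check the NTLMSSP signature and the type number, and see
whether the connection opens with a type-1 or jumps straight to a type-3),
as an added example that is not part of the original thread or of Squid
itself. It works on header lines already extracted from a "tcpdump -s0"
capture; the sample connections below are constructed inline, and the
NTLM messages they carry are minimal (signature, type, filler), which is all
the check needs. The names are my own, not Squid's.

```python
import base64
import struct

# Every NTLMSSP message starts with this 8-byte signature, followed by a
# little-endian uint32 message type: 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPE_NAMES = {1: "type-1 (NEGOTIATE)", 2: "type-2 (CHALLENGE)", 3: "type-3 (AUTHENTICATE)"}


def build_ntlm_message(msg_type, payload=b""):
    """Construct a minimal NTLMSSP message (signature + type + opaque filler).
    Used only to build the constructed sample below; real tokens carry more fields."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + payload


def classify_token(b64_token):
    """Base64-decode one auth token and say what it is."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid base64"
    if raw.startswith(NTLMSSP_SIGNATURE):
        if len(raw) < 12:
            return "truncated NTLM"
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return NTLM_TYPE_NAMES.get(msg_type, "NTLM unknown type %d" % msg_type)
    if raw[:1] == b"\x60":  # ASN.1 [APPLICATION 0]: GSS-API InitialContextToken (SPNEGO/Kerberos)
        return "GSS-API/SPNEGO token (not NTLM)"
    return "unrecognised token"


def classify_header(line):
    """Parse one 'Proxy-Authorization: NTLM <b64>' (client) or
    'Proxy-Authenticate: NTLM [<b64>]' (Squid) header line into (side, scheme, description)."""
    name, _, value = line.partition(":")
    scheme, _, token = value.strip().partition(" ")
    side = "client" if name.strip().lower() == "proxy-authorization" else "squid"
    if not token.strip():
        return side, scheme, "advertised only (no token)"
    return side, scheme, classify_token(token.strip())


def analyse_connection(header_lines):
    """Return (steps, verdict) for the auth headers of one TCP connection, in wire order.
    The verdict applies Amos's rule: a healthy connection starts with a type-1 token;
    one that opens with a type-3 token is Kerberos or a broken NTLM client."""
    steps = [classify_header(line) for line in header_lines]
    client_tokens = [desc for side, _, desc in steps if side == "client" and "advertised" not in desc]
    if not client_tokens:
        verdict = "client never sent a token"
    elif client_tokens[0].startswith("type-1"):
        verdict = "normal NTLM handshake start"
    elif client_tokens[0].startswith("type-3"):
        verdict = "connection opened with type-3: Kerberos or broken NTLM from the client"
    else:
        verdict = "unexpected first token: " + client_tokens[0]
    return steps, verdict


def _b64(msg):
    return base64.b64encode(msg).decode()


# Constructed sample: the headers a healthy handshake carries, in order.
GOOD_CONNECTION = [
    "Proxy-Authenticate: NTLM",
    "Proxy-Authorization: NTLM " + _b64(build_ntlm_message(1, b"\x07\x82\x08\xa2")),
    "Proxy-Authenticate: NTLM " + _b64(build_ntlm_message(2, b"\x00" * 20)),
    "Proxy-Authorization: NTLM " + _b64(build_ntlm_message(3, b"\x00" * 40)),
]

# Constructed sample: a connection whose first client token is already type-3.
BROKEN_CONNECTION = [
    "Proxy-Authorization: NTLM " + _b64(build_ntlm_message(3, b"\x00" * 40)),
]

if __name__ == "__main__":
    for label, conn in (("good", GOOD_CONNECTION), ("broken", BROKEN_CONNECTION)):
        steps, verdict = analyse_connection(conn)
        print(label)
        for side, scheme, desc in steps:
            print("  %-6s %-5s %s" % (side, scheme, desc))
        print("  verdict:", verdict)
```

Feed it the Proxy-Authorization / Proxy-Authenticate lines of one connection
at a time (grouped by client port from the dump); a type-2 appearing on a
connection that never carried a type-1, or a type-3 arriving on a fresh
connection, is the pattern to look for.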
Received on Fri Apr 20 2012 - 23:58:37 MDT

This archive was generated by hypermail 2.2.0 : Sat Apr 21 2012 - 12:00:04 MDT