[squid-users] strange behavior with https sites and ntlm/basic authentication

From: Bruno Santos <bvsantos_at_ulscb.min-saude.pt>
Date: Tue, 10 Jul 2012 10:59:23 +0100 (WEST)

Hi all!

I finally (sort of) managed to get Squid working with NTLM authentication. I now have it working as I want it, but there's a configuration change that I had to make, and the reason why keeps bugging me.

Everything was working fine until reaching https sites.

If I had both types of authentication enabled, NTLM and basic (for those under Linux or not using an NTLM-enabled browser):
--------
# NTLM authentication - Winbind - AD
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 300
auth_param ntlm keep_alive off

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 100
auth_param basic realm Por favor autentique-se!
auth_param basic credentialsttl 2 hours

acl ntlmAuth proxy_auth REQUIRED

--------------------

This configuration worked fine, but those with NTLM (Windows + IE / Firefox) were asked for authentication (that shouldn't happen). Those on Linux worked just fine (with an authentication dialog) and every site appeared as it should.

If I remove the basic authentication, those with Windows (IE and Firefox) are NOT asked for authentication and those using Linux are asked for authentication (everything fine here). Here is the problem:

Those using Linux can't access (most) https sites. It just gives:

 TCP_DENIED/407 3833 CONNECT twitter.com:443 - NONE/- text/html

And nothing happens...

So I decided to do an experiment.

In squid.conf, I changed:

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

to

http_access allow CONNECT SSL_ports

And suddenly all those https sites began working...

Well, my question is:

Is this correct? What would be happening with the other configuration? Is it safe?

I hope someone can shed some light on this matter.

Thank you all

-- 
Use Open Source Software
Human knowledge belongs to the world
Bruno Santos
bvsantos_at_ulscb.min-saude.pt
http://www.twitter.com/feiticeir0
Tel: +351 962 753 053
Divisão de Informática
informatica_at_ulscb.min-saude.pt
Tel: +351 272 000 155
Fax: +351 272 000 257
Unidade Local de Saúde de Castelo Branco, E.P.E.
geral_at_ulscb.min-saude.pt
Tel: +351 272 000 272
Fax: +351 272 000 257

Linux registered user #349448

LPIC-1 Certification
Received on Tue Jul 10 2012 - 10:00:04 MDT
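An added example, not part of Bruno's message or of any Squid project file, showing why the swapped CONNECT rule matters: Squid evaluates http_access lines top to bottom and stops at the first match, so an "allow CONNECT SSL_ports" placed above the proxy_auth rule grants a tunnel to port 443 before the ntlmAuth ACL is ever consulted. The rule positions, the SSL_ports/Safe_ports definitions and the localnet ACL are assumed from the stock squid.conf; the ntlmAuth ACL is the one from the message.

```conf
# ACLs (SSL_ports, Safe_ports and localnet assumed from the stock squid.conf,
# Safe_ports abbreviated; ntlmAuth is the ACL from the message)
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
acl localnet src 10.0.0.0/8
acl ntlmAuth proxy_auth REQUIRED

# Weak ordering (assumed placement of the experiment's replacement line).
# The allow is matched first for any CONNECT to 443, so the request is
# granted without authentication and the deny !ntlmAuth line below is
# never reached for it. The stock deny for CONNECT to non-SSL ports is
# gone as well, so CONNECT to 25 or 8080 now falls through to the
# authenticated allow instead of being refused outright.
http_access deny !Safe_ports
http_access allow CONNECT SSL_ports
http_access deny !ntlmAuth
http_access allow localnet ntlmAuth
http_access deny all

# Safer ordering: keep the stock CONNECT deny, then require authentication
# for every request, CONNECT included. An unauthenticated CONNECT gets the
# 407 challenge here, which is the TCP_DENIED/407 seen in the access.log.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !ntlmAuth
http_access allow localnet ntlmAuth
http_access deny all
```

With the safer ordering a client that cannot complete the NTLM handshake still gets TCP_DENIED/407 on CONNECT, so the thing to fix is the client's authentication path (a basic scheme for non-NTLM browsers, as in the first configuration), not the CONNECT rule.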

This archive was generated by hypermail 2.2.0 : Tue Jul 10 2012 - 12:00:02 MDT