Re: [squid-users] NTLM auth to remote server fails through squid

From: Amos Jeffries <>
Date: Tue, 17 Jul 2012 14:43:44 +1200

On 17.07.2012 07:35, Peter Olsson wrote:
> Hello!
> On Mon, Jul 16, 2012 at 09:03:00PM +0300, Eliezer Croitoru wrote:
>> On 7/16/2012 7:05 PM, Peter Olsson wrote:
>> > We're trying to connect to a remote server that
>> > requires authentication. This works fine when
>> > we place the browser client on the Internet, but
>> > when we place the browser client behind squid the
>> > authentication popup just returns without accepting
>> > the login.
>> can you please be more specific about the topology?
> My test setup is very easy. Just a single squid server
> in plain proxy mode, using two network interfaces.
> One interface towards Internet, the other running a
> private network.
> I have a single PC client connected to the private interface
> in the squid server. There is no connection from the private
> network to the Internet without passing through the squid proxy.
> The squid server is running, with the default
> squid.conf installed by the tarball. Only differences
> from default squid.conf are my added visible_hostname and
> changed http_port from 3128 to 80.

  visible_hostname defaults to the machine system hostname.
  port 80 is likely to have interference from any number of firewall,
IDS or other software digging its fingers into the traffic.

> There is no transparency or
> routing between interfaces configured in the squid server,
> just plain proxy from inside to outside.
> The external server I'm trying to reach is on the Internet.
> If I try to connect to this server through squid, I don't
> get authenticated. If I however move the PC client to the
> Internet, so it doesn't pass through squid, the authentication
> to the external server works fine.

There is a growing collection of known MS software which cannot handle
the HTTP/1.0<->HTTP1/.1 gateway nature of Squid-3.1 series. But this
should not be an issue with 3.2 series.

Please update to the latest beta though before doing more testing. is out and the latest snapshot has some relevant bug fixes.

3.2 would be best to test with since it provide a full HTTP header
trace at "debug_options 11,2". Those header trace will be the best
starting point to track this down.

Received on Tue Jul 17 2012 - 02:43:48 MDT

This archive was generated by hypermail 2.2.0 : Tue Jul 17 2012 - 12:00:02 MDT