On Sun, 8 May 2005, Dylan Carruthers wrote:
> We have squid running as a transparent proxy server that uses a redirector process to verify that the incoming IP is enrolled. This works fine but we're getting more and more (misconfigured) OWA servers that use http instead of https making the requests go through squid instead of being direct. I have had to increase the number of redirectors to 32 to cope with whatever the exchange gateways are doing but unless we actually get the user to by-pass the squid cache completely the user can kind-of login but is asked to re-login all the time until they are eventually denied.
This is fixed in Squid-2.5 to ensure the browser can not get fooled into what looks like a successful NTLM login.
> There are no errors in the cache or access logs (e.g. extension_methods problem) so I'm stumped!
It is not a proxy error, it is a protocol violation by Microsoft NTLM authentication not working with HTTP compliant proxies.
> Finally my real question: Is there a way to stop squid from being a proxy for certain addresses, such as an acl of acl to_exchange urlpath_regex /exchange
In transparent interception you have to configure blacklists at your interception point with a list of destination IP addresses known not to work with the proxy.
In normal proxying this is best done using a proxy pac script, where you can create a rule matching exactly what you say above.
Regards Henrik
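
The PAC rule described in the reply above, as an added example that is not part of the original message: requests whose path starts with /exchange go direct, everything else goes to Squid. The proxy address and the host in DIRECT_HOSTS are assumed placeholders, and the path match is anchored at the start of the path, which is stricter than the unanchored `urlpath_regex /exchange`.

```javascript
// Added example PAC file; PROXY and DIRECT_HOSTS are assumed placeholder values.
var PROXY = "PROXY proxy.example.net:3128"; // assumed Squid address

// Hosts known not to work through the proxy (constructed example entry).
var DIRECT_HOSTS = ["owa.example.org"];

// Return the path component of a URL, or "/" when there is none.
// Written with a plain regex so it does not depend on PAC helper functions.
function urlPath(url) {
  var m = /^[a-z][a-z0-9+.-]*:\/\/[^\/?#]*([^?#]*)/i.exec(url);
  return m && m[1] ? m[1] : "/";
}

// True when the path is /exchange or lies below it (case-insensitive).
// Anchoring avoids sending unrelated paths such as /exchangerates direct.
function isExchangePath(path) {
  return /^\/exchange(\/|$)/i.test(path);
}

// Standard PAC entry point, called by the browser for every request.
function FindProxyForURL(url, host) {
  // Host-based exceptions: the PAC counterpart of a destination blacklist.
  if (DIRECT_HOSTS.indexOf(host.toLowerCase()) !== -1) {
    return "DIRECT";
  }
  // Path-based exception for OWA reached over plain http.
  // Many browsers strip the path from https:// URLs before calling the PAC,
  // so this rule is only expected to fire for http:// requests.
  if (isExchangePath(urlPath(url))) {
    return "DIRECT";
  }
  return PROXY;
}
```

This only applies to clients configured to use the proxy through a PAC file; transparently intercepted traffic never consults it.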