
RE: problem accessing a certain website using 2.5.STABLEx

On Fri, 12 Aug 2005, Tay Teck Wee wrote:

> 1) But it would be most strange that squid on version
> 2.4 could serve up the pop-up auth box while version
> 2.5 cannot.

Not at all.

2.4 does not know about the HTTP breakage introduced by Microsoft in their NTLM & Negotiate authentication schemes, and will happily forward the messages as seen, resulting in total chaos after a while (including major security issues on the server).

2.5 knows both NTLM and Negotiate violate HTTP and can not be proxied in a good manner.

Newer versions of MSIE and IIS also know this and will automatically disable the use of NTLM and Negotiate when a proxy is detected.

This said, Microsoft some time ago documented a method whereby proxies can announce that they know how to proxy NTLM and Negotiate. This unofficial HTTP extension is not supported by Squid or likely to ever become an official part of the HTTP specifications.

NTLM and its successor Negotiate were never intended by Microsoft to be used outside a local LAN. The whole protocol is a quick hack to get the transparent authentication used for Windows file sharing with clients logged on to a domain also working for intranet access on the local LAN. Other uses of these authentication mechanisms are outside their intended scope.

> 2) Besides suggesting Basic authentication or Digest
> authentication for the web site, is there any
> workaround on squid side? This is because we are an
> ISP and have no control over the webserver concerned.

You could additionally try to convince the site owner that if the data is sensitive, requiring authentication, then perhaps it is also a good idea to protect the transfers by using https.

A "workaround" on the Squid side would be to have the Microsoft HTTP extension, including its delicate implications on HTTP connection management, implemented in Squid. The extension is found in the same Internet-Draft document documenting the Negotiate (Kerberos over HTTP) authentication scheme ("draft-jaganathan-kerberos-http-01", section "6. Security Considerations").

Regards
Henrik
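The distinction Henrik draws above, as an added example that is not part of the original thread and not Squid's code: NTLM and Negotiate authenticate the TCP connection rather than each request, so a proxy that shares server connections between clients cannot relay them safely, while Basic and Digest are self-contained per request. The code parses the standard WWW-Authenticate header of an origin server's 401 response and sorts the offered schemes accordingly; the sample headers are constructed.

```python
import re
from typing import List, Tuple

CONNECTION_ORIENTED = {"ntlm", "negotiate"}   # tied to the TCP connection
PER_REQUEST = {"basic", "digest"}             # self-contained per request

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM = re.compile(rf"^{_TOKEN}\s*=")         # segment like:  realm="x"
_SCHEME = re.compile(rf"^({_TOKEN})(?:\s|$)")  # segment like:  Basic realm="x"


def _split_outside_quotes(value: str) -> List[str]:
    """Split a header value on commas that are not inside quoted strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\" and quoted:
            buf.append(ch); escaped = True
        elif ch == '"':
            quoted = not quoted; buf.append(ch)
        elif ch == "," and not quoted:
            parts.append("".join(buf)); buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_challenges(headers: List[str]) -> List[str]:
    """Return lower-cased scheme names from WWW-Authenticate header values.

    A comma-separated segment whose first token is followed by '=' is a
    parameter of the current challenge (realm=, qop=, nonce=); any other
    segment (bare token, or token followed by params/token68) starts a new one.
    """
    schemes = []
    for value in headers:
        for seg in _split_outside_quotes(value):
            if _PARAM.match(seg):
                continue
            m = _SCHEME.match(seg)
            if m:
                schemes.append(m.group(1).lower())
    return schemes


def classify(headers: List[str]) -> Tuple[List[str], List[str]]:
    """Split offered schemes into (forwardable, connection_oriented)."""
    forwardable, blocked = [], []
    for s in parse_challenges(headers):
        (blocked if s in CONNECTION_ORIENTED else forwardable).append(s)
    return forwardable, blocked


# Constructed sample: a 401 from an IIS-style origin offering several schemes.
SAMPLE_401_HEADERS = [
    "Negotiate",
    "NTLM",
    'Digest realm="corp", qop="auth,auth-int", nonce="abc=="',
    'Basic realm="corp"',
]

if __name__ == "__main__":
    print(classify(SAMPLE_401_HEADERS))
```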
