Hello We have a squid proxy (Squid Cache: Version 2.5.STABLE9) on a Linux server (Linux hostname_of_server 2.4.19 #1 Fri Oct 4 18:36:11 EDT 2002 sparc64 GNU/Linux) which uses NTLM and Basic authentication (in this order) for access control. Web browsing w/ IE or Mozilla runs without any problem. Unfortunately a few of our customers try to use java applets or java applications which try to connect to the internet to. The users are prompted for username, password and domain. This means that NTLM scheme is used. This window appears again and again. The logfile of squid reports only 407 errors, but the credentials are correct. To find out what's wrong I sniffed the network connection. The only thing which looked strange to me was that the Java application doesn't send "Proxy-Connection: Keep-Alive". Other applications/browsers send this header information. Any ideas how to convice java to send this header or to reconfigure squid to be able to auth java applications. -- cat squid.conf -- http_port 1.2.3.4:3128 icp_port 0 hierarchy_stoplist cgi-bin ? acl all src 0.0.0.0/0.0.0.0 no_cache deny all cache_store_log none hosts_file /etc/hosts auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-1-11-1111111111-111111111-111111111-11111 auth_param ntlm children 30 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-1-11-1111111111-111111111-111111111-11111 auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours request_body_max_size 10 MB refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 acl AuthorizedUsers proxy_auth REQUIRED acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl SSL_ports port 443 # https, snews acl Safe_ports port 80 8080 443 21 # http acl purge method PURGE acl CONNECT method CONNECT acl our_networks src 10.0.0.0/255.0.0.0 172.16.0.0/255.240.0.0 192.168.0.0/255.255.0.0 acl self dst 1.2.3.4/255.255.255.255 acl deny_dst dst "/etc/squid/squid_acl.deny_dst" acl deny_dstdomain dstdomain "/etc/squid/squid_acl.deny_dstdomain" acl deny_url_regex url_regex -i "/etc/squid/squid_acl.deny_url_regex" acl allow_dst dst "/etc/squid/squid_acl.allow_dst" acl allow_dstdomain dstdomain "/etc/squid/squid_acl.allow_dstdomain" acl allow_dstdomain_kiosk dstdomain "/etc/squid/squid_acl.allow_dstdomain_kiosk" acl allow_dstdom_regex dstdom_regex -i "/etc/squid/squid_acl.allow_dstdom_regex" acl allow_dstdom_regex_kiosk dstdom_regex -i "/etc/squid/squid_acl.allow_dstdom_regex_kiosk" acl allow_dst_url_regex url_regex -i "/etc/squid/squid_acl.allow_dst_url_regex" acl allow_src src "/etc/squid/squid_acl.allow_src" acl kiosk src .... ... http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow all allow_dst http_access allow all allow_dstdomain http_access allow all allow_dstdom_regex http_access allow all allow_dst_url_regex http_access allow localhost http_access allow allow_src http_access allow hsyvm01 ftp_nai http_access allow allow_src_elster allow_dst_elster_url_regex http_access allow wlse access-cisco http_access deny all deny_url_regex http_access deny all deny_dst http_access deny all deny_dstdomain http_access deny kiosk http_access allow our_networks AuthorizedUsers Safe_ports http_access allow our_networks AuthorizedUsers CONNECT SSL_ports http_access deny all http_reply_access allow all icp_access allow all cache_mgr xyz@xxxxxx forwarded_for off client_db off offline_mode on coredump_dir /var/spool/squid pipeline_prefetch on --- end of cat --- regards Jörg Schütter -- Global IT-Security & Mobility Heraeus infosystems GmbH Heraeusstr. 12-14 D-63450 Hanau Phone: +49 (0) 61 81 / 35 - 53 76 Fax: +49 (0) 61 81 / 35 16 - 53 76 E-Mail: joerg.schuetter@xxxxxxxxxxx
