Hi all Browsing the Internet is only permitted after athenticating (NTLM w/ ADS). This will run undetected by most users since this part is done by the client. After upgrading our system to debian Etch (squid=2.6.5-6, winbind=3.0.24-6etch4, samba=3.0.24-6etch4) we started having some problems (I'll use separate mails for each problem). When our users try to connect to https://keylink.ubs.com/keylink.ubs.com/client/int/startklw.html they will not be able to use this service. In the log of the proxy I have this line: 1182327931.205 0 x.y.z.a TCP_DENIED/400 1614 NONE \ error:unsupported-request-method - NONE/- text/html Digging a little bit deeper with a sniffer I found that the header line CONNECT is missing. The older squid version (2.5.12-4) seemed to ignore this. The workaround to keep the users doing their jobs was to grant access to ksylink.ubs.com without userauthentication. But what's the clean way to solve this? acl AuthorizedUsers proxy_auth REQUIRED acl SSL_ports port 443 acl Safe_ports port 80 8080 443 acl CONNECT method CONNECT acl our_networks src 10.0.0.0/255.0.0.0 172.16.0.0/255.240.0.0 192.168.0.0/255.255.0.0 ... http_access allow our_networks AuthorizedUsers Safe_ports http_access allow our_networks AuthorizedUsers CONNECT SSL_ports ... auth_param ntlm program /usr/bin/ntlm_auth \ --helper-protocol=squid-2.5-ntlmssp \ --require-membership-of=S-.... auth_param ntlm children 60 auth_param ntlm keep_alive on ... auth_param basic program /usr/bin/ntlm_auth \ --helper-protocol=squid-2.5-basic \ --require-membership-of=S-..... auth_param basic children 10 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours Best regards Jörg
