On Tue, 26 Jun 2007 00:01:38 +0200
Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx> wrote:

> Mon 2007-06-25 at 17:47 +0200, Joerg Schuetter wrote:
>
> > Browsing the Internet is only permitted after authenticating (NTLM
> > w/ ADS). This will run undetected by most users since this part is
> > done by the client.
> > After upgrading our system to debian Etch (squid=2.6.5-6,
> > winbind=3.0.24-6etch4, samba=3.0.24-6etch4) we started having
> > some problems (I'll use separate mails for each problem).
> >
> > When our users try to connect to
> > https://keylink.ubs.com/keylink.ubs.com/client/int/startklw.html
> > they will not be able to use this service.
> > In the log of the proxy I have this line:
> > 1182327931.205 0 x.y.z.a TCP_DENIED/400 1614 NONE \
> > error:unsupported-request-method - NONE/- text/html
>
> What did cache.log say here?

parseHttpRequest: Unsupported method 'User-Agent:'
clientReadRequest: FD 116 (a.b.c.d:3568) Invalid Request

> > Digging a little bit deeper with a sniffer I found that the
> > header line CONNECT is missing. The older squid version
> > (2.5.12-4) seemed to ignore this.
>
> ???
>
> Can you provide a bit more details on that?

Here is the header from the client which caused the error:

User-Agent: Mozilla/4.0 (Windows 2003 5.2) Java/1.4.2_06
Host: keylink.ubs.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-authorization: NTLM ...

The request before looked like this and worked w/o any problem:

CONNECT keylink.ubs.com:443 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 2003 5.2) Java/1.4.2_06
Host: keylink.ubs.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-authorization: NTLM ...

> > The workaround to keep the users doing their jobs was to grant
> > access to ksylink.ubs.com without user authentication.
> > But what's the clean way to solve this?
>
> First I need to understand the problem on the wire level..
>
> But if authentication makes a difference and it worked in earlier
> Squid versions using NTLM then try "auth_param ntlm keep_alive off".
> This might work around some client brokenness.

I'll try disabling keep_alive after office hours.

Regards
Jörg
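
Added example (not from the original thread and not Squid code): a Python helper that counts the TCP_DENIED/400 error:unsupported-request-method entries per client in a Squid native-format access.log and checks whether a captured request begins with a request line or, as in the failing capture above, with a header. The log lines, the 192.0.2.x addresses, the example hostnames and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/status bytes method url ident hier/peer type
SAMPLE_LOG = """\
1182327931.205 0 192.0.2.10 TCP_DENIED/400 1614 NONE error:unsupported-request-method - NONE/- text/html
1182327932.100 45 192.0.2.10 TCP_MISS/200 3920 CONNECT proxy-test.example:443 user1 DIRECT/198.51.100.7 -
1182327940.310 0 192.0.2.10 TCP_DENIED/400 1614 NONE error:unsupported-request-method - NONE/- text/html
1182327951.004 0 192.0.2.22 TCP_DENIED/407 1790 GET http://www.example/ - NONE/- text/html
"""

def malformed_request_clients(log_text):
    """Count TCP_DENIED/400 unsupported-request-method entries per client."""
    hits = Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # not a complete native-format record
        if f[3] == "TCP_DENIED/400" and f[6] == "error:unsupported-request-method":
            hits[f[2]] += 1
    return hits

# METHOD SP target SP HTTP/x.y, the shape of a valid first line
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")

def first_line_problem(raw_request):
    """Return None for a well-formed request line, else a short diagnosis."""
    lines = raw_request.splitlines()
    first = lines[0] if lines else ""
    if REQUEST_LINE.match(first):
        return None
    token = first.split(" ", 1)[0]
    if token.endswith(":"):
        # A header sits where the method should be; cache.log reports
        # this token as the "Unsupported method".
        return "missing request line, starts with header " + token
    return "unparseable request line"

# Shortened copies of the two captures quoted in the message (constructed)
GOOD = "CONNECT keylink.ubs.com:443 HTTP/1.1\r\nHost: keylink.ubs.com\r\n\r\n"
BAD = "User-Agent: Mozilla/4.0 (Windows 2003 5.2) Java/1.4.2_06\r\nHost: keylink.ubs.com\r\n\r\n"

if __name__ == "__main__":
    print(malformed_request_clients(SAMPLE_LOG))
    print(first_line_problem(GOOD), "|", first_line_problem(BAD))
```

Clients with a high count here are the ones to capture on the wire; the 407 entry in the sample is an ordinary authentication challenge and is not counted.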