Yes wbinfo_group is better for per ACL group matchings but it isn't
required in my environment.

I haven't found a good free http debugger although there are a few that
have 14 day trials. A quick Google should give you a few options.

I currently just use the three I listed previously as that seems to
cover Windows Media and QuickTime. I haven't had any other reports from
users about other streaming protocols.

Regards,

Mathew Archibald
Network/Systems Officer
Reid Library
University of Western Australia
Telephone: (08) 6488 1161
Fax: (08) 6488 1012
Email: marchibald@xxxxxxxxxxxxxxxxxx

-----Original Message-----
From: Mauricio Silveira [mailto:msilveira@xxxxxxxxxxx]
Sent: Thursday, 9 August 2007 12:26 PM
To: Mathew Archibald
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: FW: Allowing streaming media through NTLM Authentication

Interesting the "--require-membership-of", haven't noticed it at all.
This parameter is interesting to check for the global presence of a
user into the domain, but not for matching particular rules for
specific ACLs, such as "http_access allow streaming_media
STREAM_AD_GROUP" together with the external_acl and so on...

About the http debugger... I was using "log_mime_hdrs on" to check the
user agents... but it seems like the ones I find there are not the
correct ones!? Should I really use an http debugger? Which one do you
use, Mathew?

Mathew, have you got the complete list of browsers you use for
streaming_media?

Mauricio

Mathew Archibald wrote:
> Whoops my copy and paste didn't go through so well.
> Below is formatted properly
>
> acl AuthorizedUsers proxy_auth REQUIRED
> acl streaming_media browser -i "/usr/local/squid-2.6STABLE13/etc/user_agent.conf"
> http_access allow streaming_media
> http_access allow AuthorizedUsers
>
> I used to use wbinfo_group until I figured out how to match on groups
> using the auth_param:
>
> auth_param ntlm program /usr/local/samba-3.0.25a/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="CYGNET\\staff"
> auth_param ntlm children 10
> auth_param ntlm keep_alive on
>
> If you use a http debugger on your traffic you can see the User Agent
> string of the streaming media http request and then allow this traffic
> through unauthenticated
>
> Mat
>
> -----Original Message-----
> From: Mauricio Silveira [mailto:msilveira@xxxxxxxxxxx]
> Sent: Wednesday, 8 August 2007 11:44 AM
> To: Mathew Archibald
> Subject: Re: FW: Allowing streaming media through NTLM Authentication
>
> Hi Mathew,
>
> You're matching against authenticated users, I'm using it against
> wbinfo_group.
>
> Anyway this should work, such as "http_access allow streaming_media
> Streaming_allow" (Streaming_allow is an external acl for matching
> against a group into the AD server). I didn't notice that browser regex
> was case-insensitive (is it?).
> Maybe the definitive solution would be using some "trickery" with
> req_mime_type, req_header, rep_mime_type options.
>
> I'm just getting tired of this matter.
>
> Mauricio
>
> Mathew Archibald wrote:
>
>> Hi Guys
>>
>> I was able to work around this problem by matching on the streaming
>> media's User Agent string.
>> My squid.conf looks like this:
>>
>>
>>
>> And the user_agent.conf file looks like this:
>>
>> nsplayer
>> windows-media-player
>> quicktime
>>
>> Mat
>>
>> -----Original Message-----
>> From: Gavin White [mailto:white.gavin@xxxxxxxxx]
>> Sent: Tuesday, 7 August 2007 8:58 PM
>> To: Plant, Dean
>> Cc: squid-users@xxxxxxxxxxxxxxx
>> Subject: Re: FW: Allowing streaming media through NTLM Authentication
>>
>> Hi Dean,
>>
>> how did you disable ntlm authentication? I want to allow certain
>> clients to bypass ntlm auth based on their IP address.
>>
>> Thanks,
>>
>> Gavin
>>
>> On 8/7/07, Plant, Dean <dean.plant@xxxxxxxxxx> wrote:
>>
>>> Mauricio Silveira wrote:
>>>
>>>> Hi!
>>>>
>>>> I'm somehow "Happy" I'm not alone with this problem...
>>>>
>>>> I'm having this problem since squid 2.6STABLE9... (ALWAYS)
>>>>
>>>> I've tried everything possible without success...
>>>>
>>>> Let's try to get some progress on this matter, I'll dedicate some
>>>> time to this soon (still this week or the next at most)
>>>>
>>>> If you have any progress, please post it here.
>>>>
>>>> Let's be sure of the problem... try accessing these radios:
>>>>
>>>> http://www.radios.com.br/emissoras/transa_prpop.htm
>>>> http://www.radios.com.br/emissoras/transa_sppop.htm
>>>>
>>>> The former uses http as protocol, so it will ask for user/password,
>>>> the latter uses mms as protocol, so it won't ask for user/password.
>>>>
>>> I get the same results using squid-2.6.STABLE13-1.RHEL4.
>>>
>>> I have had to disable NTLM authentication (easy fix) for some sites
>>> with streaming media but to be honest I have not had the time to
>>> fully investigate the cause.
>>>
>>> Dean
>>>
>>>> As far as my small brain knows... that's mms that should be giving
>>>> headaches, not the http one!
>>>>
>>>> Please post back if you get the same results, I have to show my boss
>>>> I'm right, I'm not alone and I DO KNOW how to configure squid.
>>>> :D
>>>>
>>>> I'll post here if I get it working, let's flame this discussion....
>>>> I see everyone trying to get rid of streamings, but not trying to
>>>> get it working without these "imperfections".
>>>>
>>>> Thanks,
>>>>
>>>> Mauricio
>>>>
>>>>> Hi
>>>>>
>>>>> Apologies if this has been discussed before but I couldn't find a
>>>>> solution for my exact problem in the archives.
>>>>>
>>>>> I run Squid 2.6STABLE13 and have configured it to use NTLM
>>>>> authentication for all client requests. This is working properly
>>>>> for standard traffic but I am hitting a problem with streaming
>>>>> media.
>>>>>
>>>>> I'm aware that most streaming media can't handle NTLM
>>>>> authentication automatically and therefore when a user tries to
>>>>> access streaming media a login box pops up. I don't want the users
>>>>> being asked to authenticate so I'm trying to come up with a
>>>>> solution to instruct the proxy server to not authenticate the
>>>>> streaming media.
>>>>>
>>>>> I've tried matching on the streaming media mime types but ran into
>>>>> the problem in that the mime type is in the response and not the
>>>>> request and it is the request that is authenticated.
>>>>>
>>>>> Has anyone dealt with this issue before and how did you go about
>>>>> allowing streaming media through an authenticated proxy?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Mathew Archibald
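
Added example, not part of the thread: in the configuration quoted above, "http_access allow streaming_media" is evaluated before the proxy_auth rule, so every request whose User-Agent matches a line of user_agent.conf is served without a username. This audit lists such requests that returned non-media content. The log field layout, the media-type list and the sample lines are assumptions constructed for the example.

```python
import re
import shlex

# Patterns from the thread's user_agent.conf. Squid's "browser -i" ACL treats
# each line as a case-insensitive regex searched in the User-Agent header.
UA_PATTERNS = [re.compile(p, re.I)
               for p in ("nsplayer", "windows-media-player", "quicktime")]

# Assumed list of reply types that count as streaming media at this site.
MEDIA_TYPE = re.compile(r"^(audio|video)/|^application/x-mms-framed", re.I)

def exempt_by_agent(user_agent):
    """True if the streaming_media ACL would match this User-Agent."""
    return any(p.search(user_agent) for p in UA_PATTERNS)

def audit(lines):
    """Return (client, url, mime) for unauthenticated, agent-exempted
    requests whose reply was not streaming media."""
    findings = []
    for line in lines:
        fields = shlex.split(line)      # keeps the quoted User-Agent whole
        if len(fields) != 8:
            continue                    # not in the assumed layout
        _ts, client, user, _method, url, status, mime, agent = fields
        if user != "-" or status == "407":
            continue                    # authenticated, or an NTLM challenge
        if exempt_by_agent(agent) and not MEDIA_TYPE.search(mime):
            findings.append((client, url, mime))
    return findings

# Constructed sample; assumed layout:
# time client user method url status mime-type "user-agent"
SAMPLE_LOG = [
    '1186632000.101 10.0.0.21 - GET http://media.example.org/live.asf 200 '
    'video/x-ms-asf "NSPlayer/9.0.0.3250"',
    '1186632005.870 10.0.0.34 - GET http://www.example.com/ 407 '
    'text/html "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '1186632010.412 10.0.0.57 - GET http://files.example.net/setup.exe 200 '
    'application/octet-stream "QuickTime/7.2 (qtver=7.2;os=Windows NT 5.1)"',
    '1186632015.009 10.0.0.21 jsmith GET http://www.example.com/index.html 200 '
    'text/html "Mozilla/4.0 (compatible; MSIE 7.0)"',
]

if __name__ == "__main__":
    for client, url, mime in audit(SAMPLE_LOG):
        print(f"unauthenticated non-media fetch: {client} {url} ({mime})")
```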