Sure, I was going to do that at my previous mail, but didn't had access to the Squid box that time. And by the way: Yes, you got it just right. That's exactly what's happening. Here's what I've got: auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 30 acl autentica proxy_auth REQUIRED acl forbidden url_regex "path_for_list" acl whitelist dstdomain "path_for_domain_whitelist" (those are the main ACL's) http_access allow autentica whitelist http_access allow autentica !forbidden Explaining: Basically I have a list of forbidden terms (full of ugly names and some others) and a domain whitelists (for fake positives). I allow complete access to the domains in the whitelist and allow access to all URL's which don't match any term in the forbidden list. Here's some basic access.log output: 1233688830.613 0 192.168.1.149 TCP_DENIED/407 3189 GET http://www.osram.com.br/_resources/img/misc/iTop.gif - NONE/- text/html 1233688830.617 2 192.168.1.149 TCP_IMS_HIT/304 256 GET http://www.osram.com.br/_resources/img/misc/iTop.gif <username> NONE/- image/gif First a HTTP 407, followed by the same requisition, this time authenticated. And now here's some APT access.log output: 1233662651.716 0 192.168.1.74 TCP_DENIED/407 2451 GET http://security.debian.org/dists/etch/updates/main/source/Sources.diff/Index - NONE/- text/html 1233662651.761 0 192.168.1.74 TCP_DENIED/407 2463 GET http://security.debian.org/dists/etch/updates/contrib/source/Sources.diff/Index - NONE/- text/html 1233662651.767 0 192.168.1.74 TCP_DENIED/407 2513 GET http://security.debian.org/dists/etch/updates/main/binary-i386/Packages.gz - NONE/- text/html 1233662651.773 0 192.168.1.74 TCP_DENIED/407 2525 GET http://security.debian.org/dists/etch/updates/contrib/binary-i386/Packages.gz - NONE/- text/html 1233662651.804 0 192.168.1.74 TCP_DENIED/407 2489 GET http://security.debian.org/dists/etch/updates/main/source/Sources.gz - NONE/- text/html 1233662651.808 0 192.168.1.74 TCP_DENIED/407 2501 GET http://security.debian.org/dists/etch/updates/contrib/source/Sources.gz - NONE/- text/html As you can see, only 407 answers. Here's my apt.conf: Acquire::http::Proxy "http://me:123456@<squidbox_IP>:3128/"; And that's it. I've got no clues at all. Thanks again for the attention. Henrique 2009/2/3 James Zuelow <James_Zuelow@xxxxxxxxxxxxxxx>: > >> -----Original Message----- >> From: Henrique Machado [mailto:henrique.cicuto@xxxxxxxxx] >> Sent: Tuesday, 03 February, 2009 03:10 >> To: James Zuelow >> Cc: squid-users@xxxxxxxxxxxxxxx >> Subject: Re: Certain applications when using NTLM auth >> >> Dear James, >> >> Thanks for the attention. Yes, I´m talking about Debian APT Tool =]. >> And I´ve already configured apt.conf so to use the proxy, adding >> username and password in it, but even so it´s not working, and my >> proxy keeps returning HTTP 407. >> Tried creating a user "me" with password "123456" inside my AD domain, >> and it´s not working as well. >> Maybe something in my Squid auth configuration, but I´m not sure. >> > > Hmm. So if I understand what's going on correctly -- a normal user can authenticate through the proxy, either automatically with IE or Firefox on a Windows box, or else by providing a username/password for something like Firefox on a Linux box. Correct? If so, then the apt.conf entry should be working. > > It is easy to get strange results if the access rules are out of order. > > Can you sanitize your rules and post them? And the apt.conf file as well? >
