Hi Kevin,

Thanks for your post, I think it is a very good solution to the Java
security hole.

I've seen that for using header_access and header_replace you need to
compile with the --enable-http-violations option.

My question is, if I compiled squid without this option, is there any
way to add this feature or do I have to compile the entire squid again?
In this case, should I save my configuration files?

Where should I put these lines, after acls?

Thanks again

Gontzal

2009/6/27 Kevin Blackwell <akblackwel@xxxxxxxxx>:
> Is this what you're looking for?
>
> acl javaNtlmFix browser -i java
> acl javaConnect method CONNECT
> header_access Proxy-Authenticate deny javaNtlmFix javaConnect
> header_replace Proxy-Authenticate Basic realm="Internet"
>
> now only https/ssl access from java will have basic auth and so a
> password dialog.
> normal http access will work with ntlm challenge response.
>
> thanks again
>
> markus
>
>>-----Original Message-----
>>From: Rietzler, Markus (Firma Rietzler Software / RZF)
>>Sent: Tuesday, 16 October 2007 18:17
>>To: 'Chris Robertson'; squid-users@xxxxxxxxxxxxxxx
>>Subject: RE: force basic NTLM-auth for certain
>>clients/urls
>>
>>thanks for that hint - it worked as a fix
>>
>>i have added this to my squid.conf
>>
>>acl javaNtlmFix browser -i java
>>header_access Proxy-Authenticate deny javaNtlmFix
>>header_replace Proxy-Authenticate Basic realm="Internet Access"
>>
>>now any java-client (java web start, java or applets in
>>browser) will only see the basic auth scheme.
>>a username/password dialog pops up and i have to enter my credentials.
>>
>>any other client (firefox, ie) still see both NTLM and Basic
>>scheme and use NTLM challenge response to authenticate...
>>
>>the little drawback is, that there is that little nasty dialog
>>but connection via proxy is working...
>>
>>thanks
>>
>>markus
>>
>
> On Sat, May 9, 2009 at 12:13 AM, Nitin
> Bhadauria<nitin.bhadauria@xxxxxxxxxxx> wrote:
>> Dear All,
>>
>> Please reply if we have some solution for the problem. I am stuck with the
>> problem; my server is live and I can't afford to allow the java sites to
>> unauthorized users in the network.
>>
>> Regards,
>> Nitin B.
>>
>>
>> Nitin Bhadauria wrote:
>>>
>>> Dear All,
>>>
>>>
>>> I have the same problem ..
>>>
>>> Every time a browser proxying through squid tries to load a secure java
>>> applet, it comes up with a red x where the java applet should be.
>>>
>>>
>>> So I have bypassed those sites for authentication, but the problem is users
>>> who don't have permission to access internet are also able to access
>>> those sites.
>>>
>>> Please update if we have found any other solution for the problem.
>>>
>>> Thanks in advance for any reply.
>>>
>>> Regards,
>>> Nitin Bhadauria
>>>