Hi,

I've recompiled squid, now 3.0 stable 16, on a non-production opensuse 10.3 server with the --enable-http-violations option.

I've added the following lines to my squid.conf file:

acl Java browser Java/1.4 Java/1.5 Java/1.6
header_access Proxy-Authenticate deny Java
header_replace Proxy-Authenticate Basic realm="XXXX"

The header tags are before the http_access tags; I don't know if it is correct. I've also disabled the option

http_access allow Java

Squid runs correctly but when I check for java, it doesn't work: it doesn't ask for basic auth and doesn't show the java applet page. On the access log it shows lines like this one:

(01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=>172.28.129.250) (tp.seg-social.es:443) text/html-2226bytes 1ms

I've changed the identity of my browser from firefox to java and it browses using ntlm auth instead of asking for user/passwd.

Where can be the problem?

Thanks again!

2009/6/30 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>
> I agree this does look like a good clean solution. I'll look at
> implementing a small on/off toggle to do only this change for safer Java
> bypass. May not be very soon though. What version of Squid are you using?
>
> Meanwhile yes, you do have to add the option to the ./configure options and
> re-compile = re-install Squid.
> The install process if done right should not alter existing squid.conf and
> be a simple drop-in to the existing install. But a backup is worth doing
> just in case.
> If currently using a packaged Squid, you may want to contact the package
> maintainer for any help on the configure and install steps.
>
> Amos
>
> On Mon, 29 Jun 2009 10:40:06 +0200, Gontzal <gontzalp@xxxxxxxxx> wrote:
>> Hi Kevin,
>>
>> Thanks for your post, I think it is a very good solution to the Java
>> security hole.
>>
>> I've seen that for using header_access and header_replace you need to
>> compile with the --enable-http-violations.
>> My question is, if I
>> compiled squid without this option, is there any way to add this
>> feature or I've to compile entire squid again? In this case, should I
>> save my configuration files?
>>
>> Where should I put these lines, after acls?
>>
>> Thanks again
>>
>> Gontzal
>>
>> 2009/6/27 Kevin Blackwell <akblackwel@xxxxxxxxx>:
>>> This what you're looking for?
>>>
>>> acl javaNtlmFix browser -i java
>>> acl javaConnect method CONNECT
>>> header_access Proxy-Authenticate deny javaNtlmFix javaConnect
>>> header_replace Proxy-Authenticate Basic realm="Internet"
>>>
>>> now only https/ssl access from java will have basic auth and so a
>>> password dialog.
>>> normal http access will work with ntlm challenge response.
>>>
>>> thanxs again
>>>
>>> markus
>>>
>>>>-----Original Message-----
>>>>From: Rietzler, Markus (Firma Rietzler Software / RZF)
>>>>Sent: Tuesday, 16 October 2007 18:17
>>>>To: 'Chris Robertson'; squid-users@xxxxxxxxxxxxxxx
>>>>Subject: AW: force basic NTLM-auth for certain
>>>>clients/urls
>>>>
>>>>thanxs for that hint - it worked as a fix
>>>>
>>>>i have added this to my squid.conf
>>>>
>>>>acl javaNtlmFix browser -i java
>>>>header_access Proxy-Authenticate deny javaNtlmFix
>>>>header_replace Proxy-Authenticate Basic realm="Internet Access"
>>>>
>>>>now any java-client (java web start, java or applets in
>>>>browser) will only see the basic auth scheme.
>>>>a username/password dialog pops up and i have to enter my credentials.
>>>>
>>>>any other client (firefox, ie) still see both NTLM and Basic
>>>>scheme and use NTLM challenge response to authenticate...
>>>>
>>>>the little drawback is, that there is that little nasty dialog
>>>>but connection via proxy is working...
>>>>
>>>>thanxs
>>>>
>>>>markus
>>>>
>>>
>>> On Sat, May 9, 2009 at 12:13 AM, Nitin
>>> Bhadauria<nitin.bhadauria@xxxxxxxxxxx> wrote:
>>>> Dear All,
>>>>
>>>> Please reply if we have some solution for the problem.
>>>> I am stuck with the problem, my server is live and I can't afford to
>>>> allow the java sites to unauthorized users in the network.
>>>>
>>>> Regards,
>>>> Nitin B.
>>>>
>>>>
>>>> Nitin Bhadauria wrote:
>>>>>
>>>>> Dear All,
>>>>>
>>>>> I have the same problem ..
>>>>>
>>>>> Every time a browser proxying through squid tries to load a secure java
>>>>> applet, it comes up with a red x where the java applet should be.
>>>>>
>>>>> So I have bypassed those sites for authentication, but the problem is
>>>>> users who don't have permission to access internet are also able to
>>>>> access those sites.
>>>>>
>>>>> Please update if we have found any other solution for the problem.
>>>>>
>>>>> Thanks in advance for any reply.
>>>>>
>>>>> Regards,
>>>>> Nitin Bhadauria
>>>>>
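
Added example (not part of the thread and not Squid's own code): a simplified Python model of how the two rule sets quoted above decide which Proxy-Authenticate challenges a client is shown. The function names, the sample User-Agent and the default challenge list are assumptions made for illustration; only `deny` rules and the `browser` and `method` ACL types are modelled.

```python
import re

# Constructed default: challenges a proxy offering both schemes sends on a 407.
DEFAULT = ["NTLM", 'Basic realm="Internet"']
# Rules quoted in the thread: the 2007 form and the CONNECT-only form.
ALL_JAVA = '''acl javaNtlmFix browser -i java
header_access Proxy-Authenticate deny javaNtlmFix
header_replace Proxy-Authenticate Basic realm="Internet Access"'''
CONNECT_ONLY = '''acl javaNtlmFix browser -i java
acl javaConnect method CONNECT
header_access Proxy-Authenticate deny javaNtlmFix javaConnect
header_replace Proxy-Authenticate Basic realm="Internet"'''

def parse(conf):
    """Collect acl definitions and the Proxy-Authenticate header rules."""
    acls, deny, replace = {}, [], None
    for line in conf.splitlines():
        tok = line.split()
        if tok[:1] == ["acl"] and len(tok) >= 4:
            flags = re.I if tok[3] == "-i" else 0
            args = tok[4:] if flags else tok[3:]
            acls.setdefault(tok[1], []).append((tok[2], flags, args))
        elif tok[:3] == ["header_access", "Proxy-Authenticate", "deny"]:
            deny.append(tok[3:])  # ACLs named on one line are ANDed
        elif tok[:2] == ["header_replace", "Proxy-Authenticate"] and len(tok) > 2:
            replace = line.split(None, 2)[2].strip()
    return acls, deny, replace

def acl_matches(defs, method, user_agent):
    """Values inside one acl are ORed; 'browser' is a regex on User-Agent."""
    for kind, flags, args in defs:
        if kind == "browser" and any(re.search(p, user_agent, flags) for p in args):
            return True
        if kind == "method" and method in args:
            return True
    return False

def challenges_seen(conf, method, user_agent):
    """Return the Proxy-Authenticate values this request would be shown."""
    acls, deny, replace = parse(conf)
    for names in deny:
        if all(acl_matches(acls.get(n, []), method, user_agent) for n in names):
            return [replace] if replace else []
    return list(DEFAULT)

if __name__ == "__main__":
    ua = "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13"  # constructed sample
    for m in ("GET", "CONNECT"):
        print(m, challenges_seen(CONNECT_ONLY, m, ua))
```

The `browser` ACL matches the client-supplied User-Agent, so the CONNECT-only rule keeps the NTLM-to-Basic downgrade to a narrower set of requests than the 2007 rule.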