On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal <gontzalp@xxxxxxxxx> wrote:
> Hi,
>
> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
> 10.3 server with the --enable-http-violations option
> I've added the following lines to my squid.conf file:
>
> acl Java browser Java/1.4 Java/1.5 Java/1.6
>
> header_access Proxy-Authenticate deny Java
> header_replace Proxy-Authenticate Basic realm="XXXX"
>
> The header tags are before the http_access tags, I don't know if it is
> correct. I've also disabled the option http_access allow Java
>
> Squid runs correctly but when I check for Java, it doesn't work, it
> doesn't ask for basic auth and doesn't show the Java applet page.
>
> On the access log it shows lines like this one:
>
> (01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=>172.28.129.250)
> (tp.seg-social.es:443) text/html-2226bytes 1ms
>
> I've changed the identity of my browser from Firefox to Java and it
> browses using NTLM auth instead of asking for user/passwd
>
> Where can the problem be?

In squid-3 the header_access has been broken in half.
I believe you are needing to use reply_header_access.

Amos

>
> Thanks again!
>
> 2009/6/30 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>
>>
>> I agree this does look like a good clean solution. I'll look at
>> implementing a small on/off toggle to do only this change for safer Java
>> bypass. May not be very soon though. What version of Squid are you using?
>>
>> Meanwhile yes, you do have to add the option to the ./configure options
>> and re-compile = re-install Squid.
>> The install process if done right should not alter existing squid.conf
>> and be a simple drop-in to the existing install. But a backup is worth
>> doing just in case.
>> If currently using a packaged Squid, you may want to contact the package
>> maintainer for any help on the configure and install steps.
>>
>> Amos
>>
>> On Mon, 29 Jun 2009 10:40:06 +0200, Gontzal <gontzalp@xxxxxxxxx> wrote:
>>> Hi Kevin,
>>>
>>>
>>> Thanks for your post, I think it is a very good solution to the Java
>>> security hole.
>>>
>>> I've seen that for using header_access and header_replace you need to
>>> compile with the --enable-http-violations. My question is, if I
>>> compiled squid without this option, is there any way to add this
>>> feature or do I have to compile the entire squid again? In this case,
>>> should I save my configuration files?
>>>
>>> Where should I put these lines, after acls?
>>>
>>> Thanks again
>>>
>>> Gontzal
>>>
>>> 2009/6/27 Kevin Blackwell <akblackwel@xxxxxxxxx>:
>>>> Is this what you're looking for?
>>>>
>>>> acl javaNtlmFix browser -i java
>>>> acl javaConnect method CONNECT
>>>> header_access Proxy-Authenticate deny javaNtlmFix javaConnect
>>>> header_replace Proxy-Authenticate Basic realm="Internet"
>>>>
>>>> now only https/ssl access from java will have basic auth and so a
>>>> password dialog.
>>>> normal http access will work with ntlm challenge response.
>>>>
>>>> thanks again
>>>>
>>>> markus
>>>>
>>>>>-----Original Message-----
>>>>>From: Rietzler, Markus (Firma Rietzler Software / RZF)
>>>>>Sent: Tuesday, 16 October 2007 18:17
>>>>>To: 'Chris Robertson'; squid-users@xxxxxxxxxxxxxxx
>>>>>Subject: RE: force basic NTLM-auth for certain
>>>>>clients/urls
>>>>>
>>>>>thanks for that hint - it worked as a fix
>>>>>
>>>>>i have added this to my squid.conf
>>>>>
>>>>>acl javaNtlmFix browser -i java
>>>>>header_access Proxy-Authenticate deny javaNtlmFix
>>>>>header_replace Proxy-Authenticate Basic realm="Internet Access"
>>>>>
>>>>>now any java-client (java web start, java or applets in
>>>>>browser) will only see the basic auth scheme.
>>>>>a username/password dialog pops up and I have to enter my credentials.
>>>>>
>>>>>any other client (firefox, ie) still see both NTLM and Basic
>>>>>scheme and use NTLM challenge response to authenticate...
>>>>>
>>>>>the little drawback is that there is that little nasty dialog
>>>>>but connection via proxy is working...
>>>>>
>>>>>thanks
>>>>>
>>>>>markus
>>>>>
>>>>
>>>> On Sat, May 9, 2009 at 12:13 AM, Nitin
>>>> Bhadauria <nitin.bhadauria@xxxxxxxxxxx> wrote:
>>>>> Dear All,
>>>>>
>>>>> Please reply if we have some solution for the problem. I am stuck with
>>>>> the problem, my server is live and I can't afford to allow the Java
>>>>> sites to unauthorized users in the network.
>>>>>
>>>>> Regards,
>>>>> Nitin B.
>>>>>
>>>>>
>>>>> Nitin Bhadauria wrote:
>>>>>>
>>>>>> Dear All,
>>>>>>
>>>>>>
>>>>>> I have the same problem ..
>>>>>>
>>>>>> Every time a browser proxying through squid tries to load a secure
>>>>>> java applet, it comes up with a red x where the java applet should be.
>>>>>>
>>>>>>
>>>>>> So I have bypassed those sites for authentication, but the problem is
>>>>>> users who don't have permission to access the internet are also able
>>>>>> to access those sites.
>>>>>>
>>>>>> Please update if we have found any other solution for the problem.
>>>>>>
>>>>>> Thanks in advance for any reply.
>>>>>>
>>>>>> Regards,
>>>>>> Nitin Bhadauria
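The workaround the thread converges on, written out against the Squid 3.x directive names Amos points at. This is an added example, not configuration posted by anyone in the thread: it assumes Squid was built with --enable-http-violations, that "XXXX" is the realm string Java clients should be shown, and that header_replace still supplies the replacement value on the reply side in 3.0 (later 3.x releases added a separate reply_header_replace directive, so check the squid.conf.documented that ships with your version).

```squid
# Added example based on Amos's hint; not from the thread itself.
# Assumes --enable-http-violations and a realm of "XXXX".

# Match the Java runtime by User-Agent. Gontzal's explicit list
# (Java/1.4 Java/1.5 Java/1.6) also works; -i java is the broader form
# Markus and Kevin used.
acl javaNtlmFix browser -i java

# Optional, from Kevin Blackwell's variant: limit the change to CONNECT
# (https) tunnels so plain http from Java keeps NTLM challenge/response.
acl javaConnect method CONNECT

# Squid 3.0 split header_access into request_header_access (headers the
# client sent) and reply_header_access (headers sent back to the client).
# Proxy-Authenticate travels in the 407 reply, so the deny goes here;
# a plain header_access line is the Squid 2.x spelling.
reply_header_access Proxy-Authenticate deny javaNtlmFix javaConnect

# Value offered in place of the denied header, so Java sees Basic only.
# Assumption: this pairs with the reply-side deny on 3.0; verify against
# your version's squid.conf.documented (see reply_header_replace on
# newer 3.x).
header_replace Proxy-Authenticate Basic realm="XXXX"
```

To confirm the effect without a Java client, drive a CONNECT through the proxy with curl and compare the schemes the 407 advertises for a Java User-Agent against a browser one, assuming the proxy listens on proxy:3128 (a placeholder): `curl -v -x http://proxy:3128 -A "Java/1.6" https://tp.seg-social.es/ 2>&1 | grep -i Proxy-Authenticate` should list only Basic, while the same command with `-A "Mozilla/5.0"` should still list NTLM as well.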