Gontzal wrote:
Hi Amos,
First of all sorry for the delay.
Yes, the header_access tag it's not accepted on 3.0 S 16, I've tried
with reply_header_access with the same result: none.
By "none" you mean Java still getting the NTLM Proxy_auth header?
Do you have a trace of the 407 reply from Squid to be sure of that?
Same entries on
access.log:
172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] "CONNECT
tp.seg-social.es:443 HTTP/1.1" 407 2015 TCP_DENIED:NONE
In the access.log of the parent proxy I get:
1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT
tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -
This is part of my conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm ProxySquid
auth_param basic credentialsttl 2 hours
external_acl_type winbind_group children=10 %LOGIN /usr/sbin/wbinfo_group.pl
acl Java browser Java/1.4 Java/1.5 Java/1.6
acl javaConnect method CONNECT
reply_header_access Proxy-Authenticate deny Java javaConnect
header_replace Proxy-Authenticate basic realm=ProxySquid
and after that the http_access tags
Another question, the realm value must be the same as defined on
"auth_param basic realm ProxySquid " or may be the domain name as
defined on smb.conf? In my case it's not the same value.
The realm returned by Squid should always be the one configured in
squid.conf auth_param
Amos
2009/7/2 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal <gontzalp@xxxxxxxxx> wrote:
Hi,
I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
10.3 server with the --enable-http-violations option
I've added the following lines to my squid.conf file:
acl Java browser Java/1.4 Java/1.5 Java/1.6
header_access Proxy-Authenticate deny Java
header_replace Proxy-Authenticate Basic realm="XXXX"
The header tags are before the http_access tags, I don't know if it is
correct. I've also disable the option http_access allow Java
Squid runs correctly but when i check for java, it doesn't work, it
don't ask for basic auth and doesn't show the java applet page.
On the access log it shows lines like this one:
(01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=>172.28.129.250)
(tp.seg-social.es:443) text/html-2226bytes 1ms
I've changed the identity of my browser from firefox to java and it
browses using ntlm auth instead of asking for user/passwd
Where can be the problem?
In squid-3 the header_access has been broken in half.
I believe you are needing to use reply_header_access.
Amos
Thanks again!
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
Current Beta Squid 3.1.0.10 or 3.1.0.11
