Responses in the message. 2009/7/20 Amos Jeffries <squid3@xxxxxxxxxxxxx>: > Gontzal wrote: >> >> Hi Amos, >> >> First of all sorry for the delay. >> >> Yes, the header_access tag it's not accepted on 3.0 S 16, I've tried >> with reply_header_access with the same result: none. > > By "none" you mean Java still getting the NTLM Proxy_auth header? I think so, because it is not starting the java applet, neither asking for basic auth > Do you have a trace of the 407 reply from Squid to be sure of that? I don't know how to get the trace, if you can give me more info to get the trace i would appreciate. I just have the information from the acces.log > >> Same entries on >> access.log: >> 172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] "CONNECT >> tp.seg-social.es:443 HTTP/1.1" 407 2015 TCP_DENIED:NONE >> >> In the access.log of the parent proxy I get: >> >> 1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT >> tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 - >> >> >> This is part of my conf: >> >> auth_param ntlm program /usr/bin/ntlm_auth >> --helper-protocol=squid-2.5-ntlmssp >> auth_param ntlm children 50 >> auth_param basic program /usr/bin/ntlm_auth >> --helper-protocol=squid-2.5-basic >> auth_param basic children 5 >> auth_param basic realm ProxySquid >> auth_param basic credentialsttl 2 hours >> external_acl_type winbind_group children=10 %LOGIN >> /usr/sbin/wbinfo_group.pl >> >> acl Java browser Java/1.4 Java/1.5 Java/1.6 >> acl javaConnect method CONNECT >> >> reply_header_access Proxy-Authenticate deny Java javaConnect >> header_replace Proxy-Authenticate basic realm=ProxySquid >> >> and after that the http_access tags >> >> Another question, the realm value must be the same as defined on >> "auth_param basic realm ProxySquid " or may be the domain name as >> defined on smb.conf? In my case it's not the same value. > > The realm returned by Squid should always be the one configured in > squid.conf auth_param the value of realm must be between " " or not? Thanks again. Gontzal > Amos > >> >> >> 2009/7/2 Amos Jeffries <squid3@xxxxxxxxxxxxx>: >>> >>> On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal <gontzalp@xxxxxxxxx> wrote: >>>> >>>> Hi, >>>> >>>> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse >>>> 10.3 server with the --enable-http-violations option >>>> I've added the following lines to my squid.conf file: >>>> >>>> acl Java browser Java/1.4 Java/1.5 Java/1.6 >>>> >>>> header_access Proxy-Authenticate deny Java >>>> header_replace Proxy-Authenticate Basic realm="XXXX" >>>> >>>> The header tags are before the http_access tags, I don't know if it is >>>> correct. I've also disable the option http_access allow Java >>>> >>>> Squid runs correctly but when i check for java, it doesn't work, it >>>> don't ask for basic auth and doesn't show the java applet page. >>>> >>>> On the access log it shows lines like this one: >>>> >>>> (01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=>172.28.129.250) >>>> (tp.seg-social.es:443) text/html-2226bytes 1ms >>>> >>>> I've changed the identity of my browser from firefox to java and it >>>> browses using ntlm auth instead of asking for user/passwd >>>> >>>> Where can be the problem? >>> >>> In squid-3 the header_access has been broken in half. >>> >>> I believe you are needing to use reply_header_access. >>> >>> Amos >>> >>>> Thanks again! >>>> > > > -- > Please be using > Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16 > Current Beta Squid 3.1.0.10 or 3.1.0.11 >
