Hi Amos,

I'm sending the trace as requested; yesterday I just came back from holidays and I was "out":

CONNECT tp.seg-social.es:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Proxy-Connection: keep-alive
Host: tp.seg-social.es

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE16
Mime-Version: 1.0
Date: Tue, 21 Jul 2009 10:28:20 GMT
Content-Type: text/html
Content-Length: 1681
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="ProxySquid "
X-Cache: MISS from deil-trinity2
X-Cache-Lookup: NONE from deil-trinity2:3128
Via: 1.0 deil-trinity2 (squid/3.0.STABLE16)
Proxy-Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>ERROR: Cache Access Denied</title>
<style type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></style>
</head>
<body>
<h1>ERROR</h1>
<h2>Cache Access Denied.</h2>
<hr>
<p>The following error was encountered while trying to retrieve the URL: <a href="https://tp.seg-social.es/*">https://tp.seg-social.es/*</a></p>
<blockquote>
<p><b>Cache Access Denied.</b></p>
</blockquote>
<p>Sorry, you are not currently allowed to request https://tp.seg-social.es/* from this cache until you have authenticated yourself.</p>
<p>Please contact the <a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_CACHE_ACCESS_DENIED&body=CacheHost%3A%20deil-trinity2%0D%0AErrPage%3A%20ERR_CACHE_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Tue,%2021%20Jul%202009%2010%3A28%3A20%20GMT%0D%0A%0D%0AClientIP%3A%20172.28.3.186%0D%0A%0D%0AHTTP%20Request%3A%0D%0ACONNECT%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20Mozilla%2F5.0%20(Windows%3B%20U%3B%20Windows%20NT%205.1%3B%20es-ES%3B%20rv%3A1.9.1.1)%20Gecko%2F20090715%20Firefox%2F3.5.1%20(.NET%20CLR%203.5.30729)%0D%0AProxy-Connection%3A%20keep-alive%0D%0AHost%3A%20tp.seg-social.es%0D%0A%0D%0A%0D%0A">cache administrator</a> if you have difficulties authenticating yourself or <a href="http://deil-trinity2/cgi-bin/chpasswd.cgi">change</a> your default password.</p>
<br>
<hr>
<div id="footer">Generated Tue, 21 Jul 2009 10:28:20 GMT by deil-trinity2 (squid/3.0.STABLE16)</div>
</body></html>

Thanks a lot

2009/7/20 Gontzal <gontzalp@xxxxxxxxx>:
> Responses in the message.
>
> 2009/7/20 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>> Gontzal wrote:
>>>
>>> Hi Amos,
>>>
>>> First of all sorry for the delay.
>>>
>>> Yes, the header_access tag it's not accepted on 3.0 S 16, I've tried
>>> with reply_header_access with the same result: none.
>>
>> By "none" you mean Java still getting the NTLM Proxy_auth header?
>
> I think so, because it is not starting the java applet, neither asking
> for basic auth
>
>> Do you have a trace of the 407 reply from Squid to be sure of that?
>
> I don't know how to get the trace, if you can give me more info to get
> the trace I would appreciate it. I just have the information from the
> access.log
>
>>
>>> Same entries on
>>> access.log:
>>> 172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] "CONNECT tp.seg-social.es:443 HTTP/1.1" 407 2015 TCP_DENIED:NONE
>>>
>>> In the access.log of the parent proxy I get:
>>>
>>> 1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -
>>>
>>>
>>> This is part of my conf:
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 50
>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>>> auth_param basic children 5
>>> auth_param basic realm ProxySquid
>>> auth_param basic credentialsttl 2 hours
>>> external_acl_type winbind_group children=10 %LOGIN /usr/sbin/wbinfo_group.pl
>>>
>>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>>> acl javaConnect method CONNECT
>>>
>>> reply_header_access Proxy-Authenticate deny Java javaConnect
>>> header_replace Proxy-Authenticate basic realm=ProxySquid
>>>
>>> and after that the http_access tags
>>>
>>> Another question, the realm value must be the same as defined on
>>> "auth_param basic realm ProxySquid " or may be the domain name as
>>> defined on smb.conf? In my case it's not the same value.
>>
>> The realm returned by Squid should always be the one configured in
>> squid.conf auth_param
>
> the value of realm must be between " " or not?
>
> Thanks again.
>
> Gontzal
>
>> Amos
>>
>>>
>>>
>>> 2009/7/2 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>>>
>>>> On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal <gontzalp@xxxxxxxxx> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
>>>>> 10.3 server with the --enable-http-violations option
>>>>> I've added the following lines to my squid.conf file:
>>>>>
>>>>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>>>>>
>>>>> header_access Proxy-Authenticate deny Java
>>>>> header_replace Proxy-Authenticate Basic realm="XXXX"
>>>>>
>>>>> The header tags are before the http_access tags, I don't know if it is
>>>>> correct. I've also disabled the option http_access allow Java
>>>>>
>>>>> Squid runs correctly but when I check for java, it doesn't work, it
>>>>> doesn't ask for basic auth and doesn't show the java applet page.
>>>>>
>>>>> On the access log it shows lines like this one:
>>>>>
>>>>> (01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=>172.28.129.250) (tp.seg-social.es:443) text/html-2226bytes 1ms
>>>>>
>>>>> I've changed the identity of my browser from firefox to java and it
>>>>> browses using ntlm auth instead of asking for user/passwd
>>>>>
>>>>> Where can be the problem?
>>>>
>>>> In squid-3 the header_access has been broken in half.
>>>>
>>>> I believe you are needing to use reply_header_access.
>>>>
>>>> Amos
>>>>
>>>>> Thanks again!
>>>>>
>>
>>
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
>> Current Beta Squid 3.1.0.10 or 3.1.0.11
>>
>
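
A way to check a captured 407 reply for what Amos asks about in this thread (whether the NTLM challenge is still being sent, and which Basic realm is returned), as an added example that is not part of the original messages or of Squid. The helper names `parse_challenges` and `audit` are hypothetical, and the sample reply is constructed from the headers in the trace at the top of this message.

```python
import re

# Constructed sample: headers copied from the 407 reply in the trace above.
SAMPLE_407 = (
    "HTTP/1.0 407 Proxy Authentication Required\r\n"
    "Server: squid/3.0.STABLE16\r\n"
    "X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="ProxySquid "\r\n'
    "Proxy-Connection: close\r\n"
    "\r\n"
    "<html>...</html>"
)

# name=value auth parameters; the value is a quoted-string or a bare token.
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

def parse_challenges(raw):
    """Return (status, [(scheme, params)]) for every Proxy-Authenticate header."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    challenges = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "proxy-authenticate":
            continue
        scheme, _, rest = value.strip().partition(" ")
        params = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in _PARAM.finditer(rest)}
        challenges.append((scheme.lower(), params))
    return status, challenges

def audit(raw, expected_realm):
    """List the ways this reply differs from a Basic-only challenge."""
    status, challenges = parse_challenges(raw)
    schemes = [s for s, _ in challenges]
    findings = []
    if status != 407:
        findings.append("not a 407 reply")
    if "ntlm" in schemes or "negotiate" in schemes:
        findings.append("NTLM/Negotiate still offered: header rewrite not applied")
    realms = [p.get("realm") for s, p in challenges if s == "basic"]
    if not realms:
        findings.append("no Basic challenge offered")
    elif realms[0] != expected_realm:
        findings.append("Basic realm %r differs from %r" % (realms[0], expected_realm))
    return findings
```

Run against the trace, `audit(SAMPLE_407, "ProxySquid")` reports both the NTLM challenge and the trailing space inside the quoted realm.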