Hi there,

We've got 2.6 stable running as a logging-only server, no caching going on. Users are authenticated via NTLM if they're on Windows, works fine in FF and IE with one exception. Uploading a file prompts a second auth dialogue (regardless of which browser) and entering credentials to that only causes the browser to hork. I've tested this on XP and 2k3, various browser versions.

What I find interesting about this is that if I set the Internet Connection Settings in the control panel to "auto-detect" I will get the failure even if I explicitly configure Firefox (via about:config) to not do NTLM pass-through.

My current working guess is that Flickr (and the work-related site that uses a somewhat similar ajaxy/flashy uploader) is making a call to Flash and Flash is barfing on the NTLM pass-through, but that's really only a guess.

Steps to reproduce:

1. Set up NTLM auth
2. Connect through the proxy
3. Attempt to upload a photo to Flickr

Steps to work around:

Disable "automatically connect" on the client control panel and auth by hand, or use a non-Windows client and also auth by hand.

Squid.conf here:

    # Generic stuff
    visible_hostname proxy
    http_port 3128
    cache_mgr [redacted]

    # Don't cache ANYTHING
    cache_dir null /tmp

    # Custom error messages are nice
    error_directory /etc/squid/customerrors/amys

    # ShoreTel Client Badly Broken:
    request_entities on

    # Further workarounds for broken ShoreTel:
    acl shoretel url_regex CSISISAPI\.dll/\?
    http_access allow shoretel
    always_direct allow shoretel

    # In Squid 2.6, you have to explicitly declare this:
    access_log /var/log/squid/access.log squid

    # Let's not take forever to shutdown the server, OK?
    shutdown_lifetime 15 seconds

    # Even smart people get confused when their web browser fails
    # trying to find http://bart
    dns_defnames on

    # Let's let some stuff pass unhassled:
    acl directaccess dstdomain "/etc/squid/direct.squid"
    acl unrestricted dstdomain "/etc/squid/unrestricted.squid"
    always_direct allow directaccess
    http_access allow unrestricted

    # NTLM User Authentication
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 10
    auth_param ntlm keep_alive on

    # LDAP User Authentication
    auth_param basic program /usr/lib64/squid/squid_ldap_auth \
        -b "dc=[redacted],dc=net" \
        -D "cn=[redacted],cn=Users,dc=[redacted],dc=net" \
        -w "[redacted]" \
        -f "sAMAccountName=%s" \
        -h ldap
    auth_param basic children 5
    auth_param basic realm Amy's Intranet Login
    auth_param basic credentialsttl 2 hours

    # More generic stuff
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl snmp_manager src [redacted]/255.255.255.255
    acl localhost src 127.0.0.1/255.255.255.255
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 631 # cups
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 901 # SWAT
    acl Safe_ports port 5440 # ShoreTel
    acl Safe_ports port 8000 # Oracle EBS
    acl windowsupdate dstdomain windowsupdate.microsoft.com
    acl windowsupdate dstdomain .update.microsoft.com
    acl windowsupdate dstdomain download.windowsupdate.com
    acl windowsupdate dstdomain redir.metaservices.microsoft.com
    acl windowsupdate dstdomain images.metaservices.microsoft.com
    acl windowsupdate dstdomain c.microsoft.com
    acl windowsupdate dstdomain www.download.windowsupdate.com
    acl windowsupdate dstdomain wustat.windows.com
    acl windowsupdate dstdomain crl.microsoft.com
    acl windowsupdate dstdomain sls.microsoft.com
    acl windowsupdate dstdomain productactivation.one.microsoft.com
    acl windowsupdate dstdomain ntservicepack.microsoft.com
    acl purge method PURGE
    acl CONNECT method CONNECT
    acl wuCONNECT dstdomain www.update.microsoft.com
    acl wuCONNECT dstdomain sls.microsoft.com
    acl FTP proto FTP
    http_access deny !Safe_ports

    #SNMP Config
    snmp_port 3401
    acl snmppublic snmp_community [redacted]
    snmp_access allow snmppublic snmp_manager
    snmp_access allow snmppublic localhost
    snmp_access deny all

    #This prevents squid from even trying to cache
    cache deny all

    # Set up group queries against AD. Don't monkey with the OU.
    external_acl_type InetGroup %LOGIN /usr/lib64/squid/squid_ldap_group \
        -b "dc=[redacted],dc=net" -D "cn=[redacted],cn=Users,dc=[redacted],dc=net" \
        -s sub \
        -w "[redacted]" \
        -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=WebAccess,dc=[redacted],dc=net))" \
        -h ldap

    # Destinations here
    acl fedex dstdomain .fedex.com

    # User groups here
    acl localnet proxy_auth REQUIRED src 10.0.0.0/8
    http_access allow CONNECT wuCONNECT localnet
    http_access allow windowsupdate localnet
    acl AllWebAccess external InetGroup allweb
    acl FedexWebAccess external InetGroup fedexweb
    acl BlockedWebAccess external InetGroup blockedweb
    http_access allow fedex FedexWebAccess
    http_access allow AllWebAccess
    http_access allow !BlockedWebAccess
    http_access deny all
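
A diagnostic for the symptom described above, added here as an example and not part of the original post: it reads the native-format log that the `access_log ... squid` line writes and lists requests that only ever received 407 challenges. The sample log lines, the function names and the `min_denied` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in Squid's native log format, which is what
# "access_log /var/log/squid/access.log squid" in the posted config writes:
# time elapsed client result/status bytes method URL user peer type
SAMPLE_LOG = """\
1190000000.101      2 10.1.2.3 TCP_DENIED/407 1800 GET http://www.example.com/ - NONE/- text/html
1190000000.150      3 10.1.2.3 TCP_DENIED/407 2100 GET http://www.example.com/ - NONE/- text/html
1190000000.420    250 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.com/ jdoe DIRECT/192.0.2.10 text/html
1190000010.300      2 10.1.2.3 TCP_DENIED/407 1800 POST http://upload.example.com/put - NONE/- text/html
1190000010.360      4 10.1.2.3 TCP_DENIED/407 2100 POST http://upload.example.com/put - NONE/- text/html
1190000031.900      3 10.1.2.3 TCP_DENIED/407 1800 POST http://upload.example.com/put - NONE/- text/html
1190000032.010      2 10.1.2.3 TCP_DENIED/407 2100 POST http://upload.example.com/put - NONE/- text/html
"""


def parse_line(line):
    """Split one native-format line; return None if it is malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    result, _, status = f[3].partition("/")
    if not status.isdigit():
        return None
    return {"client": f[2], "result": result, "status": int(status),
            "method": f[5], "url": f[6], "user": f[7]}


def stuck_on_auth(lines, min_denied=3):
    """Return requests that drew repeated 407s and never got any other reply.

    An NTLM handshake normally logs two 407s and then the real response, so
    min_denied=3 (an assumption, tune it) skips a handshake cut off midway.
    """
    denied = defaultdict(int)
    completed = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["method"], rec["url"])
        if rec["status"] == 407:
            denied[key] += 1
        else:
            completed.add(key)
    return sorted(k + (n,) for k, n in denied.items()
                  if n >= min_denied and k not in completed)


if __name__ == "__main__":
    for client, method, url, n in stuck_on_auth(SAMPLE_LOG.splitlines()):
        print(f"{client} {method} {url}: {n} x 407, never completed")
```

Run against the real access.log while reproducing the upload, the output shows whether the failing request is a POST that keeps being challenged, and from which client address.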