Hi there,
We've got 2.6 stable running as logging only server, no caching going on.
Users are authenticated via NTLM if they're on Windows, works fine in FF and
IE with one exception. Uploading a file prompts a second auth dialogue
(regardless of which browser) and entering credentials to that only causes
the browser to hork. I've tested this on XP and 2k3, various browser
versions.
What I find interesting about this is that if I set the Internet Connection
Settings in the control panel to "auto-detect" I will get the failure even
if I explicitly configure FireFox (via about:config) to not do NTLM
pass-through. My current working guess is that Flickr (and the work-related
site that uses a somewhat similar ajaxy/flashy uploader) is making a call to
Flash and Flash is barfing on the NTLM pass-through, but that's really only
a guess.
Steps to reproduce:
Setup NTLM auth
Connect through the proxy
Attempt to upload a photo to Flickr
Steps to work around:
Disable "automatically connect" on the client control panel and auth by
hand, or use a non-windows client and also auth by hand.
Squid.conf here:
# Generic stuff
visible_hostname proxy
http_port 3128
cache_mgr [redacted]
# Don't cache ANYTHING
cache_dir null /tmp
# Custom error messages are nice
error_directory /etc/squid/customerrors/amys
# ShoreTel Client Badly Broken:
request_entities on
# Further workarounds for broken ShoreTel:
acl shoretel url_regex CSISISAPI\.dll/\?
http_access allow shoretel
always_direct allow shoretel
# In Squid 2.6, you have to explicitly declare this:
access_log /var/log/squid/access.log squid
# Let's not take forever to shutdown the server, OK?
shutdown_lifetime 15 seconds
# Even smart people get confused when their web browser fails
# trying to find http://bart
dns_defnames on
# Let's let some stuff pass unhassled:
acl directaccess dstdomain "/etc/squid/direct.squid"
acl unrestricted dstdomain "/etc/squid/unrestricted.squid"
always_direct allow directaccess
http_access allow unrestricted
# NTLM User Authentication
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
# LDAP User Authentication
auth_param basic program /usr/lib64/squid/squid_ldap_auth \
-b "dc=[redacted],dc=net" \
-D "cn=[redacted],cn=Users,dc=[redacted],dc=net" \
-w "[redacted]" \
-f "sAMAccountName=%s" \
-h ldap
auth_param basic children 5
auth_param basic realm Amy's Intranet Login
auth_param basic credentialsttl 2 hours
# More generic stuff
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl snmp_manager src [redacted]/255.255.255.255
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl Safe_ports port 5440 # ShoreTel
acl Safe_ports port 8000 # Oracle EBS
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl purge method PURGE
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
acl FTP proto FTP
http_access deny !Safe_ports
#SNMP Config
snmp_port 3401
acl snmppublic snmp_community [redacted]
snmp_access allow snmppublic snmp_manager
snmp_access allow snmppublic localhost
snmp_access deny all
#This prevents squid from even trying to cache
cache deny all
# Set up group queries against AD. Don't monkey with the OU.
external_acl_type InetGroup %LOGIN /usr/lib64/squid/squid_ldap_group \
-b "dc=[redacted],dc=net" -D "cn=[redacted],cn=Users,dc=[redacted],dc=net" \
-s sub \
-w "[redacted]" \
-f
"(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=WebAccess,dc=[r
edacted],dc=net))" \
-h ldap
# Destinations here
acl fedex dstdomain .fedex.com
# User groups here
acl localnet proxy_auth REQUIRED src 10.0.0.0/8