On 2/19/10 6:11 PM, "Amos Jeffries" <squid3@xxxxxxxxxxxxx> wrote:

> Mike Ely wrote:
>> On 2/17/10 4:10 PM, "Mike Ely" <mikeely@xxxxxxxxxxxxxxx> wrote:
>>
>>> Hi there,
>>>
>>> We've got 2.6 stable running as a logging-only server, no caching going on.
>>> Users are authenticated via NTLM if they're on Windows; works fine in FF and
>>> IE with one exception. Uploading a file prompts a second auth dialogue
>>> (regardless of which browser) and entering credentials to that only causes
>>> the browser to hork. I've tested this on XP and 2k3, various browser
>>> versions.
>>>
>>> What I find interesting about this is that if I set the Internet Connection
>>> Settings in the control panel to "auto-detect" I will get the failure even
>>> if I explicitly configure FireFox (via about:config) to not do NTLM
>>> pass-through. My current working guess is that Flickr (and the work-related
>>> site that uses a somewhat similar ajaxy/flashy uploader) is making a call to
>>> Flash and Flash is barfing on the NTLM pass-through, but that's really only
>>> a guess.
>>>
>>> Steps to reproduce:
>>> Set up NTLM auth
>>> Connect through the proxy
>>> Attempt to upload a photo to Flickr
>>>
>>> Steps to work around:
>>> Disable "automatically connect" on the client control panel and auth by
>>> hand, or use a non-Windows client and also auth by hand.
>>>
>>>
>>>
>>> Squid.conf here:
>
> <snip>
>
>>>
>>> # Destinations here
>>> acl fedex dstdomain .fedex.com
>>>
>>> # User groups here
>>> acl localnet proxy_auth REQUIRED src 10.0.0.0/8
>
> 1) "proxy_auth" ACL type accepts a list of usernames OR the word
> "REQUIRED" to accept any valid username.
>
> 2) "proxy_auth REQUIRED src" has never been valid AFAICT. The "src ..."
> bit has silently been discarded by all Squid 2.6+ I'm aware of.
>
> 3) If I'm wrong about (2) being discarded then the effect will be that
> the username "src" or "10.0.0.0/8" with no password might possibly be
> used to login on your Squid.
>
> 4) Without IP address range checks there is no restriction on where the
> logins may be done from.
>
>>> http_access allow CONNECT wuCONNECT localnet
>
> 'localnet' requires authentication and will challenge.
>
>>> http_access allow windowsupdate localnet
>
> 'localnet' requires authentication and will challenge.
>
> NOTE: 'localnet' being one of the default Squid-3 ACLs, all documentation
> you will find anywhere will assume that it retains that default type
> (which is to match source IP address only).
>
>
> SOLUTION:
> Create a new name for your login ACL and use that where login is needed.
> Revert localnet to IP range "src" type and use that where appropriate
> as well.
>
> <snip again>
>
> The notes I've added above in your config should help out a LOT.
> Get those corrected and we can work on the additional fix after that.
>
> Amos

Hi Amos,

Thanks for the reply. Per your suggestions, I've created a test server
running 2.7.STABLE7 and rebuilt the config (which I'll append below).
Unfortunately this doesn't change the original issue with file uploads.
The client machine thinks it's getting regular proxy stuff due to an edited
hosts file, and I'm verifying through logs that it's hitting the test server
I want it to use. Then again, maybe I simply misunderstood you and
misconfigured it again...

Cheers,
Mike

Revised squid.conf (and includes):

# Generic stuff
visible_hostname proxy
http_port 3128
cache_mgr support@domain

# Don't cache ANYTHING
cache_dir null /tmp

# Custom error messages are nice
error_directory /etc/squid/customerrors/amys

# ShoreTel Client Badly Broken:
request_entities on

# Further workarounds for broken ShoreTel:
acl shoretel url_regex CSISISAPI\.dll/\?
http_access allow shoretel
always_direct allow shoretel

# You have to explicitly declare these:
access_log /var/log/squid/access.log squid
pid_filename /var/run/squid.pid

# Let's not take forever to shutdown the server, OK?
shutdown_lifetime 15 seconds

# Even smart people get confused when their web browser fails
# trying to find http://bart
dns_defnames on

# Let's let some stuff pass unhassled:
acl directaccess dstdomain "/etc/squid/direct.squid"
acl unrestricted dstdomain "/etc/squid/unrestricted.squid"
always_direct allow directaccess
http_access allow unrestricted

# NTLM User Authentication
(ntlm stuff here)

# LDAP User Authentication
(ldap stuff here)

# Include the ACLs (I'm putting them in-line here for clarity)
include /etc/squid/acls/generic.acl
include /etc/squid/acls/ports.acl
include /etc/squid/acls/dests.acl

(generic.acl)
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl snmp_manager src 10.1.6.81/255.255.255.255
acl localhost src 127.0.0.1/255.255.255.255
acl purge method PURGE
acl CONNECT method CONNECT
acl FTP proto FTP

(ports.acl)
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 5440        # ShoreTel
acl Safe_ports port 8000        # Oracle EBS

(dests.acl)
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

auth_param basic children 5
auth_param basic realm "Amy's Intranet Login"
auth_param basic credentialsttl 2 hours

# Some sanity-checking for outbound port selection
http_access deny !Safe_ports

#SNMP Config
(snmp stuff here)

#This prevents squid from even trying to cache
cache deny all

# Set up group queries against AD. Don't monkey with the OU.
(more ldap stuff here)

# Destinations here
acl fedex dstdomain .fedex.com

# Start allowing things out
http_access allow CONNECT wuCONNECT all
http_access allow windowsupdate all
acl amysnet proxy_auth REQUIRED src 10.0.0.0/8
acl AllWebAccess external InetGroup allweb
acl FedexWebAccess external InetGroup fedexweb
acl BlockedWebAccess external InetGroup blockedweb
http_access allow fedex FedexWebAccess
http_access allow AllWebAccess
http_access allow !BlockedWebAccess
http_access deny all
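Added example, not code from this thread or from the Squid project: a small Python check for the misconfiguration Amos describes in points 1 to 4. A "proxy_auth" ACL takes either the word REQUIRED or a list of usernames, so tokens such as "src 10.0.0.0/8" on the same line are not a source-address restriction; per Amos they are either discarded or read as usernames. The checker flags such lines, proposes the split he recommends (a login ACL plus a separate "src" ACL), and lists the http_access lines that reference the old name so each can be assigned the right one. The sample config is constructed for the example and is shaped like the one above; it is not the real file.

```python
"""Lint squid.conf ACL lines for the "proxy_auth REQUIRED src ..." mistake.

Added example, not from the thread or the Squid project. The proxy_auth ACL
type takes either REQUIRED or a list of usernames; any other tokens on the
line (e.g. "src 10.0.0.0/8") are not an address check and leave logins
unrestricted by source. The checker flags such lines and suggests the fix
described in the thread: one login ACL and one separate "src" ACL.
"""
import ipaddress

# Constructed sample, shaped like the config in the thread (not the real file).
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl amysnet proxy_auth REQUIRED src 10.0.0.0/8   # intended: login AND 10/8
acl staff proxy_auth alice bob
acl CONNECT method CONNECT
http_access allow CONNECT amysnet
http_access deny all
"""


def looks_like_network(tok):
    """True if tok parses as an IPv4/IPv6 network (CIDR or addr/netmask)."""
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False


def strip_comment(raw):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return raw.split("#", 1)[0].strip()


def parse_acl(line):
    """Split 'acl NAME TYPE ARGS...' into (name, type, args); None otherwise."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "acl":
        return None
    return parts[1], parts[2], parts[3:]


def http_access_uses(conf_lines, acl_name):
    """1-based line numbers of http_access directives that reference acl_name."""
    hits = []
    for lineno, raw in enumerate(conf_lines, 1):
        parts = strip_comment(raw).split()
        if len(parts) >= 3 and parts[0] == "http_access":
            # ACL names may be negated with a leading '!'.
            if acl_name in (p.lstrip("!") for p in parts[2:]):
                hits.append(lineno)
    return hits


def lint_proxy_auth(conf_text):
    """Return findings for proxy_auth ACLs that carry tokens besides REQUIRED.

    Each finding holds the line number, ACL name, the stray tokens, the
    suggested replacement ACL lines and the http_access lines to review.
    """
    conf_lines = conf_text.splitlines()
    findings = []
    for lineno, raw in enumerate(conf_lines, 1):
        parsed = parse_acl(strip_comment(raw))
        if parsed is None:
            continue
        name, acl_type, args = parsed
        if acl_type != "proxy_auth" or "REQUIRED" not in args or args == ["REQUIRED"]:
            continue
        stray = [a for a in args if a != "REQUIRED"]
        suggested = [f"acl {name}_login proxy_auth REQUIRED"]
        nets = stray[1:] if stray and stray[0] == "src" else []
        if nets and all(looks_like_network(n) for n in nets):
            # The author clearly meant an address range: make it a real src ACL.
            suggested.append(f"acl {name} src {' '.join(nets)}")
        findings.append({
            "line": lineno,
            "name": name,
            "stray": stray,
            "suggested": suggested,
            "used_on_lines": http_access_uses(conf_lines, name),
        })
    return findings


if __name__ == "__main__":
    for f in lint_proxy_auth(SAMPLE_CONF):
        print(f"line {f['line']}: acl '{f['name']}' carries non-auth tokens {f['stray']}")
        for s in f["suggested"]:
            print("  suggest:", s)
        print("  review http_access lines using the old name:", f["used_on_lines"])
```

Run it against a real squid.conf by reading the file into lint_proxy_auth(); the "_login" suffix on the suggested ACL name is an assumption of this example, not a Squid convention. Where an http_access line gates something that should not prompt for credentials (the Windows Update rules in the thread are the case Amos calls out), use the "src" ACL there and keep the login ACL for rules where a challenge is wanted.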