We are using a debian-Package of Squid 2.7 Stable3 on a Debian Lenny machine with ncsa-auth configured, acting as a central Internet-Proxy. All Users/Passwords are stored in /etc/squid/passwd on localhost and only authenticated users are allowed to surf on sites outside the intranet. There are no problems with authentication so far. But we have a problem playing videos from the side http://www.wdr.de, they do provide media-streams based on flash, for example: http://www.wdr.de/mediathek/html/regional/2009/07/30/aktuelle-stunde-kuendigung.xml Those pages can be accessed without problems and the starting picture of the video is displayed. When we try to play the video we are receiving "network error" and "file not found" within the flasharea-window after a few seconds. There is no problem playing an audio stream from this site or flash-videos for example from youtube.com or golem.de Our Clients, always with flashplugin installed: Firefox 3.5 (Win), Firefox 3.6 (Linux) and Chrome (Linux) . In the access.log we can see an authenticated user "test" surfin on www.wdr.de. When starting the video it would seem that he lost his authentication information and then ends in tcp-denied/407. When disabling NCSA-AUTH in squid, we can play the videos without any problems. extract of our squid.conf ======================= http_port 8080 hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY cache_mem 32 MB cache_dir ufs /var/spool/squid 1024 16 16 cache_access_log /var/log/squid/access.log cache_log /var/log/squid/cache.log cache_store_log /var/log/squid/store.log mime_table /etc/squid/mime.conf log_mime_hdrs on ftp_user anonymous@xxxxxxxxxxxx dns_nameservers 192.xxx.y.z redirect_program /usr/local/bin/squidGuard -c /etc/squid/squidguard.conf redirect_children 10 auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd auth_param basic children 5 auth_param basic realm Anmeldung am internen Proxy auth_param basic credentialsttl 2 hours acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl SSL_ports port 443 563 1494 2598 1604 acl Safe_ports port 80 acl Safe_ports port 21 acl Safe_ports port 443 563 acl Safe_ports port 1025-65535 acl CONNECT method CONNECT acl anwender proxy_auth REQUIRED acl sysadmins proxy_auth "/etc/squid/sysadmins" acl intranet src 172.16.10.0/24 acl wochentag time SMTWHFA http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow sysadmins http_access deny !wochentag http_access deny !anwender http_access allow intranet http_access allow localhost http_access deny all icp_access deny all cache_effective_user proxy cache_effective_group proxy logfile_rotate 0 cachemgr_passwd none info menu icon_directory /usr/share/squid/icons forwarded_for off icp_port 0 ================================= extract of access.log: ================================= 1278570915.514 39 172.16.19.222 TCP_MISS/200 647 GET http://www.wdr.de/mediathek/codebase/img/icon/pfeil-im-kreis-reiterdunkel.gif;jsessionid=4799D61CDD27EBD84D4961AD11F40B09.mediathek4 test DIRECT/149.219.195.51 image/gif [Host: www.wdr.de\r\nProxy-Connection: keep-alive\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4\r\nReferer: http://www.wdr.de/mediathek/html/regional/rueckschau/lokalzeit_ruhr.xml\r\nProxy-Authorization: Basic dGVzdDp0c3N0YXJ0\r\nAccept: */*\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\nCookie: JSESSIONID=4799D61CDD27EBD84D4961AD11F40B09.mediathek4\r\n] [HTTP/1.0 200 OK\r\nDate: Thu, 08 Jul 2010 06:35:15 GMT\r\nServer: Apache\r\nLast-Modified: Tue, 28 Aug 2007 17:55:02 GMT\r\nETag: "3df1eb-f8-438c62c22c980"\r\nAccept-Ranges: bytes\r\nContent-Length: 248\r\nContent-Type: image/gif\r\nX-Cache: MISS from proxy.local\r\nX-Cache-Lookup: MISS from proxy.local:8080\r\nVia: 1.1 proxy.local:8080 (squid/2.7.STABLE3)\r\nConnection: keep-alive\r\nProxy-Connection: keep-alive\r\n\r] 1278570915.534 64 172.16.19.222 TCP_MISS/302 524 GET http://wdr.ivwbox.de/cgi-bin/ivw/CP/;www.wdr.de/mediathek/html/regional/rueckschau/2010/07/07/lokalzeit_ruhr.xml?r=http%3A//www.wdr.de/studio/essen/lokalzeit/beitrag02.html test DIRECT/149.219.195.195 text/plain [Host: wdr.ivwbox.de\r\nProxy-Connection: keep-alive\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4\r\nReferer: http://www.wdr.de/mediathek/html/regional/rueckschau/lokalzeit_ruhr.xml\r\nProxy-Authorization: Basic dGVzdDp0c3N0YXJ0\r\nAccept: */*\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\nCookie: srp=00e54c35718a85c20006\r\n] [HTTP/1.0 302 Moved Temporarily\r\nServer: srp/2ac\r\nDate: Thu, 08 Jul 2010 06:35:14 GMT\r\nLast-Modified: Tue, 22 Aug 2000 15:05:01 GMT\r\nPragma: no-cache\r\nCache-Control: no-cache, must-revalidate\r\nExpires: 0\r\nP3P: policyref="http://www.ivwbox.de/p3p.xml";, CP="NOI DSP PSAo OUR NOR UNI"\r\nSet-Cookie: srp=00e54c35718a85c20006; path=/\r\nLocation: /blank.gif\r\nContent-Type: text/plain\r\nX-Cache: MISS from proxy.local\r\nX-Cache-Lookup: MISS from proxy.local:8080\r\nVia: 1.0 proxy.local:8080 (squid/2.7.STABLE3)\r\nConnection: close\r\n\r] 1278570928.401 239 172.16.19.222 TCP_MISS/302 524 GET http://wdr.ivwbox.de/cgi-bin/ivw/CP/;www.wdr.de/mediathek/medien/videos_gffstream.fcod.llnwd.net_a792_e1_mp4:media_extern_loke_20100707_144098_web-m.mp4?r=http%3A//www.wdr.de/mediathek/html/regional/rueckschau/lokalzeit_ruhr.xml test DIRECT/149.219.195.195 text/plain [Host: wdr.ivwbox.de\r\nProxy-Connection: keep-alive\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4\r\nReferer: http://www.wdr.de/themen/global/flashplayer/wsPlayer.swf\r\nProxy-Authorization: Basic dGVzdDp0c3N0YXJ0\r\nAccept: */*\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\nCookie: srp=00e54c35718a85c20006\r\n] [HTTP/1.0 302 Moved Temporarily\r\nServer: srp/2ac\r\nDate: Thu, 08 Jul 2010 06:35:27 GMT\r\nLast-Modified: Tue, 22 Aug 2000 15:05:01 GMT\r\nPragma: no-cache\r\nCache-Control: no-cache, must-revalidate\r\nExpires: 0\r\nP3P: policyref="http://www.ivwbox.de/p3p.xml";, CP="NOI DSP PSAo OUR NOR UNI"\r\nSet-Cookie: srp=00e54c35718a85c20006; path=/\r\nLocation: /blank.gif\r\nContent-Type: text/plain\r\nX-Cache: MISS from proxy.local\r\nX-Cache-Lookup: MISS from proxy.local:8080\r\nVia: 1.0 proxy.local:8080 (squid/2.7.STABLE3)\r\nConnection: close\r\n\r] 1278570929.836 0 172.16.19.222 TCP_DENIED/407 1822 POST http://gffstream.fcod.llnwd.net/fcs/ident2 - NONE/- text/html [Host: gffstream.fcod.llnwd.net\r\nPragma: no-cache\r\nAccept: */*\r\nAccept-Encoding: deflate, gzip\r\nProxy-Connection: Keep-Alive\r\nUser-Agent: Shockwave Flash\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type: application/x-fcs\r\nContent-Length: 1\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid/2.7.STABLE3\r\nDate: Thu, 08 Jul 2010 06:35:29 GMT\r\nContent-Type: text/html\r\nContent-Length: 1360\r\nExpires: Thu, 08 Jul 2010 06:35:29 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: Basic realm="Anmeldung am internen Proxy "\r\nX-Cache: MISS from proxy.local\r\nX-Cache-Lookup: NONE from proxy.local:8080\r\nVia: 1.0 proxy.local:8080 (squid/2.7.STABLE3)\r\nConnection: close\r\n\r] 1278570929.843 0 172.16.19.222 TCP_DENIED/407 1810 POST http://gffstream.fcod.llnwd.net/open/1 - NONE/- text/html [Host: gffstream.fcod.llnwd.net\r\nPragma: no-cache\r\nAccept: */*\r\nAccept-Encoding: deflate, gzip\r\nProxy-Connection: Keep-Alive\r\nUser-Agent: Shockwave Flash\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type: application/x-fcs\r\nUser-Agent: Shockwave Flash\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type: application/x-fcs\r\nContent-Length: 1\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid/2.7.STABLE3\r\nDate: Thu, 08 Jul 2010 06:35:29 GMT\r\nContent-Type: text/html\r\nContent-Length: 1348\r\nExpires: Thu, 08 Jul 2010 06:35:29 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: Basic realm="Anmeldung am internen Proxy "\r\nX-Cache: MISS from proxy.local\r\nX-Cache-Lookup: NONE from proxy.local:8080\r\nVia: 1.0 proxy.local:8080 (squid/2.7.STABLE3)\r\nConnection: close\r\n\r] 1278570931.992 0 172.16.19.222 TCP_DENIED/407 1822 POST http://gffstream.fcod.llnwd.net/fcs/ident2 - NONE/- text/html [Host: gffstream.fcod.llnwd.net\r\nPragma: no-cache\r\nAccept: */*\r\nAccept-Encoding: deflate, gzip\r\nProxy-Connection: Keep-Alive\r\nUser-Agent: Shockwave Flash\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type: application/x-fcs\r\nContent-Length: 1\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid/2.7.STABLE3\r\nDate: Thu, 08 Jul 2010 06:35:31 GMT\r\nContent-Type: text/html\r\nContent-Length: 1360\r\nExpires: Thu, 08 Jul 2010 06:35:31 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: Basic realm="Anmeldung am internen Proxy "\r\nX-Cache: MISS from proxy.local\r\nX-Cache-Lookup: NONE from proxy.local:8080\r\nVia: 1.0 proxy.local:8080 (squid/2.7.STABLE3)\r\nConnection: close\r\n\r] 1278570931.996 0 172.16.19.222 TCP_DENIED/407 1810 POST http://gffstream.fcod.llnwd.net/open/1 - NONE/- text/html [Host: gffstream.fcod.llnwd.net\r\nPragma: no-cache\r\nAccept: */*\r\nAccept-Encoding: deflate, gzip\r\nProxy-Connection: Keep-Alive\r\nUser-Agent: Shockwave Flash\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type: application/x-fcs\r\nUser-Agent: Shockwave Flash\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nContent-Type: application/x-fcs\r\nContent-Length: 1\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid/2.7.STABLE3\r\nDate: Thu, 08 Jul 2010 06:35:31 GMT\r\nContent-Type: text/html\r\nContent-Length: 1348\r\nExpires: Thu, 08 Jul 2010 06:35:31 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: Basic realm="Anmeldung am internen Proxy "\r\nX-Cache: MISS from proxy.local\r\nX-Cache-Lookup: NONE from proxy.local:8080\r\nVia: 1.0 proxy.local:8080 (squid/2.7.STABLE3)\r\nConnection: close\r\n\r] ================
