Re: TCP_DENIED/407 when using NCSA-AUTH and video streaming

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Werner Opriel wrote:
> Am Sonntag, 11. Juli 2010 schrieb Amos Jeffries:
> > Werner Opriel wrote:
> > > We are using a debian-Package of Squid 2.7 Stable3 on a Debian Lenny
> > > machine with ncsa-auth configured, acting as a central Internet-Proxy.
> > >
> > > All Users/Passwords are stored in /etc/squid/passwd on localhost and only
> > > authenticated users are allowed to surf on sites outside the intranet.
> > > There are no problems with authentication so far.
> > >
> > > But we have a problem playing videos from the side http://www.wdr.de,
> > > they do provide media-streams based on flash, for example:
> > > http://www.wdr.de/mediathek/html/regional/2009/07/30/aktuelle-stunde-kuen
> > > digung.xml
> > >
> > > Those pages can be accessed without problems and the starting picture of
> > > the video is displayed. When we try to play the video we are receiving
> > > "network error" and "file not found" within the flasharea-window after a
> > > few seconds. There is no problem playing an audio stream from this site
> > > or flash-videos for example from youtube.com or golem.de
> > >
> > > Our Clients, always with flashplugin installed:
> > > Firefox 3.5 (Win), Firefox 3.6 (Linux) and Chrome (Linux) .
> > >
> > > In the access.log we can see an authenticated user "test" surfin on
> > > www.wdr.de.
> > > When starting the video it would seem that he lost his authentication
> > > information and then ends in tcp-denied/407.
> > > When disabling NCSA-AUTH in squid, we can play the videos without any
> > > problems.
> > <snip>
> >
> > It's clear the flash player is making it's own background HTTP requests
> > and not sending credentials. This is a flash player problem.
> >
> > You have a choice of putting up with it or letting the player through
> > your Squid without authentication. The headers you log show a few things
> > like User-Agent, source website and Content-Type you could match on to
> > identify its requests.
>
> Thanks Amos. 
> But can you give me a hint how i have to configure squid for letting the 
> flashplayer through it without authentication?

Already did. The third sentence I wrote says "The headers you log show a 
few things like ... you could match on".

http://www.squid-cache.org/Doc/config/acl/  see req_header ACL type.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.5