Francesco Collini wrote:
Hello,
i am experiencing problem with some remote websites that use IIS and
ntlm windows authentication.
The problems persist with 2.6 and 3.1 version, too.
I tried to add: http_port 3128 connection-auth=on but no results.
Is there a solution?
* NTLM websites assume that every piece of HTTP browser and proxy
software supports Microsoft proprietary protocols and connection pinning.
* You are assuming that your proxy is the only proxy in the chain.
Neither if those are likely to be true.
NTLM websites can work locally on a LAN where all software has a chance
of being controlled with the requirement of supporting NTLM. Over the
general Internet it's a non-starter.
Using HTTPS instead of HTTP *almost* guarantees the end-to-end
connection NTLM requires. I say almost because middle-proxies are now
also decrypting HTTPS and proxying it in some places.
The solution is to get the website to use a method of authentication
which works outside walled-garden LANs. Digest auth designed
specifically for high security over HTTP is available. Basic auth is the
'normal' low-security method.
The alternative is to find every proxy in the middle between you and
those sites, and get their admin to turn on connection pinning just for you.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.5
