Hi Amos

I am using squid.2.7.STABLE7. Following is my configuration. I want to allow everything.

http_port 192.168.11.35:3128 transparent
acl from_localhost src 192.168.11.35
http_port 10.102.79.82:3128 transparent
acl from_localhost src 10.102.79.82
http_port 10.102.79.82:3128 transparent
acl from_localhost src 10.102.79.82
visible_hostname hostname
acl foreign_networksAux1 dst
acl foreign_networksapA dst 0.0.0.0/0
tcp_outgoing_address 192.168.11.35 foreign_networksAux1
tcp_outgoing_address 10.102.79.82 foreign_networksapA
access_log none
cache_log /dev/null
cache_mem 8 MB
cache_dir aufs /squid/var/cache/small 1500 9 256 max-size=10000
cache_dir aufs /squid/var/cache/medium 4500 6 256 max-size=1000000
cache_dir aufs /squid/var/cache/large 4000 3 256
maximum_object_size 1000 MB
log_mime_hdrs off
max_open_disk_fds 400
maximum_object_size_in_memory 16 KB
debug_options ALL,1
cache_store_log none
pid_filename /squid/logs/squid.pid
debug_options ALL,1
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl all_dst dst 0.0.0.0/0.0.0.0
http_access allow manager from_localhost
http_access deny manager
http_access allow all all_dst
icp_access deny all
icp_port 0
htcp_port 0
#this is the directory where core-dump from squid will be kept
coredump_dir /squid/var
log_fqdn off
fqdncache_size 8192
ipcache_size 8192
minimum_object_size 512 bytes
quick_abort_min -1 KB
hierarchy_stoplist cgi-bin ?
acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback.*id)
acl store_rewrite_list1 dstdomain .youtube.com .video.google.com \/(get_video\?|videodownload\?|videoplayback.*id)
storeurl_access allow store_rewrite_list store_rewrite_list1
storeurl_rewrite_program /orbital/current/squid/storeurl.pl
storeurl_rewrite_children 1
storeurl_rewrite_concurrency 10
redirector_bypass on
#this refresh_pattern is for caching youtube videos
refresh_pattern (get_video\?|videoplayback\?|videodownload\?) 5259487 99999999% 5259487 ignore-private ignore-no-cache override-expire
refresh_pattern ^ftp: 1 50% 10080
refresh_pattern ^gopher: 1 0% 1440
refresh_pattern -i \.(gif|jpg|jpeg|tif|png|ico|bmp)$ 0 50% 6000 ignore-no-cache
refresh_pattern -i \.(wma|wmv|avi|mpeg|ram|mp3|mpg|flv)$ 60 200% 10080 ignore-no-cache override-expire ignore-private
refresh_pattern -i \.(3gp|mp4|rm|ram|mov|m4v|qt)$ 60 200% 10080 ignore-no-cache override-expire ignore-private
refresh_pattern -i \.(cab|exe|gzip|gz|zip|rpm|bin|dat|psf|bz2)$ 0 20% 14400
refresh_pattern -i \.(swf|css|js)$ 0 50% 10000
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 1 20% 1440
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 1 20% 1440
refresh_pattern -i \.(htm|html|asp|jsp|shtml|dhtml|php)$ 0 0% 0
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
#extension_methods dddxxx
cache_effective_user squid
cache_effective_group squid
client_persistent_connections on
server_persistent_connections on
logfile_rotate 0
ie_refresh on
request_entities on
pipeline_prefetch on
strip_query_terms off
minimum_direct_hops 0
minimum_direct_rtt 0
log_icp_queries off
# Shorten timeouts
negative_ttl 5 minutes
connect_timeout 1 minute
peer_connect_timeout 30 seconds
read_timeout 15 minutes
request_timeout 5 minutes
half_closed_clients off
pconn_timeout 1 minute

Regards,
Saurabh

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Tuesday, February 01, 2011 12:12 PM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Authentication to Sharepoint not happening

On 01/02/11 19:27, Saurabh Agarwal wrote:
> Hi All
>
> I am running Squid as a transparent proxy and can't authenticate to sharepoint server. If I bypass squid then everything works fine.
>
> I have not compiled Squid with any of the authentication related configurables
>
> --enable-auth="basic,digest,ntlm,negotiate" --enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL" --enable-negotiate-auth-helpers="squid_kerb_auth" --enable-cache-digests --enable-ntlm-auth-helpers="SMB,fakeauth" --enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group".
>
> I see that sharepoint sends squid the following http headers in HTTP 401 response
>
> WWW-Authenticate: Negotiate\r\n
> WWW-Authenticate: NTLM\r\n
>
> But squid is not forwarding these headers to the client? If I bypass squid then everything works fine.
>
> Can someone please help here?

Negotiate and NTLM both require HTTP/1.1 persistent connections and also some major hacks called connection pinning. Not all Squid support these equally.

What version of Squid are you using? and with what configuration?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4
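
The persistent-connection and connection-pinning requirement mentioned in the reply above, as an added example that is not part of the original thread and is not Squid code: NTLM authenticates a connection rather than a single request, so the challenge and the response must travel over the same server connection. The Proxy and ServerConn classes, the password and the HMAC stand-in for the real NTLM type-3 computation are all assumptions made for this model.

```python
import hashlib, hmac, itertools, secrets

PASSWORD = b"constructed-password"           # constructed sample credential

def ntlm_like_response(nonce):
    # Simplified stand-in for the NTLM type-3 computation (assumption).
    return hmac.new(PASSWORD, nonce, hashlib.sha256).hexdigest()

class ServerConn:
    """One TCP connection to the origin; the challenge lives on the connection."""
    def __init__(self):
        self.nonce = None
        self.authenticated = False

    def request(self, auth=None):
        if self.authenticated:
            return 200, None
        if auth == "type1":                  # negotiate: issue a fresh challenge
            self.nonce = secrets.token_bytes(8)
            return 401, self.nonce
        if self.nonce is not None and auth == ntlm_like_response(self.nonce):
            self.authenticated = True
            return 200, None
        self.nonce = None                    # anything else restarts the handshake
        return 401, None

class Proxy:
    """Hypothetical proxy holding a pool of persistent server connections."""
    def __init__(self, pinning, pool_size=2):
        self.pinning = pinning
        self.next_conn = itertools.cycle([ServerConn() for _ in range(pool_size)])
        self.pinned = {}                     # client connection -> server connection

    def forward(self, client, auth=None):
        if not self.pinning:                 # any pooled connection will do
            return next(self.next_conn).request(auth)
        if client not in self.pinned:        # pin on first use, reuse afterwards
            self.pinned[client] = next(self.next_conn)
        return self.pinned[client].request(auth)

def handshake(proxy, client="client-A"):
    """Client side of the three-step exchange; returns the status codes seen."""
    seen = [proxy.forward(client)[0]]        # anonymous request, expect 401
    status, nonce = proxy.forward(client, "type1")
    seen.append(status)
    seen.append(proxy.forward(client, ntlm_like_response(nonce))[0])
    return seen

if __name__ == "__main__":
    print("pinned:  ", handshake(Proxy(pinning=True)))
    print("unpinned:", handshake(Proxy(pinning=False)))
```

With a pool of one connection the unpinned proxy appears to work, which is why this kind of failure often shows up only under load.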