Hi,
I noticed a few people have downloaded my logs - has anyone found
anything useful? It does appear to be a bug to me, but if it is a change
in behaviour I'd be happy for any hints to fix my config.
All the best
Alex
Further to my original post, I've found that NTLM auth does not work
with CONNECT requests from clients in 3.2. I use a similar config to
that I'm using in production in 2.7.
I have disabled ssl-bump and dynamic SSL until I can resolve this.
I do *not* have to "add http_access allow CONNECT" before "http_access
deny CONNECT !SSL_ports " in my production config, which seems correct
as otherwise unauthorised users could use CONNECT.
Here is the config I am testing, which works fine for plain HTTP traffic:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 30
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type nt_group ttl=20 children=40 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
always_direct allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow AuthorizedUsers
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow all AuthorizedUsers
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_mem 2048 MB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir diskd /var/spool/squid3 360000 64 512
debug_options ALL,3
coredump_dir /var/cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
dns_defnames on
However, CONNECT requests do not work: the client sits forever waiting
for data, while squid does not match against "AuthorizedUsers" and
attempts to return an error page:
Logs are available here:
http://www.nanogherkin.com/nonssl_cache.log.gz
http://www.nanogherkin.com/ssl_cache.log.gz
Any help much appreciated.
Regards
Alex
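On the rule-ordering point raised above (whether "deny CONNECT !SSL_ports" must sit before the auth rule): the following is an added example, not the poster's config and not Squid code, that models Squid's first-match http_access evaluation over the posted rules and compares the posted order with one where the CONNECT port restriction precedes "allow AuthorizedUsers". The ACL behaviours are simplified stand-ins, the manager rules are omitted, and the client address 10.0.0.5 is a constructed input.

```python
# Added example: a simplified model of Squid's first-match http_access
# evaluation (not Squid code, not the poster's config).
from dataclasses import dataclass

@dataclass
class Request:
    method: str
    port: int
    src: str
    authenticated: bool = False

def acl_matches(name, req):
    """Simplified stand-ins for the ACLs defined in the posted config."""
    if name == "all":
        return True
    if name == "localhost":
        return req.src in ("127.0.0.1", "::1")
    if name == "SSL_ports":
        return req.port == 443
    if name == "Safe_ports":
        return (req.port in (80, 21, 443, 70, 210, 280, 488, 591, 777)
                or 1025 <= req.port <= 65535)
    if name == "CONNECT":
        return req.method == "CONNECT"
    if name == "AuthorizedUsers":  # proxy_auth REQUIRED; real Squid answers
        return req.authenticated   # an unauthenticated request with a 407
    raise KeyError(f"unknown acl {name}")

def http_access(rules, req):
    """First rule whose ACLs all match wins ('!' negates an ACL); with no
    match, Squid applies the opposite of the last rule's action."""
    for action, *acls in rules:
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!")
               for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# http_access lines as posted (manager lines omitted): the auth rule
# comes before the CONNECT port restriction.
POSTED = [("deny", "!Safe_ports"), ("allow", "AuthorizedUsers"),
          ("deny", "CONNECT", "!SSL_ports"), ("allow", "localhost"),
          ("allow", "all", "AuthorizedUsers"), ("deny", "all")]
# Same rules with the CONNECT restriction ahead of the auth check.
DENY_CONNECT_FIRST = [POSTED[0], POSTED[2], POSTED[1]] + POSTED[3:]

def tunnel_to_port(rules, port, authenticated=True):
    """Verdict for a LAN client's CONNECT to the given port (constructed input)."""
    return http_access(rules, Request("CONNECT", port, "10.0.0.5", authenticated))
```

Under the posted order an authenticated client's CONNECT to any port in Safe_ports (e.g. 8080) is allowed by the auth rule before the CONNECT restriction is ever reached; with the deny rule first, only port 443 tunnels get through.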