Re: NTLM auth and ContentLength = 0


On 11/08/11 00:04, Christian Gregoire wrote:
Hello,

I use Squid 3.1.9 + ICAP + ClamAV with NTLM authentication on a CentOS box. It
works pretty well, except in one particular case.

Here, the HTTP client is a third-party software on Windows, not a standard
navigator, which makes a few HTTP requests when it is launched.

Most of the requests show the NTLM challenge/response steps correctly, but not
the last one which is denied by the Squid service. The only special thing I can
see is that the content length of that request is set to zero (see the traces
and the headers below).

Maybe. I recall some talk about 0-length POST a while back. But there have been no patches related to it submitted yet.

I also notice that the failed attempt has a much longer blob tag than the successful one.

Check cache.log for any mentions of problems. Perhaps enable debugging with -d on the helper to see if there is an issue with the validation.


Please note: if NTLM auth is disabled on the Squid server, it works fine.


1312956350.701      0 10.1.100.5 TCP_DENIED/407 3837 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
text/html
1312956350.702      0 10.1.100.5 TCP_DENIED/407 4219 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
text/html
1312956351.543    841 10.1.100.5 TCP_MISS/200 721 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet
expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956351.559      0 10.1.100.5 TCP_DENIED/407 3837 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
text/html
1312956351.560      0 10.1.100.5 TCP_DENIED/407 4219 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
text/html
1312956352.390    830 10.1.100.5 TCP_MISS/200 720 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet
expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956352.407      0 10.1.100.5 TCP_DENIED/407 3837 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
text/html
1312956352.408      0 10.1.100.5 TCP_DENIED/407 4219 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
text/html
1312956353.281    873 10.1.100.5 TCP_MISS/200 716 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet
expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956353.296      0 10.1.100.5 TCP_DENIED/407 3837 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
text/html
1312956353.298      0 10.1.100.5 TCP_DENIED/407 4219 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
text/html
1312956354.165    868 10.1.100.5 TCP_MISS/200 715 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet
expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956354.189      0 10.1.100.5 TCP_DENIED/407 3845 POST
http://www.colis-logistique.com/expeditor/updateApplication/servlet - NONE/-
text/html
1312956354.190      0 10.1.100.5 TCP_DENIED/407 4227 POST
http://www.colis-logistique.com/expeditor/updateApplication/servlet - NONE/-
text/html
1312956355.005    814 10.1.100.5 TCP_MISS/200 719 POST
http://www.colis-logistique.com/expeditor/updateApplication/servlet
expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956355.016      0 10.1.100.5 TCP_DENIED/407 3773 GET
http://www.colis-logistique.com/updatesite? - NONE/- text/html
1312956355.017      0 10.1.100.5 TCP_DENIED/407 4155 GET
http://www.colis-logistique.com/updatesite? - NONE/- text/html
1312956355.579    561 10.1.100.5 TCP_MISS/200 765 GET
http://www.colis-logistique.com/updatesite? expinet.colissimo DIRECT/84.37.93.36
APPLICATION/OCTET-STREAM
1312956356.570    430 10.1.100.5 TCP_MISS/200 4599 POST
http://www.colis-logistique.com/expeditor/updateaccount/servlet
expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956357.437    769 10.1.100.5 TCP_MISS/200 720 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet
expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956357.452      0 10.1.100.5 TCP_DENIED/407 3837 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
text/html
1312956357.454      0 10.1.100.5 TCP_DENIED/407 4219 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
text/html
1312956358.267    814 10.1.100.5 TCP_MISS/200 715 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet
expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956359.448      0 10.1.100.5 TCP_DENIED/407 3835 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
text/html<---- STEP 1
1312956359.449      0 10.1.100.5 TCP_DENIED/407 4217 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
text/html<---- STEP 2
1312956359.451      0 10.1.100.5 TCP_DENIED/407 4193 POST
http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/-
text/html<---- STILL DENIED !!!!!!

------------------- Headers of the HTTP session for the denied request  :

POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: TELINTRANSCOM
Host: www.colis-logistique.com
Content-Length: 0
Pragma: no-cache

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.9
Mime-Version: 1.0
Date: Wed, 10 Aug 2011 11:41:16 GMT
Content-Type: text/html
Content-Length: 3469
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: NTLM
X-Cache: MISS from fw-master
Via: 1.0 fw-master (squid/3.1.9)
Connection: close

POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: TELINTRANSCOM
Host: www.colis-logistique.com
Content-Length: 0
Pragma: no-cache
Proxy-Connection: Keep-Alive
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==


What application is this? There are two bugs in those headers that need reporting. Not related to your NTLM problems though. "TELINTRANSCOM" appears to be a company name rather than a software product name so I have no way to contact them myself to do it.

 * Pragma: no-cache only works (sometimes) for HTTP/1.0 software, and should not be sent without a matching Cache-Control: no-cache for HTTP/1.1 software.

 * Proxy-Connection: is not a correct header. It should be just Connection:


HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.9
Mime-Version: 1.0
Date: Wed, 10 Aug 2011 11:41:16 GMT
Content-Type: text/html
Content-Length: 3605
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAADAAMADAAAAAFgomifYF1+R0dG4gAAAAAAAAAAHYAdgA8AAAAUABJAEMASABPAE4AAgAMAFAASQBDAEgATwBOAAEAEgBGAFcALQBNAEEAUwBUAEUAUgAEABgAcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAwAsAGYAdwAtAG0AYQBzAHQAZQByAC4AcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAAAAAA==

X-Cache: MISS from fw-master
Via: 1.0 fw-master (squid/3.1.9)
Connection: keep-alive

POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: TELINTRANSCOM
Host: www.colis-logistique.com
Content-Length: 0
Pragma: no-cache
Proxy-Connection: Keep-Alive
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAKIAAAAYABgAugAAAAwADABIAAAARgBGAFQAAAAIAAgAmgAAAAAAAADSAAAABYKIogUCzg4AAAAPUABJAEMASABPAE4AZQB4AHAAaQBuAGUAdAAuAGMAbwBsAGkAcwBzAGkAbQBvACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFQAUwBFADEAFnMeVH6eNxAAAAAAAAAAAAAAAAAAAAAAEueFV9XBLGkb2/4/sGwqnNiuOXFXC5lA


HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.9
Mime-Version: 1.0
Date: Wed, 10 Aug 2011 11:41:16 GMT
Content-Type: text/html
Content-Length: 3829
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: NTLM
X-Cache: MISS from fw-master
Via: 1.0 fw-master (squid/3.1.9)
Connection: close

------------------- Headers for an accepted one :

POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: TELINTRANSCOM
Host: www.colis-logistique.com
Content-Length: 587
Pragma: no-cache

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.9
Mime-Version: 1.0
Date: Wed, 10 Aug 2011 11:40:40 GMT
Content-Type: text/html
Content-Length: 3471
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: NTLM
X-Cache: MISS from fw-master
Via: 1.0 fw-master (squid/3.1.9)
Connection: close

POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: TELINTRANSCOM
Host: www.colis-logistique.com
Content-Length: 587
Pragma: no-cache
Proxy-Connection: Keep-Alive
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.9
Mime-Version: 1.0
Date: Wed, 10 Aug 2011 11:40:40 GMT
Content-Type: text/html
Content-Length: 3607
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAADAAMADAAAAAFgomiNP/Vxjp4/tAAAAAAAAAAAHYAdgA8AAAAUABJAEMASABPAE4AAgAMAFAASQBDAEgATwBOAAEAEgBGAFcALQBNAEEAUwBUAEUAUgAEABgAcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAwAsAGYAdwAtAG0AYQBzAHQAZQByAC4AcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAAAAAA==

X-Cache: MISS from fw-master
Via: 1.0 fw-master (squid/3.1.9)
Connection: keep-alive

POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: TELINTRANSCOM
Host: www.colis-logistique.com
Content-Length: 587
Pragma: no-cache
Proxy-Connection: Keep-Alive
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAH4AAAAYABgAlgAAAAwADABIAAAAIgAiAFQAAAAIAAgAdgAAAAAAAACuAAAABYKIogUCzg4AAAAPUABJAEMASABPAE4AZQB4AHAAaQBuAGUAdAAuAGMAbwBsAGkAcwBzAGkAbQBvAFQAUwBFADEAuyOcnxnMyogAAAAAAAAAAAAAAAAAAAAAGvDfkb4KZM8Lkgec9ot0QL5qpUrN+xaa


HTTP/1.0 200 OK
Date: Wed, 10 Aug 2011 11:34:59 GMT
Server: Apache
Vary: User-Agent
Content-Type: text/xml
X-Cache: MISS from fw-master
Via: ICAP/1.0 fw-master.domain.local (C-ICAP/0.1.3 SquidClamav/Antivirus service
), 1.0 fw-master (squid/3.1.9)
Connection: close

------------------- Squid configuration file :

http_port 3129
cache_access_log /servers/squid/logs/access.log
cache_store_log /servers/squid/logs/store.log
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1
icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1
icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
external_acl_type GroupeInternet %LOGIN /usr/local/squid/libexec/wbinfo_group.pl

acl AccesInternetOK external GroupeInternet gg_internet
acl CONNECT method CONNECT

http_access allow CONNECT

Sigh. Your proxy has no security. NTLM is an illusion.

Try this:
  squidclient -P request.txt -m CONNECT google.com:80

Where request.txt contains:
"
GET / HTTP/1.1
Host: google.com

"
Poof. No login.

This is why Safe_ports and SSL_Ports exist. Please use them.


http_access allow AccesInternetOK
http_access deny all



Any idea?

Christian

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.10
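
Added example (not part of the original thread): a small NTLM Type 3 parser run over the two final Proxy-Authorization blobs from the traces above, cut after the workstation field so the LM/NT response bytes are left out. It shows which field accounts for the longer blob on the denied request; all function and constant names are this example's own.

```python
import base64
import struct

# Type 3 (AUTHENTICATE) blobs from the denied and accepted traces, cut after
# the workstation field; the LM/NT response bytes that follow are not needed.
DENIED = (
    "TlRMTVNTUAADAAAAGAAYAKIAAAAYABgAugAAAAwADABIAAAARgBGAFQAAAAIAAgAmgAAAAAAAADSAAAABYKIogUCzg4AAAAP"
    "UABJAEMASABPAE4AZQB4AHAAaQBuAGUAdAAuAGMAbwBsAGkAcwBzAGkAbQBv"
    "ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFQAUwBFADEA"
)
ACCEPTED = (
    "TlRMTVNTUAADAAAAGAAYAH4AAAAYABgAlgAAAAwADABIAAAAIgAiAFQAAAAIAAgAdgAAAAAAAACuAAAABYKIogUCzg4AAAAP"
    "UABJAEMASABPAE4AZQB4AHAAaQBuAGUAdAAuAGMAbwBsAGkAcwBzAGkAbQBvAFQAUwBFADEA"
)

# Position of each security buffer (u16 length, u16 max length, u32 offset).
BUFFERS = {"lm": 12, "nt": 20, "domain": 28, "user": 36, "workstation": 44, "session_key": 52}
NAME_FIELDS = ("domain", "user", "workstation")
NEGOTIATE_UNICODE = 0x00000001


def parse_type3(blob_b64):
    """Decode the header and the name fields of an NTLM Type 3 message."""
    data = base64.b64decode(blob_b64)
    if data[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", data, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    flags = struct.unpack_from("<I", data, 60)[0]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    msg = {"flags": flags, "declared_size": 0}
    for name, pos in BUFFERS.items():
        length, _maxlen, offset = struct.unpack_from("<HHI", data, pos)
        # The highest offset+length is the size the sender says the message has.
        msg["declared_size"] = max(msg["declared_size"], offset + length)
        if name in NAME_FIELDS:
            if offset + length > len(data):
                raise ValueError(name + " field runs past the end of the data")
            msg[name] = data[offset:offset + length].decode(codec)
    return msg


def differing_fields(a_b64, b_b64):
    """Return {field: (value_a, value_b)} for name fields that differ."""
    a, b = parse_type3(a_b64), parse_type3(b_b64)
    return {f: (a[f], b[f]) for f in NAME_FIELDS if a[f] != b[f]}


if __name__ == "__main__":
    for field, values in differing_fields(DENIED, ACCEPTED).items():
        print(field, [(repr(v), len(v)) for v in values])
```

On these two messages only the user field differs: the denied request sends "expinet.colissimo" followed by 18 trailing spaces (70 bytes instead of 34), which is the whole 36-byte difference between the declared message sizes (210 versus 174).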


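
Added example (not part of the original thread): a check for the http_access ordering problem pointed out in the reply, run over the access-control lines of the posted configuration and over an assumed rewrite. The HARDENED text and its port lists are an assumption of this example, modelled on the Safe_ports/SSL_ports rules of Squid's default squid.conf; the function name is hypothetical.

```python
# Access-control lines from the configuration posted in this thread.
ORIGINAL = """\
external_acl_type GroupeInternet %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl AccesInternetOK external GroupeInternet gg_internet
acl CONNECT method CONNECT
http_access allow CONNECT
http_access allow AccesInternetOK
http_access deny all
"""

# Assumed rewrite: the unconditional CONNECT allow is gone and the port ACLs
# are checked before the authenticated allow rule.
HARDENED = """\
external_acl_type GroupeInternet %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl AccesInternetOK external GroupeInternet gg_internet
acl CONNECT method CONNECT
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow AccesInternetOK
http_access deny all
"""


def unauthenticated_allows(conf):
    """Return http_access allow rules that can match without a login.

    Squid checks http_access lines top-down and stops at the first match, so
    an allow rule naming no credential-based ACL admits anonymous clients.
    """
    login_helpers, auth_acls, findings = set(), set(), []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "external_acl_type" and "%LOGIN" in tok[2:]:
            login_helpers.add(tok[1])
        elif tok[0] == "acl" and len(tok) > 2:
            if tok[2].startswith("proxy_auth") or (
                tok[2] == "external" and len(tok) > 3 and tok[3] in login_helpers
            ):
                auth_acls.add(tok[1])
        elif tok[0] == "http_access" and len(tok) > 2 and tok[1] == "allow":
            # Strip "!" so a negated reference to an auth ACL still counts.
            if not any(a.lstrip("!") in auth_acls for a in tok[2:]):
                findings.append(" ".join(tok))
    return findings
```

Run against ORIGINAL it reports the single line "http_access allow CONNECT"; against HARDENED it reports nothing.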