On 11/08/11 00:04, Christian Gregoire wrote:
Hello, I use Squid 3.1.9 + ICAP + ClamAV with NTLM authentication on a CentOS box. It works pretty well, except in one particular case. Here, the HTTP client is a third-party software on Windows, not a standard navigator, which makes a few HTTP requests when it is launched. Most of the requests show the NTLM challenge/response steps correctly, but not the last one which is denied by the Squid service. The only special thing I can see is that the content length of that request is set to zero (see the traces and the headers below).
Maybe. I recall some talk about 0-length POST a while back. But there have been no patches related to it submitted yet.
I also notice that the failed attempt has a much longer blob tag than the successful one.
Check cache.log for any mentions of problems. Perhaps enable debugging with -d on the helper to see if there is an issue with the validation.
Please note: if NTLM auth is disabled on the Squid server, it works fine.

1312956350.701 0 10.1.100.5 TCP_DENIED/407 3837 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html
1312956350.702 0 10.1.100.5 TCP_DENIED/407 4219 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html
1312956351.543 841 10.1.100.5 TCP_MISS/200 721 POST http://www.colis-logistique.com/expeditor/updateReference/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956351.559 0 10.1.100.5 TCP_DENIED/407 3837 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html
1312956351.560 0 10.1.100.5 TCP_DENIED/407 4219 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html
1312956352.390 830 10.1.100.5 TCP_MISS/200 720 POST http://www.colis-logistique.com/expeditor/updateReference/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956352.407 0 10.1.100.5 TCP_DENIED/407 3837 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html
1312956352.408 0 10.1.100.5 TCP_DENIED/407 4219 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html
1312956353.281 873 10.1.100.5 TCP_MISS/200 716 POST http://www.colis-logistique.com/expeditor/updateReference/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956353.296 0 10.1.100.5 TCP_DENIED/407 3837 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html
1312956353.298 0 10.1.100.5 TCP_DENIED/407 4219 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html
1312956354.165 868 10.1.100.5 TCP_MISS/200 715 POST http://www.colis-logistique.com/expeditor/updateReference/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956354.189 0 10.1.100.5 TCP_DENIED/407 3845 POST http://www.colis-logistique.com/expeditor/updateApplication/servlet - NONE/- text/html
1312956354.190 0 10.1.100.5 TCP_DENIED/407 4227 POST http://www.colis-logistique.com/expeditor/updateApplication/servlet - NONE/- text/html
1312956355.005 814 10.1.100.5 TCP_MISS/200 719 POST http://www.colis-logistique.com/expeditor/updateApplication/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956355.016 0 10.1.100.5 TCP_DENIED/407 3773 GET http://www.colis-logistique.com/updatesite? - NONE/- text/html
1312956355.017 0 10.1.100.5 TCP_DENIED/407 4155 GET http://www.colis-logistique.com/updatesite? - NONE/- text/html
1312956355.579 561 10.1.100.5 TCP_MISS/200 765 GET http://www.colis-logistique.com/updatesite? expinet.colissimo DIRECT/84.37.93.36 APPLICATION/OCTET-STREAM
1312956356.570 430 10.1.100.5 TCP_MISS/200 4599 POST http://www.colis-logistique.com/expeditor/updateaccount/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956357.437 769 10.1.100.5 TCP_MISS/200 720 POST http://www.colis-logistique.com/expeditor/updateReference/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956357.452 0 10.1.100.5 TCP_DENIED/407 3837 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html
1312956357.454 0 10.1.100.5 TCP_DENIED/407 4219 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html
1312956358.267 814 10.1.100.5 TCP_MISS/200 715 POST http://www.colis-logistique.com/expeditor/updateReference/servlet expinet.colissimo DIRECT/84.37.93.36 text/xml
1312956359.448 0 10.1.100.5 TCP_DENIED/407 3835 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html <---- STEP 1
1312956359.449 0 10.1.100.5 TCP_DENIED/407 4217 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html <---- STEP 2
1312956359.451 0 10.1.100.5 TCP_DENIED/407 4193 POST http://www.colis-logistique.com/expeditor/updateReference/servlet - NONE/- text/html <---- STILL DENIED !!!!!!

-------------------
Headers of the HTTP session for the denied request :

POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: TELINTRANSCOM
Host: www.colis-logistique.com
Content-Length: 0
Pragma: no-cache

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.9
Mime-Version: 1.0
Date: Wed, 10 Aug 2011 11:41:16 GMT
Content-Type: text/html
Content-Length: 3469
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: NTLM
X-Cache: MISS from fw-master
Via: 1.0 fw-master (squid/3.1.9)
Connection: close

POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: TELINTRANSCOM
Host: www.colis-logistique.com
Content-Length: 0
Pragma: no-cache
Proxy-Connection: Keep-Alive
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==
What application is this? There are two bugs in those headers that need reporting. Not related to your NTLM problems though. "TELINTRANSCOM" appears to be a company name rather than a software product name so I have no way to contact them myself to do it.
* Pragma: no-cache only works (sometimes) for HTTP/1.0 software, and should not be sent without a matching Cache-Control: no-cache for HTTP/1.1 software.
* Proxy-Connection: is not a correct header. It should be just Connection:
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.9
Mime-Version: 1.0
Date: Wed, 10 Aug 2011 11:41:16 GMT
Content-Type: text/html
Content-Length: 3605
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADAAMADAAAAAFgomifYF1+R0dG4gAAAAAAAAAAHYAdgA8AAAAUABJAEMASABPAE4AAgAMAFAASQBDAEgATwBOAAEAEgBGAFcALQBNAEEAUwBUAEUAUgAEABgAcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAwAsAGYAdwAtAG0AYQBzAHQAZQByAC4AcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAAAAAA==
X-Cache: MISS from fw-master
Via: 1.0 fw-master (squid/3.1.9)
Connection: keep-alive

POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: TELINTRANSCOM
Host: www.colis-logistique.com
Content-Length: 0
Pragma: no-cache
Proxy-Connection: Keep-Alive
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAKIAAAAYABgAugAAAAwADABIAAAARgBGAFQAAAAIAAgAmgAAAAAAAADSAAAABYKIogUCzg4AAAAPUABJAEMASABPAE4AZQB4AHAAaQBuAGUAdAAuAGMAbwBsAGkAcwBzAGkAbQBvACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFQAUwBFADEAFnMeVH6eNxAAAAAAAAAAAAAAAAAAAAAAEueFV9XBLGkb2/4/sGwqnNiuOXFXC5lA

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.9
Mime-Version: 1.0
Date: Wed, 10 Aug 2011 11:41:16 GMT
Content-Type: text/html
Content-Length: 3829
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: NTLM
X-Cache: MISS from fw-master
Via: 1.0 fw-master (squid/3.1.9)
Connection: close

-------------------
Headers for an accepted one :

POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: TELINTRANSCOM
Host: www.colis-logistique.com
Content-Length: 587
Pragma: no-cache

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.9
Mime-Version: 1.0
Date: Wed, 10 Aug 2011 11:40:40 GMT
Content-Type: text/html
Content-Length: 3471
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: NTLM
X-Cache: MISS from fw-master
Via: 1.0 fw-master (squid/3.1.9)
Connection: close

POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: TELINTRANSCOM
Host: www.colis-logistique.com
Content-Length: 587
Pragma: no-cache
Proxy-Connection: Keep-Alive
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.1.9
Mime-Version: 1.0
Date: Wed, 10 Aug 2011 11:40:40 GMT
Content-Type: text/html
Content-Length: 3607
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADAAMADAAAAAFgomiNP/Vxjp4/tAAAAAAAAAAAHYAdgA8AAAAUABJAEMASABPAE4AAgAMAFAASQBDAEgATwBOAAEAEgBGAFcALQBNAEEAUwBUAEUAUgAEABgAcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAwAsAGYAdwAtAG0AYQBzAHQAZQByAC4AcABpAGMAaABvAG4ALgBsAG8AYwBhAGwAAAAAAA==
X-Cache: MISS from fw-master
Via: 1.0 fw-master (squid/3.1.9)
Connection: keep-alive

POST http://www.colis-logistique.com/expeditor/updateReference/servlet HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: TELINTRANSCOM
Host: www.colis-logistique.com
Content-Length: 587
Pragma: no-cache
Proxy-Connection: Keep-Alive
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAH4AAAAYABgAlgAAAAwADABIAAAAIgAiAFQAAAAIAAgAdgAAAAAAAACuAAAABYKIogUCzg4AAAAPUABJAEMASABPAE4AZQB4AHAAaQBuAGUAdAAuAGMAbwBsAGkAcwBzAGkAbQBvAFQAUwBFADEAuyOcnxnMyogAAAAAAAAAAAAAAAAAAAAAGvDfkb4KZM8Lkgec9ot0QL5qpUrN+xaa

HTTP/1.0 200 OK
Date: Wed, 10 Aug 2011 11:34:59 GMT
Server: Apache
Vary: User-Agent
Content-Type: text/xml
X-Cache: MISS from fw-master
Via: ICAP/1.0 fw-master.domain.local (C-ICAP/0.1.3 SquidClamav/Antivirus service ), 1.0 fw-master (squid/3.1.9)
Connection: close

-------------------
Squid configuration file :

http_port 3129
cache_access_log /servers/squid/logs/access.log
cache_store_log /servers/squid/logs/store.log
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
external_acl_type GroupeInternet %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl AccesInternetOK external GroupeInternet gg_internet
acl CONNECT method CONNECT
http_access allow CONNECT
Sigh. Your proxy has no security. NTLM is an illusion. Try this:

  squidclient -P request.txt -m CONNECT google.com:80

Where request.txt contains:
"
GET / HTTP/1.1
Host: google.com

"

Poof. No login.

This is why Safe_ports and SSL_Ports exist. Please use them.
http_access allow AccesInternetOK
http_access deny all

Any idea ?

Christian
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.10
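The length difference between the two type 3 tokens quoted in the message can be read out of the tokens themselves: in the denied request the user name field is 70 bytes, "expinet.colissimo" followed by 18 spaces, against 34 bytes in the accepted one. A small decoder showing this, added here as an example and not part of the original thread; field positions follow the NTLM type 3 message layout, and the fallback codec for non-Unicode tokens is an assumption.

```python
import base64
import struct

# Type 3 tokens from the two Proxy-Authorization headers quoted in the message.
# Runs of one repeated base64 group are written with a repeat count.
NAMES = "UABJAEMASABPAE4AZQB4AHAAaQBuAGUAdAAuAGMAbwBsAGkAcwBzAGkAbQBv"
DENIED = ("TlRMTVNTUAADAAAAGAAYAKIAAAAYABgAugAAAAwADABIAAAARgBGAFQAAAAIAAgA"
          "mgAAAAAAAADSAAAABYKIogUCzg4AAAAP" + NAMES + "ACAAIAAg" * 6 +
          "AFQAUwBFADEAFnMeVH6eNxAA" + "AAAA" * 5 +
          "EueFV9XBLGkb2/4/sGwqnNiuOXFXC5lA")
ACCEPTED = ("TlRMTVNTUAADAAAAGAAYAH4AAAAYABgAlgAAAAwADABIAAAAIgAiAFQAAAAIAAgA"
            "dgAAAAAAAACuAAAABYKIogUCzg4AAAAP" + NAMES +
            "AFQAUwBFADEAuyOcnxnMyogA" + "AAAA" * 5 +
            "GvDfkb4KZM8Lkgec9ot0QL5qpUrN+xaa")

# (field name, position of its 8-byte length/maxlength/offset descriptor)
FIELDS = (("domain", 28), ("user", 36), ("workstation", 44))


def parse_type3(token):
    """Decode the name fields of a base64 NTLM type 3 (authenticate) token."""
    raw = base64.b64decode(token, validate=True)
    if len(raw) < 64 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", raw, 8)[0] != 3:
        raise ValueError("not a type 3 message")
    flags = struct.unpack_from("<I", raw, 60)[0]
    # Bit 0 is NEGOTIATE_UNICODE; cp1252 as the OEM codec is an assumption.
    codec = "utf-16-le" if flags & 0x1 else "cp1252"
    out = {"total_bytes": len(raw)}
    for name, pos in FIELDS:
        length, _maxlen, offset = struct.unpack_from("<HHI", raw, pos)
        if offset + length > len(raw):
            raise ValueError(f"{name} field runs past the end of the token")
        out[name] = raw[offset:offset + length].decode(codec)
    return out


def diff_tokens(a, b):
    """Return {field: (value_in_a, value_in_b)} for the fields that differ."""
    pa, pb = parse_type3(a), parse_type3(b)
    return {k: (pa[k], pb[k]) for k in pa if pa[k] != pb[k]}


if __name__ == "__main__":
    for field, (denied, accepted) in diff_tokens(DENIED, ACCEPTED).items():
        print(f"{field}: denied={denied!r} accepted={accepted!r}")
```

The decoder reads only the name fields; the LM and NT response bytes in the tokens are left untouched.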
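The configuration problem raised in the reply is one of rule order: Squid applies the first http_access rule that matches, and `http_access allow CONNECT` sits above the rule that requires a login. A small check for that ordering, added here as an example (not code from the thread or from Squid); `allows_without_login` is a hypothetical helper, the port list is shortened, and the hardened rule set is an assumed correction built on the Safe_ports and SSL_ports ACLs of Squid's default configuration.

```python
# Access rules as quoted in the message (ICAP and logging lines left out).
POSTED = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
external_acl_type GroupeInternet %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl AccesInternetOK external GroupeInternet gg_internet
acl CONNECT method CONNECT
http_access allow CONNECT
http_access allow AccesInternetOK
http_access deny all
"""

# Assumed correction: port ACLs in front, CONNECT no longer allowed on its
# own, so every allowed request has to pass the group (login) check.
HARDENED = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
external_acl_type GroupeInternet %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl AccesInternetOK external GroupeInternet gg_internet
acl SSL_ports port 443
acl Safe_ports port 80 21 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow AccesInternetOK
http_access deny all
"""


def allows_without_login(conf):
    """List http_access allow rules that name no ACL requiring a login."""
    helpers, login_acls, found = set(), set(), []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "external_acl_type" and "%LOGIN" in tok[2:]:
            helpers.add(tok[1])          # helper that is passed the user name
        elif tok[0] == "acl" and len(tok) > 3 and (
                tok[2] == "proxy_auth"
                or (tok[2] == "external" and tok[3] in helpers)):
            login_acls.add(tok[1])       # ACL that forces authentication
        elif tok[0] == "http_access":
            if tok[1] == "allow" and not login_acls.intersection(tok[2:]):
                found.append(" ".join(tok))
            if tok[1:] == ["deny", "all"]:
                break                    # nothing after this is ever reached
    return found


if __name__ == "__main__":
    print("posted  :", allows_without_login(POSTED))
    print("hardened:", allows_without_login(HARDENED))
```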