On 12.04.2012 11:37, Simon Dwyer wrote:
Hi All,
I have set up squid to authenticate with NTLM then BASIC with the ntlm_auth program.
I believe that it is all working fine for most users, but as an example, on my Linux desktop with Firefox I get prompted for my credentials (that's fine), but when I go to https://www.facebook.com or pages that link to it I keep getting prompted for my password.
The access.log shows this:
1334186696.459 2 10.37.0.1 TCP_DENIED/407 4028 CONNECT www.facebook.com:443 - NONE/- text/html
1334186696.463 3 10.37.0.1 TCP_DENIED/407 4028 CONNECT www.facebook.com:443 - NONE/- text/html
1334186696.465 3 10.37.0.1 TCP_DENIED/407 4028 CONNECT www.facebook.com:443 - NONE/- text/html
and my browser doesn't seem to present the credentials properly. Sites like https://www.westpac.com.au seem to work perfectly.
I am now running firefox 11.
Where would be the first place to start looking?
Firefox bug reports possibly. I've been hearing strange things about
trouble with its NTLM support recently.
Also, with your Squid version. NTLM on CONNECT requests was only fixed
recently, meaning older 3.1 and previous series do not support NTLM well
on those requests.
Some unrelated hints about config optimization below...
Simon
Config following
[root@proxy1 ~]# cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
cache_dir aufs /var/spool/squid 16384 32 512
cache_mem 1024 MB
http_port 8080
snmp_port 3401
visible_hostname proxy1.mulawa.internal
acl snmppublic snmp_community ng-community-ro
snmp_access allow snmppublic
snmp_incoming_address 0.0.0.0
snmp_outgoing_address 255.255.255.255
ignore_expect_100 on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 30
auth_param basic realm TSG proxy-caching web server
auth_param basic credentialsttl 8 hours
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
url_rewrite_children 30
acl BrownhouseIT src 10.37.0.0/24
acl GTALK_ports port 443 5222 5050 5223
acl GTALK_hosts dstdomain talk.google.com www.google.com
acl GTALK_domains dstdomain .l.google.com
acl GTALK_methods method CONNECT
acl SSL_ports port 443
acl SSL_ports port 5222
acl SSL_ports port 5223
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
acl UnauthorizedDomains url_regex microsoft.com
acl UnauthorizedDomains url_regex verisign.com
acl UnauthorizedDomains url_regex thawte.com
acl UnauthorizedDomains url_regex crl.usertrust.com
NP: These are all better tested as dstdomain. Use the wildcard '.'
prefix like you do for .l.google.com.
acl UnauthorizedServers src 10.20.0.77
acl UnauthorizedServers src 10.20.0.70
acl UnauthorizedServers src 10.20.0.191
acl oem-gc-host src 10.20.0.144
acl oem-gc-domain url_regex linux-update.oracle.com
NP: another best tested as dstdomain.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow BrownhouseIT GTALK_methods GTALK_ports GTALK_hosts
http_access allow BrownhouseIT GTALK_methods GTALK_ports GTALK_domains
Optimization:
GTALK_hosts and GTALK_domains are both dstdomain type. You can
collapse these together and remove most of the ACL tests per request to
*.l.google.com servers.
http_access allow UnauthorizedServers
Optimization:
adding these IPs to the firewall to reject connections they make
inbound to the proxy allows you to drop this ACL policy.
http_access allow UnauthorizedDomains
http_access allow oem-gc-host oem-gc-domain
http_access deny !AuthorizedUsers
http_access allow AuthorizedUsers
http_access deny all
Amos
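On Amos's NP notes about url_regex versus dstdomain: url_regex is an unanchored regex search over the whole request URL, while dstdomain compares only the destination host, so the "http_access allow UnauthorizedDomains" rule, which sits before the authentication check, lets through more requests than the entries suggest. The Python model below is an added example, not code from the thread or from Squid; the ACL entries are copied from the posted config and the sample requests are constructed.

```python
import re
from urllib.parse import urlsplit

# ACL entries as written in the posted squid.conf (url_regex form).
URL_REGEX_ACL = ["microsoft.com", "verisign.com", "thawte.com", "crl.usertrust.com"]
# The same entries rewritten as dstdomain with the '.' wildcard prefix Amos suggests;
# crl.usertrust.com is kept as a bare host on purpose, to show the exact-host case.
DSTDOMAIN_ACL = [".microsoft.com", ".verisign.com", ".thawte.com", "crl.usertrust.com"]

# Constructed sample requests (not from the thread). CONNECT requests show up in
# Squid as 'host:port', exactly like the www.facebook.com:443 lines in the log.
SAMPLE_REQUESTS = [
    "http://www.microsoft.com/en-us/download",
    "http://example.test/files/microsoft.com.zip",   # string appears in the path only
    "http://microsoft.com.example.test/",             # host merely contains the string
    "http://www.microsoftXcom.test/",                 # unescaped '.' matches any character
    "http://sub.crl.usertrust.com/",                  # subdomain of a bare dstdomain entry
    "crl.usertrust.com:443",
    "www.facebook.com:443",
]

def _host_of(request):
    """Extract the lowercase destination host; CONNECT requests carry host:port only."""
    if "://" not in request:
        request = "//" + request
    return (urlsplit(request).hostname or "").lower()

def url_regex_matches(patterns, request):
    """Squid url_regex: an unanchored, case-sensitive regex search over the whole URL."""
    return any(re.search(p, request) for p in patterns)

def dstdomain_matches(entries, request):
    """Squid dstdomain: '.example.com' covers example.com and subdomains; a bare host is exact."""
    host = _host_of(request)
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def skips_auth(request):
    """(url_regex hit, dstdomain hit): whether each ACL style would pass the request
    through 'http_access allow UnauthorizedDomains' with no proxy authentication."""
    return url_regex_matches(URL_REGEX_ACL, request), dstdomain_matches(DSTDOMAIN_ACL, request)
```

Calling skips_auth() on each entry of SAMPLE_REQUESTS shows the url_regex form firing on path strings, look-alike hosts and unrelated domains where the dstdomain form does not.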