
Re: Issue with proxy auth with facebook


On Thu, 2012-04-12 at 13:15 +1200, Amos Jeffries wrote:
> On 12.04.2012 13:06, Simon Dwyer wrote:
> > On Thu, 2012-04-12 at 12:41 +1200, Amos Jeffries wrote:
> >> On 12.04.2012 11:37, Simon Dwyer wrote:
> >> > Hi All,
> >> >
> >> > I have set up Squid to authenticate with NTLM then BASIC with the
> >> > ntlm_auth program.
> >> >
> >> > I believe that it is all working fine for most users, but for
> >> > example on my Linux desktop with Firefox I get prompted for my
> >> > credentials (that's fine) but when I go to https://www.facebook.com
> >> > or pages that link to it I keep getting prompted for my password.
> >> >
> >> > The access.log shows this:
> >> >
> >> > 1334186696.459      2 10.37.0.1 TCP_DENIED/407 4028 CONNECT
> >> > www.facebook.com:443 - NONE/- text/html
> >> > 1334186696.463      3 10.37.0.1 TCP_DENIED/407 4028 CONNECT
> >> > www.facebook.com:443 - NONE/- text/html
> >> > 1334186696.465      3 10.37.0.1 TCP_DENIED/407 4028 CONNECT
> >> > www.facebook.com:443 - NONE/- text/html
> >> >
> >> > and my browser doesn't seem to present the credentials properly.
> >> > Sites like https://www.westpac.com.au seem to work perfectly.
> >> >
> >> > I am now running Firefox 11.
> >> >
> >> > Where would be the first place to start looking?
> >>
> >> Firefox bug reports possibly. I've been hearing strange things about
> >> trouble with its NTLM support recently.
> >>
> >> Also, with your Squid version. NTLM on CONNECT requests was only fixed
> >> recently, meaning older 3.1 and previous series do not support NTLM well
> >> on those requests.
> >
> > Yes, I have come to the conclusion that this is probably a bug with
> > Firefox. I am moving our authentication to Kerberos and Basic, which
> > will hopefully get around using NTLM too much *touch wood*
> >>
> >>
> >> Some unrelated hints about config optimization below...
> >>
> >> >
> >> >
> >> > Simon
> >> >
> >> > Config following
> >> >
> >> > [root@proxy1 ~]# cat /etc/squid/squid.conf
> >> > #
> >> > # Recommended minimum configuration:
> >> > #
> >> > cache_dir aufs /var/spool/squid 16384 32 512
> >> >
> >> > cache_mem 1024 MB
> >> > http_port 8080
> >> > snmp_port 3401
> >> > visible_hostname proxy1.mulawa.internal
> >> > acl snmppublic snmp_community ng-community-ro
> >> > snmp_access allow snmppublic
> >> > snmp_incoming_address 0.0.0.0
> >> > snmp_outgoing_address 255.255.255.255
> >> > ignore_expect_100 on
> >> >
> >> > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> >> > auth_param ntlm children 30
> >> >
> >> > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> >> > auth_param basic children 30
> >> > auth_param basic realm TSG proxy-caching web server
> >> > auth_param basic credentialsttl 8 hours
> >> >
> >> >
> >> > url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
> >> > url_rewrite_children 30
> >> >
> >> > acl BrownhouseIT src 10.37.0.0/24
> >> > acl GTALK_ports port 443 5222 5050 5223
> >> > acl GTALK_hosts dstdomain talk.google.com www.google.com
> >> > acl GTALK_domains dstdomain .l.google.com
> >> > acl GTALK_methods method CONNECT
> >> >
> >> > acl SSL_ports port 443
> >> > acl SSL_ports port 5222
> >> > acl SSL_ports port 5223
> >> > acl Safe_ports port 80          # http
> >> > acl Safe_ports port 21          # ftp
> >> > acl Safe_ports port 443         # https
> >> > acl Safe_ports port 70          # gopher
> >> > acl Safe_ports port 210         # wais
> >> > acl Safe_ports port 1025-65535  # unregistered ports
> >> > acl Safe_ports port 280         # http-mgmt
> >> > acl Safe_ports port 488         # gss-http
> >> > acl Safe_ports port 591         # filemaker
> >> > acl Safe_ports port 777         # multiling http
> >> >
> >> > acl CONNECT method CONNECT
> >> > acl AuthorizedUsers proxy_auth REQUIRED
> >> > acl UnauthorizedDomains url_regex microsoft.com
> >> > acl UnauthorizedDomains url_regex verisign.com
> >> > acl UnauthorizedDomains url_regex thawte.com
> >> > acl UnauthorizedDomains url_regex crl.usertrust.com
> >>
> >> NP: These are all better tested as dstdomain. Use the wildcard '.'
> >> prefix like you do for .l.google.com.
> > Thanks will do
> >
> >>
> >>
> >> > acl UnauthorizedServers src 10.20.0.77
> >> > acl UnauthorizedServers src 10.20.0.70
> >> > acl UnauthorizedServers src 10.20.0.191
> >> >
> >> > acl oem-gc-host src 10.20.0.144
> >> > acl oem-gc-domain url_regex linux-update.oracle.com
> >>
> >> NP: another best tested as dstdomain.
> > Thanks
> >>
> >> >
> >> >
> >> > http_access deny !Safe_ports
> >> > http_access deny CONNECT !SSL_ports
> >> > http_access allow BrownhouseIT GTALK_methods GTALK_ports GTALK_hosts
> >> > http_access allow BrownhouseIT GTALK_methods GTALK_ports GTALK_domains
> >>
> >> Optimization:
> >>
> >>    GTALK_hosts and GTALK_domains are both dstdomain type. You can
> >> collapse these together and remove most of the ACL tests per request to
> >> *.l.google.com servers.
> >
> > Thanks will do.
> >>
> >> > http_access allow UnauthorizedServers
> >>
> >> Optimization:
> >>
> >>    adding these IPs to the firewall to reject connections they make
> >> inbound to the proxy allows you to drop this ACL policy.
> >
> > The point of this was to allow these servers through without having to
> > authenticate, due to them running software that was written by people who
> > don't know what a proxy is.
> 
> Sorry, never mind that. Reading "unauthorized" as meaning, well,
> non-authorized, instead of bypass-authentication.
> 
> It is a bit tricky on the naming there, since in access control terminology:
>    allow == authorized access,
>    deny == unauthorized.
> 
> 
> ... so "authorize access for UnauthorizedServers" mind bender.

Yeah, my first run through setting this up, so not everything is worded
correctly yet.

Thanks for your help Amos, I see you helping so much on this list.
> 
> 
> Amos
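As an added example (not part of the thread, and not code from the Squid project), the script below picks out the access.log pattern quoted in the post: a tight run of TCP_DENIED/407 replies to CONNECT requests from one client to one destination with no completed handshake in between, which is how a browser that cannot finish the NTLM exchange over CONNECT looks from the proxy side. The sample lines are constructed to mirror the post; the user name "sdwyer" and the peer address are made up.

```python
"""Flag proxy-auth loops in Squid native access.log lines.

Added example, not from the original thread. A single TCP_DENIED/407 is the
normal challenge that starts an auth handshake; a tight run of them for the
same client and destination, with no success in between, is the symptom in
the post.
"""
from collections import defaultdict

# Constructed sample in Squid native format:
# timestamp elapsed client result/status bytes method url user hier/peer type
SAMPLE_LOG = """\
1334186696.459      2 10.37.0.1 TCP_DENIED/407 4028 CONNECT www.facebook.com:443 - NONE/- text/html
1334186696.463      3 10.37.0.1 TCP_DENIED/407 4028 CONNECT www.facebook.com:443 - NONE/- text/html
1334186696.465      3 10.37.0.1 TCP_DENIED/407 4028 CONNECT www.facebook.com:443 - NONE/- text/html
1334186700.101      5 10.37.0.1 TCP_DENIED/407 3900 CONNECT www.westpac.com.au:443 - NONE/- text/html
1334186700.350    120 10.37.0.1 TCP_MISS/200 5120 CONNECT www.westpac.com.au:443 sdwyer HIER_DIRECT/203.0.113.10 -
"""

def parse_line(line):
    """Return the fields needed from one native-format line, or None."""
    f = line.split()
    if len(f) < 10:
        return None
    status = f[3].partition("/")[2]
    return {"ts": float(f[0]), "client": f[2], "status": int(status),
            "method": f[5], "url": f[6], "user": f[7]}

def find_auth_loops(log_text, min_denials=3, window=2.0):
    """Map (client, url) -> length of a run of at least min_denials 407s
    within window seconds, with no other reply to that pair in between."""
    runs = defaultdict(list)   # (client, url) -> timestamps of the current 407 run
    loops = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["url"])
        if rec["status"] != 407:
            runs[key].clear()  # handshake completed or request answered otherwise
            continue
        run = [t for t in runs[key] if rec["ts"] - t <= window] + [rec["ts"]]
        runs[key] = run
        if len(run) >= min_denials:
            loops[key] = len(run)
    return loops

if __name__ == "__main__":
    for (client, url), n in find_auth_loops(SAMPLE_LOG).items():
        print(f"{client} -> {url}: {n} x 407 with no completed handshake")
```

The westpac.com.au lines show the normal shape: one 407 challenge followed by a 200 with a user name, so they are not reported.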