On Thu, 2012-04-12 at 13:15 +1200, Amos Jeffries wrote:
> On 12.04.2012 13:06, Simon Dwyer wrote:
> > On Thu, 2012-04-12 at 12:41 +1200, Amos Jeffries wrote:
> >> On 12.04.2012 11:37, Simon Dwyer wrote:
> >> > Hi All,
> >> >
> >> > I have set up squid to authenticate with NTLM then BASIC with the
> >> > ntlm_auth program.
> >> >
> >> > I believe that it is all working fine for most users, but for an example
> >> > my linux desktop with firefox I get prompted for my credentials (that's
> >> > fine) but when I go to https://www.facebook.com or pages that link to it
> >> > I keep getting prompted for my password.
> >> >
> >> > The access.log shows this:
> >> >
> >> > 1334186696.459 2 10.37.0.1 TCP_DENIED/407 4028 CONNECT www.facebook.com:443 - NONE/- text/html
> >> > 1334186696.463 3 10.37.0.1 TCP_DENIED/407 4028 CONNECT www.facebook.com:443 - NONE/- text/html
> >> > 1334186696.465 3 10.37.0.1 TCP_DENIED/407 4028 CONNECT www.facebook.com:443 - NONE/- text/html
> >> >
> >> > and my browser doesn't seem to present the credentials properly. Sites
> >> > like https://www.westpac.com.au seem to work perfectly.
> >> >
> >> > I am now running firefox 11.
> >> >
> >> > Where would be the first place to start looking?
> >>
> >> Firefox bug reports possibly. I've been hearing strange things about
> >> trouble with its NTLM support recently.
> >>
> >> Also, with your Squid version. NTLM on CONNECT requests was only fixed
> >> recently, meaning older 3.1 and previous series do not support NTLM well
> >> on those requests.
> >
> > Yes, I have come to the conclusion that this is probably a bug with
> > firefox. I am moving our authentication to kerberos and basic, which
> > will hopefully get around using NTLM too much *touch wood*
> >>
> >>
> >> Some unrelated hints about config optimization below...
> >>
> >> >
> >> >
> >> > Simon
> >> >
> >> > Config following
> >> >
> >> > [root@proxy1 ~]# cat /etc/squid/squid.conf
> >> > #
> >> > # Recommended minimum configuration:
> >> > #
> >> > cache_dir aufs /var/spool/squid 16384 32 512
> >> >
> >> > cache_mem 1024 MB
> >> > http_port 8080
> >> > snmp_port 3401
> >> > visible_hostname proxy1.mulawa.internal
> >> > acl snmppublic snmp_community ng-community-ro
> >> > snmp_access allow snmppublic
> >> > snmp_incoming_address 0.0.0.0
> >> > snmp_outgoing_address 255.255.255.255
> >> > ignore_expect_100 on
> >> >
> >> > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> >> > auth_param ntlm children 30
> >> >
> >> > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> >> > auth_param basic children 30
> >> > auth_param basic realm TSG proxy-caching web server
> >> > auth_param basic credentialsttl 8 hours
> >> >
> >> >
> >> > url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
> >> > url_rewrite_children 30
> >> >
> >> > acl BrownhouseIT src 10.37.0.0/24
> >> > acl GTALK_ports port 443 5222 5050 5223
> >> > acl GTALK_hosts dstdomain talk.google.com www.google.com
> >> > acl GTALK_domains dstdomain .l.google.com
> >> > acl GTALK_methods method CONNECT
> >> >
> >> > acl SSL_ports port 443
> >> > acl SSL_ports port 5222
> >> > acl SSL_ports port 5223
> >> > acl Safe_ports port 80          # http
> >> > acl Safe_ports port 21          # ftp
> >> > acl Safe_ports port 443         # https
> >> > acl Safe_ports port 70          # gopher
> >> > acl Safe_ports port 210         # wais
> >> > acl Safe_ports port 1025-65535  # unregistered ports
> >> > acl Safe_ports port 280         # http-mgmt
> >> > acl Safe_ports port 488         # gss-http
> >> > acl Safe_ports port 591         # filemaker
> >> > acl Safe_ports port 777         # multiling http
> >> >
> >> > acl CONNECT method CONNECT
> >> > acl AuthorizedUsers proxy_auth REQUIRED
> >> > acl UnauthorizedDomains url_regex microsoft.com
> >> > acl UnauthorizedDomains url_regex verisign.com
> >> > acl UnauthorizedDomains url_regex thawte.com
> >> > acl UnauthorizedDomains url_regex crl.usertrust.com
> >>
> >> NP: These are all better tested as dstdomain. Use the wildcard '.'
> >> prefix like you do for .l.google.com.
> >
> > Thanks, will do
> >
> >>
> >>
> >> > acl UnauthorizedServers src 10.20.0.77
> >> > acl UnauthorizedServers src 10.20.0.70
> >> > acl UnauthorizedServers src 10.20.0.191
> >> >
> >> > acl oem-gc-host src 10.20.0.144
> >> > acl oem-gc-domain url_regex linux-update.oracle.com
> >>
> >> NP: another best tested as dstdomain.
> >
> > Thanks
> >>
> >> >
> >> >
> >> > http_access deny !Safe_ports
> >> > http_access deny CONNECT !SSL_ports
> >> > http_access allow BrownhouseIT GTALK_methods GTALK_ports GTALK_hosts
> >> > http_access allow BrownhouseIT GTALK_methods GTALK_ports GTALK_domains
> >>
> >> Optimization:
> >>
> >> GTALK_hosts and GTALK_domains are both dstdomain type. You can
> >> collapse these together and remove most of the ACL tests per request to
> >> *.l.google.com servers.
> >
> > Thanks, will do.
> >>
> >> > http_access allow UnauthorizedServers
> >>
> >> Optimization:
> >>
> >> adding these IPs to the firewall to reject connections they make
> >> inbound to the proxy allows you to drop this ACL policy.
> >
> > The point of this was to allow these servers through without having to
> > authenticate, due to them running software that was written by people who
> > don't know what a proxy is.
>
> Sorry, never mind that. Reading "unauthorized" as meaning, well,
> non-authorized, instead of bypass-authentication.
>
> It is a bit tricky on the naming there, since in access control
> terminology:
> allow == authorized access,
> deny == unauthorized.
>
>
> ... so "authorize access for UnauthorizedServers" is a mind bender.

Yea, my first run through setting this up, so not everything is worded
correctly yet. Thanks for your help Amos, I see you helping so much on this list.

>
>
> Amos
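Amos's two config hints (test bare domain names with `dstdomain` rather than `url_regex`, and merge `GTALK_hosts` and `GTALK_domains` into one `dstdomain` ACL) can be checked mechanically. The Python below is an added example written for this page, not code from the thread or from the Squid project: it parses `acl` lines from a constructed fragment modelled on Simon's config, flags `url_regex` entries whose "pattern" is really a hostname, prints the `dstdomain` rewrite with the wildcard `.` prefix, collapses the two GTALK ACLs, and demonstrates with a constructed URL why the regex form matters for an ACL that controls access: an unanchored `url_regex microsoft.com` matches anywhere in the URL text (path or query included), while `dstdomain .microsoft.com` only matches the destination host. The `url_regex`/`dstdomain` matching functions approximate Squid's semantics and are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed squid.conf fragment modelled on the ACL lines quoted in the thread.
SAMPLE_CONF = """\
acl GTALK_hosts dstdomain talk.google.com www.google.com
acl GTALK_domains dstdomain .l.google.com
acl UnauthorizedDomains url_regex microsoft.com
acl UnauthorizedDomains url_regex verisign.com
acl UnauthorizedDomains url_regex thawte.com
acl UnauthorizedDomains url_regex crl.usertrust.com
acl oem-gc-domain url_regex linux-update.oracle.com
acl Safe_ports port 80   # http
"""

# "acl <name> <type> <args...>" with an optional trailing "# comment".
ACL_RE = re.compile(r"^\s*acl\s+(\S+)\s+(\S+)\s+(.*?)\s*(?:#.*)?$")
# A url_regex argument made only of hostname characters is a domain name
# written as a regex: the case Amos points at.
BARE_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def parse_acls(conf: str):
    """Return (name, type, [args]) for every acl line; comments are dropped."""
    out = []
    for line in conf.splitlines():
        m = ACL_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3).split()))
    return out


def url_regex_matches(pattern: str, url: str) -> bool:
    """Approximation of Squid url_regex: unanchored search over the whole URL."""
    return re.search(pattern, url) is not None


def dstdomain_matches(domain: str, url: str) -> bool:
    """Approximation of Squid dstdomain: exact host match, or the domain and
    any subdomain when the entry carries the leading '.' (as .l.google.com)."""
    host = (urlsplit(url).hostname or "").lower()
    domain = domain.lower()
    if domain.startswith("."):
        return host == domain[1:] or host.endswith(domain)
    return host == domain


def find_bare_url_regex(acls):
    """url_regex entries whose pattern is just a hostname: (acl name, pattern)."""
    return [(name, arg) for name, typ, args in acls
            if typ == "url_regex" for arg in args if BARE_HOST_RE.match(arg)]


def suggest_dstdomain(acls):
    """Rewrite each flagged entry as dstdomain with the '.' wildcard prefix,
    merged into one line per ACL name."""
    merged = {}
    for name, arg in find_bare_url_regex(acls):
        merged.setdefault(name, []).append("." + arg.lstrip("."))
    return [f"acl {name} dstdomain {' '.join(args)}" for name, args in merged.items()]


def collapse_dstdomain(acls, names, new_name):
    """Merge several dstdomain ACLs into a single one (GTALK_hosts + GTALK_domains)."""
    args = []
    for name, typ, a in acls:
        if name in names and typ == "dstdomain":
            args.extend(x for x in a if x not in args)
    return f"acl {new_name} dstdomain {' '.join(args)}"


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONF)
    for name, pat in find_bare_url_regex(acls):
        print(f"{name}: url_regex '{pat}' is a bare hostname; test it with dstdomain")
    for line in suggest_dstdomain(acls):
        print(line)
    print(collapse_dstdomain(acls, {"GTALK_hosts", "GTALK_domains"}, "GTALK_hosts"))
    # Constructed URL: not a Microsoft host, but the string appears in the query.
    probe = "http://other.example/?from=microsoft.com"
    print("url_regex matches:", url_regex_matches("microsoft.com", probe))
    print("dstdomain matches:", dstdomain_matches(".microsoft.com", probe))
```

Running it prints the two rewritten `UnauthorizedDomains` and `oem-gc-domain` lines, the single merged GTALK ACL, and then `True` / `False` for the probe URL: the regex ACL would treat a request to an unrelated host as if it were going to microsoft.com, the `dstdomain` ACL would not. The same checker can be pointed at a real `squid.conf` by replacing `SAMPLE_CONF` with the file's contents.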