On 21/04/2012 4:01 a.m., Wladner Klimach wrote:
Amos,
what could be causing this? When I disable NTLM authentication or when
I use Kerberos all access goes just fine, but when only NTLM is enabled I
can't get access to https pages and I get in the logs TCP_DENIED/407.
How can I debug it?
You need to locate and identify what request headers are being denied.
The easiest way with 3.1 is a packet dump with full packet bodies
("tcpdump -s0 ..."). Then base-64 decode the www-authenticate headers
from the client and check the type codes. NTLM has "NTLMSSPI" then a
binary type number 1, 2 or 3.
The NTLM flow should be:
client: makes request (no auth)
Squid: emits 407 with NTLM advertised as available
squid: [optionally closes the connection (due to "auth_param ntlm
keep-alive off" hack)]
client: repeat request with type-1 NTLM proxy-auth header
squid: 407 with type-2 NTLM proxy-auth header
client: repeat request with type-3 NTLM proxy-auth header
squid: HTTP response
client: [optionally make other requests with type-3 NTLM proxy-auth
header]
connection closes.
If you find connections opening and starting immediately with type-3
token that is Kerberos or broken NTLM from the client.
Amos
regards
2012/4/20 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On 21/04/2012 1:15 a.m., Harry Mills wrote:
Hi Wladner,
I don't think this is causing your problems, but I think you need to
change the following:
Instead of:
http_access deny CONNECT !Safe_ports
try:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
Also, on the last two lines of your included config you have:
acl AUTENTICADO proxy_auth REQUIRED
http_access allow AUTENTICADO
This is one of several correct proxy-auth configurations.
I simply have:
http_access allow proxy_auth
I have no idea if this will help, but worth giving it a try perhaps?
?? for that to work you require this somewhere above your http_access rule
...
acl proxy_auth proxy_auth REQUIRED
or some other definition for an ACL *label* "proxy_auth".
Amos
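The debugging step Amos describes above (base64-decode the proxy-auth headers from a "tcpdump -s0" capture, read the NTLMSSP type number, and check that each connection follows the 1 -> 2 -> 3 handshake rather than starting cold with a type-3 token) can be scripted. The following Python is an added example written for this thread, not code from Squid or from anyone in the discussion. It assumes the HTTP messages of one TCP connection have already been reassembled into text; the sample connections, the hostnames and the NTLM token bodies are constructed placeholders, and only the 8-byte signature and the little-endian type field at offset 8 are actually parsed.

```python
import base64
import binascii
import re
import struct

# Every NTLMSSP message starts with this 8-byte signature, followed by a
# little-endian 32-bit message type: 1 = Negotiate, 2 = Challenge, 3 = Authenticate.
NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPE_NAMES = {1: "type-1 Negotiate", 2: "type-2 Challenge", 3: "type-3 Authenticate"}

# Both directions of the proxy handshake: client -> Proxy-Authorization,
# Squid -> Proxy-Authenticate (inside the 407 responses).
HEADER_RE = re.compile(r"^(Proxy-Authorization|Proxy-Authenticate):\s*(.+?)\s*$", re.I | re.M)


def ntlm_message_type(header_value):
    """Return the NTLM message type (1, 2 or 3) carried by a Proxy-Auth* header
    value, or None when the value is not a decodable NTLMSSP token: a bare
    'NTLM' advertisement in a 407, a Negotiate/SPNEGO blob, or corrupt base64."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):
        return None
    return struct.unpack_from("<I", raw, 8)[0]


def auth_sequence(connection_text):
    """Walk the HTTP messages of one reassembled TCP connection and return the
    NTLM message types seen, in wire order."""
    seq = []
    for _name, value in HEADER_RE.findall(connection_text):
        msg_type = ntlm_message_type(value)
        if msg_type is not None:
            seq.append(msg_type)
    return seq


def classify(seq):
    """Compare an observed type sequence with the expected NTLM flow."""
    if not seq:
        return "no NTLM token seen (client never answered the 407, or NTLM is not in use)"
    if seq[0] == 3:
        return "connection starts with a type-3 token: Kerberos or broken NTLM from the client"
    if seq[:3] == [1, 2, 3]:
        return "normal NTLM handshake (1 -> 2 -> 3)"
    return "unexpected sequence: " + " -> ".join(NTLM_TYPE_NAMES.get(t, str(t)) for t in seq)


def _ntlm_token(msg_type, body):
    """Build a base64 NTLMSSP token. The body is a constructed placeholder;
    real tokens carry flags, security buffers and the challenge after the type."""
    return base64.b64encode(NTLM_SIGNATURE + struct.pack("<I", msg_type) + body).decode()


# Constructed sample tokens (bodies are filler, only signature + type matter here).
T1 = _ntlm_token(1, struct.pack("<I", 0xA2088207))
T2 = _ntlm_token(2, b"\x00" * 8 + struct.pack("<I", 0x05828202) + b"\x11" * 8)
T3 = _ntlm_token(3, b"\x00" * 52)


def _connection(lines):
    return "\r\n".join(lines) + "\r\n"


# Constructed healthy connection: matches the flow Amos lists (request, 407 with
# NTLM advertised, type-1, 407 with type-2, type-3, then the real response).
NORMAL_CONNECTION = _connection([
    "CONNECT mail.example.com:443 HTTP/1.1", "Host: mail.example.com:443", "",
    "HTTP/1.1 407 Proxy Authentication Required", "Proxy-Authenticate: NTLM", "",
    "CONNECT mail.example.com:443 HTTP/1.1", "Proxy-Authorization: NTLM " + T1, "",
    "HTTP/1.1 407 Proxy Authentication Required", "Proxy-Authenticate: NTLM " + T2, "",
    "CONNECT mail.example.com:443 HTTP/1.1", "Proxy-Authorization: NTLM " + T3, "",
    "HTTP/1.1 200 Connection established", "",
])

# Constructed suspect connection: opens by presenting a type-3 token at once and
# gets the TCP_DENIED/407 the original poster sees in the logs.
BROKEN_CONNECTION = _connection([
    "CONNECT mail.example.com:443 HTTP/1.1", "Proxy-Authorization: NTLM " + T3, "",
    "HTTP/1.1 407 Proxy Authentication Required", "Proxy-Authenticate: NTLM", "",
])


if __name__ == "__main__":
    for label, text in (("normal", NORMAL_CONNECTION), ("broken", BROKEN_CONNECTION)):
        seq = auth_sequence(text)
        print(label, seq, "->", classify(seq))
```

To use it on a real capture, reassemble each TCP stream (for example with Wireshark's "Follow TCP Stream" on the tcpdump file) and feed the text of one stream to `auth_sequence`; a proxy that is working will show `[1, 2, 3]` per connection, and any stream classified as starting with type-3 is the one to inspect on the client side.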