On 15/05/2012 5:28 p.m., infernalis wrote:
Hi all, I'm having considerable trouble getting Squid to work well with NTLM/Kerberos and was hoping someone here would be able to help. My ultimate goal is to be able to connect to an IIS server through Squid using a computer that is not a member of the AD domain. I would like to enter my credentials once to the proxy, and then have Squid save the authentication token in order to use it against other servers that require authentication.
Token re-use in this form is not what happens in NTLM. It uses a code specific to the TCP connection and a hash.
The problem I'm facing is that no matter what I've tried, I'm forced to authenticate manually six times while loading sites requiring authentication. This is much worse than the behavior prior to adding Squid.
6 times is a problem. You should at most be asked once. But there is some software (IE primarily) which is known to ask for manual authentication when it should not need to.
First, is it possible for Squid to cache the credentials and then authenticate on behalf of the client to an upstream server? If this isn't the best way to go about doing this, what would you suggest?
Squid *does* cache the credentials. In a specific way that NTLM requires. Re-using the same credentials for other TCP connections out of a normal cache causes a major security vulnerability with NTLM.
Second, what could be the problem with my configuration? I'm running Squid 3.1.10.
Please try an upgrade; 3.1.19 is current, 3.1.15 at oldest is recommended. The hacks disabling certain HTTP features in order to get NTLM to operate were improved incrementally across the 3.1 series, so the later the release you can get, the better NTLM will work. Up to a point. However, be aware this multiple-login is known to still occur with IE + Squid even in the latest releases. It is IE behaviour.
Thanks in advance! Here is my current config:

http_port 80 accel defaultsite=webservername connection-auth=on
Ah, so by "sites" which login is failing for you mean "http://webservername/".
NP: NTLM is *not* a good protocol to use for website authentication over the general Internet. It is extremely fragile, resource intensive, and not supported by most of the software spread through the middle of the Internet.
cache_peer x.x.x.x parent 80 0 no-query login=PASS originserver connection-auth=on name=serv
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
Turning this one off might help reduce your popups. It does not disable connection persistence, but enables a hack to get around some of the IE multiple-popup behaviour.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl auth proxy_auth REQUIRED
http_access allow auth
http_access deny all
At this "deny all" any following http_access lines are ignored.
acl our_sites dstdomain webservername
proxy_auth REQUIRED
client_persistent_connections on
server_persistent_connections on
debug_options ALL,2
http_access allow our_sites
cache_peer_access serv allow our_sites
cache_peer_access serv deny all
Amos
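The poster's squid.conf with the two changes the reply points at applied, as an added example (not config from the thread or from the Squid project): `auth_param ntlm keep_alive` switched off, and the http_access rules reordered so that `deny all` is the final rule and the `allow our_sites` line is no longer dead. `webservername` and `x.x.x.x` are the poster's own placeholders and are left as they were; the bare `proxy_auth REQUIRED` line from the original is dropped here on the assumption that it duplicated the `acl auth` line, since it is not a directive on its own.

```conf
# Added example: the posted configuration with the reply's suggestions applied.
# Placeholders (webservername, x.x.x.x) are the original poster's, not real hosts.

http_port 80 accel defaultsite=webservername connection-auth=on

# connection-auth=on on both http_port and cache_peer keeps the NTLM handshake
# pinned to one client connection and one server connection. That pinning is
# why Squid cannot replay a cached NTLM token on another TCP connection.
cache_peer x.x.x.x parent 80 0 no-query login=PASS originserver connection-auth=on name=serv

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
# Was "on". Off forces Squid to close the connection after the initial
# scheme-negotiation request, the workaround aimed at the IE repeat-popup behaviour.
auth_param ntlm keep_alive off

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl auth proxy_auth REQUIRED
acl our_sites dstdomain webservername

# http_access is evaluated top-down and stops at the first match, so
# "deny all" must be the last line. In the posted config it sat above
# "allow our_sites", which made that rule unreachable.
http_access allow auth
http_access allow our_sites
http_access deny all

cache_peer_access serv allow our_sites
cache_peer_access serv deny all

client_persistent_connections on
server_persistent_connections on
debug_options ALL,2
```

Note that with `allow our_sites` reachable, requests for webservername that carry no proxy credentials are now permitted by Squid itself; in this accelerator setup the origin still challenges them because `login=PASS` forwards the client's own authentication, so decide deliberately whether you want the proxy layer to enforce login as well (keep only `allow auth`) or to leave that to IIS.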