On 10/07/2012 9:59 p.m., Bruno Santos wrote:
Hi all! I finally (sort of) managed to get squid working with NTLM authentication. I now have it working as I want it, but there's a configuration that I had to change and that keeps bugging me as to why. Everything was working fine until reaching https sites. If I had enabled both types of authentication, ntlm and basic (for those under Linux or not using an NTLM-enabled browser):

--------
# NTLM authentication - Winbind - AD
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 300
auth_param ntlm keep_alive off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 100
auth_param basic realm Por favor autentique-se!
auth_param basic credentialsttl 2 hours
acl ntlmAuth proxy_auth REQUIRED
--------------------

This configuration worked fine, but those with NTLM (Windows + IE / Firefox) were asked for authentication (that shouldn't happen). Those in Linux worked just fine (with an authentication dialog) and every site appears as it should. If I remove the basic authentication, those with Windows (IE and Firefox) are NOT asked for authentication and those using Linux are asked for authentication (everything fine here). Here is the problem:
By "those" I assume you mean the persons/users, and not their browser agents.
By "asked" I assume you mean the auth popup window, and not the 407 proxy challenge.
Popups are a browser feature; when one happens is decided *only* by the browser, usually because it was unable to find any working credentials that could be used [some browsers are broken].
Ideally no user would be asked for authentication when NTLM is used. The grand benefit offered by NTLM is that it works from the user's network login credentials and the browser never has to ask them to type anything.
Those using Linux can't access (most) https sites. It just gives:

TCP_DENIED/407 3833 CONNECT twitter.com:443 - NONE/- text/html

And nothing happens...
Most likely your "auth_param ntlm keep_alive off" is breaking the fragile support the CONNECT method has for NTLM.
So I've decided to do an experiment. In squid.conf, I've changed:

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

to

http_access allow CONNECT SSL_ports

And suddenly all those https sites began working...
Of course. You just bypassed authentication.
Well, my question is: Is this correct? What would be happening with the other configuration? Is it safe?
No. See above. No, it allows anyone unlimited access to tunnel via the CONNECT method to SSL_ports.
HTH
Amos
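Added example, not from the original thread and not Bruno's or Amos's own configuration: a squid.conf fragment that puts the rule ordering from Bruno's experiment (commented out) beside a safe ordering. It assumes the standard SSL_ports and CONNECT ACL definitions from the default squid.conf, the ntlm_auth helper path and ntlmAuth ACL name from Bruno's post, and that the rest of the file (Safe_ports, manager rules, cache settings) is unchanged and omitted here. The keep_alive setting follows Amos's diagnosis above rather than anything confirmed on the page.

```conf
# Standard ACLs assumed from the default squid.conf
acl SSL_ports port 443
acl CONNECT method CONNECT
acl ntlmAuth proxy_auth REQUIRED

# Helper from Bruno's post. keep_alive is left at its default (on):
# per Amos, switching it off breaks NTLM over CONNECT, which is what
# produced the TCP_DENIED/407 on CONNECT twitter.com:443.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 300
auth_param ntlm keep_alive on

# http_access is evaluated top to bottom; the first matching line wins.
#
# WEAK (Bruno's experiment, kept commented out):
#   "allow CONNECT SSL_ports" matches every CONNECT to port 443 and
#   references no proxy_auth ACL, so the request is allowed before any
#   credentials are requested. Anyone who can reach the proxy gets an
#   unauthenticated tunnel to any host on 443.
#http_access allow CONNECT SSL_ports

# SAFE: refuse CONNECT to non-SSL ports outright...
http_access deny CONNECT !SSL_ports
# ...and let every remaining request, CONNECT included, fall through
# to the auth ACL. An unauthenticated CONNECT gets a 407 challenge
# here, and only a request carrying valid NTLM credentials is allowed.
http_access allow ntlmAuth
http_access deny all
```

After editing, run `squid -k parse` to check the syntax, then from a client without stored credentials issue `curl -v -x http://proxy:3128 https://twitter.com/` (proxy host and port are placeholders): the safe ordering answers the CONNECT with 407, whereas the commented-out "allow CONNECT SSL_ports" line, if re-enabled, lets the tunnel through with no credentials at all.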