Re: negative ACL

On 20/07/2012 7:47 a.m., Rick Chisholm wrote:
I have an NTLM auth proxy, but a number of apps do not seem to be smart
enough to pass credentials and this generates numerous squid
authentication pop-ups for users. I'm trying to eliminate this.

NTLM is inefficient and now deprecated as well. A bunch of those apps you will find happy to use Negotiate/Kerberos authentication; any Windows 7 and Vista client software will be in that group. Upgrade to Kerberos is recommended.

Anyways...


I was thinking of creating a browser ACL with entries that will cover the
browsers in use on the network and then try to use a NOT operator like

http_access allow !known_browsers

before the auth required setting.

thoughts?

That particular logic is a bit tricky and allows users through the proxy without auth if you make any mistakes in the browser regex pattern (or they fake their UA string).

I would pick a whitelist style of known-ok agents to send the auth challenge to.

  http_access allow known_browsers authAcl

That way any mistakes will result in visible auth popups, not a silent allow.


Amos
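
The two rule orders discussed in this message, written out as a squid.conf fragment. This is an added example, not part of the original thread; the User-Agent pattern and the final `deny all` are assumptions, and the auth helper setup is omitted.

```conf
# Added example: ACL names known_browsers and authAcl come from the thread;
# the User-Agent pattern and the closing "deny all" are assumptions.
# The auth_param lines for the NTLM/Negotiate helper are omitted.

# Constructed pattern: list the browsers actually deployed on the network.
acl known_browsers browser -i (Firefox|Chrome|MSIE)
acl authAcl proxy_auth REQUIRED

# Form proposed in the question (left commented out).
# Every request whose User-Agent does NOT match the pattern is allowed
# before any auth rule is consulted, so a regex typo, a browser update that
# changes its UA string, or a client sending a different UA is a silent,
# unauthenticated allow.
#http_access allow !known_browsers
#http_access allow authAcl
#http_access deny all

# Form suggested in the reply.
# ACLs on one line are ANDed left to right: known_browsers is tested first,
# and only a match goes on to authAcl, which issues the 407 challenge when no
# credentials were sent. Listing authAcl last on the line is what keeps the
# challenge limited to the listed agents.
http_access allow known_browsers authAcl

# Anything that did not match above never reaches authAcl and falls through
# to the following rules. With this final rule (assumed) it is refused, so a
# mistake in the pattern shows up as a visible failure instead of open access.
http_access deny all
```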

