On 04.10.2012 09:53, muno wrote:
I need to configure Squid3 to authenticate via NTLM reverse-proxy authentication. I have installed and configured Squid, but the browser asks for the password again and again.
NTLM on a reverse proxy or web server is a very bad idea. It was designed for LAN usage end-to-end, without any proxies or other software in the middle. It adds a huge amount of traffic overhead and requires some hacks which severely limit the proxy and network capacity. Besides even the small detail of being vulnerable to downgrade attacks.
For a reverse-proxy you can get better security, efficiency and reliability using Kerberos in Negotiate auth.
Does anyone have a clue to help me?
Squid version: 3.?.?
Here is my configuration:

./configure --prefix=/usr/local/squid --exec_prefix=/usr/local/squid \
  --enable-ssl \
  --enable-auth-ntlm="ntlm,basic" \
  --enable-basic-auth-helpers="winbind" \
  --enable-ntlm-auth-helpers="winbind" \
  --enable-external-acl-helpers="winbind_group,wbinfo_group" \
  --enable-delay-pools --enable-removal-policies --enable-underscores \
  --enable-cache-digests --disable-ident-lookups --enable-truncate \
  --with-winbind-auth-challenge

------------------------------- squid.conf

### pure ntlm authentication
auth_param ntlm program /usr/lib/squid/ntlm_auth
auth_param ntlm children 10
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
#auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=example,dc=local" -D squid@example.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.example.local
#auth_param basic children 10
#auth_param basic realm Internet Proxy
#auth_param basic credentialsttl 1 minute

### published sites, one ACL per origin
acl warp dstdomain warpx.uninet.com.br
acl xymon dstdomain monitorx.uninet.com.br
acl uninet dstdomain www.uninet.com.br

### client networks
acl admin src 200.220.1.0/24
acl admin src 200.220.102.0/24
acl unisys src 129.222.0.0/16
acl unisys src 129.224.0.0/16
acl unisysvpn src 172.0.0.0/8

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

### reverse-proxy listeners
http_port 80 accel
https_port 443 accel cert=/usr/local/squid/CA/cacert.pem key=/usr/local/squid/CA/cakey.pem

### origin servers behind the reverse proxy
cache_peer 200.220.0.103 parent 80 0 no-query no-digest connection-auth=on originserver proxy-only no-netdb-exchange login=PASS name=warpsite
cache_peer_access warpsite allow warp

cache_peer 200.220.0.139 parent 443 0 no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=xymonsite
cache_peer_access xymonsite allow xymon

cache_peer 200.220.0.120 parent 80 0 no-query no-digest originserver name=uninetsite
cache_peer_access uninetsite allow uninet

### access rules
#http_access allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
Um, you don't seem to have any http_access allow rules. Or even anything testing the auth credentials. ??
Amos
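An added example, not part of the thread or of Squid itself: a small squid.conf linter that mechanically checks the points raised above, that is, whether any http_access allow rule exists besides the cache manager, whether any ACL of type proxy_auth actually consults the configured auth helpers (without one, the browser is never asked for credentials in a way Squid will accept), whether NTLM is configured at all, and whether a TLS cache_peer disables certificate verification with sslflags=DONT_VERIFY_PEER. Both configurations embedded below are constructed: POSTED_CONF is a trimmed copy of the posted config, and FIXED_CONF is a hypothetical corrected version using Negotiate/Kerberos; the helper path, the HTTP/ service principal, the realm EXAMPLE.LOCAL and the CA file path in it are assumptions, not values from the thread.

```python
"""Lint a squid.conf for the problems discussed in the thread above.
Added example; the configs below are constructed, not taken verbatim."""
from typing import Dict, List, Tuple

Directive = Tuple[str, List[str]]

# Constructed sample: the posted squid.conf, trimmed to the relevant lines.
POSTED_CONF = """
auth_param ntlm program /usr/lib/squid/ntlm_auth
auth_param ntlm children 10
auth_param ntlm keep_alive off
acl warp dstdomain warpx.uninet.com.br
acl xymon dstdomain monitorx.uninet.com.br
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_port 80 accel
cache_peer 200.220.0.103 parent 80 0 no-query originserver login=PASS name=warpsite
cache_peer_access warpsite allow warp
cache_peer 200.220.0.139 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=xymonsite
cache_peer_access xymonsite allow xymon
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""

# Hypothetical corrected version (assumed helper path, SPN, realm and CA file):
# Negotiate/Kerberos, an ACL that consults it, and an allow rule that uses it.
FIXED_CONF = """
auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -s HTTP/www.uninet.com.br@EXAMPLE.LOCAL
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl authenticated proxy_auth REQUIRED
acl warp dstdomain warpx.uninet.com.br
acl xymon dstdomain monitorx.uninet.com.br
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_port 80 accel
cache_peer 200.220.0.139 parent 443 0 no-query originserver ssl sslcafile=/etc/ssl/certs/origin-ca.pem name=xymonsite
cache_peer_access xymonsite allow xymon
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow authenticated warp
http_access allow authenticated xymon
http_access deny all
"""


def parse_conf(text: str) -> List[Directive]:
    """Split squid.conf text into (directive, args) pairs; '#' starts a comment."""
    out: List[Directive] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def lint(conf: List[Directive]) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means no problem found."""
    findings: List[Tuple[str, str]] = []

    # Auth schemes configured vs. ACLs that actually test credentials.
    schemes = {a[0] for d, a in conf if d == "auth_param" and a}
    acl_types: Dict[str, str] = {a[0]: a[1] for d, a in conf if d == "acl" and len(a) >= 2}
    auth_acls = {n for n, t in acl_types.items() if t in ("proxy_auth", "proxy_auth_regex")}
    if schemes and not auth_acls:
        findings.append(("NO_PROXY_AUTH_ACL",
                         "auth_param helpers are configured but no proxy_auth ACL ever consults them"))
    if "ntlm" in schemes:
        findings.append(("NTLM_AUTH",
                         "NTLM configured; for a reverse proxy prefer Negotiate/Kerberos"))

    # Any http_access allow rule that is not just the cache manager?
    allows = [a for d, a in conf if d == "http_access" and a and a[0] == "allow"]
    if not [a for a in allows if "manager" not in a[1:]]:
        findings.append(("NO_ALLOW",
                         "no http_access allow rule other than manager; 'deny all' rejects every client"))

    # TLS to an origin server without verifying its certificate.
    for d, a in conf:
        if d == "cache_peer" and any(x.startswith("sslflags=") and "DONT_VERIFY_PEER" in x for x in a):
            name = next((x.split("=", 1)[1] for x in a if x.startswith("name=")), a[0])
            findings.append(("PEER_NO_VERIFY",
                             f"cache_peer {name}: sslflags=DONT_VERIFY_PEER disables origin cert verification"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for code, msg in lint(parse_conf(text)) or [("OK", "no findings")]:
            print(f"{code}: {msg}")
```

The checker deliberately treats `http_access allow manager localhost` as not counting: it only admits cache-manager requests from the proxy host, so with it as the sole allow rule every browser request falls through to `deny all`, which is exactly the symptom of being denied regardless of what password is typed. In the corrected variant the allow rules name the `proxy_auth REQUIRED` ACL, which is what makes Squid challenge the client and pass the credentials to the helper.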