Thanks Amos, I understand the problems and I will analyze the alternative, but for now I need to configure the reverse NTLM.
My squid version is: squid 3.2.1
The configuration file has http_access allow rules. Sorry, but I forgot to copy them!
Any suggestion?
tks

________________________________________________________

root@proxy:/usr/local/squid/etc# more squid.conf
### pure ntlm authentication
auth_param ntlm program /usr/lib/squid/ntlm_auth
auth_param ntlm children 10
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
#auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=example,dc=local" -D squid@example.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.example.local
#auth_param basic children 10
#auth_param basic realm Internet Proxy
#auth_param basic credentialsttl 1 minute

acl warp dstdomain warpx.uninet.com.br
acl xymon dstdomain monitorx.uninet.com.br
acl uninet dstdomain www.uninet.com.br
acl admin src 200.220.1.0/24
acl admin src 200.220.102.0/24
acl unisys src 129.222.0.0/16
acl unisys src 129.224.0.0/16
acl unisysvpn src 172.0.0.0/8

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_port 80 accel
https_port 443 accel cert=/usr/local/squid/CA/cacert.pem key=/usr/local/squid/CA/cakey.pem

cache_peer 200.220.0.103 parent 80 0 no-query no-digest connection-auth=on originserver proxy-only no-netdb-exchange login=PASS name=warpsite
cache_peer_access warpsite allow warp

cache_peer 200.220.0.139 parent 443 0 no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=xymonsite
cache_peer_access xymonsite allow xymon

cache_peer 200.220.0.120 parent 80 0 no-query no-digest originserver name=uninetsite
cache_peer_access uninetsite allow uninet

#http_access allow all

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow admin
http_access allow warp
http_access allow uninet
http_access allow xymon
http_access deny all

coredump_dir /var/spool/squid3
cache deny all

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

cache_effective_user proxy

____________________________________________________

----- Original Message -----
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: <squid-users@xxxxxxxxxxxxxxx>
Subject: Re: Squid3 reverse proxy ntlm authentication
Date: Thu, 04 Oct 2012 11:40:16 +1300

> On 04.10.2012 09:53, muno wrote:
> > I need to configure the Squid3 to authenticate via NTLM reverse proxy
> > authentication. I have installed and configured the squid but the
> > browser requires the password again and again.
>
> NTLM on a reverse proxy or web server is a very bad idea. It was designed
> for LAN usage end-to-end without any proxies or other software in the
> middle. It adds a huge amount of traffic overheads and requires some hacks
> which severely limit the proxy and network capacity. Besides even the small
> details of being vulnerable to downgrade attacks.
>
> For a reverse-proxy you can get better security, efficiency and
> reliability using Kerberos in Negotiate auth.
>
> >
> > Anyone have a clue to help me?
> >
>
> Squid version: 3.?.?
>
> >
> > Here my configuration:
> >
> > ./configure --prefix=/usr/local/squid --exec_prefix=/usr/local/squid
> > --enable-ssl --enable-auth-ntlm="ntlm,basic"
> > --enable-basic-auth-helpers="winbind"
> > --enable-ntlm-auth-helpers="winbind"
> > --enable-external-aclhelpers="winbind_group,wbinfo_group"
> > --enable-delay-pools --enable-removal-policies --enable-underscores
> > --enable-cache-digests --disable-ident-lookups --enable-truncate
> > --with-winbind-auth-challenge
> >
> > -------------------------------
> > squid.conf
> >
> > ### pure ntlm authentication
> > auth_param ntlm program /usr/lib/squid/ntlm_auth
> > auth_param ntlm children 10
> > auth_param ntlm keep_alive off
> >
> > ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
> > #auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=example,dc=local" -D squid@example.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.example.local
> > #auth_param basic children 10
> > #auth_param basic realm Internet Proxy
> > #auth_param basic credentialsttl 1 minute
> >
> >
> > acl warp dstdomain warpx.uninet.com.br
> > acl xymon dstdomain monitorx.uninet.com.br
> > acl uninet dstdomain www.uninet.com.br
> > acl admin src 200.220.1.0/24
> > acl admin src 200.220.102.0/24
> > acl unisys src 129.222.0.0/16
> > acl unisys src 129.224.0.0/16
> > acl unisysvpn src 172.0.0.0/8
> >
> > acl SSL_ports port 443
> > acl Safe_ports port 80          # http
> > acl Safe_ports port 21          # ftp
> > acl Safe_ports port 443         # https
> > acl Safe_ports port 70          # gopher
> > acl Safe_ports port 210         # wais
> > acl Safe_ports port 1025-65535  # unregistered ports
> > acl Safe_ports port 280         # http-mgmt
> > acl Safe_ports port 488         # gss-http
> > acl Safe_ports port 591         # filemaker
> > acl Safe_ports port 777         # multiling http
> > acl CONNECT method CONNECT
> >
> > http_port 80 accel
> > https_port 443 accel cert=/usr/local/squid/CA/cacert.pem key=/usr/local/squid/CA/cakey.pem
> >
> > cache_peer 200.220.0.103 parent 80 0 no-query no-digest connection-auth=on originserver proxy-only no-netdb-exchange login=PASS name=warpsite
> > cache_peer_access warpsite allow warp
> >
> > cache_peer 200.220.0.139 parent 443 0 no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=xymonsite
> > cache_peer_access xymonsite allow xymon
> >
> > cache_peer 200.220.0.120 parent 80 0 no-query no-digest originserver name=uninetsite
> > cache_peer_access uninetsite allow uninet
> >
> > #http_access allow all
> >
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> >
> > http_access deny all
>
> Um, you don't seem to have any http_access allow rules. Or even anything
> testing the auth credentials. ??
>
>
> Amos
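The rule Amos says is absent, shown as an added example rather than anything posted in this thread: an ACL of type proxy_auth is the only thing that makes Squid consult the auth_param helper, so without one the ntlm_auth lines are inert and the site-based allow rules admit every client unauthenticated. The ACL name ntlm_users is an assumption; the other ACL names are the ones from the posted squid.conf.

```squid
### Added example (not from the thread): make the NTLM helper actually gate access.
### Without a proxy_auth ACL the auth_param lines are never exercised.
acl ntlm_users proxy_auth REQUIRED      # name is an assumption

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Challenge first: a deny on the negated auth ACL is what makes Squid send the
# challenge (a 401 WWW-Authenticate in accel mode) instead of a silent deny.
http_access deny !ntlm_users

# Only authenticated clients reach the published sites.
http_access allow ntlm_users warp
http_access allow ntlm_users uninet
http_access allow ntlm_users xymon
http_access deny all
```

Keep the original "http_access allow localhost" and "http_access allow admin" lines above the auth deny if those sources are meant to bypass authentication, and below it if they are not.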