Search squid archive

Re: Squid3 authentification proxy and method CONNECT SSL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Amos;

Thanks you for this complete response.
You're true, I have to upgrade my Debian :) soon !

For the conf, I have put this value in my squid.conf

 auth_param ntlm keep_alive off
 auth_param negotiate keep_alive off

but it seems it's not working (one user have call me).... to be sure, i'm waiting more user's return.

Alex



Le 01/07/2015 13:58, Amos Jeffries a écrit :
On 1/07/2015 8:55 p.m., Alexandre Magnat wrote:
Hello,

I use Squid3 (3.1.20)
Please upgrade.

with Squidguard filtering linked with an user 's
authentication  on a OpenLDAP.
But, recurrently, Firefox, Thunderbird, Chrome (certainly IE) ask again
frequently the login and password in a popup.

It seem, the popup authentication appear when the browser try a request
on a CONNECT method like this:
172.16.1.215 - - [01/Jul/2015:10:40:18 +0200] "CONNECT
fhr.data.mozilla.com:443 HTTP/1.1" 407 3812 TCP_DENIED:NONE
or like this:
172.16.1.207 - - [01/Jul/2015:10:39:40 +0200] "CONNECT
safebrowsing.google.com:443 HTTP/1.1" 407 3824 TCP_DENIED:NONE

1) no credentials were presented. Thus 407 - Auth required.

OR

2) credentials presented were rejected by the auth system. Thus 407 -
Auth requires different credentials (or scheme).

OR

3) NTLM or Negotiate handshake underway. Thus 407 - Auth requires
handshake completion.


But, I think, I have configured correctly Squid3 for accept this kind of
request:

acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

Those lines have nothing to do with auth. They are for rejecting non-
port 443 connection attempts.

It's a boring problem for my user to have 4 or 5 times per day this kind
of popup :-(
Anybody have an idea for helping me to resolve this ?

Firefox and Thunderbird it may be
<https://bugzilla.mozilla.org/show_bug.cgi?id=318253>. I'm not sure how
long it will take Mozilla to get a fixed version of their software out.
At least they have now finally found the problem.

Chrome and IE may have similar issues. They all tend to copy each others
behaviour with things like this.

Meanwhile there is a workaround that should work - add whichever is
relavant to your config:
  auth_param ntlm keep_alive off
  auth_param negotiate keep_alive off

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux