Hi Everybody,

Firstly thank you all for your awesome help to date!! I'm sorry to repost this q but I'm hoping someone will be able to tell me what I'm doing wrong. I'm at the frustratingly-close stage of getting this working... oh the bitter-sweet taste :/

I have one Squid proxy which uses NTLMSSP auth and uses another Squid proxy as its parent cache. The 'parent' will have several 'children' squid caches when this pilot is finished. My aim is to use a content filtering product at the parent cache to vet the browsing of our LAN users and report on them from a central location.
child cache's access.log

  TCP_MISS/407 1751 GET http://www.nzherald.co.nz/ USERDOM\ANDREW FIRST_UP_PARENT/192.168.0.23 text/html

parent cache's access.log

  TCP_DENIED/407 1710 GET http://www.nzherald.co.nz/ USERDOM\ANDREW

parent cache's cache.log

<snip>
2003/10/06 14:48:57| aclCheck: checking 'http_access allow user_passwords '
2003/10/06 14:48:57| aclMatchAclList: checking user_passwords
2003/10/06 14:48:57| aclMatchAcl: checking 'acl user_passwords proxy_auth /tmp/user_passwords'
2003/10/06 14:48:57| authenticateAuthenticate: header Basic QIUlSTsdflotTlpcV3023lMU0hBOg==.
2003/10/06 14:48:57| authenticateAuthenticate: This is a new checklist test on FD:17
2003/10/06 14:48:57| authenticateAuthenticate: no connection authentication type
2003/10/06 14:48:57| aclMatchAcl: returning 0 sending authentication challenge.
2003/10/06 14:48:57| aclMatchAclList: no match, returning 0
2003/10/06 14:48:57| aclCheck: requiring Proxy Auth header.
2003/10/06 14:48:57| aclCheck: match found, returning 2
2003/10/06 14:48:57| aclCheckCallback: answer=2
</snip>

Now when I try to browse thru the 'child' cache I get prompted with the IE "Enter Network Password" dialog, and even though the 'Firewall' field in this box refers to the child cache, the realm states "Squid Proxy Tier-2" - and this config line is only on the parent cache.

I am passing the username/password to the parent from the child cache using this syntax on the child:

  cache_peer 192.168.0.23 parent 3128 3130 login=*: no-query

I've tried re-ordering my http_access statements on the parent (see snip of squid.conf below) to allow the child cache before the proxy_auth acl, however then the usernames don't show up in the log :(. I've tried running fakeauth_auth from the command line, but either I don't know the syntax or it's broken because I never seem to be able to get it to return an error code.
I'm kinda hoping it just goes "OK" with any syntax, as that's exactly what I'm looking for (hence if this is the case my IE session should stop prompting for password!)

I'm so close, I can smell it : \

Andrew.

-----Original Message-----
Sent: Wednesday, 24 September 2003 14:30
Subject: RE: [squid-users] Logging username at parent cache using ntlm_auth

Thanks Henrik!

Ok I have done what you suggested and now I see the usernames in access.log on the 2nd tier proxy... however I am consistently denied access (my IE session brings up a login/password box)..

The 2nd Tier Proxy's squid.conf

  auth_param basic program /libexec/fakeauth_auth
  auth_param basic children 5
  auth_param basic realm Squid Proxy Tier-2
  auth_param basic credentialsttl 1 minute
  acl nzproxyauth proxy_auth REQUIRED
  http_access allow nzproxyauth
  http_access allow proxytier1.fqdn.co.nz

Any ideas on what I have gotten wrong?

Many thanks :)

Andrew.

-----Original Message-----
Sent: Wednesday, 24 September 2003 12:47
Subject: Re: [squid-users] Logging username at parent cache using ntlm_auth

On Wed, 24 Sep 2003, Wilshire, Andrew wrote:

> When I look inside access.log on the PARENT (2nd tier) cache of the
> first-tier cache I see
>
> 1064290276.165 4844 eee.fff.ggg.hhh TCP_MISS/200 10100 GET http://www.nzherald.co.nz/pics/ACFNAA.Taimy.JPG - FIRST_UP_PARENT/3rdtiercache.fqdn.co.nz image/jpeg
>
> What I need to accomplish is to get the domain/username passed through to
> the PARENT cache so that I may use a filtering product on our 2nd tier
> proxy.

Then you need to set up a system where "faked" logins are used to the 2nd tier proxy. You can set up the first proxy to log in with the same username but a static password. See the login= cache_peer option.

This also requires reconfiguring the parent proxy to require basic authentication and know about the static password assigned to the first proxy.

> Do I need to recompile Squid on the 2nd tier cache with ntlm_auth support?

Won't help.
You can't proxy ntlm_auth due to the nature of NTLM.

Regards
Henrik

____________________________________________________________________
CAUTION - This message may contain privileged and confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby notified that any use, dissemination, distribution or reproduction of this message is prohibited. If you have received this message in error please notify Air New Zealand immediately. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Air New Zealand.
_____________________________________________________________________
For more information on the Air New Zealand Group, visit us online at http://www.airnewzealand.com
_____________________________________________________________________
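Henrik's point that the parent must "know about the static password assigned to the first proxy" can be met with a small basic-auth helper in place of fakeauth_auth (which returns OK for any credentials, so anyone who can reach the parent's port could browse through it under an arbitrary name). The script below is an added example, not code from this thread or from the Squid project. It speaks Squid's basic-auth helper interface (one "username password" line on stdin per request, "OK" or "ERR" on stdout); the names PEER_SECRET and check_line are chosen here, the secret value is a constructed placeholder, and the URL-decoding of the two fields is an assumption that holds for newer Squid releases and is a no-op on plain text.

```python
#!/usr/bin/env python3
"""Added example: a Squid basic-auth helper for the parent (2nd tier) cache.

The child proxy authenticates users with NTLM and forwards each request with
`login=*:<static-password>`, i.e. the real username plus one shared secret.
This helper accepts a line only when the password equals that shared secret,
so the parent still logs the per-user name but only trusts the child proxy
to assert it. Names and the secret value are assumptions made for this example.
"""
import hmac
import sys
from urllib.parse import unquote

# Constructed placeholder; in practice load it from a root-only file.
PEER_SECRET = "replace-with-the-static-peer-password"


def check_line(line: str, secret: str = PEER_SECRET) -> str:
    """Return the helper reply ("OK" or "ERR") for one "user password" line."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"  # malformed request: no password field at all
    # Assumption: newer Squid URL-encodes both fields; unquote() leaves
    # plain text such as USERDOM\ANDREW unchanged.
    user, password = (unquote(p) for p in parts)
    if not user or user == "-":
        return "ERR"  # refuse anonymous or empty usernames
    # Constant-time comparison so a wrong guess is not distinguishable by timing.
    if hmac.compare_digest(password.encode(), secret.encode()):
        return "OK"
    return "ERR"


def main() -> None:
    # Squid sends one line per authentication and waits for the reply,
    # so flush after every answer.
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

On the parent, point `auth_param basic program` at this script instead of fakeauth_auth and keep the `proxy_auth REQUIRED` acl so the username is evaluated and logged; on the child, set the same secret in `cache_peer ... login=*:<secret>`. The parent then records each user's name in access.log without the child ever forwarding real user passwords.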
