On 10/07/2012 9:59 p.m., Bruno Santos wrote:
> Hi all !
> I finally (sort of) managed to get squid with NTLM authentication. I now have it
> working as I want it, but there's a configuration that I had to change and
> that keeps bugging me as to why.
> Everything was working fine until reaching https sites.
> If I had enabled both types of authentication, NTLM and basic (for those under
> Linux or not using an NTLM-enabled browser):
> --------
> # NTLM authentication - Winbind - AD
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 300
> auth_param ntlm keep_alive off
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 100
> auth_param basic realm Por favor autentique-se!
> auth_param basic credentialsttl 2 hours
> acl ntlmAuth proxy_auth REQUIRED
> --------------------
> This configuration worked fine, but those with NTLM (Windows + IE / Firefox)
> were asked for authentication (that shouldn't happen). Those on Linux worked
> just fine (with an authentication dialog) and every site appears as it should.
> If I remove the basic authentication, those with Windows (IE and Firefox) are
> NOT asked for authentication and those using Linux are asked for authentication
> (everything fine here). Here is the problem:
By "those" I assume you mean the persons/users, and not their browser
agents.
By "asked" I assume you mean the auth popup window, and not the 407
proxy challenge.
Popups are a browser feature; when one happens is decided *only* by the
browser, usually because it was unable to find any working credentials
that could be used [some browsers are broken].
Ideally no user would be asked for authentication when NTLM is used. The
grand benefit offered by NTLM is that it works from the user's network
login credentials and the browser never has to ask them to type anything.
> Those using Linux can't access (most) https sites. It just gives:
> TCP_DENIED/407 3833 CONNECT twitter.com:443 - NONE/- text/html
> And nothing happens...
Most likely your "auth_param ntlm keep_alive off" is breaking the
fragile support the CONNECT method has for NTLM.
> So I decided to do an experiment.
> In squid.conf, I changed:
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> to
> http_access allow CONNECT SSL_ports
> And suddenly all those https sites began working...
Of course. You just bypassed authentication.
> Well, my question is:
> Is this correct? What would be happening with the other configuration? Is it
> safe?
No. See above. No, it allows anyone unlimited access to tunnel via
CONNECT method to SSL_ports.
HTH
Amos
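As an added example (not configuration from either poster), the http_access ordering that produces the bypass Amos describes, beside a corrected ordering that keeps CONNECT behind the proxy_auth ACL. SSL_ports and Safe_ports are assumed to be the stock squid.conf ACLs, and keep_alive is set back on following the hint above.

```conf
# Added example, not Bruno's or Amos's squid.conf.
# http_access rules are evaluated top to bottom and the first match wins,
# so an "allow CONNECT SSL_ports" placed before any proxy_auth ACL lets
# every client open a tunnel to port 443 without ever being challenged.
#
# --- Weak ordering (the experiment in the thread) ---
# http_access allow CONNECT SSL_ports   # matches first: auth never checked
# http_access allow ntlmAuth
# http_access deny all

# --- Corrected ordering ---
# Assumes SSL_ports and Safe_ports are the stock squid.conf ACLs.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 300
auth_param ntlm keep_alive on        # "off" breaks NTLM over CONNECT (see above)
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 100
auth_param basic realm Por favor autentique-se!
auth_param basic credentialsttl 2 hours
acl ntlmAuth proxy_auth REQUIRED

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports  # keep: refuse tunnels to non-SSL ports
http_access allow ntlmAuth           # CONNECT included: unauthenticated
                                     # requests get the 407 challenge here
http_access deny all
```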