Re: [squid-users] Non-browser applications using NTLM+Squid?

Mon, 23 Jul 2012 10:06:05 -0700 

Josh,

http_access deny requirentlmhosts

after the allow rule should do it I think.

Alex

On 23/07/12 15:08, Baird, Josh wrote:

How would I go about only forcing certain hosts to use NTLM auth, but allowing 
everyone else to use the proxy un-authenticated?

I have a ACL that contain's src's of IP's that I need to force to use NTLM:

acl requirentlm proxy_auth REQUIRED
acl requirentlmhosts src 1.1.1.1/255.255.255.255
http_acccess allow requirentlmhosts requirentlm

This takes care of forcing "requirentlmhosts" to auth, but if I have another http_access 
rule that allows everyone else, what keeps "requirentlmhosts" from getting out without 
auth?

Thanks,

Josh

-----Original Message-----
From: Baird, Josh
Sent: Thursday, July 19, 2012 9:39 PM
To: Eliezer Croitoru; [email protected]
Subject: RE: [squid-users] Non-browser applications using NTLM+Squid?

Not sure why I didn't think of that.  Thanks!

Josh
________________________________________
From: Eliezer Croitoru [[email protected]]
Sent: Thursday, July 19, 2012 6:12 PM
To: [email protected]
Subject: Re: [squid-users] Non-browser applications using NTLM+Squid?

On 7/19/2012 11:29 PM, Baird, Josh wrote:

Hi,

I'm wondering what others are doing about non-browser applications (Anti-virus 
software that fetches updates, instant messengers over HTTP, etc) that sit 
behind a Squid proxy that requires NTLM authentication?  These applications, in 
my experience, use Windows' proxy settings to proxy their outbound traffic, but 
can't speak NTLM, so the application is prevented from proxying any traffic.

Would a Kerberos integrated Squid be a possible solution to this problem?

Thanks,

Josh


very simple.. just allow them all before the authentication acls such as in:

acl updates dstdomain .windowsupdates.microsoft.com .antivirusupdates.org
acl updates1 dst 192.168.0.1/32

http_access allow localnet updates
http_access allow localnet updates1
http_access allow localnet ntlm_auth_helper
http_access deny all


Regards,
Eliezer
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer<at>  ngtech.co.il

Reply via email to