Re: [squid-users] squid NTLM setup question
Andre Albsmeier wrote:
> On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:
>> We have been using squid in our development environment. Squid has been forwarding all the internet bound traffic to a proxy server that did not need any authentication until now. But that has changed now and now we have to use another proxy server that uses NTLM based authentication. Now our servers in this development environment only have local users (users logging in are not authenticated against Windows AD). Does the Squid NTLM authentication setup still work in this setup? Can the NTLM setup be configured to use a specified user (and password, hopefully encrypted) that can be specified in some configuration file? This is needed as many of our applications (Tomcat, ESB etc.) are headless (I mean not just a web browser) and they now need to go through this new proxy server.
>
> If you want something like this:
>
>         no auth    NTLM auth
> clients ---> squid -> NTLM based proxy ---> world
>
> I think this is not possible with squid. I worked around this same problem with cntlm using:
>
>         no auth    no auth    NTLM auth
> clients ---> squid ---> cntlm -> NTLM based proxy ---> world
>
> cntlm runs on the same machine as squid does. However, I would be happy if the cntlm functionality could be brought into squid one day...

Your wish is granted ;)

3.2 will have Kerberos login to cache_peer servers. The code is already committed to the 3.HEAD alpha releases.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.13
Re: [squid-users] squid NTLM setup question
On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:
> We have been using squid in our development environment. Squid has
> been forwarding all the internet bound traffic to a proxy server that
> did not need any authentication until now. But that has changed now
> and now we have to use another proxy server that uses NTLM based
> authentication. Now our servers in this development environment only
> have local users (users logging in are not authenticated against Windows AD).
> Does the Squid NTLM authentication setup still work in this setup? Can
> the NTLM setup be configured to use a specified user (and password,
> hopefully encrypted) that can be specified in some configuration
> file? This is needed as many of our applications (Tomcat, ESB etc.)
> are headless (I mean not just a web browser) and they now need to go
> through this new proxy server.

If you want something like this:

        no auth    NTLM auth
clients ---> squid -> NTLM based proxy ---> world

I think this is not possible with squid. I worked around this same problem with cntlm using:

        no auth    no auth    NTLM auth
clients ---> squid ---> cntlm -> NTLM based proxy ---> world

cntlm runs on the same machine as squid does. However, I would be happy if the cntlm functionality could be brought into squid one day...

-Andre
--
Failure is not an option -- it comes bundled with Windows.
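The two-hop chain Andre describes, written out as configuration. This is an added example, not something posted in the thread and not taken from the squid or cntlm projects; the upstream proxy name, the port 3127 for cntlm, the account name, the domain and the hash value are all placeholders. It also shows the part of Navjeet's question that cntlm can answer on its own: the password does not have to sit in the file in the clear, because `cntlm -H` prints NTLM hashes that the config accepts instead.

```conf
# --- /etc/squid/squid.conf (only the lines relevant to the chain) ---
http_port 3128

# Squid does no NTLM at all. Every request is handed to the local cntlm
# instance, which adds the NTLM authentication on the way out.
cache_peer 127.0.0.1 parent 3127 0 no-query no-digest default
never_direct allow all

# --- /etc/cntlm.conf (cntlm.ini on Windows) ---
# cntlm must listen on a port other than squid's 3128 when both run on
# the same host; 3127 is an arbitrary choice.
Listen      127.0.0.1:3127

# Upstream NTLM proxy (placeholder hostname and port).
Proxy       upstream-proxy.example:8080

# Account used for every outbound request (placeholders).
Username    proxyuser
Domain      EXAMPLE

# Generate the hash lines with:
#   cntlm -H -u proxyuser -d EXAMPLE
# cntlm prompts for the password and prints PassLM/PassNT/PassNTLMv2
# lines to paste here, so no plaintext "Password" line is needed.
Auth        NTLMv2
PassNTLMv2  00000000000000000000000000000000   # placeholder, replace with cntlm -H output

# Do not loop local traffic back through the upstream proxy.
NoProxy     localhost, 127.0.0.*
```

Two things to keep in mind with this layout. An NTLM hash is not an encrypted password: anyone who can read the file can authenticate as that account with it, so the config file needs the same file permissions you would give a plaintext password (readable by the cntlm user only). And because `never_direct allow all` sends everything through cntlm, a stopped cntlm means every client request fails rather than falling back to a direct connection, which is usually what you want in an environment where the upstream proxy is the only way out.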
Re: [squid-users] Cache MISS and HIT
Squid caches content keyed by the URL. Squid won't cache the headers alone under that URL, but caches a full page.

2009/9/19 andre wang:
> hi all:
>
> I have an issue.
> My squid is running on my localhost at port 3128. When I make an
> http request with squidclient:
> squidclient -m HEAD http://example.com/
> it returns:
> X-Cache: MISS from localhost
> X-Cache-Lookup: MISS from localhost:3128 (it's normal as the cache
> is empty now)
>
> Trying to send the same http request many times, squid returns MISS.
> Then I make the same HTTP request using the GET method instead of HEAD.
> After the GET request is done, I come back to sending squid the HEAD request:
> squidclient -m HEAD http://example.com/
> Squid always returns HIT.
>
> I'm confused, is that normal, can anyone help?
>
> thanks
> andre.ease
Re: [squid-users] NTLM passthrough over https breaks during NTLM handshake
On 19.09.2009, at 04:40, Henrik Nordstrom wrote:

> On Fri, 2009-09-18 at 17:23 +0200, Benjamin Indermühle wrote:
>> 2009/09/18 09:05:38| fwdNegotiateSSL: Error negotiating SSL
>>
>> I doubt that. ntlm breaks during the handshake and not when starting
>> the connection. the ssl connection is established.
>
> The error message says otherwise. fwdNegotiateSSL is when Squid
> negotiates the SSL over a new connection to the requested server.
>
> Regards
> Henrik

I think that is where the problem lies. Why does squid try to negotiate SSL over a connection which is not new but already established? Looking at the tcpdump shows me this.

[Squid] open tcp connection
[Squid] Client Hello (open ssl tunnel)
[Exchange] Server Hello, Certificate, Server Hello Done
[Squid] Client Key Exchange
[Exchange] Change Cipher Spec, Finished
[Squid] HTTPS GET NTLM Negotiate
[Exchange] HTTPS NTLM Challenge
[Squid] sends another Client Hello
[Exchange] terminates the TCP Connection

In my eyes the problem is that Squid resends a Client Hello into an already negotiated SSL tunnel. I am guessing that somehow it must invalidate the persisting tunnel. Maybe there is something wrong with the certificate, I don't know. The fact is that this problem only appears during the NTLM handshake. Basic Auth or OWA over the same setup does not cause any of this behavior. I can just guess what the problem is. Maybe there is some additional validation on the tunnel when Squid wants to send the password.

Regards
Benjamin