[squid-users] NTLM passthru authentication
Hi,

Can someone take a look at the following issue which I ran into? Here are the details:

Outline: squid 2.6 as the reverse-proxy for an IIS (SharePoint) site. IIS uses NTLM authentication. According to the squid documentation, squid 2.6+ or squid 3.1+ supports NTLM passthru authentication by Connection Pinning.

My problem is it always shows the 404 error code. No NTLM prompt window is shown.

16.178.121.18   my desktop IP
192.57.84.244   squid reverse proxy IP
16.173.232.237  IIS (SharePoint) site

Red Hat Enterprise Linux Server release 5.7 (Tikanga) (64bit)

/usr/sbin/squid -v
Squid Cache: Version 2.6.STABLE21

The following packets were captured by tshark.

  1 0.00 16.178.121.18 -> 192.57.84.244 TCP 64833 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1380 WS=2

0000 00 50 56 ac 00 c6 00 22 0c d5 bc 00 08 00 45 00 .PV"..E.
0010 00 34 3a 59 40 00 76 06 2b 79 10 b2 79 12 c0 39 .4:Y@.v.+y..y..9
0020 54 f4 fd 41 00 50 e8 0d e1 a5 00 00 00 00 80 02 T..A.P..
0030 20 00 e9 2e 00 00 02 04 05 64 01 03 03 02 01 01 d..
0040 04 02 ..

  2 0.16 192.57.84.244 -> 16.178.121.18 TCP http > 64833 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=7

0000 00 22 0c d5 bc 00 00 50 56 ac 00 c6 08 00 45 00 .".PV.E.
0010 00 34 00 00 40 00 40 06 9b d2 c0 39 54 f4 10 b2 .4..@.@9T...
0020 79 12 00 50 fd 41 eb ce 13 67 e8 0d e1 a6 80 12 y..P.A...g..
0030 16 d0 f2 c2 00 00 02 04 05 b4 01 01 04 02 01 03
0040 03 07 ..

  3 0.258861 16.178.121.18 -> 192.57.84.244 TCP 64833 > http [ACK] Seq=1 Ack=1 Win=66240 Len=0

0000 00 50 56 ac 00 c6 00 22 0c d5 bc 00 08 00 45 00 .PV"..E.
0010 00 28 3a 5a 40 00 76 06 2b 84 10 b2 79 12 c0 39 .(:Z@.v.+...y..9
0020 54 f4 fd 41 00 50 e8 0d e1 a6 eb ce 13 68 50 10 T..A.P...hP.
0030 40 b0 09 b5 00 00 ff ff ff ff ff ff @...

  4 0.260075 16.178.121.18 -> 192.57.84.244 HTTP GET /SitePages/Square.aspx HTTP/1.1

0000 00 50 56 ac 00 c6 00 22 0c d5 bc 00 08 00 45 00 .PV"..E.
0010 02 63 3a 5b 40 00 76 06 29 48 10 b2 79 12 c0 39 .c:[@.v.)H..y..9
0020 54 f4 fd 41 00 50 e8 0d e1 a6 eb ce 13 68 50 18 T..A.P...hP.
0030 40 b0 01 21 00 00 47 45 54 20 2f 53 69 74 65 50 @..!..GET /SiteP
0040 61 67 65 73 2f 53 71 75 61 72 65 2e 61 73 70 78 ages/Square.aspx
0050 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70  HTTP/1.1..Accep
0060 74 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 t: application/x
0070 2d 6d 73 2d 61 70 70 6c 69 63 61 74 69 6f 6e 2c -ms-application,
0080 20 69 6d 61 67 65 2f 6a 70 65 67 2c 20 61 70 70  image/jpeg, app
0090 6c 69 63 61 74 69 6f 6e 2f 78 61 6d 6c 2b 78 6d lication/xaml+xm
00a0 6c 2c 20 69 6d 61 67 65 2f 67 69 66 2c 20 69 6d l, image/gif, im
00b0 61 67 65 2f 70 6a 70 65 67 2c 20 61 70 70 6c 69 age/pjpeg, appli
00c0 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 78 62 61 70 cation/x-ms-xbap
00d0 2c 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 76 6e , application/vn
00e0 64 2e 6d 73 2d 65 78 63 65 6c 2c 20 61 70 70 6c d.ms-excel, appl
00f0 69 63 61 74 69 6f 6e 2f 76 6e 64 2e 6d 73 2d 70 ication/vnd.ms-p
0100 6f 77 65 72 70 6f 69 6e 74 2c 20 61 70 70 6c 69 owerpoint, appli
0110 63 61 74 69 6f 6e 2f 6d 73 77 6f 72 64 2c 20 2a cation/msword, *
0120 2f 2a 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 /*..Accept-Langu
0130 61 67 65 3a 20 65 6e 2d 55 53 0d 0a 55 73 65 72 age: en-US..User
0140 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f -Agent: Mozilla/
0150 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 4.0 (compatible;
0160 20 4d 53 49 45 20 37 2e 30 3b 20 57 69 6e 64 6f  MSIE 7.0; Windo
0170 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 ws NT 6.1; WOW64
0180 3b 20 54 72 69 64 65 6e 74 2f 34 2e 30 3b 20 53 ; Trident/4.0; S
0190 4c 43 43 32 3b 20 2e 4e 45 54 20 43 4c 52 20 32 LCC2; .NET CLR 2
01a0 2e 30 2e 35 30 37 32 37 3b 20 2e 4e 45 54 20 43 .0.50727; .NET C
01b0 4c 52 20 33 2e 35 2e 33 30 37 32 39 3b 20 2e 4e LR 3.5.30729; .N
01c0 45 54 20 43 4c 52 20 33 2e 30 2e 33 30 37 32 39 ET CLR 3.0.30729
01d0 3b 20 4d 65 64 69 61 20 43 65 6e 74 65 72 20 50 ; Media Center P
01e0 43 20 36 2e 30 3b 20 49 6e 66 6f 50 61 74 68 2e C 6.0; InfoPath.
01f0 32 3b 20 2e 4e 45 54 34 2e 30 43 3b 20 41 73 6b 2; .NET4.0C; Ask
0200 54 62 50 54 56 2f 35 2e 31 34 2e 31 2e 32 30 30 TbPTV/5.14.1.200
0210 30 37 29 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 07)..Accept-Enco
0220 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c ding: gzip, defl
0230 61 74 65 0d 0a 48 6f 73 74 3a 20 75 6b 77 74 73 ate..Host: ukwts
0240 76 75 6c 78 33 38 30 2e 65 6c 61 62 73 2e 65 64 vulx380.elabs.ed
0250 73 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74 69 6f s.com..Connectio
0260 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 0d n: Keep-Alive...
0270 0a .

  5 0.260125 192.57.84.244
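When a capture like the one above is the only evidence, the useful thing to pull out of it is what the browser actually sent: the request target and the Host header, which are what the proxy's accel/defaultsite setting and the IIS site binding have to agree with. The following is an added example of mine, not tshark or Squid code: it rebuilds the frame bytes from a tshark hex dump, strips the Ethernet II, IPv4 and TCP headers and parses the HTTP request. PACKET4 is packet 4 from this message, with the 0000 offset and one lost column space restored.

```python
"""Rebuild the HTTP request from a tshark hex dump (added example)."""
import re
from typing import Dict

# Packet 4 from the thread: Ethernet II / IPv4 / TCP / HTTP request.
PACKET4 = """\
0000 00 50 56 ac 00 c6 00 22 0c d5 bc 00 08 00 45 00 .PV"..E.
0010 02 63 3a 5b 40 00 76 06 29 48 10 b2 79 12 c0 39 .c:[@.v.)H..y..9
0020 54 f4 fd 41 00 50 e8 0d e1 a6 eb ce 13 68 50 18 T..A.P...hP.
0030 40 b0 01 21 00 00 47 45 54 20 2f 53 69 74 65 50 @..!..GET /SiteP
0040 61 67 65 73 2f 53 71 75 61 72 65 2e 61 73 70 78 ages/Square.aspx
0050 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70  HTTP/1.1..Accep
0060 74 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 t: application/x
0070 2d 6d 73 2d 61 70 70 6c 69 63 61 74 69 6f 6e 2c -ms-application,
0080 20 69 6d 61 67 65 2f 6a 70 65 67 2c 20 61 70 70  image/jpeg, app
0090 6c 69 63 61 74 69 6f 6e 2f 78 61 6d 6c 2b 78 6d lication/xaml+xm
00a0 6c 2c 20 69 6d 61 67 65 2f 67 69 66 2c 20 69 6d l, image/gif, im
00b0 61 67 65 2f 70 6a 70 65 67 2c 20 61 70 70 6c 69 age/pjpeg, appli
00c0 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 78 62 61 70 cation/x-ms-xbap
00d0 2c 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 76 6e , application/vn
00e0 64 2e 6d 73 2d 65 78 63 65 6c 2c 20 61 70 70 6c d.ms-excel, appl
00f0 69 63 61 74 69 6f 6e 2f 76 6e 64 2e 6d 73 2d 70 ication/vnd.ms-p
0100 6f 77 65 72 70 6f 69 6e 74 2c 20 61 70 70 6c 69 owerpoint, appli
0110 63 61 74 69 6f 6e 2f 6d 73 77 6f 72 64 2c 20 2a cation/msword, *
0120 2f 2a 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 /*..Accept-Langu
0130 61 67 65 3a 20 65 6e 2d 55 53 0d 0a 55 73 65 72 age: en-US..User
0140 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f -Agent: Mozilla/
0150 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 4.0 (compatible;
0160 20 4d 53 49 45 20 37 2e 30 3b 20 57 69 6e 64 6f  MSIE 7.0; Windo
0170 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 ws NT 6.1; WOW64
0180 3b 20 54 72 69 64 65 6e 74 2f 34 2e 30 3b 20 53 ; Trident/4.0; S
0190 4c 43 43 32 3b 20 2e 4e 45 54 20 43 4c 52 20 32 LCC2; .NET CLR 2
01a0 2e 30 2e 35 30 37 32 37 3b 20 2e 4e 45 54 20 43 .0.50727; .NET C
01b0 4c 52 20 33 2e 35 2e 33 30 37 32 39 3b 20 2e 4e LR 3.5.30729; .N
01c0 45 54 20 43 4c 52 20 33 2e 30 2e 33 30 37 32 39 ET CLR 3.0.30729
01d0 3b 20 4d 65 64 69 61 20 43 65 6e 74 65 72 20 50 ; Media Center P
01e0 43 20 36 2e 30 3b 20 49 6e 66 6f 50 61 74 68 2e C 6.0; InfoPath.
01f0 32 3b 20 2e 4e 45 54 34 2e 30 43 3b 20 41 73 6b 2; .NET4.0C; Ask
0200 54 62 50 54 56 2f 35 2e 31 34 2e 31 2e 32 30 30 TbPTV/5.14.1.200
0210 30 37 29 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 07)..Accept-Enco
0220 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c ding: gzip, defl
0230 61 74 65 0d 0a 48 6f 73 74 3a 20 75 6b 77 74 73 ate..Host: ukwts
0240 76 75 6c 78 33 38 30 2e 65 6c 61 62 73 2e 65 64 vulx380.elabs.ed
0250 73 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74 69 6f s.com..Connectio
0260 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 0d n: Keep-Alive...
0270 0a .
"""

HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")


def dump_to_bytes(dump: str) -> bytes:
    """Parse 'offset hex... ascii' lines. Up to 16 hex tokens are taken after
    the offset, stopping at the first non-hex token (the ASCII column); the
    ASCII column of a short last line could only be misread if it happened
    to look like hex pairs. Offsets must be contiguous."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not re.fullmatch(r"[0-9a-fA-F]{4}", tokens[0]):
            continue  # summary lines and blanks
        if int(tokens[0], 16) != len(out):
            raise ValueError(f"offset {tokens[0]} does not follow {len(out):#06x}")
        for tok in tokens[1:17]:
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet II, IPv4 and TCP headers. Assumes no VLAN tag; IP and
    TCP options are skipped via the IHL and data-offset fields."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4 over Ethernet II")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = int.from_bytes(ip[2:4], "big")
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]  # drop any trailing frame padding
    data_off = (tcp[12] >> 4) * 4
    return tcp[data_off:]


def parse_request(payload: bytes) -> Dict[str, str]:
    """Request line plus headers, header names lower-cased."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    req = {"method": method, "target": target, "version": version}
    for line in header_lines:
        name, _, value = line.partition(":")
        req[name.strip().lower()] = value.strip()
    return req


def decode(dump: str) -> Dict[str, str]:
    return parse_request(tcp_payload(dump_to_bytes(dump)))


if __name__ == "__main__":
    for key, val in decode(PACKET4).items():
        print(f"{key}: {val}")
```

For this capture the decoded Host is ukwtsvulx380.elabs.eds.com and the target is /SitePages/Square.aspx; those two values are what to compare against the accel defaultsite name and the IIS site binding when an origin answers 404 for a URL the browser shows as correct.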
Re: [squid-users] Any idea to configure squid as a reverse-proxy to work with IIS/SharePoint plus NTLM
Hi Henrik,

Thanks for your reply first. I tried it on two versions. Here are the details including squid.conf and log information.

1. squid 2.6.23

/usr/local/squid2.6.23/sbin/squid -v
Squid Cache: Version 2.6.STABLE23
configure options: '--prefix=/usr/local/squid2.6.23' '--enable-storeio=ufs,aufs,diskd' '--enable-arp-acl' '--enable-linux-netfilter'

a. squid.conf:

http_access allow all
icp_access allow all
http_port 192.85.142.88:80 accel defaultsite=usplsvulx104.elabs.eds.com
cache_dir aufs /home/squid/cache 1200 64 256
cache_peer wtestsm1.asiapacific.hpqcorp.net parent 80 0 no-query originserver name=main
cache_peer_access main allow all
dns_nameservers 192.85.245.66 130.175.204.140
hierarchy_stoplist cgi-bin ?
access_log /usr/local/squid2.6.23/var/logs/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
check_hostnames off
coredump_dir /usr/local/squid2.6.23/var/cache

b. access.log

1327979646.010      0 16.212.0.105 TCP_NEGATIVE_HIT/404 598 GET http://usplsvulx104.elabs.eds.com/ - NONE/- text/html
1327979675.084      0 16.178.121.18 TCP_NEGATIVE_HIT/404 598 GET http://usplsvulx104.elabs.eds.com/ - NONE/- text/html
1327979985.763    390 16.178.121.18 TCP_MISS/404 600 GET http://usplsvulx104.elabs.eds.com/ - FIRST_UP_PARENT/main text/html

2. squid 3.1.18

./squid -v
Squid Cache: Version 3.1.18-20120110-r10420
configure options: '--prefix=/usr/local/squid3.1.18' '--disable-inline' '--disable-optimizations' '--enable-storeio=ufs,aufs,diskd' '--enable-arp-acl' '--with-dfault-user=squid' '--disable-ipv6' --with-squid=/home/kimi/squid-3.1.18-20120110-r10420 --enable-ltdl-convenience

a. squid.conf

http_access allow all
http_port 192.85.142.88:80 accel defaultsite=usplsvulx104.elabs.eds.com connection-auth=on
cache_peer wtestsm1.asiapacific.hpqcorp.net parent 80 0 no-query originserver name=main
cache_peer_domain main .elabs.eds.com
cache_peer_access main allow all
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_dir aufs /home/squid/cache 1200 64 256
cache_mem 1024 MB
maximum_object_size_in_memory 1024 KB
maximum_object_size 51200 KB
debug_options ALL,5
cache_effective_user squid

b. access.log

1327980594.156     72 16.212.0.105 TCP_MISS/503 4098 GET http://usplsvulx104.elabs.eds.com/ - FIRST_UP_PARENT/main text/html

Apart from the relevant configuration, I am not sure whether I am missing any other factors.

Thanks,
Kimi

On 31/01/2012, Henrik Nordström wrote:
> Mon 2012-01-30 at 11:48 +0800, kimi ge(巍俊葛) wrote:
>
>> Could anyone give any suggestion to configure squid as a reverse-proxy
>> to work with IIS/SharePoint plus NTLM?
>
> The normal recommended setup should just work.
>
> http_port 80 accel vhost
> cache_peer ip.of.iss.server 80 0 no-query originserver
>
> If it fails then please provide a little more data
>
> * Version of Squid used
> * What does access.log say?
>
> Regards
> Henrik
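The access.log lines in this message already say where each error came from: the result code tells whether the reply was replayed from Squid's negative cache (TCP_NEGATIVE_HIT) or fetched (TCP_MISS), and the hierarchy field tells whether a peer was used (FIRST_UP_PARENT/main) or nothing was contacted (NONE/-). The following is an added example of mine, not Squid code, that parses the native log format and classifies each line that way; SAMPLE_LOG holds the four lines from this message with the columns re-spaced.

```python
"""Classify Squid native-format access.log lines by reply origin (added example)."""
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# The four lines posted in the thread (2.6.23 first, then 3.1.18).
SAMPLE_LOG = """\
1327979646.010      0 16.212.0.105 TCP_NEGATIVE_HIT/404 598 GET http://usplsvulx104.elabs.eds.com/ - NONE/- text/html
1327979675.084      0 16.178.121.18 TCP_NEGATIVE_HIT/404 598 GET http://usplsvulx104.elabs.eds.com/ - NONE/- text/html
1327979985.763    390 16.178.121.18 TCP_MISS/404 600 GET http://usplsvulx104.elabs.eds.com/ - FIRST_UP_PARENT/main text/html
1327980594.156     72 16.212.0.105 TCP_MISS/503 4098 GET http://usplsvulx104.elabs.eds.com/ - FIRST_UP_PARENT/main text/html
"""


@dataclass
class Entry:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str   # Squid result code, e.g. TCP_MISS
    status: int   # HTTP status sent to the client
    size: int
    method: str
    url: str
    hier: str     # hierarchy code, e.g. FIRST_UP_PARENT or NONE
    peer: str     # cache_peer name, or '-' when no peer was used
    mime: str


def parse_line(line: str) -> Entry:
    """Native format: time elapsed client result/status size method URL rfc931 hierarchy/peer mime."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    result, status = f[3].split("/", 1)
    hier, peer = f[8].split("/", 1)
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                 int(f[4]), f[5], f[6], hier, peer, f[9])


def parse_log(text: str) -> Iterator[Entry]:
    for line in text.splitlines():
        if line.strip():
            yield parse_line(line)


def diagnose(e: Entry) -> Tuple[str, str]:
    """Return (category, explanation) describing where the reply came from."""
    if e.result == "TCP_NEGATIVE_HIT":
        return ("negative-hit",
                "error replayed from Squid's negative cache; the origin was not "
                "contacted for this request, so later tests are only meaningful "
                "after the cached error expires or the cache is cleared")
    if e.hier == "NONE" and e.peer == "-":
        return ("squid-local",
                "reply generated by Squid itself; no peer or direct connection attempted")
    if e.status == 503:
        return ("peer-down",
                f"peer '{e.peer}' was selected but the connection failed; "
                "check routing and firewall rules from the proxy host")
    if e.status == 401:
        return ("peer-auth",
                f"peer '{e.peer}' sent an authentication challenge; "
                "this is the expected first step of NTLM passthru")
    if 400 <= e.status < 500:
        return ("peer-client-error",
                f"peer '{e.peer}' answered {e.status}; the origin rejected the request "
                "as forwarded, so compare the Host header and URL path Squid sends "
                "with what IIS expects")
    return ("ok", f"served via {e.hier}/{e.peer} with status {e.status}")


def categories(text: str) -> List[str]:
    return [diagnose(e)[0] for e in parse_log(text)]


def report(text: str) -> str:
    return "\n".join(f"{e.client:15} {e.result}/{e.status} {diagnose(e)[1]}"
                     for e in parse_log(text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run over the four lines, the two 2.6 TCP_NEGATIVE_HIT entries are replays that say nothing about the origin, the 2.6 TCP_MISS/404 via FIRST_UP_PARENT/main is a genuine answer from IIS, and the 3.1 TCP_MISS/503 is Squid failing to reach the peer; the two proxies are therefore showing two different problems.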
[squid-users] Any idea to configure squid as a reverse-proxy to work with IIS/SharePoint plus NTLM
Hi,

Could anyone give any suggestion to configure squid as a reverse-proxy to work with IIS/SharePoint plus NTLM?

If it doesn't work, is there any other suggestion to set up a similar environment? I mean to improve the web access performance with a reverse-proxy (cache server).

Thanks,
Kimi
Re: [squid-users] squid 3.1.x with IIS SharePoint as back-end.
Thanks Amos,

Currently, we use a VM (VMware) to host a RHEL with squid running.

I changed the back-end site to only an IIS test web site which is hosted on the same IIS system, and it's just a png image file. And it seems to be working.

On the RHEL side, there are no limitations on outgoing traffic in the iptables rules.

Regards,
~Kimi

On 12/01/2012, Amos Jeffries wrote:
> On 12.01.2012 02:28, kimi ge wrote:
>> Hi Amos,
>>
>> Really appreciate your help.
>>
>> I made the changes with your suggestion.
>>
>> Some debug logs are here:
>>
>> 2012/01/11 13:21:58.167| The request GET http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'origin_servers'
>>
>> 2012/01/11 13:21:58.168| client_side_request.cc(547) clientAccessCheck2: No adapted_http_access configuration.
>>
>> 2012/01/11 13:21:58.168| The request GET http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'origin_servers'
>>
>> 2012/01/11 13:21:58.170| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
>>
>> 2012/01/11 13:21:58.171| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 failed
>>
>
> There you go. Squid unable to even connect to the IIS server using TCP.
>
> Bit strange that it should use 404 instead of 500 status. But that TCP
> connection failure is the problem.
>
>
>> My squid environment information:
>> RHEL6.0 64bit.
>> squid v 3.1.4
>
> A very outdated Squid release version, even for RHEL (which are on
> 3.1.8 or so now).
>
> * start with checking your firewall and packet routing configurations
> to ensure that Squid outgoing traffic is actually allowed and able to
> connect to IIS.
>
> * if that does not resolve the problem, please try a newer 3.1
> release. You will likely have to self-build or use non-RHEL RPM, there
> seem to be no recent packages for RHEL.
>
>
> Amos
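Amos's diagnosis above rests on the cache.log line "TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 failed", and his first suggestion is to check from the proxy host that outgoing connections to IIS are actually possible. The following is an added example of mine, not Squid code: a small reachability probe to run on the proxy host that classifies the failure mode, since a firewall DROP rule shows as a timeout, a REJECT rule or a port with nothing listening as a refusal, and a name-resolution problem as a DNS failure. The selftest uses a local listener so it can run offline; the host and port on the command line are placeholders for the real origin.

```python
"""Classify TCP reachability of an origin from the proxy host (added example)."""
import socket
import sys
from typing import Tuple


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return one of 'connected', 'refused', 'timeout', 'unreachable' or
    'dns-failure'. IPv4 only, matching the thread's --disable-ipv6 build."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    last = "unreachable"
    for family, socktype, proto, _, addr in infos:
        s = socket.socket(family, socktype, proto)
        s.settimeout(timeout)
        try:
            s.connect(addr)
            return "connected"          # handshake completed; the path is open
        except socket.timeout:
            last = "timeout"            # typical of a silent DROP somewhere on the path
        except ConnectionRefusedError:
            last = "refused"            # RST came back: REJECT rule or no listener
        except OSError:
            last = "unreachable"        # e.g. no route to host
        finally:
            s.close()
    return last


def selftest() -> Tuple[str, str]:
    """Exercise probe() against a local listener, then the same port once closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_up = probe("127.0.0.1", port)
    listener.close()
    after_close = probe("127.0.0.1", port)
    return while_up, after_close


if __name__ == "__main__":
    # Placeholders: pass the origin's hostname and port as used in cache_peer.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(host, port, probe(host, port))
```

A "timeout" from the proxy host while the same probe from a desktop says "connected" points at filtering between the proxy and the origin rather than at Squid; a "refused" means the packets arrive and the origin answers, so the problem is the port or the service, not the path.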
Re: [squid-users] squid 3.1.x with IIS SharePoint as back-end.
matched 'origin_servers'
2012/01/11 13:22:09.383| ipcacheMarkBadAddr: wtestsm1.asiapacific.hpqcorp.net 16.173.232.237:80
2012/01/11 13:22:09.384| Failed to select source for 'http://ids-ams.elabs.eds.com/'
2012/01/11 13:22:09.384|   always_direct = 0
2012/01/11 13:22:09.384|    never_direct = 0
2012/01/11 13:22:09.384|        timedout = 0
2012/01/11 13:22:09.386| The reply for GET http://ids-ams.elabs.eds.com/ is ALLOWED, because it matched 'all'
2012/01/11 13:22:09.386| TCP connection to wtestsm1.asiapacific.hpqcorp.net/80 dead
2012/01/11 13:22:09.387| ConnStateData::swanSong: FD 9

My squid environment information:
RHEL6.0 64bit.
squid v 3.1.4

Thanks,
~Kimi

On 11/01/2012, Amos Jeffries wrote:
> On 11/01/2012 8:46 p.m., kimi ge(巍俊葛) wrote:
>> Thanks Amos.
>>
>> I did the lynx test on the back-end web site on the squid system like this:
>> sudo lynx http://wtestsm1.asiapacific.hpqcorp.net
>>
>> First, it shows the message:
>> Alert!: Invalid header 'WWW-Authenticate: NTLM'
>>
>> Then it shows the following message.
>> Show the 401 message body? (y/n)
>
> Aha. NTLM authentication. Very probably that login=PASS then.
>
>>
>> For the domain auth, I mean the back-end web site needs a corp domain
>> user to be accessed.
>> I put it this way: if I log on with my corp domain on my laptop,
>> then I can access IIS SharePoint without any credentials window popping
>> up. If not, I have to input my domain account in the credentials window to
>> access the SharePoint site.
>>
>>
>> The following is my squid configuration for this case, omitting
>> some default sections.
>> #added by kimi
>> acl hpnet src 16.0.0.0/8 # RFC1918 possible internal network
>> #added by kimi
>> acl origin_servers dstdomain ids-ams.elabs.eds.com
>> http_access allow origin_servers
>> http_access allow hpnet
>>
>> http_port 192.85.142.88:80 accel defaultsite=ids-ams.elabs.eds.com
>> connection-auth=on
>>
>> forwarded_for on
>>
>> request_header_access WWW-Authenticate allow all
>
> This is not needed. The Squid default is to relay www-auth headers
> through. www-authenticate is a reply header anyway, to inform the client
> agent what types of auth it can use.
>
>>
>> cache_peer wtestsm1.asiapacific.hpqcorp.net parent 80 0 no-query
>> no-digest originserver name=main connection-auth=on login=PASS
>
> "connection-auth=on" should be enough. Try without login=PASS.
>
>>
>> cache_peer_domain main .elabs.eds.com
>>
>> hierarchy_stoplist cgi-bin ?
>>
>> coredump_dir /var/spool/squid
>>
>> # Add any of your own refresh_pattern entries above these.
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>>
>> cache_dir aufs /data/squid/cache 12000 64 256
>> cache_mem 1024 MB
>> maximum_object_size_in_memory 1024 KB
>> maximum_object_size 51200 KB
>>
>> visible_hostname ids-ams.elabs.eds.com
>> debug_options ALL,5
>> http_access deny all
>>
>> While squid is running, I test like this:
>> http://ids-ams.elabs.eds.com
>>
>> The 404 error page is shown.
>
> Okay. Which error page? Squid sends three different ones with that
> status code. Invalid request or Invalid URL or something else?
>
>> That's why I am wondering whether squid could be a reverse-proxy with IIS
>> SharePoint as back-end?
>
> It can be. There is normally no trouble. But the newer features MS have
> been adding for IPv6 and cloud support recently are not widely tested yet.
>
> Amos
Re: [squid-users] squid 3.1.x with IIS SharePoint as back-end.
Thanks Amos.

I did the lynx test on the back-end web site on the squid system like this:
sudo lynx http://wtestsm1.asiapacific.hpqcorp.net

First, it shows the message:
Alert!: Invalid header 'WWW-Authenticate: NTLM'

Then it shows the following message.
Show the 401 message body? (y/n)

For the domain auth, I mean the back-end web site needs a corp domain user to be accessed.
I put it this way: if I log on with my corp domain on my laptop, then I can access IIS SharePoint without any credentials window popping up. If not, I have to input my domain account in the credentials window to access the SharePoint site.

The following is my squid configuration for this case, omitting some default sections.

#added by kimi
acl hpnet src 16.0.0.0/8 # RFC1918 possible internal network
#added by kimi
acl origin_servers dstdomain ids-ams.elabs.eds.com
http_access allow origin_servers
http_access allow hpnet

http_port 192.85.142.88:80 accel defaultsite=ids-ams.elabs.eds.com connection-auth=on

forwarded_for on

request_header_access WWW-Authenticate allow all

cache_peer wtestsm1.asiapacific.hpqcorp.net parent 80 0 no-query no-digest originserver name=main connection-auth=on login=PASS

cache_peer_domain main .elabs.eds.com

hierarchy_stoplist cgi-bin ?

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

cache_dir aufs /data/squid/cache 12000 64 256
cache_mem 1024 MB
maximum_object_size_in_memory 1024 KB
maximum_object_size 51200 KB

visible_hostname ids-ams.elabs.eds.com
debug_options ALL,5
http_access deny all

While squid is running, I test like this:
http://ids-ams.elabs.eds.com

The 404 error page is shown.

That's why I am wondering whether squid could be a reverse-proxy with IIS SharePoint as back-end?

Thanks,
~Kimi

On 11/01/2012, Amos Jeffries wrote:
> On 11/01/2012 6:28 p.m., kimi ge(巍俊葛) wrote:
>> Hi,
>>
>> I have an issue making squid 3.1.x work with IIS SharePoint as the
>> back-end.
>> The details are listed below.
>>
>> 1. squid 3.1.x is running as a reverse-proxy.
>> 2. The back-end is an IIS SharePoint site with domain authentication
>> required.
>> That means only a valid domain user could access this SharePoint site.
>> The issue is it always returns the 404 error page. And the logon window is
>> not prompted.
>
> What is this "domain authentication" you mention? All of the HTTP auth
> mechanisms count as "domain auth" to a reverse proxy, and none of them
> are named "Domain".
>
>>
>> My question is whether squid supports this kind of case or not?
>> If it does, how should I configure the squid.conf file?
>>
>> Thanks in advance.
>> ~Kimi
>
> 404 status is about the resource being requested _not existing_. Login
> only operates when there is something to be authorized fetching. So I
> think auth is not relevant at this point in your testing.
>
> Probably the URL being passed to IIS is not what you are expecting to be
> passed and IIS is not setup to handle it. You will need to share your
> squid.conf details for more help.
>
> Amos
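The lynx alert quoted in this message ("Invalid header 'WWW-Authenticate: NTLM'") is lynx refusing an authentication scheme it does not implement, and Amos reads it as the origin using NTLM. What matters for the proxy is whether the scheme in the challenge is connection-oriented: NTLM and Negotiate complete their handshake over several requests on one TCP connection, which is why the thread's squid.conf carries connection-auth=on on both http_port and the cache_peer, while Basic or Digest carry credentials on every request and need no pinning. The following is an added example of mine, not Squid or lynx code, that reads the challenges out of a 401 response and reports which case applies; the two responses in it are constructed, the first modelled on the header lynx showed.

```python
"""Tell connection-oriented (NTLM/Negotiate) challenges from per-request ones (added example)."""
from typing import Dict, List, Tuple

# Schemes whose handshake spans several requests on one TCP connection.
CONNECTION_ORIENTED = {"ntlm", "negotiate"}

# Constructed responses: IIS sends each scheme in its own WWW-Authenticate header.
SAMPLE_NTLM_401 = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_BASIC_401 = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"WWW-Authenticate: Basic realm=\"intranet\"\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_head(raw: bytes) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (status code, [(lower-cased name, value), ...]) from an HTTP/1.x response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def challenge_schemes(headers: List[Tuple[str, str]]) -> List[str]:
    """Scheme names offered, one per WWW-Authenticate header (the scheme is the
    first token of the value; parameters such as realm= follow it)."""
    return [value.split()[0] for name, value in headers
            if name == "www-authenticate" and value]


def assess(raw: bytes) -> Dict[str, object]:
    """Summarise what the origin's challenge requires of a proxy in the path."""
    status, headers = parse_head(raw)
    schemes = challenge_schemes(headers) if status == 401 else []
    pinned = [s for s in schemes if s.lower() in CONNECTION_ORIENTED]
    if pinned:
        advice = ("origin uses connection-oriented auth (" + ", ".join(pinned) +
                  "); the reverse proxy must pin each client connection to one "
                  "origin connection for the whole exchange, which in the thread's "
                  "squid.conf is connection-auth=on on http_port and on the cache_peer")
    elif schemes:
        advice = ("origin uses per-request auth (" + ", ".join(schemes) +
                  "); relaying the challenge and credentials is enough")
    else:
        advice = "no authentication challenge in this response"
    return {"status": status, "schemes": schemes,
            "connection_oriented": bool(pinned), "advice": advice}


if __name__ == "__main__":
    for sample in (SAMPLE_NTLM_401, SAMPLE_BASIC_401):
        print(assess(sample)["advice"])
```

The same check run against a real 401 captured on the proxy host tells whether the origin is offering NTLM, Negotiate, or both; a browser that is already logged on to the domain answers those silently, which is why no credentials window appears for domain-joined clients in the setup described.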
[squid-users] squid 3.1.x with IIS SharePoint as back-end.
Hi,

I have an issue making squid 3.1.x work with IIS SharePoint as the back-end. The details are listed below.

1. squid 3.1.x is running as a reverse-proxy.
2. The back-end is an IIS SharePoint site with domain authentication required. That means only a valid domain user could access this SharePoint site.

The issue is it always returns the 404 error page. And the logon window is not prompted.

My question is whether squid supports this kind of case or not? If it does, how should I configure the squid.conf file?

Thanks in advance.
~Kimi