[squid-users] FW: Allowing streaming media through NTLM Authentication

2007-07-04 Thread Mathew Archibald
Hi

Apologies if this has been discussed before but I couldn't find a
solution for my exact problem in the archives.

I run Squid 2.6STABLE13 and have configured it to use NTLM
authentication for all client requests. This is working properly for
standard traffic but I am hitting a problem with streaming media.

I'm aware that most streaming media can't handle NTLM authentication
automatically and therefore when a user tries to access streaming media
a login box pops up. I don't want the users being asked to authenticate
so I'm trying to come up with a solution to instruct the proxy server to
not authenticate the streaming media. 

I've tried matching on the streaming media mime types but ran into the
problem in that the mime type is in the response and not the request and
it is the request that is authenticated.

Has anyone dealt with this issue before and how did you go about
allowing streaming media through an authenticated proxy?

Regards,

Mathew Archibald


RE: [squid-users] FW: Allowing streaming media through NTLM Authentication

2007-08-07 Thread Mathew Archibald
Hi Guys

I was able to work around this problem by matching on the streaming
media's User Agent string. My squid.conf looks like this:

acl AuthorizedUsers proxy_auth REQUIRED
acl streaming_media browser -i "/usr/local/squid-2.6STABLE13/etc/user_agent.conf"
http_access allow streaming_media 
http_access allow AuthorizedUsers 

And the user_agent.conf file looks like this:

nsplayer
windows-media-player
quicktime

Mat

-----Original Message-----
From: Gavin White [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 7 August 2007 8:58 PM
To: Plant, Dean
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] FW: Allowing streaming media through NTLM
Authentication

Hi Dean,

how did you disable ntlm authentication? I want to allow certain
clients to bypass ntlm auth based on their IP address.

Thanks,

Gavin

On 8/7/07, Plant, Dean <[EMAIL PROTECTED]> wrote:
> Mauricio Silveira wrote:
> > Hi!
> >
> > I'm somehow "Happy" I'm not alone with this problem...
> >
> > I'm having this problem since squid 2.6STABLE9... (ALWAYS)
> >
> > I've tried everything possible without success...
> >
> > Let's try to get some progress on this matter, I'll dedicate some time
> > to this soon (still this week or the next at most)
> >
> > If you have any progress, please post it here.
> >
> > Let's be sure of the problem... try accessing these radios:
> >
> > http://www.radios.com.br/emissoras/transa_prpop.htm
> > http://www.radios.com.br/emissoras/transa_sppop.htm
> >
> >
> > The former uses http as protocol, so it will ask for user/password,
> > the latter uses mms as protocol, so it won't ask for user/password.
>
> I get the same results using squid-2.6.STABLE13-1.RHEL4.
>
> I have had to disable NTLM authentication (easy fix) for some sites with
> streaming media but to be honest I have not had the time to fully
> investigate the cause.
>
> Dean
>
> >
> > As far as my small brain knows... that's mms that should be giving
> > headaches, not the http one!
> >
> > Please post back if you get the same results, I have to show my boss
> > I'm right, I'm not alone and i DO KNOW how to configure squid. :D
> >
> > I'll post here if I get it working, let's flame this discussion I
> > see everyone trying to get rid of streamings, but not trying to get it
> > working without these "imperfections".
> >
> > Thanks,
> >
> > Mauricio
> >



RE: [squid-users] FW: Allowing streaming media through NTLM Authentication

2007-08-07 Thread Mathew Archibald
Whoops my copy and paste didn't go through so well. Below is formatted
properly

acl AuthorizedUsers proxy_auth REQUIRED 
acl streaming_media browser -i "/usr/local/squid-2.6STABLE13/etc/user_agent.conf"
http_access allow streaming_media
http_access allow AuthorizedUsers

I used to use wbinfo_group until I figured out how to match on groups
using the auth_param:

auth_param ntlm program /usr/local/samba-3.0.25a/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="CYGNET\\staff"
auth_param ntlm children 10
auth_param ntlm keep_alive on

If you use a http debugger on your traffic you can see the User Agent
string of the streaming media http request and then allow this traffic
through unauthenticated

Mat


-----Original Message-----
From: Mauricio Silveira [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 8 August 2007 11:44 AM
To: Mathew Archibald
Subject: Re: [squid-users] FW: Allowing streaming media through NTLM
Authentication

Hi Mathew,

You're matching against authenticated users, I'm using it against
wbinfo_group.

Anyway this should work, such as "http_access allow streaming_media
Streaming_allow" (Streaming_allow is an external acl for matching
against a group into the AD server). I didn't notice that browser regex
was case-insensitive(is it?).
Maybe the definitive solution would be using some "trickery" with
req_mime_type, req_header, rep_mime_type options.

I'm Just getting tired of this matter.

Mauricio
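
Added example (not part of any message in this thread): because the streaming_media rule is matched before proxy_auth and the User-Agent header is supplied by the client, it is worth auditing which requests actually pass without a user name. The sketch below applies the three user_agent.conf patterns the way a "browser -i" ACL does (case-insensitive regex search) to access.log lines; it assumes the log is written in Squid's "combined" logformat, and the log lines, hosts and the CYGNET\alice account are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Patterns from the user_agent.conf shown in the thread; a "browser -i" ACL
# applies each one as a case-insensitive regex search on the User-Agent header.
BYPASS_PATTERNS = ["nsplayer", "windows-media-player", "quicktime"]
BYPASS_RE = [re.compile(p, re.IGNORECASE) for p in BYPASS_PATTERNS]

# Assumption: access_log uses Squid's "combined" logformat.
COMBINED = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)" \S+'
)

# Constructed sample lines, not taken from any real proxy.
SAMPLE_LOG = """\
10.0.0.21 - CYGNET\\alice [08/Aug/2007:10:01:02 +0800] "GET http://www.example.org/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" TCP_MISS:DIRECT
10.0.0.21 - - [08/Aug/2007:10:01:09 +0800] "GET http://media.example.net/live.asx HTTP/1.1" 200 812 "-" "NSPlayer/10.0.0.3802" TCP_MISS:DIRECT
10.0.0.35 - - [08/Aug/2007:10:02:11 +0800] "GET http://media.example.net/clip.mov HTTP/1.1" 200 90211 "-" "QuickTime/7.2 (qtver=7.2;os=Windows NT 5.1)" TCP_MISS:DIRECT
10.0.0.77 - - [08/Aug/2007:10:03:40 +0800] "GET http://files.example.com/setup.exe HTTP/1.1" 200 4410233 "-" "fetchtool/1.0 quicktime" TCP_MISS:DIRECT
10.0.0.77 - - [08/Aug/2007:10:03:41 +0800] "GET http://www.example.org/ HTTP/1.1" 407 1750 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" TCP_DENIED:NONE
"""

def matches_bypass(agent):
    """True if the User-Agent would match the streaming_media ACL."""
    return any(rx.search(agent) for rx in BYPASS_RE)

def unauthenticated_bypasses(log_text):
    """Count requests served with no user name because of the User-Agent rule."""
    hits = Counter()
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        # Skip unparsable lines, authenticated requests and 407 auth challenges.
        if not m or m["user"] != "-" or m["status"] == "407":
            continue
        if matches_bypass(m["agent"]):
            hits[(m["client"], urlsplit(m["url"]).hostname, m["agent"])] += 1
    return hits

if __name__ == "__main__":
    for (client, host, agent), n in sorted(unauthenticated_bypasses(SAMPLE_LOG).items()):
        print(f"{n:4d}  {client:15}  {host:22}  {agent}")
```

Destinations in the output that are not known streaming servers are the ones to review; pairing the browser ACL with a dstdomain or src ACL on the same http_access line narrows what the unauthenticated rule can reach.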




RE: [squid-users] FW: Allowing streaming media through NTLM Authentication

2007-08-08 Thread Mathew Archibald
Yes wbinfo_group is better for per ACL group matchings but it isn't required in 
my environment.

I haven't found a good free http debugger although there are a few that have 14 
day trials. A quick google should give you a few options.

I currently just use the three I listed previously as that seems to cover 
Windows Media and quicktime. I haven't had any other reports from users about 
other streaming protocols

Regards,

Mathew Archibald
Network/Systems Officer
Reid Library
University of Western Australia

Telephone:    (08) 6488 1161
Fax: (08) 6488 1012
Email:   [EMAIL PROTECTED]

-----Original Message-----
From: Mauricio Silveira [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 9 August 2007 12:26 PM
To: Mathew Archibald
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] FW: Allowing streaming media through NTLM 
Authentication

Interesting the "--require-membership-of", haven't noticed it at all.

This parameter is interesting to check for the global presence of a user into 
the domain, but not for matching particular rules for specific ACLs, such as 
"http_access allow streaming_media STREAM_AD_GROUP" 
together with the external_acl and so on...

About the http debugger...  I was using "log_mime_hdrs on" to check the user 
agents... but it seems like the ones I find there are not the correct ones!? 
Should I really use an http debugger? Which one do you use, Mathew?

Mathew, have you got the complete list of browsers you use for streaming_media?


Mauricio

