[squid-users] Re: Squid 3.2 CONNECT not working with NTLM - logs

2011-11-25 Thread gutter
Hi Alex!

I'm stuck on the same situation.
You've solved it?

Thanks in advance!
Alex 

--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/3-2-0-8-SSLBump-Dynamic-SSL-NTLM-browser-prompts-for-username-password-for-every-https-connection-tp3577638p4107446.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] Re: Squid 3.2 CONNECT not working with NTLM - logs

2011-11-25 Thread Amos Jeffries

On 26/11/2011 3:21 a.m., gutter wrote:
> Hi Alex!
>
> I'm stuck on the same situation.
> You've solved it?

Part of the thread is missing but it sounds like this:
http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11284.patch

also manifests in 3.2.0.8 as hung filedescriptors after HTTPS requests.

Amos


[squid-users] Re: Squid 3.2 CONNECT not working with NTLM - logs

2011-11-25 Thread gutter
Hi Amos!

Thanks for your answer!
What's happening to me is exactly this:

http://www.squid-cache.org/mail-archive/squid-users/201106/0088.html

On squid 3.2.0.13...

Thanks in advance!
Alex



[squid-users] Re: Squid 3.2 CONNECT not working with NTLM - logs

2011-11-25 Thread gutter
Or more accurate, what is happening is this:

http://www.squid-cache.org/mail-archive/squid-users/201106/0095.html

That's not solved on 3.2.0.13?

Thanks for all!
Alex



[squid-users] Re: Squid 3.2 CONNECT not working with NTLM - logs

2011-06-10 Thread Alex Crow

Hi,

I noticed a few people have downloaded my logs - has anyone found 
anything useful? It does appear to be a bug to me, but if it is a change 
in behaviour I'd be happy for any hints to fix my config.


All the best

Alex




Further to my original post, I've found that NTLM auth does not work 
with CONNECT requests from clients in 3.2. I use a similar config to 
that I'm using in production in 2.7.


I have disabled ssl-bump and dynamic SSL until I can resolve this.

I do *not* have to add http_access allow CONNECT before http_access 
deny CONNECT !SSL_ports  in my production config, which seems correct 
as otherwise unauthorised users could use CONNECT.


Here is the config I am testing, which works fine for plain HTTP traffic:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 30
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type nt_group ttl=20 children=40 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8       # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
acl localnet src fc00::/7         # RFC 4193 local private network range
acl localnet src fe80::/10        # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80            # http
acl Safe_ports port 21            # ftp
acl Safe_ports port 443           # https
acl Safe_ports port 70            # gopher
acl Safe_ports port 210           # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280           # http-mgmt
acl Safe_ports port 488           # gss-http
acl Safe_ports port 591           # filemaker
acl Safe_ports port 777           # multiling http
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
always_direct allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow AuthorizedUsers
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow all AuthorizedUsers
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_mem 2048 MB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir diskd /var/spool/squid3 36 64 512
debug_options ALL,3
coredump_dir /var/cache
refresh_pattern ^ftp:             1440    20%     10080
refresh_pattern ^gopher:          1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
refresh_pattern .                 0       20%     4320
dns_defnames on

However, CONNECT requests do not work: the client sits forever waiting 
for data while squid does not match against AuthorizedUsers and 
attempts to return an error page:

Logs are available here:

http://www.nanogherkin.com/nonssl_cache.log.gz
http://www.nanogherkin.com/ssl_cache.log.gz

Any help much appreciated.

Regards

Alex
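The http_access ordering in the config above is worth looking at on its own, independent of the 3.2 bug Amos points to: `http_access allow AuthorizedUsers` sits before `http_access deny CONNECT !SSL_ports` and before `http_access allow localhost`, so an authenticated client can CONNECT to any Safe_port (21, 1025-65535, ...) and a local unauthenticated client is challenged rather than allowed. The script below is an added example, not Squid's code and not the poster's configuration verbatim. It models Squid's first-match http_access semantics (ACLs on one line are ANDed, `!` negates, no match gives the opposite of the last line) for the ACL types the post uses, replays the posted ordering minus the `manager` lines (the cache_object ACL type is not modelled) next to the ordering the stock squid.conf template uses, and runs both over constructed requests. The treatment of a proxy_auth ACL evaluated without credentials as a 407 challenge rather than a plain non-match is an assumption about Squid's behaviour made for the model; it does not reproduce the hang described in the post.

```python
"""Model of Squid's first-match http_access evaluation (added example, not Squid code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    port: int
    src: str
    authenticated: bool  # True once the NTLM or Basic handshake has completed


# ACL definitions copied from the posted squid.conf; `manager` is omitted.
ACLS = {
    "all": ("all", []),
    "localhost": ("src", ["127.0.0.1/32", "::1/128"]),
    "SSL_ports": ("port", [(443, 443)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591),
                            (777, 777)]),
    "CONNECT": ("method", ["CONNECT"]),
    "AuthorizedUsers": ("proxy_auth", ["REQUIRED"]),
}


class AuthRequired(Exception):
    """Evaluation stopped: the model assumes Squid sends a 407 challenge here."""


def acl_matches(name: str, req: Request) -> bool:
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(lo <= req.port <= hi for lo, hi in values)
    if kind == "method":
        return req.method in values
    if kind == "proxy_auth":
        if not req.authenticated:
            raise AuthRequired(name)  # assumption: challenge, not non-match
        return True
    raise ValueError(f"unsupported ACL type {kind}")


def evaluate(rules, req: Request) -> str:
    """First matching http_access line wins; ACLs on a line are ANDed and a
    leading '!' negates. With no match, the opposite of the last action applies."""
    for action, names in rules:
        try:
            for name in names:
                negate = name.startswith("!")
                if acl_matches(name.lstrip("!"), req) == negate:
                    break  # this ACL failed, so the line does not match
            else:
                return action
        except AuthRequired:
            return "challenge"
    return "deny" if rules[-1][0] == "allow" else "allow"


# The ordering from the post (manager lines left out).
POSTED_ORDER = [
    ("deny", ["!Safe_ports"]),
    ("allow", ["AuthorizedUsers"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["all", "AuthorizedUsers"]),
    ("deny", ["all"]),
]

# The ordering used by the stock squid.conf template: port restrictions first.
DEFAULT_ORDER = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["AuthorizedUsers"]),
    ("deny", ["all"]),
]


def compare(req: Request) -> dict:
    """Verdict of both orderings for one request."""
    return {"posted": evaluate(POSTED_ORDER, req),
            "default": evaluate(DEFAULT_ORDER, req)}


if __name__ == "__main__":
    # Constructed requests from a client on 10.1.2.3 and from the proxy host itself.
    cases = {
        "authenticated CONNECT to 443": Request("CONNECT", 443, "10.1.2.3", True),
        "authenticated CONNECT to 8080": Request("CONNECT", 8080, "10.1.2.3", True),
        "unauthenticated CONNECT to 443": Request("CONNECT", 443, "10.1.2.3", False),
        "unauthenticated CONNECT to 25": Request("CONNECT", 25, "10.1.2.3", False),
        "unauthenticated GET from localhost": Request("GET", 80, "127.0.0.1", False),
    }
    for label, req in cases.items():
        print(f"{label:36} {compare(req)}")
```

The two cases that differ are the ones to check in a real deployment: an authenticated CONNECT to port 8080 is allowed by the posted order but denied by the stock order, and a request from localhost is challenged by the posted order before its allow line is ever reached. Moving `http_access deny CONNECT !SSL_ports` above the first allow line closes the first gap without affecting CONNECT to 443.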