Re: [squid-users] squid NTLM setup question
Andre Albsmeier wrote:
> On Mon, 21-Sep-2009 at 00:30:46 +1200, Amos Jeffries wrote:
>> Kerberos is the one Squid is getting. The old NTLM is deprecated by MS,
>> the NTLMv2 will go out with XP before Squid 3.2 is ready for use.
>
> So you think it will take 5 years until 3.2 will be ready? :-)

Shifted again has it? :) I was thinking XP is scheduled EOL for 2011
nowadays. Maybe wrong.

18 months is our ideal release timeframe. Starting last July when 3.1 was
frozen.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.13
Re: [squid-users] squid NTLM setup question
On Mon, 21-Sep-2009 at 22:58:40 +1200, Amos Jeffries wrote:
> Andre Albsmeier wrote:
>> On Mon, 21-Sep-2009 at 00:30:46 +1200, Amos Jeffries wrote:
>>> Kerberos is the one Squid is getting. The old NTLM is deprecated by MS,
>>> the NTLMv2 will go out with XP before Squid 3.2 is ready for use.
>>
>> So you think it will take 5 years until 3.2 will be ready? :-)
>
> Shifted again has it? :) I was thinking XP is scheduled EOL for 2011

No idea, to be honest. I have heard something of an extended support until
2014...

-Andre

> nowadays. Maybe wrong.
>
> 18 months is our ideal release timeframe. Starting last July when 3.1 was
> frozen.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
>   Current Beta Squid 3.1.0.13

--
I think there is a world market for maybe five computers.
  - Thomas Watson, chairman of IBM, 1943
Re: [squid-users] squid NTLM setup question
On Sun, 20-Sep-2009 at 00:29:12 +1200, Amos Jeffries wrote:
> Andre Albsmeier wrote:
>> I worked around this same problem with cntlm using:
>>
>>               no auth      no auth       NTLM auth
>>     clients --- squid --- cntlm --------- NTLM based proxy --- world
>>
>> cntlm runs on the same machine as squid does. However, I would be happy
>> if the cntlm functionality could be brought into squid one day...
>
> Your wish is granted ;)

Oh, that's good news, thanks!

> 3.2 will have Kerberos login to cache_peer servers. The code is already
> committed to the 3.HEAD alpha releases.

Now I am confused: you talk about Kerberos, I thought of NTLM (NTLMv2 to be
exact). In cntlm I simply enter my NTLMv2 hash and it authenticates happily
to its upstream. With Kerberos, I always think about tickets, krb-servers
and so on.

To be honest, I have never been into Windoze's NTLM stuff a lot (I am just
happy it works) nor used Kerberos until now.

Will there be some kind of How-To for using this new feature?

Thanks a lot for your great work on squid,

-Andre
--
Note: No Micro$oft programs were used in the creation or distribution of
this message. If you are using a Micro$oft program to view or forward this
message, be forewarned that I am not responsible for any harm you may
encounter as a result.
Re: [squid-users] squid NTLM setup question
Andre Albsmeier wrote:
> On Sun, 20-Sep-2009 at 00:29:12 +1200, Amos Jeffries wrote:
>> Your wish is granted ;)
>
> Oh, that's good news, thanks!
>
>> 3.2 will have Kerberos login to cache_peer servers. The code is already
>> committed to the 3.HEAD alpha releases.
>
> Now I am confused: you talk about Kerberos, I thought of NTLM (NTLMv2 to be
> exact). In cntlm I simply enter my NTLMv2 hash and it authenticates happily
> to its upstream. With Kerberos, I always think about tickets, krb-servers
> and so on.
>
> To be honest, I have never been into Windoze's NTLM stuff a lot (I am just
> happy it works) nor used Kerberos until now.

Sorry. Mea culpa. Been looking at the back-end for too long.

Kerberos is the one Squid is getting. The old NTLM is deprecated by MS, the
NTLMv2 will go out with XP before Squid 3.2 is ready for use.

> Will there be some kind of How-To for using this new feature?

Yes, it's in the configuration manual: the login=NEGOTIATE setting for
http://www.squid-cache.org/Doc/config/cache_peer

> Thanks a lot for your great work on squid,
>
> -Andre

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.13
Re: [squid-users] squid NTLM setup question
On Mon 2009-09-21 at 00:30 +1200, Amos Jeffries wrote:
>> Will there be some kind of How-To for using this new feature?
>
> Yes, it's in the configuration manual: the login=NEGOTIATE setting for
> http://www.squid-cache.org/Doc/config/cache_peer

There also needs to be a ticket in Kerberos somehow.. (not sure on the
details)

Regards
Henrik
Re: [squid-users] squid NTLM setup question
On Mon, 21-Sep-2009 at 00:30:46 +1200, Amos Jeffries wrote:
> Andre Albsmeier wrote:
>> Now I am confused: you talk about Kerberos, I thought of NTLM (NTLMv2 to be
>> exact). In cntlm I simply enter my NTLMv2 hash and it authenticates happily
>> to its upstream. With Kerberos, I always think about tickets, krb-servers
>> and so on.
>>
>> To be honest, I have never been into Windoze's NTLM stuff a lot (I am just
>> happy it works) nor used Kerberos until now.
>
> Sorry. Mea culpa. Been looking at the back-end for too long.

Nevermind. Maybe one day I will hack my own NTLMv2 implementation into
squid. Shouldn't be too hard...

> Kerberos is the one Squid is getting. The old NTLM is deprecated by MS, the
> NTLMv2 will go out with XP before Squid 3.2 is ready for use.

So you think it will take 5 years until 3.2 will be ready? :-)

Thanks,

-Andre
--
In a world without walls and fences, who needs windows and gates?
Re: [squid-users] squid NTLM setup question
On Thu, 10-Sep-2009 at 14:55:23 -0400, Navjeet wrote:
> We have been using squid in our development environment. Squid has been
> forwarding all the internet bound traffic to a proxy server that did not
> need any authentication until now. But that has changed now and now we
> have to use another proxy server that uses NTLM based authentication.
>
> Now our servers in this development environment only have local users
> (users logging in are not authenticated against Windows AD). Does the
> Squid NTLM authentication setup still work in this setup? Can the NTLM
> setup be configured to use a specified user (and password, hopefully
> encrypted) that can be specified in some configuration file? This is
> needed as many of our applications (Tomcat, ESB etc.) are headless (I
> mean not just a web browser) and they now need to go thru this new proxy
> server.

If you want something like this:

              no auth          NTLM auth
    clients --- squid --------- NTLM based proxy --- world

I think this is not possible with squid. I worked around this same problem
with cntlm using:

              no auth      no auth       NTLM auth
    clients --- squid --- cntlm --------- NTLM based proxy --- world

cntlm runs on the same machine as squid does. However, I would be happy if
the cntlm functionality could be brought into squid one day...

-Andre
--
Failure is not an option -- it comes bundled with Windows.
Re: [squid-users] squid NTLM setup question
Andre Albsmeier wrote:
> If you want something like this:
>
>               no auth          NTLM auth
>     clients --- squid --------- NTLM based proxy --- world
>
> I think this is not possible with squid. I worked around this same problem
> with cntlm using:
>
>               no auth      no auth       NTLM auth
>     clients --- squid --- cntlm --------- NTLM based proxy --- world
>
> cntlm runs on the same machine as squid does. However, I would be happy if
> the cntlm functionality could be brought into squid one day...

Your wish is granted ;)

3.2 will have Kerberos login to cache_peer servers. The code is already
committed to the 3.HEAD alpha releases.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.13
Re: [squid-users] squid NTLM setup question
Navjeet wrote:
> We have been using squid in our development environment. Squid has been
> forwarding all the internet bound traffic to a proxy server that did not
> need any authentication until now. But that has changed now and now we
> have to use another proxy server that uses NTLM based authentication.
>
> Now our servers in this development environment only have local users
> (users logging in are not authenticated against Windows AD). Does the
> Squid NTLM authentication setup still work in this setup?

Sort of.

Squid can be placed into a passive config where it simply passes
authentication to/from the upstream proxy (login=PASS and connection-auth
options to cache_peer). The downside of this is that due to the nature of
NTLM etc. the relaying Squid is not able to authenticate anyone itself.

The very latest 3.HEAD (3.2) code is being upgraded to let Squid do Kerberos
login with peers as if it was a client browser. NTLM is not an option.

> Can the NTLM setup be configured to use a specified user (and password,
> hopefully encrypted) that can be specified in some configuration file?

No. Please read up on how NTLM works. Squid only ever sees encrypted hashes
of the login details.

Other than the HEAD version mentioned above, all other Squid require the
authentication method between Squid and the peer to be done with Basic auth.

> This is needed as many of our applications (Tomcat, ESB etc.) are headless
> (I mean not just a web browser) and they now need to go thru this new proxy
> server.

Do you mean the requests they make to the Internet need to be done that way?
... or that your Squid is actually meant to be a reverse proxy to access
them?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19
  Current Beta Squid 3.1.0.13
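As an added example (not from the thread, and not the Squid project's own documentation), here are the three arrangements the thread discusses written out as squid.conf fragments: the passive login=PASS relay Amos describes above, the cntlm chain from Andre's workaround, and the Squid 3.2 login=NEGOTIATE peer login. The upstream host upstream-proxy.example.internal:8080, the cntlm listener 127.0.0.1:3129 and the cntlm.ini values are assumed placeholders.

```conf
# Added example, not from the thread or from the Squid project: three ways to
# put Squid in front of an NTLM-only upstream proxy. Hostnames, ports and the
# cntlm.ini values are assumed placeholders.

http_port 3128

# Everything goes to a parent; Squid never fetches directly.
never_direct allow all

# --- A: passive relay (login=PASS, Amos' first answer) ----------------------
# Squid forwards each client's own Proxy-Authorization header to the parent
# and relays the parent's 407 challenge back. connection-auth=on pins the
# client<->Squid<->parent TCP connections together, which the connection-
# oriented NTLM handshake needs. Squid authenticates nobody itself, and every
# client, headless Tomcat/ESB processes included, must be able to complete
# NTLM against the upstream on its own.
cache_peer upstream-proxy.example.internal parent 8080 0 no-query default login=PASS connection-auth=on

# --- B: chain through cntlm (Andre's workaround) ----------------------------
# cntlm on the Squid host holds one service account's NTLMv2 credential and
# does the upstream handshake. From Squid's point of view the parent is an
# unauthenticated proxy on localhost, so clients need no credentials at all.
# Use this instead of the cache_peer line in A:
#cache_peer 127.0.0.1 parent 3129 0 no-query default
#
# Matching cntlm.ini (cntlm's documented keys; values are placeholders):
#   Domain     EXAMPLE
#   Username   squid-proxy-svc
#   Auth       NTLMv2
#   PassNTLMv2 <hash printed by: cntlm -H -u squid-proxy-svc -d EXAMPLE>
#   Proxy      upstream-proxy.example.internal:8080
#   Listen     127.0.0.1:3129
# The stored NTLMv2 hash is password-equivalent for that upstream, so keep
# cntlm.ini owned by and readable only by the cntlm user (mode 0600).

# --- C: Squid 3.2+ logs in to the parent itself (login=NEGOTIATE) -----------
# Squid presents a Kerberos ticket of its own to the parent, as if it were a
# client browser, so the Squid host needs a principal/keytab (Henrik's note).
# Use this instead of the cache_peer line in A:
#cache_peer upstream-proxy.example.internal parent 8080 0 no-query default login=NEGOTIATE
```

Variant A is the only one that gives the upstream the identity of each individual client, but it also pushes the NTLM handshake onto every client; B and C make Squid (or cntlm) the single identity the upstream sees.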
[squid-users] squid NTLM setup question
We have been using squid in our development environment. Squid has been
forwarding all the internet bound traffic to a proxy server that did not
need any authentication until now. But that has changed now and now we have
to use another proxy server that uses NTLM based authentication.

Now our servers in this development environment only have local users (users
logging in are not authenticated against Windows AD). Does the Squid NTLM
authentication setup still work in this setup? Can the NTLM setup be
configured to use a specified user (and password, hopefully encrypted) that
can be specified in some configuration file? This is needed as many of our
applications (Tomcat, ESB etc.) are headless (I mean not just a web browser)
and they now need to go thru this new proxy server.

Navjeet
Blog: http://chabbewal.blogspot.com
Twitter: http://twitter.com/navjeetc