Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

2009-07-22 Thread Henrik Nordstrom
Mon 2009-07-20 at 12:30 +0200, Gontzal wrote:

> In the access.log of the parent proxy I get:
> 
> 1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT
> tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -

Which says the request was successfully forwarded to the parent
172.16.100.230, but apparently no response at all was seen.

> Another question, the realm value must be the same as defined on
> "auth_param basic realm ProxySquid " or may be the domain name as
> defined on smb.conf? In my case it's not the same value.

It's preferably the same as auth_param, but it doesn't really matter.
It's mostly for presentation to the user, so they have a chance of
understanding what kind of resource they need to log in for.

Regards
Henrik

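The two access.log lines Henrik is reading above are in different Squid layouts: the parent logs in the native format (time, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, type), the child in the "common" format with Squid's result:hierarchy tag appended. As an added example that is not part of the thread, the Python below parses both, states what each line says in Henrik's terms (a 407 with TCP_DENIED means the client was challenged and has not authenticated; TCP_MISS/000 with a DEFAULT_PARENT peer means the request went upstream and no reply came back), and counts clients that keep collecting 407s on CONNECT without ever appearing with a user name, which is what a Java client that cannot complete the offered scheme looks like in the log. The first two sample lines are copied from the thread; the third, authenticated one is constructed.

```python
import re
from collections import Counter

# Sample entries. The first two are copied from the thread (parent proxy, native
# format; child proxy, "common" format with Squid's result:hierarchy suffix).
# The third is constructed here: an authenticated user whose CONNECT went through.
NATIVE_LINE = ("1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT "
               "tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -")
COMMON_LINE = ('172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] '
               '"CONNECT tp.seg-social.es:443 HTTP/1.1" 407 2015 TCP_DENIED:NONE')
CONSTRUCTED_OK_LINE = ('172.28.3.187 - DOMAIN\\jdoe [20/Jul/2009:12:10:31 +0200] '
                       '"CONNECT tp.seg-social.es:443 HTTP/1.1" 200 48213 '
                       'TCP_MISS:DEFAULT_PARENT')

# "common" layout: client ident user [time] "method url proto" status bytes result:hierarchy
COMMON_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'(?P<result>[A-Z_]+):(?P<hier>\S+)$')


def parse_common(line):
    m = COMMON_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["user"] = None if e["user"] == "-" else e["user"]
    e["peer"] = None        # this layout does not record the peer address
    e["elapsed_ms"] = None  # nor the service time
    return e


def parse_native(line):
    # native layout, 10 whitespace-separated fields:
    # time elapsed client result/status bytes method url user hierarchy/peer type
    f = line.split()
    if len(f) != 10:
        return None
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    return {"client": f[2], "elapsed_ms": int(f[1]), "result": result,
            "status": int(status), "bytes": int(f[4]), "method": f[5], "url": f[6],
            "user": None if f[7] == "-" else f[7], "hier": hier, "peer": peer or None}


def parse_line(line):
    # only the common layout quotes the request line
    return parse_common(line) if '"' in line else parse_native(line)


def explain(e):
    """One-line reading of an entry, following Henrik's interpretation in the thread."""
    if e["status"] == 407:
        return ("client %s was challenged for proxy credentials on %s %s (%s) "
                "and has not authenticated yet"
                % (e["client"], e["method"], e["url"], e["result"]))
    if e["status"] == 0 and e["peer"]:
        text = "%s %s was forwarded to parent %s but no HTTP reply was seen" % (
            e["method"], e["url"], e["peer"])
        if e["elapsed_ms"]:
            text += " (gave up after %d ms)" % e["elapsed_ms"]
        return text
    return "%s %s -> %d for %s as %s (%s)" % (
        e["method"], e["url"], e["status"], e["client"], e["user"] or "anonymous", e["result"])


def challenge_counts(lines):
    """Clients that keep receiving 407 on CONNECT and never appear with a user name:
    the log footprint of a client (the Java applet in the thread) that cannot
    complete the auth scheme the proxy offers it."""
    challenged, authenticated = Counter(), set()
    for line in lines:
        e = parse_line(line)
        if not e:
            continue
        if e["user"]:
            authenticated.add(e["client"])
        elif e["status"] == 407 and e["method"] == "CONNECT":
            challenged[e["client"]] += 1
    return Counter({c: n for c, n in challenged.items() if c not in authenticated})


if __name__ == "__main__":
    for line in (NATIVE_LINE, COMMON_LINE, CONSTRUCTED_OK_LINE):
        print(explain(parse_line(line)))
    print(challenge_counts([NATIVE_LINE, COMMON_LINE, COMMON_LINE, CONSTRUCTED_OK_LINE]))
```

Feed it the child proxy's access.log and a client that shows up only in `challenge_counts` is one to look at with a packet capture of the 407, which is what Amos asks for further down the thread.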


Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

2009-07-21 Thread Gontzal
Hi Amos,

I'm sending the trace as requested; yesterday I just came back from
holidays and I was "out":

CONNECT tp.seg-social.es:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES;
rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Proxy-Connection: keep-alive
Host: tp.seg-social.es

HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE16
Mime-Version: 1.0
Date: Tue, 21 Jul 2009 10:28:20 GMT
Content-Type: text/html
Content-Length: 1681
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="ProxySquid "
X-Cache: MISS from deil-trinity2
X-Cache-Lookup: NONE from deil-trinity2:3128
Via: 1.0 deil-trinity2 (squid/3.0.STABLE16)
Proxy-Connection: close

ERROR: Cache Access Denied

The following error was encountered while trying to retrieve the
URL: https://tp.seg-social.es/*

Cache Access Denied.

Sorry, you are not currently allowed to request
https://tp.seg-social.es/* from this cache until you have
authenticated yourself.

Please contact the cache administrator if you have difficulties
authenticating yourself or change your default password
(http://deil-trinity2/cgi-bin/chpasswd.cgi).

(The "cache administrator" mailto link carries the error details:
CacheHost deil-trinity2, ErrPage ERR_CACHE_ACCESS_DENIED, Err [none],
TimeStamp Tue, 21 Jul 2009 10:28:20 GMT, ClientIP 172.28.3.186, and the
HTTP request "CONNECT / HTTP/1.1" with the User-Agent, Proxy-Connection
and Host headers shown above.)

Generated Tue, 21 Jul 2009 10:28:20 GMT by
deil-trinity2 (squid/3.0.STABLE16)

Thanks a lot

2009/7/20 Gontzal :
> Responses in the message.
>
> 2009/7/20 Amos Jeffries :
>> Gontzal wrote:
>>>
>>> Hi Amos,
>>>
>>> First of all sorry for the delay.
>>>
>>> Yes, the header_access tag isn't accepted on 3.0 S 16, I've tried
>>> with reply_header_access with the same result: none.
>>
>> By "none" you mean Java still getting the NTLM Proxy_auth header?
>
> I think so, because it is not starting the java applet, nor asking
> for basic auth
>
>> Do you have a trace of the 407 reply from Squid to be sure of that?
>
> I don't know how to get the trace; if you can give me more info on how
> to get the trace I would appreciate it. I just have the information from
> the access.log
>
>>
>>> Same entries on
>>> access.log:
>>> 172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] "CONNECT
>>> tp.seg-social.es:443 HTTP/1.1" 407 2015 TCP_DENIED:NONE
>>>
>>> In the access.log of the parent proxy I get:
>>>
>>> 1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT
>>> tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -
>>>
>>>
>>> This is part of my conf:
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 50
>>> auth_param basic program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-basic
>>> auth_param basic children 5
>>> auth_param basic realm ProxySquid
>>> auth_param basic credentialsttl 2 hours
>>> external_acl_type winbind_group children=10 %LOGIN
>>>  /usr/sbin/wbinfo_group.pl
>>>
>>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>>> acl javaConnect method CONNECT
>>>
>>> reply_header_access Proxy-Authenticate deny Java javaConnect
>>> header_replace Proxy-Authenticate basic realm=ProxySquid
>>>
>>> and after that the http_access tags
>>>
>>> Another question, the realm value must be the same as defined on
>>> "auth_param basic realm ProxySquid " or may be the domain name as
>>> defined on smb.conf? In my case it's not the same value.
>>
>> The realm returned by Squid should always be the one configured in
>> squid.conf auth_param
>
> does the value of realm have to be between " " or not?
>
> Thanks again.
>
> Gontzal
>
>> Amos
>>
>>>
>>>
>>> 2009/7/2 Amos Jeffries :

 On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal  wrote:
>
> Hi,
>
> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
> 10.3 server with the --enable-http-violations option
> I've added the following lines to my squid.conf file:
>
> acl Java browser Java/1.4 Java/1.5 Java/1.6
>
> header_access Proxy-Authenticate deny Java
> header_replace Proxy-Authenticate Basic realm=""
>
> The header tags are before the http_access tags, I don't know if it is
> correct. I've also disabled the option http_access allow Java
>
> Squid runs correctly but when I check for java, it doesn't work: it
> doesn't ask for basic auth and doesn't show the java applet page.

Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

2009-07-20 Thread Gontzal
Responses in the message.

2009/7/20 Amos Jeffries :
> Gontzal wrote:
>>
>> Hi Amos,
>>
>> First of all sorry for the delay.
>>
>> Yes, the header_access tag isn't accepted on 3.0 S 16, I've tried
>> with reply_header_access with the same result: none.
>
> By "none" you mean Java still getting the NTLM Proxy_auth header?

I think so, because it is not starting the java applet, nor asking
for basic auth

> Do you have a trace of the 407 reply from Squid to be sure of that?

I don't know how to get the trace; if you can give me more info on how
to get the trace I would appreciate it. I just have the information from
the access.log

>
>> Same entries on
>> access.log:
>> 172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] "CONNECT
>> tp.seg-social.es:443 HTTP/1.1" 407 2015 TCP_DENIED:NONE
>>
>> In the access.log of the parent proxy I get:
>>
>> 1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT
>> tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -
>>
>>
>> This is part of my conf:
>>
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 50
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm ProxySquid
>> auth_param basic credentialsttl 2 hours
>> external_acl_type winbind_group children=10 %LOGIN
>>  /usr/sbin/wbinfo_group.pl
>>
>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>> acl javaConnect method CONNECT
>>
>> reply_header_access Proxy-Authenticate deny Java javaConnect
>> header_replace Proxy-Authenticate basic realm=ProxySquid
>>
>> and after that the http_access tags
>>
>> Another question, the realm value must be the same as defined on
>> "auth_param basic realm ProxySquid " or may be the domain name as
>> defined on smb.conf? In my case it's not the same value.
>
> The realm returned by Squid should always be the one configured in
> squid.conf auth_param

does the value of realm have to be between " " or not?

Thanks again.

Gontzal

> Amos
>
>>
>>
>> 2009/7/2 Amos Jeffries :
>>>
>>> On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal  wrote:

 Hi,

 I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
 10.3 server with the --enable-http-violations option
 I've added the following lines to my squid.conf file:

 acl Java browser Java/1.4 Java/1.5 Java/1.6

 header_access Proxy-Authenticate deny Java
 header_replace Proxy-Authenticate Basic realm=""

 The header tags are before the http_access tags, I don't know if it is
 correct. I've also disabled the option http_access allow Java

 Squid runs correctly but when I check for java, it doesn't work: it
 doesn't ask for basic auth and doesn't show the java applet page.

 On the access log it shows lines like this one:

 (01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=>172.28.129.250)
 (tp.seg-social.es:443) text/html-2226bytes 1ms

 I've changed the identity of my browser from firefox to java and it
 browses using ntlm auth instead of asking for user/passwd

 Where can the problem be?
>>>
>>> In squid-3 the header_access has been broken in half.
>>>
>>> I believe you need to use reply_header_access.
>>>
>>> Amos
>>>
 Thanks again!

>
>
> --
> Please be using
>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
>  Current Beta Squid 3.1.0.10 or 3.1.0.11
>


Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

2009-07-20 Thread Amos Jeffries

Gontzal wrote:

Hi Amos,

First of all sorry for the delay.

Yes, the header_access tag isn't accepted on 3.0 S 16, I've tried
with reply_header_access with the same result: none.


By "none" you mean Java still getting the NTLM Proxy_auth header?
Do you have a trace of the 407 reply from Squid to be sure of that?



Same entries on
access.log:
172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] "CONNECT
tp.seg-social.es:443 HTTP/1.1" 407 2015 TCP_DENIED:NONE

In the access.log of the parent proxy I get:

1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT
tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -


This is part of my conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm ProxySquid
auth_param basic credentialsttl 2 hours
external_acl_type winbind_group children=10 %LOGIN  /usr/sbin/wbinfo_group.pl

acl Java browser Java/1.4 Java/1.5 Java/1.6
acl javaConnect method CONNECT

reply_header_access Proxy-Authenticate deny Java javaConnect
header_replace Proxy-Authenticate basic realm=ProxySquid

and after that the http_access tags

Another question, the realm value must be the same as defined on
"auth_param basic realm ProxySquid " or may be the domain name as
defined on smb.conf? In my case it's not the same value.


The realm returned by Squid should always be the one configured in 
squid.conf auth_param


Amos




2009/7/2 Amos Jeffries :

On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal  wrote:

Hi,

I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
10.3 server with the --enable-http-violations option
I've added the following lines to my squid.conf file:

acl Java browser Java/1.4 Java/1.5 Java/1.6

header_access Proxy-Authenticate deny Java
header_replace Proxy-Authenticate Basic realm=""

The header tags are before the http_access tags, I don't know if it is
correct. I've also disabled the option http_access allow Java

Squid runs correctly but when I check for java, it doesn't work: it
doesn't ask for basic auth and doesn't show the java applet page.

On the access log it shows lines like this one:

(01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=>172.28.129.250)
(tp.seg-social.es:443) text/html-2226bytes 1ms

I've changed the identity of my browser from firefox to java and it
browses using ntlm auth instead of asking for user/passwd

Where can the problem be?

In squid-3 the header_access has been broken in half.

I believe you need to use reply_header_access.

Amos


Thanks again!




--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.10 or 3.1.0.11


Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

2009-07-20 Thread Gontzal
Hi Amos,

First of all sorry for the delay.

Yes, the header_access tag isn't accepted on 3.0 S 16, I've tried
with reply_header_access with the same result: none. Same entries on
access.log:
172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] "CONNECT
tp.seg-social.es:443 HTTP/1.1" 407 2015 TCP_DENIED:NONE

In the access.log of the parent proxy I get:

1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT
tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -


This is part of my conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm ProxySquid
auth_param basic credentialsttl 2 hours
external_acl_type winbind_group children=10 %LOGIN  /usr/sbin/wbinfo_group.pl

acl Java browser Java/1.4 Java/1.5 Java/1.6
acl javaConnect method CONNECT

reply_header_access Proxy-Authenticate deny Java javaConnect
header_replace Proxy-Authenticate basic realm=ProxySquid

and after that the http_access tags

Another question, the realm value must be the same as defined on
"auth_param basic realm ProxySquid " or may be the domain name as
defined on smb.conf? In my case it's not the same value.


2009/7/2 Amos Jeffries :
> On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal  wrote:
>> Hi,
>>
>> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
>> 10.3 server with the --enable-http-violations option
>> I've added the following lines to my squid.conf file:
>>
>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>>
>> header_access Proxy-Authenticate deny Java
>> header_replace Proxy-Authenticate Basic realm=""
>>
>> The header tags are before the http_access tags, I don't know if it is
>> correct. I've also disabled the option http_access allow Java
>>
>> Squid runs correctly but when I check for java, it doesn't work: it
>> doesn't ask for basic auth and doesn't show the java applet page.
>>
>> On the access log it shows lines like this one:
>>
>> (01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=>172.28.129.250)
>> (tp.seg-social.es:443) text/html-2226bytes 1ms
>>
>> I've changed the identity of my browser from firefox to java and it
>> browses using ntlm auth instead of asking for user/passwd
>>
>> Where can the problem be?
>
> In squid-3 the header_access has been broken in half.
>
> I believe you need to use reply_header_access.
>
> Amos
>
>>
>> Thanks again!
>>


Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

2009-07-01 Thread Amos Jeffries
On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal  wrote:
> Hi,
> 
> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
> 10.3 server with the --enable-http-violations option
> I've added the following lines to my squid.conf file:
> 
> acl Java browser Java/1.4 Java/1.5 Java/1.6
> 
> header_access Proxy-Authenticate deny Java
> header_replace Proxy-Authenticate Basic realm=""
> 
> The header tags are before the http_access tags, I don't know if it is
> correct. I've also disabled the option http_access allow Java
> 
> Squid runs correctly but when I check for java, it doesn't work: it
> doesn't ask for basic auth and doesn't show the java applet page.
> 
> On the access log it shows lines like this one:
> 
> (01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=>172.28.129.250)
> (tp.seg-social.es:443) text/html-2226bytes 1ms
> 
> I've changed the identity of my browser from firefox to java and it
> browses using ntlm auth instead of asking for user/passwd
> 
> Where can the problem be?

In squid-3 the header_access has been broken in half.

I believe you need to use reply_header_access.

Amos

> 
> Thanks again!
> 
> 2009/6/30 Amos Jeffries :
>>
>>
>> I agree this does look like a good clean solution. I'll look at
>> implementing a small on/off toggle to do only this change for safer Java
>> bypass. May not be very soon though. What version of Squid are you
>> using?
>>
>> Meanwhile yes, you do have to add the option to the ./configure options
>> and re-compile = re-install Squid.
>> The install process if done right should not alter existing squid.conf
>> and be a simple drop-in to the existing install. But a backup is worth
>> doing just in case.
>> If currently using a packaged Squid, you may want to contact the package
>> maintainer for any help on the configure and install steps.
>>
>> Amos
>>
>> On Mon, 29 Jun 2009 10:40:06 +0200, Gontzal  wrote:
>>> Hi Kevin,
>>>
>>>
>>> Thanks for your post, I think it is a very good solution to the Java
>>> security hole.
>>>
>>> I've seen that for using header_access and header_replace you need to
>>> compile with the --enable-http-violations. My question is, if I
>>> compiled squid without this option, is there any way to add this
>>> feature or do I have to compile the entire squid again? In this case, should I
>>> save my configuration files?
>>>
>>> Where should I put these lines, after acls?
>>>
>>> Thanks again
>>>
>>> Gontzal
>>>
>>> 2009/6/27 Kevin Blackwell :
 Is this what you're looking for?

 acl javaNtlmFix browser -i java
 acl javaConnect method CONNECT
 header_access Proxy-Authenticate deny javaNtlmFix javaConnect
 header_replace Proxy-Authenticate Basic realm="Internet"

 now only https/ssl access from java will have basic auth and so a
 password dialog.
 normal http access will work with ntlm challenge response.

 thanxs again

 markus

>-Original Message-
>From: Rietzler, Markus (Firma Rietzler Software / RZF)
>Sent: Tuesday, 16 October 2007 18:17
>To: 'Chris Robertson'; squid-users@squid-cache.org
>Subject: RE: [squid-users] force basic NTLM-auth for certain
>clients/urls
>
>thanxs for that hint - it worked as a fix
>
>I have added this to my squid.conf
>
>acl javaNtlmFix browser -i java
>header_access Proxy-Authenticate deny javaNtlmFix
>header_replace Proxy-Authenticate Basic realm="Internet Access"
>
>now any java-client (java web start, java or applets in
>browser) will only see the basic auth scheme.
>a username/password dialog pops up and I have to enter my credentials.
>
>any other client (firefox, ie) still see both NTLM and Basic
>scheme and use NTLM challenge response to authenticate...
>
>the little drawback is that there is that little nasty dialog
>but connection via proxy is working...
>
>thanxs
>
>markus
>

 On Sat, May 9, 2009 at 12:13 AM, Nitin
 Bhadauria wrote:
> Dear All,
>
> Please reply if we have some solution for the problem. I am stuck with
> the problem: my server is live and I can't afford to allow the java
> sites to unauthorized users in the network.
>
> Regards,
> Nitin B.
>
>
> Nitin Bhadauria wrote:
>>
>> Dear All,
>>
>>
>> I have the same problem ..
>>
>> Every time a browser proxying through squid tries to load a secure
>> java applet, it comes up with a red x where the java applet should be.
>>
>>
>> So I have bypassed those sites for authentication, but the problem is
>> that users who don't have permission to access the internet are also
>> able to access those sites.
>>
>> Please update if we have found any other solution for the problem.
>>
>> Thanks in advance for any reply.
>>
>> Regards,
>> Nitin Bhadauria
>>
>>
>>
>>
>
>

Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

2009-07-01 Thread Gontzal
Hi,

I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
10.3 server with the --enable-http-violations option
I've added the following lines to my squid.conf file:

acl Java browser Java/1.4 Java/1.5 Java/1.6

header_access Proxy-Authenticate deny Java
header_replace Proxy-Authenticate Basic realm=""

The header tags are before the http_access tags, I don't know if it is
correct. I've also disabled the option http_access allow Java

Squid runs correctly but when I check for java, it doesn't work: it
doesn't ask for basic auth and doesn't show the java applet page.

On the access log it shows lines like this one:

(01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=>172.28.129.250)
(tp.seg-social.es:443) text/html-2226bytes 1ms

I've changed the identity of my browser from firefox to java and it
browses using ntlm auth instead of asking for user/passwd

Where can the problem be?

Thanks again!

2009/6/30 Amos Jeffries :
>
>
> I agree this does look like a good clean solution. I'll look at
> implementing a small on/off toggle to do only this change for safer Java
> bypass. May not be very soon though. What version of Squid are you using?
>
> Meanwhile yes, you do have to add the option to the ./configure options and
> re-compile = re-install Squid.
> The install process if done right should not alter existing squid.conf and
> be a simple drop-in to the existing install. But a backup is worth doing
> just in case.
> If currently using a packaged Squid, you may want to contact the package
> maintainer for any help on the configure and install steps.
>
> Amos
>
> On Mon, 29 Jun 2009 10:40:06 +0200, Gontzal  wrote:
>> Hi Kevin,
>>
>>
>> Thanks for your post, I think it is a very good solution to the Java
>> security hole.
>>
>> I've seen that for using header_access and header_replace you need to
>> compile with the --enable-http-violations. My question is, if I
>> compiled squid without this option, is there any way to add this
>> feature or do I have to compile the entire squid again? In this case, should I
>> save my configuration files?
>>
>> Where should I put these lines, after acls?
>>
>> Thanks again
>>
>> Gontzal
>>
>> 2009/6/27 Kevin Blackwell :
>>> Is this what you're looking for?
>>>
>>> acl javaNtlmFix browser -i java
>>> acl javaConnect method CONNECT
>>> header_access Proxy-Authenticate deny javaNtlmFix javaConnect
>>> header_replace Proxy-Authenticate Basic realm="Internet"
>>>
>>> now only https/ssl access from java will have basic auth and so a
>>> password dialog.
>>> normal http access will work with ntlm challenge response.
>>>
>>> thanxs again
>>>
>>> markus
>>>
-Original Message-
From: Rietzler, Markus (Firma Rietzler Software / RZF)
Sent: Tuesday, 16 October 2007 18:17
To: 'Chris Robertson'; squid-users@squid-cache.org
Subject: RE: [squid-users] force basic NTLM-auth for certain
clients/urls

thanxs for that hint - it worked as a fix

I have added this to my squid.conf

acl javaNtlmFix browser -i java
header_access Proxy-Authenticate deny javaNtlmFix
header_replace Proxy-Authenticate Basic realm="Internet Access"

now any java-client (java web start, java or applets in
browser) will only see the basic auth scheme.
a username/password dialog pops up and I have to enter my credentials.

any other client (firefox, ie) still see both NTLM and Basic
scheme and use NTLM challenge response to authenticate...

the little drawback is that there is that little nasty dialog
but connection via proxy is working...

thanxs

markus

>>>
>>> On Sat, May 9, 2009 at 12:13 AM, Nitin
>>> Bhadauria wrote:
 Dear All,

 Please reply if we have some solution for the problem. I am stuck with
 the problem: my server is live and I can't afford to allow the java
 sites to unauthorized users in the network.

 Regards,
 Nitin B.


 Nitin Bhadauria wrote:
>
> Dear All,
>
>
> I have the same problem ..
>
> Every time a browser proxying through squid tries to load a secure java
> applet, it comes up with a red x where the java applet should be.
>
>
> So I have bypassed those sites for authentication, but the problem is
> that users who don't have permission to access the internet are also
> able to access those sites.
>
> Please update if we have found any other solution for the problem.
>
> Thanks in advance for any reply.
>
> Regards,
> Nitin Bhadauria
>
>
>
>


>>>
>


Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

2009-06-29 Thread Amos Jeffries


I agree this does look like a good clean solution. I'll look at
implementing a small on/off toggle to do only this change for safer Java
bypass. May not be very soon though. What version of Squid are you using?

Meanwhile yes, you do have to add the option to the ./configure options and
re-compile = re-install Squid.
The install process if done right should not alter existing squid.conf and
be a simple drop-in to the existing install. But a backup is worth doing
just in case.
If currently using a packaged Squid, you may want to contact the package
maintainer for any help on the configure and install steps.

Amos

On Mon, 29 Jun 2009 10:40:06 +0200, Gontzal  wrote:
> Hi Kevin,
> 
> 
> Thanks for your post, I think it is a very good solution to the Java
> security hole.
> 
> I've seen that for using header_access and header_replace you need to
> compile with the --enable-http-violations. My question is, if I
> compiled squid without this option, is there any way to add this
> feature or do I have to compile the entire squid again? In this case, should I
> save my configuration files?
> 
> Where should I put these lines, after acls?
> 
> Thanks again
> 
> Gontzal
> 
> 2009/6/27 Kevin Blackwell :
>> Is this what you're looking for?
>>
>> acl javaNtlmFix browser -i java
>> acl javaConnect method CONNECT
>> header_access Proxy-Authenticate deny javaNtlmFix javaConnect
>> header_replace Proxy-Authenticate Basic realm="Internet"
>>
>> now only https/ssl access from java will have basic auth and so a
>> password dialog.
>> normal http access will work with ntlm challenge response.
>>
>> thanxs again
>>
>> markus
>>
>>>-Original Message-
>>>From: Rietzler, Markus (Firma Rietzler Software / RZF)
>>>Sent: Tuesday, 16 October 2007 18:17
>>>To: 'Chris Robertson'; squid-users@squid-cache.org
>>>Subject: RE: [squid-users] force basic NTLM-auth for certain
>>>clients/urls
>>>
>>>thanxs for that hint - it worked as a fix
>>>
>>>I have added this to my squid.conf
>>>
>>>acl javaNtlmFix browser -i java
>>>header_access Proxy-Authenticate deny javaNtlmFix
>>>header_replace Proxy-Authenticate Basic realm="Internet Access"
>>>
>>>now any java-client (java web start, java or applets in
>>>browser) will only see the basic auth scheme.
>>>a username/password dialog pops up and I have to enter my credentials.
>>>
>>>any other client (firefox, ie) still see both NTLM and Basic
>>>scheme and use NTLM challenge response to authenticate...
>>>
>>>the little drawback is that there is that little nasty dialog
>>>but connection via proxy is working...
>>>
>>>thanxs
>>>
>>>markus
>>>
>>
>> On Sat, May 9, 2009 at 12:13 AM, Nitin
>> Bhadauria wrote:
>>> Dear All,
>>>
>>> Please reply if we have some solution for the problem. I am stuck with
>>> the problem: my server is live and I can't afford to allow the java
>>> sites to unauthorized users in the network.
>>>
>>> Regards,
>>> Nitin B.
>>>
>>>
>>> Nitin Bhadauria wrote:

 Dear All,


 I have the same problem ..

 Every time a browser proxying through squid tries to load a secure java
 applet, it comes up with a red x where the java applet should be.


 So I have bypassed those sites for authentication, but the problem is
 that users who don't have permission to access the internet are also
 able to access those sites.

 Please update if we have found any other solution for the problem.

 Thanks in advance for any reply.

 Regards,
 Nitin Bhadauria




>>>
>>>
>>


Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

2009-06-29 Thread Gontzal
Hi Kevin,


Thanks for your post, I think it is a very good solution to the Java security hole.

I've seen that for using header_access and header_replace you need to
compile with the --enable-http-violations. My question is, if I
compiled squid without this option, is there any way to add this
feature or do I have to compile the entire squid again? In this case, should I
save my configuration files?

Where should I put these lines, after acls?

Thanks again

Gontzal

2009/6/27 Kevin Blackwell :
> Is this what you're looking for?
>
> acl javaNtlmFix browser -i java
> acl javaConnect method CONNECT
> header_access Proxy-Authenticate deny javaNtlmFix javaConnect
> header_replace Proxy-Authenticate Basic realm="Internet"
>
> now only https/ssl access from java will have basic auth and so a
> password dialog.
> normal http access will work with ntlm challenge response.
>
> thanxs again
>
> markus
>
>>-Original Message-
>>From: Rietzler, Markus (Firma Rietzler Software / RZF)
>>Sent: Tuesday, 16 October 2007 18:17
>>To: 'Chris Robertson'; squid-users@squid-cache.org
>>Subject: RE: [squid-users] force basic NTLM-auth for certain
>>clients/urls
>>
>>thanxs for that hint - it worked as a fix
>>
>>I have added this to my squid.conf
>>
>>acl javaNtlmFix browser -i java
>>header_access Proxy-Authenticate deny javaNtlmFix
>>header_replace Proxy-Authenticate Basic realm="Internet Access"
>>
>>now any java-client (java web start, java or applets in
>>browser) will only see the basic auth scheme.
>>a username/password dialog pops up and I have to enter my credentials.
>>
>>any other client (firefox, ie) still see both NTLM and Basic
>>scheme and use NTLM challenge response to authenticate...
>>
>>the little drawback is that there is that little nasty dialog
>>but connection via proxy is working...
>>
>>thanxs
>>
>>markus
>>
>
> On Sat, May 9, 2009 at 12:13 AM, Nitin
> Bhadauria wrote:
>> Dear All,
>>
>> Please reply if we have some solution for the problem. I am stuck with
>> the problem: my server is live and I can't afford to allow the java
>> sites to unauthorized users in the network.
>>
>> Regards,
>> Nitin B.
>>
>>
>> Nitin Bhadauria wrote:
>>>
>>> Dear All,
>>>
>>>
>>> I have the same problem ..
>>>
>>> Every time a browser proxying through squid tries to load a secure java
>>> applet, it comes up with a red x where the java applet should be.
>>>
>>>
>>> So I have bypassed those sites for authentication, but the problem is
>>> that users who don't have permission to access the internet are also
>>> able to access those sites.
>>>
>>> Please update if we have found any other solution for the problem.
>>>
>>> Thanks in advance for any reply.
>>>
>>> Regards,
>>> Nitin Bhadauria
>>>
>>>
>>>
>>>
>>
>>
>


Re: Fw: [squid-users] NTLM Auth and Java applets (Any update)

2009-06-26 Thread Kevin Blackwell
Is this what you're looking for?

acl javaNtlmFix browser -i java
acl javaConnect method CONNECT
header_access Proxy-Authenticate deny javaNtlmFix javaConnect
header_replace Proxy-Authenticate Basic realm="Internet"

now only https/ssl access from java will have basic auth and so a
password dialog.
normal http access will work with ntlm challenge response.

thanxs again

markus

>-Original Message-
>From: Rietzler, Markus (Firma Rietzler Software / RZF)
>Sent: Tuesday, 16 October 2007 18:17
>To: 'Chris Robertson'; squid-users@squid-cache.org
>Subject: RE: [squid-users] force basic NTLM-auth for certain
>clients/urls
>
>thanxs for that hint - it worked as a fix
>
>I have added this to my squid.conf
>
>acl javaNtlmFix browser -i java
>header_access Proxy-Authenticate deny javaNtlmFix
>header_replace Proxy-Authenticate Basic realm="Internet Access"
>
>now any java-client (java web start, java or applets in
>browser) will only see the basic auth scheme.
>a username/password dialog pops up and I have to enter my credentials.
>
>any other client (firefox, ie) still see both NTLM and Basic
>scheme and use NTLM challenge response to authenticate...
>
>the little drawback is that there is that little nasty dialog
>but connection via proxy is working...
>
>thanxs
>
>markus
>

On Sat, May 9, 2009 at 12:13 AM, Nitin
Bhadauria wrote:
> Dear All,
>
> Please reply if we have some solution for the problem. I am stuck with
> the problem: my server is live and I can't afford to allow the java
> sites to unauthorized users in the network.
>
> Regards,
> Nitin B.
>
>
> Nitin Bhadauria wrote:
>>
>> Dear All,
>>
>>
>> I have the same problem ..
>>
>> Every time a browser proxying through squid tries to load a secure java
>> applet, it comes up with a red x where the java applet should be.
>>
>>
>> So I have bypassed those sites for authentication, but the problem is
>> that users who don't have permission to access the internet are also
>> able to access those sites.
>>
>> Please update if we have found any other solution for the problem.
>>
>> Thanks in advance for any reply.
>>
>> Regards,
>> Nitin Bhadauria
>>
>>
>>
>>
>
>

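Kevin's four config lines above (and Markus's original two) depend on how Squid's header_access/header_replace pair treats a denied header: the entry is not dropped, its value is overwritten with the header_replace string, so a Java client issuing CONNECT should end up seeing only a Basic challenge while Firefox or IE keep NTLM. The Python below is an added example, not Squid code and not anything posted in the thread: it parses a raw 407 reply (Gontzal's capture from the top of the thread, trimmed to its headers), applies the two ACLs and the replacement to it for a Java and for a Firefox user agent, and lists the schemes each client would see. The regex stands in for `acl javaNtlmFix browser -i java`, and the Java user-agent string is constructed. Running `offered_schemes` over a real capture is the check Amos asks for further up; in the trace at the top of the thread both NTLM and Basic are still present, so the rules had not taken effect there. The trade-off to keep in mind: the downgraded client then sends its password base64-encoded in Proxy-Authorization with every request, which is still far better than exempting the sites from authentication as Nitin did, but it is not NTLM.

```python
import re

# The 407 reply Gontzal captured from squid/3.0.STABLE16, reduced to its header block.
RAW_407 = (
    "HTTP/1.0 407 Proxy Authentication Required\r\n"
    "Server: squid/3.0.STABLE16\r\n"
    "Content-Type: text/html\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="ProxySquid "\r\n'
    "Proxy-Connection: close\r\n"
    "\r\n"
)

# Constructed user-agent strings for the two kinds of client in the thread.
UA_JAVA = "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13"
UA_FIREFOX = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.1) "
              "Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)")


def parse_reply(raw):
    """Split a raw HTTP reply into (status_line, [(name, value), ...]).
    Header order and duplicates are kept: a 407 may carry one challenge per scheme."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def offered_schemes(headers):
    """Auth schemes the client is offered: first token of each Proxy-Authenticate value."""
    return [v.split(None, 1)[0] for n, v in headers if n.lower() == "proxy-authenticate"]


# Stand-ins for the two ACLs from the thread:
#   acl javaNtlmFix browser -i java
#   acl javaConnect method CONNECT
def acl_java_ntlm_fix(user_agent):
    return re.search("java", user_agent, re.IGNORECASE) is not None


def acl_java_connect(method):
    return method == "CONNECT"


def mangle_reply_headers(headers, user_agent, method, realm="Internet"):
    """Model of
         header_access  Proxy-Authenticate deny javaNtlmFix javaConnect
         header_replace Proxy-Authenticate Basic realm="Internet"
    Squid checks the access list per header entry. A denied entry that has a
    header_replace string is kept with its value overwritten rather than removed,
    so both Proxy-Authenticate lines become identical Basic challenges. Without a
    header_replace string the denied entries would simply be dropped."""
    denied = acl_java_ntlm_fix(user_agent) and acl_java_connect(method)
    out = []
    for name, value in headers:
        if denied and name.lower() == "proxy-authenticate":
            out.append((name, 'Basic realm="%s"' % realm))
        else:
            out.append((name, value))
    return out


def render(status_line, headers):
    """Serialise the reply the way the client receives it."""
    return status_line + "\r\n" + "".join("%s: %s\r\n" % h for h in headers) + "\r\n"


if __name__ == "__main__":
    status, hdrs = parse_reply(RAW_407)
    print("as generated by squid      :", offered_schemes(hdrs))
    for label, ua, method in (("Java CONNECT", UA_JAVA, "CONNECT"),
                              ("Java GET", UA_JAVA, "GET"),
                              ("Firefox CONNECT", UA_FIREFOX, "CONNECT")):
        print("%-27s:" % ("seen by " + label),
              offered_schemes(mangle_reply_headers(hdrs, ua, method)))
    print(render(status, mangle_reply_headers(hdrs, UA_JAVA, "CONNECT")))
```

The `Java GET` case is there because Kevin's version adds the `javaConnect` ACL: plain HTTP from a Java client keeps the NTLM challenge and only the CONNECT tunnels, where the applet failed, get downgraded. Paste the headers of a live 407 into `RAW_407` to see which schemes your proxy is really sending.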

Fw: [squid-users] NTLM Auth and Java applets (Any update)

2009-05-08 Thread Nitin Bhadauria

Dear All,

Please reply if we have some solution for the problem. I am stuck with
the problem: my server is live and I can't afford to allow the java
sites to unauthorized users in the network.


Regards,
Nitin B.


Nitin Bhadauria wrote:

Dear All,


I have the same problem ..

Every time a browser proxying through squid tries to load a secure java
applet, it comes up with a red x where the java applet should be.


So I have bypassed those sites for authentication, but the problem is
that users who don't have permission to access the internet are also
able to access those sites.


Please update if we have found any other solution for the problem.

Thanks in advance for any reply.

Regards,
Nitin Bhadauria