Dear All,
I have the same problem ..
Everytime a browser proxying through squid tries to load a secure java
applet, it comes up with a red x where the java applet should be.
So I have bybass those sites for authentication, But the problem is
users how don't have permission to access internet
Dear All,
Please reply if we have some solution for the problem. I am stuck with
the problem my server is live and i can't afforded to allow the java
sites to unauthorized users in the network.
Regards,
Nitin B.
Nitin Bhadauria wrote:
Dear All,
I have the same problem ..
Everytime a bro
This what your looking for?
acl javaNtlmFix browser -i java
acl javaConnect method CONNECT
header_access Proxy-Authenticate deny javaNtlmFix javaConnect
header_replace Proxy-Authenticate Basic realm="Internet"
now only https/ssl access from java will have basic auth and so a
password dialog.
norm
Hi Kevin,
Thanks for your post, I think is a very good solution to the Java security hole.
I've seen that for using header_access and header_replace you need to
compile with the --enable-http-violations. My question is, if I
compiled squid without this option, is there any way to add this
featur
I agree this does look like a good clean solution. I'll look at
implementing a small on/off toggle to do only this change for safer Java
bypass. May not be very soon though. What version of Squid are you using?
Meanwhile yes, you do have to add the option to the ./configure options and
re-compil
Hi,
I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
10.3 server with the --enable-http-violations option
I've added the following lines to my squid.conf file:
acl Java browser Java/1.4 Java/1.5 Java/1.6
header_access Proxy-Authenticate deny Java
header_replace Proxy-Authent
On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal wrote:
> Hi,
>
> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
> 10.3 server with the --enable-http-violations option
> I've added the following lines to my squid.conf file:
>
> acl Java browser Java/1.4 Java/1.5 Java/1.6
>
> he
Hi Amos,
First of all sorry for the delay.
Yes, the header_access tag it's not accepted on 3.0 S 16, I've tried
with reply_header_access with the same result: none. Same entries on
access.log:
172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] "CONNECT
tp.seg-social.es:443 HTTP/1.1" 407 2015 TCP_DENIE
Gontzal wrote:
Hi Amos,
First of all sorry for the delay.
Yes, the header_access tag it's not accepted on 3.0 S 16, I've tried
with reply_header_access with the same result: none.
By "none" you mean Java still getting the NTLM Proxy_auth header?
Do you have a trace of the 407 reply from Squid
Responses in the message.
2009/7/20 Amos Jeffries :
> Gontzal wrote:
>>
>> Hi Amos,
>>
>> First of all sorry for the delay.
>>
>> Yes, the header_access tag it's not accepted on 3.0 S 16, I've tried
>> with reply_header_access with the same result: none.
>
> By "none" you mean Java still getting t
Hi Amos,
I send the trace as requested, yesterday I just came back from
holidays and I was "out":
CONNECT tp.seg-social.es:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES;
rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Proxy-Connection: keep-alive
Host: tp.s
mån 2009-07-20 klockan 12:30 +0200 skrev Gontzal:
> In the access.log of the parent proxy I get:
>
> 1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT
> tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -
Which says the request as successfully forwarded to the parent
172.16.100.2
12 matches
Mail list logo