mån 2009-07-20 klockan 12:30 +0200 skrev Gontzal:
> In the access.log of the parent proxy I get:
>
> 1248084163.393 131533 172.28.129.250 TCP_MISS/000 2696 CONNECT
> tp.seg-social.es:443 - DEFAULT_PARENT/172.16.100.230 -
Which says the request as successfully forwarded to the parent
172.16.100.2
Hi Amos,
I send the trace as requested, yesterday I just came back from
holidays and I was "out":
CONNECT tp.seg-social.es:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES;
rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Proxy-Connection: keep-alive
Host: tp.s
Responses in the message.
2009/7/20 Amos Jeffries :
> Gontzal wrote:
>>
>> Hi Amos,
>>
>> First of all sorry for the delay.
>>
>> Yes, the header_access tag it's not accepted on 3.0 S 16, I've tried
>> with reply_header_access with the same result: none.
>
> By "none" you mean Java still getting t
Gontzal wrote:
Hi Amos,
First of all sorry for the delay.
Yes, the header_access tag it's not accepted on 3.0 S 16, I've tried
with reply_header_access with the same result: none.
By "none" you mean Java still getting the NTLM Proxy_auth header?
Do you have a trace of the 407 reply from Squid
Hi Amos,
First of all sorry for the delay.
Yes, the header_access tag it's not accepted on 3.0 S 16, I've tried
with reply_header_access with the same result: none. Same entries on
access.log:
172.28.3.186 - - [20/Jul/2009:12:10:26 +0200] "CONNECT
tp.seg-social.es:443 HTTP/1.1" 407 2015 TCP_DENIE
On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal wrote:
> Hi,
>
> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
> 10.3 server with the --enable-http-violations option
> I've added the following lines to my squid.conf file:
>
> acl Java browser Java/1.4 Java/1.5 Java/1.6
>
> he
Hi,
I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
10.3 server with the --enable-http-violations option
I've added the following lines to my squid.conf file:
acl Java browser Java/1.4 Java/1.5 Java/1.6
header_access Proxy-Authenticate deny Java
header_replace Proxy-Authent
I agree this does look like a good clean solution. I'll look at
implementing a small on/off toggle to do only this change for safer Java
bypass. May not be very soon though. What version of Squid are you using?
Meanwhile yes, you do have to add the option to the ./configure options and
re-compil
Hi Kevin,
Thanks for your post, I think is a very good solution to the Java security hole.
I've seen that for using header_access and header_replace you need to
compile with the --enable-http-violations. My question is, if I
compiled squid without this option, is there any way to add this
featur
This what your looking for?
acl javaNtlmFix browser -i java
acl javaConnect method CONNECT
header_access Proxy-Authenticate deny javaNtlmFix javaConnect
header_replace Proxy-Authenticate Basic realm="Internet"
now only https/ssl access from java will have basic auth and so a
password dialog.
norm
Dear All,
Please reply if we have some solution for the problem. I am stuck with
the problem my server is live and i can't afforded to allow the java
sites to unauthorized users in the network.
Regards,
Nitin B.
Nitin Bhadauria wrote:
Dear All,
I have the same problem ..
Everytime a bro
11 matches
Mail list logo
