Thank you very much for your help.  Yes, I agree it's not the approach I would 
like to take.  I believe it may be something to do with the MDM and/or the iOS. 
I'm setting up a tcpdump to look at the packets.  What I see is the 
authentication "pop-up" occurs on the iPhone, but the credentials have already 
authenticated.  So, the users hit the cancel button and traffic is allowed to 
proxy.  Below is output of the access log.  I do notice the TCP_DENIED 
messages, which I don't understand.  Maybe this is part of the issue?

---access.log
1437577600.112   1612 70.197.232.249 TCP_TUNNEL/200 1728 CONNECT myproxyserver.com:443 myproxyuser HIER_DIRECT/206.15.205.62 -
1437577600.120   2089 70.197.232.249 TCP_TUNNEL/200 1728 CONNECT myproxyserver.com:443 myproxyuser HIER_DIRECT/206.15.205.62 -
1437577601.253   2161 70.197.232.249 TCP_TUNNEL/200 5677 CONNECT myproxyserver.com:443 myproxyuser HIER_DIRECT/206.15.205.62 -
1437577601.362      0 70.197.232.249 TCP_DENIED/407 4074 CONNECT myproxyserver.com:443 - HIER_NONE/- text/html

Here is my configuration.  Can you tell me specifically where to place the 
"all" and/or order to properly test and block Squid actively requesting 
credentials?

##############################################
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 8 hours
auth_param basic casesensitive on

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny all

http_port 3128
##############################################

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday, July 22, 2015 6:55 AM
To: Berkes, David; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] suppress sending authentication prompt

On 22/07/2015 3:36 a.m., Berkes, David wrote:
> Thank you.
> From the tcpdump, I see the iPhone sending requests to the proxy.  Sometimes 
> with credentials and sometimes not.  How can I tell squid to not send 407 in 
> response to the header with no credentials?  I have tried the following 
> variations with no luck.
>

Think about that for a minute.

If Squid is never allowed to *ask* for credentials, how will it get them?

Do you really want the browser actively broadcasting usernames and passwords in 
trivially decrypted format out into the network regardless of where it's 
connecting to?

You can block Squid actively requesting credentials by adding " all" to the end 
of the http_access line(s) that would otherwise end with ncsa_users ACL check. 
However, that will only cause the browser to display an error page. Access 
Denied, end of transaction, full stop, don't try again.



Remember that the popup is *not* part of HTTP messaging nor the HTTP level 
authentication. It is purely a browser internal mechanism for locating 
credentials.

407 is a perfectly normal HTTP operation. A working browser would always answer 
Squid 407 queries by sending the MDM configured credentials, with *zero* user 
involvement.

I suspect that perhaps your MDM system is tying the credentials to an IPv4 
address, and the iPhone using IPv6 on some traffic?
Or maybe the browser really is braindead and forgetting how to look up the 
credentials.

Amos
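
Added example, not part of the original thread or of Squid: a Python script that reads native-format access.log entries like the ones quoted above and reports, per client, how many TCP_DENIED/407 challenges were followed by an authenticated request. The sample lines, addresses, user name and the 5-second window are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log format, modelled on the
# entries quoted in the thread (addresses, host and user are made up).
SAMPLE_LOG = """\
1437577600.112   1612 192.0.2.10 TCP_TUNNEL/200 1728 CONNECT example.com:443 alice HIER_DIRECT/203.0.113.5 -
1437577601.253   2161 192.0.2.10 TCP_TUNNEL/200 5677 CONNECT example.com:443 alice HIER_DIRECT/203.0.113.5 -
1437577601.362      0 192.0.2.10 TCP_DENIED/407 4074 CONNECT example.com:443 - HIER_NONE/- text/html
1437577601.500    950 192.0.2.10 TCP_TUNNEL/200 2210 CONNECT example.com:443 alice HIER_DIRECT/203.0.113.5 -
1437577650.004      0 192.0.2.77 TCP_DENIED/407 4074 CONNECT example.com:443 - HIER_NONE/- text/html
1437577651.004      0 192.0.2.77 TCP_DENIED/407 4074 CONNECT example.com:443 - HIER_NONE/- text/html
"""

def parse_line(line):
    """Split one native-format entry into the fields used below."""
    f = line.split()
    if len(f) < 10:
        return None  # truncated or non-native line
    result, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "client": f[2], "result": result,
            "status": int(status), "url": f[6], "user": f[7]}

def summarize(log_text, window=5.0):
    """Per client: count 407 challenges and how many were answered.

    A challenge counts as answered when the same client has an entry with
    a user name (field 8 != "-") logged within `window` seconds after it.
    Entries are logged when a transaction ends, so this is a heuristic.
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            per_client[entry["client"]].append(entry)
    report = {}
    for client, entries in per_client.items():
        challenges = [e for e in entries if e["status"] == 407 and e["user"] == "-"]
        authed = [e for e in entries if e["user"] != "-"]
        answered = sum(
            any(0 <= a["ts"] - c["ts"] <= window for a in authed)
            for c in challenges)
        report[client] = {"challenges": len(challenges), "answered": answered,
                          "unanswered": len(challenges) - answered,
                          "users": sorted({a["user"] for a in authed})}
    return report

if __name__ == "__main__":
    for client, stats in summarize(SAMPLE_LOG).items():
        print(client, stats)
```

A client whose challenges are all answered is completing the normal 407 exchange; a client with only unanswered challenges never presented credentials at all.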
