Hello to all, I am using Squid Version 2.5.STABLE6-20040729 and Samba 3.0.2a on Red Hat ES3.0.
Our squid users connect to an internal squid proxy, and then the traffic is routed depending on the destination : directly for "local traffic", forwarded to a parent squid proxy for traffic related to other side company, or by default forwarded to our external squid proxy . The users are authenticated to AD with ntlm (using winbind) on the internal proxy. Everything is working fine except, when a user tries to connect a https site. Its traffic is then denied on the internal proxy. If if disable the authentication in the squid.conf of the internal proxy, then this traffic is ok. (correctly forward to the external proxy) So my question : is it possible to relay to a squid parent proxy some https traffic while using ntlm authentication. If yes , how ? . If no, is there a way to insure that, after having my users authenticated on the internal proxy, their https traffic is forwarded to the external proxy. Thanks by advance for your help. Lionel squid.conf. ..... auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 30 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours external_acl_type wbinfo_group_helper ttl=300 %LOGIN /usr/local/squid/libexec/wbinfo_group.maj.pl acl Internet external wbinfo_group_helper Internet acl Authorized_users proxy_auth REQUIRED acl my_networks src xxx.xxx.xxx.xxx/24 acl local_intranet dstdomain .site.company acl remote_intranet dstdomain .company acl SSL method CONNECT cache_peer remote_proxy parent 80 0 no-query cache_peer_access remote_proxy allow remote_intranet cache_peer my_external_proxy parent 80 0 no-query default cache_peer_access my_external_proxy deny remote_intranet cache_peer_access my_external_proxy allow all always_direct allow local_intranet never_direct allow all never_direct allow SSL http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports # User authentication http_access allow my_networks Authorized_users # Group authentication # http_access allow my_networks Internet # No authentication # http_access allow my_networks http_access deny all ...... configure options: --prefix=/usr/local/squid --sysconfdir /etc/squid --enable-gnuregex --enable-storeio=aufs,diskd,ufs --with-pthreads --enable-useragent-log --enable-snmp --enable-err-languages=French --enable-auth=ntlm,basic --enable-external-acl-helpers=wbinfo_group --
