Mike Ely wrote:
On 2/17/10 4:10 PM, "Mike Ely" <mike...@amyskitchen.net> wrote:

Hi there,
We've got 2.6 stable running as a logging-only server, no caching going on.
Users are authenticated via NTLM if they're on Windows, works fine in FF and
IE with one exception.  Uploading a file prompts a second auth dialogue
(regardless of which browser) and entering credentials to that only causes
the browser to hork.  I've tested this on XP and 2k3, various browser
versions.
What I find interesting about this is that if I set the Internet Connection
Settings in the control panel to "auto-detect" I will get the failure even
if I explicitly configure Firefox (via about:config) to not do NTLM
pass-through.  My current working guess is that Flickr (and the work-related
site that uses a somewhat similar ajaxy/flashy uploader) is making a call to
Flash and Flash is barfing on the NTLM pass-through, but that's really only
a guess.
Steps to reproduce:
Setup NTLM auth
Connect through the proxy
Attempt to upload a photo to Flickr

Steps to work around:
Disable "automatically connect" on the client control panel and auth by
hand, or use a non-windows client and also auth by hand.



Squid.conf here:

# Generic stuff
visible_hostname proxy
http_port 3128
cache_mgr [redacted]

# Don't cache ANYTHING
cache_dir null /tmp

# Custom error messages are nice
error_directory /etc/squid/customerrors/amys

# ShoreTel Client Badly Broken:
request_entities on

# Further workarounds for broken ShoreTel:
acl shoretel url_regex CSISISAPI\.dll/\?
http_access allow shoretel
always_direct allow shoretel

# In Squid 2.6, you have to explicitly declare this:
access_log /var/log/squid/access.log squid

# Let's not take forever to shutdown the server, OK?
shutdown_lifetime 15 seconds

# Even smart people get confused when their web browser fails
# trying to find http://bart
dns_defnames on
# Let's let some stuff pass unhassled:
acl directaccess dstdomain "/etc/squid/direct.squid"
acl unrestricted dstdomain "/etc/squid/unrestricted.squid"
always_direct allow directaccess
http_access allow unrestricted

# NTLM User Authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# LDAP User Authentication
auth_param basic program /usr/lib64/squid/squid_ldap_auth \
-b "dc=[redacted],dc=net" \
-D "cn=[redacted],cn=Users,dc=[redacted],dc=net" \
-w "[redacted]" \
-f "sAMAccountName=%s" \
-h ldap
auth_param basic children 5
auth_param basic realm Amy's Intranet Login
auth_param basic credentialsttl 2 hours

# More generic stuff
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl snmp_manager src [redacted]/255.255.255.255
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80                # http
acl Safe_ports port 21                # ftp
acl Safe_ports port 443 563           # https, snews
acl Safe_ports port 70                # gopher
acl Safe_ports port 210               # wais
acl Safe_ports port 1025-65535        # unregistered ports
acl Safe_ports port 280               # http-mgmt
acl Safe_ports port 488               # gss-http
acl Safe_ports port 591               # filemaker
acl Safe_ports port 631               # cups
acl Safe_ports port 777               # multiling http
acl Safe_ports port 901               # SWAT
acl Safe_ports port 5440              # ShoreTel
acl Safe_ports port 8000              # Oracle EBS
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com

acl purge method PURGE
acl CONNECT method CONNECT

acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

acl FTP proto FTP
http_access deny !Safe_ports

# SNMP Config
snmp_port 3401
acl snmppublic snmp_community [redacted]
snmp_access allow snmppublic snmp_manager
snmp_access allow snmppublic localhost
snmp_access deny all

#This prevents squid from even trying to cache
cache deny all
# Set up group queries against AD. Don't monkey with the OU.
external_acl_type InetGroup %LOGIN /usr/lib64/squid/squid_ldap_group \
-b "dc=[redacted],dc=net" -D "cn=[redacted],cn=Users,dc=[redacted],dc=net" \
-s sub \
-w "[redacted]" \
-f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=WebAccess,dc=[redacted],dc=net))" \
-h ldap
# Destinations here
acl fedex dstdomain .fedex.com

# User groups here
acl localnet proxy_auth REQUIRED src 10.0.0.0/8

1) "proxy_auth" ACL type accepts a list of usernames OR the word "REQUIRED" to accept any valid username.

2) "proxy_auth REQUIRED src" has never been valid AFAICT. The "src ..." bit has silently been discarded by all Squid 2.6+ I'm aware of.

3) If I'm wrong about (2) being discarded then the effect will be that the username "src" or "10.0.0.0/8" with no password might possibly be used to login on your Squid.

4) Without IP address range checks there is no restriction on where the logins may be done from.


http_access allow CONNECT wuCONNECT localnet

'localnet' requires authentication and will challenge.

http_access allow windowsupdate localnet

'localnet' requires authentication and will challenge.

NOTE: 'localnet' being one of the default Squid-3 ACLs, all documentation you will find anywhere will assume that it retains that default type (which is to match source IP address only).


SOLUTION:
  Create a new name for your login ACL and use that where login is needed.
Revert localnet to IP range "src" type and use that where appropriate as well.


acl AllWebAccess external InetGroup allweb
acl FedexWebAccess external InetGroup fedexweb
acl BlockedWebAccess external InetGroup blockedweb

http_access allow fedex FedexWebAccess
http_access allow AllWebAccess
http_access allow !BlockedWebAccess
http_access deny all


Hate to re-bump this, but the issue seems to have flown under the radar
since it was posted last week.  I just did a packet capture of the whole
interaction but am unable to see where things go sideways - I see the
traffic between the proxy and the client doing gets to flickr/yahoo, and
then the "proxy authentication required" comes up out of nowhere.  Surely
this is something straightforward that I have screwed up in my config, but I
can't for the life of me see it.

Am not sure posting the pcap file would be wise given the amount of auth
info included, but would be happy to answer specific questions related to
what happens and when.

The notes I've added above in your config should help out a LOT.
Get those corrected and we can work on the additional fix after that.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE24
  Current Beta Squid 3.1.0.16
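The fix Amos outlines under SOLUTION, written out as an added configuration fragment. This is an example added here, not part of the thread and not taken from the Squid documentation; the ACL name AuthUser is assumed, and the assumption that the Windows Update destinations were meant to pass without a login is mine.

```squid
# Added example configuration, not from the thread. "AuthUser" is an assumed name.

# Before: the posted line mixes two ACL types on one definition. Squid reads it
# as "proxy_auth REQUIRED" and discards "src 10.0.0.0/8", so the ACL matches any
# authenticated user arriving from any source address.
# acl localnet proxy_auth REQUIRED src 10.0.0.0/8

# After: one ACL per type, each used where that particular check belongs.
acl localnet src 10.0.0.0/8         # source-address range only (the default Squid meaning)
acl AuthUser proxy_auth REQUIRED    # any user who has presented valid NTLM or basic credentials

# Refuse clients outside the LAN before any authentication challenge is issued,
# so credentials are never requested from, or sent by, unknown source addresses.
http_access deny !localnet

# localnet is now an address check, so these two rules no longer challenge.
# (Assumed intent: the Windows Update service runs without a user context and
# cannot answer a proxy-auth challenge.)
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet

# Everything else requires a login. The InetGroup lookups use %LOGIN, so they
# need an authenticated username anyway; naming AuthUser first makes that explicit.
http_access allow fedex AuthUser FedexWebAccess
http_access allow AuthUser AllWebAccess
http_access allow AuthUser !BlockedWebAccess
http_access deny all
```

Squid evaluates http_access lines top to bottom and ANDs the ACLs on a single line, so the order above matters: the address check runs first, the no-login exceptions next, and the credential-dependent group rules last. Note that the third allow line grants access to every authenticated user who is not in the blockedweb group, which makes the AllWebAccess line redundant; keep it only if that is the intended policy.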
