On 21/04/2012 4:01 a.m., Wladner Klimach wrote:
Amos,

what could be causing this? When I disable NTLM authentication or when
I use Kerberos all accesses go just fine, but when only NTLM is enabled I
can't get access to https pages and I get TCP_DENIED/407 in the logs.
How can I debug it?

You need to locate and identify what request headers are being denied.

The easiest way with 3.1 is a packet dump with full packet bodies ("tcpdump -s0 ..."). Then base64-decode the www-authenticate headers from the client and check the type codes. NTLM has "NTLMSSPI" then a binary type number 1, 2 or 3.

The NTLM flow should be:

  client: makes request (no auth)
  squid:  emits 407 with NTLM advertised as available
  squid:  [optionally closes the connection (due to "auth_param ntlm keep-alive off" hack)]
  client: repeat request with type-1 NTLM proxy-auth header
  squid:  407 with type-2 NTLM proxy-auth header
  client: repeat request with type-3 NTLM proxy-auth header
  squid:  HTTP response
  client: [optionally make other requests with type-3 NTLM proxy-auth header]
  connection closes.


If you find connections opening and starting immediately with a type-3 token, that is Kerberos or broken NTLM from the client.


Amos
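To make the header check above concrete, here is an added example (not from the list post or from Squid itself) that decodes the token in a Proxy-Authenticate / Proxy-Authorization value, reads the NTLM message type from the little-endian uint32 at offset 8 behind the "NTLMSSP\0" signature, and compares one connection's sequence of messages against the expected type-1 / type-2 / type-3 flow; the sample tokens and exchanges are constructed inline and carry only the signature and type field.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"           # 8-byte signature at the start of every NTLM message
TYPE_NAMES = {1: "type-1 (negotiate)", 2: "type-2 (challenge)", 3: "type-3 (authenticate)"}

def encode_token(raw):
    """Base64-encode a raw token the way it appears after the scheme name in the header."""
    return base64.b64encode(raw).decode("ascii")

def make_ntlm_token(msg_type):
    """Constructed sample: a minimal NTLM message carrying only the signature and type field."""
    return encode_token(NTLM_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 8)

def classify_token(header_value):
    """Return (scheme, description) for one Proxy-Authenticate / Proxy-Authorization value."""
    if header_value is None:
        return (None, "no auth header")
    parts = header_value.split(None, 1)
    scheme = parts[0]
    if len(parts) == 1:                       # bare "NTLM": the 407 merely advertising the scheme
        return (scheme, "no token")
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:                        # binascii.Error is a ValueError subclass
        return (scheme, "invalid base64")
    if raw.startswith(NTLM_SIGNATURE) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]   # little-endian uint32 at offset 8
        return (scheme, TYPE_NAMES.get(msg_type, "unknown NTLM type %d" % msg_type))
    if raw[:1] == b"\x60":                    # ASN.1 [APPLICATION 0]: a SPNEGO (Kerberos) token
        return (scheme, "SPNEGO/Kerberos token, not NTLM")
    return (scheme, "unrecognised token")

def check_flow(messages):
    """messages: (side, header_value) pairs in wire order for one connection, side 'client' or 'squid'.
    Returns (descriptions, verdict) judged against the expected type-1 / type-2 / type-3 sequence."""
    seq = [classify_token(h)[1] for _, h in messages]
    client = [d for (side, _), d in zip(messages, seq) if side == "client" and d.startswith("type-")]
    if not client:
        verdict = "no NTLM handshake on this connection"
    elif client[0].startswith("type-3"):
        verdict = "connection starts with a type-3 token: Kerberos or broken NTLM from the client"
    elif client[:2] == [TYPE_NAMES[1], TYPE_NAMES[3]] and TYPE_NAMES[2] in seq:
        verdict = "normal NTLM handshake"
    else:
        verdict = "unexpected NTLM sequence"
    return seq, verdict

# Constructed sample exchanges: one matching the flow above, one starting straight at type-3.
SAMPLE_GOOD = [("client", None), ("squid", "NTLM"), ("client", "NTLM " + make_ntlm_token(1)),
               ("squid", "NTLM " + make_ntlm_token(2)), ("client", "NTLM " + make_ntlm_token(3))]
SAMPLE_BAD = [("client", "NTLM " + make_ntlm_token(3))]
```

Feed it the decoded header values from the tcpdump capture, one list per TCP connection, and a connection whose first client token is type-3 is the case the post describes.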

2012/4/20 Amos Jeffries <squ...@treenet.co.nz>:
On 21/04/2012 1:15 a.m., Harry Mills wrote:
Hi Wladner,

I don't think this is causing your problems, but I think you need to
change the following:

Instead of:

http_access deny CONNECT !Safe_ports

try:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

Also, on the last two lines of your included config you have:

acl AUTENTICADO proxy_auth REQUIRED
http_access allow AUTENTICADO

This is one of several correct proxy-auth configurations.


I simply have:

http_access allow proxy_auth

I have no idea if this will help, but worth giving it a try perhaps?

?? for that to work you require this somewhere above your http_access rule
...

  acl proxy_auth proxy_auth REQUIRED

or some other definition for an ACL *label* "proxy_auth".

Amos