Re: [squid-users] Squid proxying NTLM authentication servers

From: Neil A. Hillard <hillardn@dont-contact.us>
Date: Tue, 27 Sep 2005 15:27:38 +0100

Hi,

     please do not remove that code. NTLM is seriously broken and makes
incorrect assumptions. As

http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.14

states:

> Windows NT Challenge/Response authentication requires implicit
> end-to-end state and will not work through a proxy server.

Therefore the check should be left in. If you are responsible for the
service you should look at https + Basic Auth, otherwise you should
convince the host of the site to do that.

HTH,

                 Neil.

Vinod Patel wrote:

> Hi,
> I read the Squid FAQs and it says that
> "We cannot proxy connections to a origin server that use NTLM
> authentication".
>
> I am using squid-2.5-STABLE2.
>
> I removed the following code in file client_side.c,
> routine: clientBuildReplyHeaders,
>
> /* Filter unproxyable authentication types */
> if (http->log_type != LOG_TCP_DENIED &&
>     (httpHeaderHas(hdr, HDR_WWW_AUTHENTICATE)
>      || httpHeaderHas(hdr, HDR_PROXY_AUTHENTICATE))) {
>
>     /* code for removing NTLM headers from reply */
> }
>
> I removed the above code and NTLM auth seems to work for me.
> With Firefox, it works for both transparent mode as well as proxy mode.
> With IE, it works in transparent mode, but does not work in proxy mode.
>
> I don't think this could be that simple???
> Please guide me further in the right direction.
>
> Rgds,
> Vinod Patel

-- 
Neil Hillard                    hillardn@whl.co.uk
Westland Helicopters Ltd.       http://www.whl.co.uk/
Disclaimer: This message does not necessarily reflect the
             views of Westland Helicopters Ltd.
Received on Tue Sep 27 2005 - 08:29:51 MDT
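
Added example, not part of the original message and not Squid's code: a stand-alone C illustration of the kind of filter the quoted block describes, dropping NTLM challenges from WWW-Authenticate and Proxy-Authenticate reply headers. The struct header type and the function names are hypothetical, and the sample headers are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical minimal header type; not Squid's HttpHeader. */
struct header { const char *name; const char *value; };

/* Only the two challenge headers named in the quoted check are examined. */
static int is_auth_challenge(const char *name)
{
    return strcasecmp(name, "WWW-Authenticate") == 0 ||
           strcasecmp(name, "Proxy-Authenticate") == 0;
}

/* True for "NTLM" or "NTLM <data>" (case-insensitive), false for e.g. "NTLMX". */
static int offers_ntlm(const char *value)
{
    while (*value == ' ' || *value == '\t')
        value++;
    return strncasecmp(value, "NTLM", 4) == 0 &&
           (value[4] == '\0' || value[4] == ' ');
}

/* Compact hdrs[] in place, dropping NTLM challenges; returns the new count. */
size_t filter_unproxyable_auth(struct header *hdrs, size_t count)
{
    size_t i, kept = 0;
    for (i = 0; i < count; i++) {
        if (is_auth_challenge(hdrs[i].name) && offers_ntlm(hdrs[i].value))
            continue;   /* connection-bound scheme: do not relay the offer */
        hdrs[kept++] = hdrs[i];
    }
    return kept;
}

int main(void)
{
    /* Constructed sample reply headers from an origin offering NTLM and Basic. */
    struct header reply[] = {
        {"Content-Type", "text/html"},
        {"WWW-Authenticate", "NTLM"},
        {"WWW-Authenticate", "Basic realm=\"intranet\""},
    };
    size_t i, n = filter_unproxyable_auth(reply, sizeof reply / sizeof reply[0]);
    for (i = 0; i < n; i++)
        printf("%s: %s\n", reply[i].name, reply[i].value);
    return 0;
}
```

With the NTLM offer removed, the client is left with whatever other schemes the origin advertised, here Basic, which the reply above recommends carrying over https.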
