[squid-users] Re: Squid 3.2 CONNECT not working with NTLM - logs

From: Alex Crow <alex_at_nanogherkin.com>
Date: Fri, 10 Jun 2011 16:15:07 +0100

Hi,

I noticed a few people have downloaded my logs - has anyone found
anything useful? It does appear to be a bug to me, but if it is a change
in behaviour I'd be happy for any hints to fix my config.

All the best

Alex

>
> Further to my original post, I've found that NTLM auth does not work
> with CONNECT requests from clients in 3.2. I use a similar config to
> that I'm using in production in 2.7.
>
> I have disabled ssl-bump and dynamic SSL until I can resolve this.
>
> I do *not* have to "add http_access allow CONNECT" before "http_access
> deny CONNECT !SSL_ports " in my production config, which seems correct
> as otherwise unauthorised users could use CONNECT.
>
> Here is the config I am testing, which works fine for plain HTTP traffic:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 30
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> external_acl_type nt_group ttl=20 children=40 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl AuthorizedUsers proxy_auth REQUIRED
> always_direct allow all
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access allow AuthorizedUsers
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow all AuthorizedUsers
> http_access deny all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> cache_mem 2048 MB
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
> cache_dir diskd /var/spool/squid3 360000 64 512
> debug_options ALL,3
> coredump_dir /var/cache
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> dns_defnames on
>
> However, CONNECT requests do not work: the client sits forever waiting
> for data while squid does not match against "AuthorizedUsers" and
> attempts to return an error page.
>
> Logs are available here:
>
> http://www.nanogherkin.com/nonssl_cache.log.gz
> http://www.nanogherkin.com/ssl_cache.log.gz
>
> Any help much appreciated.
>
> Regards
>
> Alex
>
Received on Fri Jun 10 2011 - 15:15:10 MDT
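An added illustration, not part of the thread or of Squid: a simplified Python model of Squid walking its `http_access` lines top to bottom and stopping at the first line whose ACLs all match, run against the rule order in the quoted config and against the same lines with `deny CONNECT !SSL_ports` placed above the authentication line. It makes the ordering caveat concrete: under the posted order an authenticated user is allowed to CONNECT to any Safe_port, because `allow AuthorizedUsers` matches before the CONNECT restriction is ever reached. The helper names, the `NeedAuth` shortcut for the 407 challenge and the sample requests are assumptions for this model.

```python
# Added illustration (not Squid code): a simplified model of Squid walking http_access
# lines top to bottom, stopping at the first line whose ACLs all match. Names are hypothetical.

SSL_PORTS = {443}
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))

class NeedAuth(Exception):
    """proxy_auth ACL evaluated for a request that carries no credentials."""

def acl_matches(name, req):
    """Evaluate one ACL from the posted config against a request dict."""
    if name == "AuthorizedUsers":           # acl AuthorizedUsers proxy_auth REQUIRED
        if req.get("user") is None:
            raise NeedAuth()                # simplified: Squid answers with a 407 here
        return True
    return {
        "all": True,
        "localhost": req["src"] in ("127.0.0.1", "::1"),
        "Safe_ports": req["port"] in SAFE_PORTS,
        "SSL_ports": req["port"] in SSL_PORTS,
        "CONNECT": req["method"] == "CONNECT",
    }[name]

def http_access(rules, req):
    """Return 'allow', 'deny' or '407' for the first matching http_access line."""
    for action, *terms in rules:
        try:
            # A leading '!' negates the ACL; every term on the line must match.
            if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
                return action
        except NeedAuth:
            return "407"                    # client is challenged for credentials
    return "deny"                           # mirrors the trailing 'deny all'

# Rule order from the post (manager lines omitted) ...
POSTED = [("deny", "!Safe_ports"), ("allow", "AuthorizedUsers"),
          ("deny", "CONNECT", "!SSL_ports"), ("allow", "localhost"),
          ("allow", "all", "AuthorizedUsers"), ("deny", "all")]
# ... and the same lines with the CONNECT restriction placed above authentication.
REORDERED = [("deny", "!Safe_ports"), ("deny", "CONNECT", "!SSL_ports"),
             ("allow", "AuthorizedUsers"), ("allow", "localhost"),
             ("allow", "all", "AuthorizedUsers"), ("deny", "all")]

# Constructed sample requests (not taken from the posted logs).
AUTH_8080 = {"method": "CONNECT", "port": 8080, "src": "10.0.0.5", "user": "alex"}
ANON_443 = {"method": "CONNECT", "port": 443, "src": "10.0.0.5"}

if __name__ == "__main__":
    print(http_access(POSTED, AUTH_8080), http_access(REORDERED, AUTH_8080))  # allow deny
    print(http_access(POSTED, ANON_443), http_access(REORDERED, ANON_443))    # 407 407
```

The model deliberately treats any proxy_auth evaluation without credentials as a challenge; it does not reproduce the multi-round NTLM handshake on a single connection, which is where the 3.2 behaviour in the thread differs from 2.7.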
