On 04.10.2012 09:53, muno wrote:
> I need to configure the Squid3 to authenticate via NTLM
> reverse proxy authentication. I have instaled and configured
> the squid but the browser requires the password again and
> again.
NTLM on a reverse proxy or web server is a very bad idea. It was
designed for LAN usage end-to-end without any proxies or other software
in the middle. It adds a huge amount of traffic overheads and requires
some hacks which severely limit the proxy and network capacity. Besides
even the small details of being vulnerable to downgrade attacks.
For a reverse-proxy you can get better security, efficiency and
reliability using Kerberos in Negotiate auth.
>
> Anyone have a clue to help me?
>
Squid version: 3.?.?
>
> Here my configuration:
>
> ./configure --prefix=/usr/local/squid
> --exec_prefix=/usr/local/squid --enable-ssl
> --enable-auth-ntlm="ntlm,basic"
> --enable-basic-auth-helpers="winbind"
> --enable-ntlm-auth-helpers="winbind"
> --enable-external-aclhelpers="winbind_group,wbinfo_group"
> --enable-delay-pools --enable-removal-policies
> --enable-underscores --enable-cache-digests
> --disable-ident-lookups --enable-truncate
> --with-winbind-auth-challenge
>
> -------------------------------
> squid.conf
>
> ### pure ntlm authentication
> auth_param ntlm program /usr/lib/squid/ntlm_auth
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
>
> ### provide basic authentication via ldap for clients not
> authenticated via kerberos/ntlm
> #auth_param basic program /usr/lib/squid3/squid_ldap_auth
> -R -b "dc=example,dc=local" -D squid_at_example.local -W
> /etc/squid3/ldappass.txt -f sAMAccountName=%s -h
> dc1.example.loc
> al
> #auth_param basic children 10
> #auth_param basic realm Internet Proxy
> #auth_param basic credentialsttl 1 minute
>
>
> acl warp dstdomain warpx.uninet.com.br
> acl xymon dstdomain monitorx.uninet.com.br
> acl uninet dstdomain www.uninet.com.br
> acl admin src 200.220.1.0/24
> acl admin src 200.220.102.0/24
> acl unisys src 129.222.0.0/16
> acl unisys src 129.224.0.0/16
> acl unisysvpn src 172.0.0.0/8
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_port 80 accel
> https_port 443 accel cert=/usr/local/squid/CA/cacert.pem
> key=/usr/local/squid/CA/cakey.pem
>
> cache_peer 200.220.0.103 parent 80 0 no-query no-digest
> connection-auth=on originserver proxy-only no-netdb-exchange
> login=PASS name=warpsite
> cache_peer_access warpsite allow warp
>
> cache_peer 200.220.0.139 parent 443 0 no-query no-digest
> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
> name=xymonsite
> cache_peer_access xymonsite allow xymon
>
> cache_peer 200.220.0.120 parent 80 0 no-query no-digest
> originserver name=uninetsite
> cache_peer_access uninetsite allow uninet
>
> #http_access allow all
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access deny all
Um, you don't seem to have any http_access allow rules. Or even
anything testing the auth credentials. ??
Amos
Received on Wed Oct 03 2012 - 22:40:21 MDT
This archive was generated by hypermail 2.2.0 : Thu Oct 04 2012 - 12:00:03 MDT