Re: [squid-users] Question about NTLM and transparent proxy.

From: Michael <mic-lists-squid@dont-contact.us>
Date: Mon, 22 Jul 2002 09:35:29 +0200 (CEST)

Joe Cooper wrote:
> Michael wrote:
> > Hi there,
> > I have a problem getting squid to run as a transparent proxy and an NTLM
> > authentication server.
>
> From the FAQ:
>
> 17.15 Can I use proxy_auth with interception?
>
> No, you cannot. With interception proxying, the client thinks it is
> talking to an origin server and would never send the Proxy-authorization
> request header.
>
> I don't see how it could be any clearer than that. squid.conf also has
> the helpful words:
>
> # WARNING: proxy_auth can't be used in a transparent proxy. It
> # collides with any authentication done by origin servers. It may
> # seem like it works at first, but it doesn't.
>
> What more does it need to say on the subject to be convincing?

Ok. thx .. that was what I found myself. And the logfile was telling
me the same. The question was just asked to find out if there exists a
workaround. Next time I won't waste your time, sorry. I always read the
FAQ and I also read the squid.conf

>
>> I just forward port 80 to the 3128 squid port (with ipchains, standard
>> as far as I know).
>>
>> The options are a must as far as I know in squid.conf
>>
>> httpd_accel_host virtual
>> httpd_accel_port 80
>> httpd_accel_with_proxy on
>>
>> The trans proxy is working with smb_auth .... but not with NTLM
>> and the FAQ and other mailing lists are telling me that with accel*
>> it is not possible to use authentication.
>
>
> That isn't strictly accurate. If you are operating an accelerator
> (which also uses the httpd_accel options), it would be possible to
> authenticate users at the Squid machine. But not a transparent proxy.

My problem is I need a transparent proxy with authentication. Is there
another way to make one? Maybe I add a proxy after the transparent proxy
and make the auth there ???
Idea: cache_peer IP *foo*

ntlm_auth@IP ???

could that work ???

Other idea: can I get the user data into a perl script (from
squid_redirect) to say pass thru the proxy or deny?
How can I realize for windoof a (transparent, was my idea to make it)
proxy without changing any settings in the internet exploder? I know
it is hell, but it is a stupid policy taking effect so the users should
not see that they are surfing thru a proxy ..... and people who are not
complaining to the company should not access the internet without
contacting the helpdesk and getting a temp user. Installing additional
software @ the clients is also not possible (ident etc.).
Everything is welcome
mic


>> Question 2:
>>
>> Is it possible to use more than one redirect_program in squid.conf so
>> that for example 2 programs are parsing the stream one after the other.
>
>
> Not in squid.conf. You can, however, tie two redirectors together with
> a simple perl script. This has been documented on the mailing list in
> the past by Henrik. A quick search didn't reveal it, but it did reveal
> references to it...It should probably be in the FAQ, so I'll see if I
> can dig it up.

Thx. for the help.
mic
Received on Mon Jul 22 2002 - 01:35:30 MDT
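
The reply to Question 2 suggests tying two redirectors together with a wrapper script. The sketch below is an added example, not part of the thread and not the script by Henrik that the reply refers to; it is written in Python rather than Perl. It assumes the Squid 2.x redirector line format `URL client_ip/fqdn ident method`, with a blank reply meaning "unchanged", and the two helper programs are constructed stand-ins.

```python
import subprocess
import sys

# Constructed stand-ins for two real redirect_program helpers. Each reads
# "URL client_ip/fqdn ident method" and prints a replacement URL, or a
# blank line to leave the request unchanged.
BLOCK_ADS = """
import sys
for line in iter(sys.stdin.readline, ''):
    url = line.split()[0]
    print('http://proxy.example/denied.html' if 'ads.example' in url else '', flush=True)
"""
FORCE_MIRROR = """
import sys
for line in iter(sys.stdin.readline, ''):
    url = line.split()[0]
    hit = '//old.example/' in url
    print(url.replace('//old.example/', '//mirror.example/') if hit else '', flush=True)
"""

class Helper:
    """One long-running redirector child, queried one line at a time."""
    def __init__(self, argv):
        self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True, bufsize=1)

    def ask(self, line):
        self.proc.stdin.write(line + "\n")
        self.proc.stdin.flush()
        return self.proc.stdout.readline().strip()

    def close(self):
        self.proc.stdin.close()
        self.proc.wait()

def chain(helpers, request_line):
    """Feed each helper the URL left by the previous one; '' means unchanged."""
    url, _, rest = request_line.partition(" ")
    current = url
    for helper in helpers:
        reply = helper.ask(f"{current} {rest}")
        if reply:                      # a blank reply keeps the current URL
            current = reply.split()[0]
    return "" if current == url else current

if __name__ == "__main__":
    # Hypothetical usage: each command-line argument is one helper's command.
    import shlex
    helpers = [Helper(shlex.split(arg)) for arg in sys.argv[1:]]
    for line in iter(sys.stdin.readline, ""):
        print(chain(helpers, line.rstrip("\n")), flush=True)
```

Squid would be pointed at this wrapper as its single redirect_program; the ident field is passed through untouched, so a later helper still sees whatever user information Squid supplied.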
