[squid-users] Squid, NTLM and Java (Authentication)

From: Jörg Schütter <joerg_schuetter@dont-contact.us>
Date: Thu, 29 Sep 2005 12:11:12 +0200

Hello

We have a squid proxy (Squid Cache: Version 2.5.STABLE9) on a
Linux server (Linux hostname_of_server 2.4.19 #1 Fri Oct 4 18:36:11 EDT
2002 sparc64 GNU/Linux) which uses NTLM and Basic authentication
(in this order) for access control.
Web browsing with IE or Mozilla works without any problem.
Unfortunately a few of our customers use Java applets or
Java applications which try to connect to the internet too.
The users are prompted for username, password and domain. This
means that the NTLM scheme is used.
This window appears again and again. The squid logfile reports
only 407 (Proxy Authentication Required) errors, although the credentials are correct.
To find out what was wrong, I sniffed the network connection.
The only thing that looked strange to me was that the Java
application does not send "Proxy-Connection: Keep-Alive". Other
applications/browsers do send this header.

Any ideas how to convince Java to send this header, or how to
reconfigure squid so that it can authenticate Java applications?

-- cat squid.conf --
# Squid 2.5.STABLE9 configuration as posted; some acl definitions were elided by the poster.
http_port 1.2.3.4:3128
icp_port 0                      # ICP disabled, so the icp_access line further down is inert
hierarchy_stoplist cgi-bin ?
acl all src 0.0.0.0/0.0.0.0     # matches every client address
no_cache deny all               # nothing is cached: the proxy only forwards
cache_store_log none
hosts_file /etc/hosts
# NTLM authentication via Samba's ntlm_auth, additionally restricted to members of
# one domain group (the SID looks redacted in the post).
# NOTE(review): NTLM authenticates the TCP connection rather than the single
# request, so a client that does not keep the connection alive (as observed for
# the Java applications above) is re-challenged with 407 on every new connection.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-1-11-1111111111-111111111-111111111-11111
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0              # each NTLM challenge is handed out only once
auth_param ntlm max_challenge_lifetime 2 minutes
# Basic fallback through the same helper and the same group restriction.
# Basic credentials travel as clear text (base64) between client and proxy.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=S-1-1-11-1111111111-111111111-111111111-11111
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server    # prompt text shown to the user
auth_param basic credentialsttl 2 hours                  # how long a verified Basic login is remembered
request_body_max_size 10 MB
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl AuthorizedUsers proxy_auth REQUIRED   # any successfully authenticated user
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 # https (snews/563 is not listed)
acl Safe_ports port 80 8080 443 21 # http, alt-http, https, ftp
acl purge method PURGE
acl CONNECT method CONNECT
acl our_networks src 10.0.0.0/255.0.0.0 172.16.0.0/255.240.0.0 192.168.0.0/255.255.0.0   # the RFC 1918 private ranges
acl self dst 1.2.3.4/255.255.255.255   # defined, but not referenced in the http_access rules shown
# Destination deny lists and destination/source allow lists, maintained in external files.
acl deny_dst dst "/etc/squid/squid_acl.deny_dst"
acl deny_dstdomain dstdomain "/etc/squid/squid_acl.deny_dstdomain"
acl deny_url_regex url_regex -i "/etc/squid/squid_acl.deny_url_regex"
acl allow_dst dst "/etc/squid/squid_acl.allow_dst"
acl allow_dstdomain dstdomain "/etc/squid/squid_acl.allow_dstdomain"
acl allow_dstdomain_kiosk dstdomain "/etc/squid/squid_acl.allow_dstdomain_kiosk"
acl allow_dstdom_regex dstdom_regex -i "/etc/squid/squid_acl.allow_dstdom_regex"
acl allow_dstdom_regex_kiosk dstdom_regex -i "/etc/squid/squid_acl.allow_dstdom_regex_kiosk"
acl allow_dst_url_regex url_regex -i "/etc/squid/squid_acl.allow_dst_url_regex"
acl allow_src src "/etc/squid/squid_acl.allow_src"
acl kiosk src ....
# (further acl definitions elided by the poster; hsyvm01, ftp_nai, allow_src_elster,
#  allow_dst_elster_url_regex, wlse and access-cisco used below come from there)
...
# http_access is evaluated top-down; the first matching line decides.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Destination allow lists: "all" matches every source, so these grant access to the
# listed destinations without authentication or any source check.
http_access allow all allow_dst
http_access allow all allow_dstdomain
http_access allow all allow_dstdom_regex
http_access allow all allow_dst_url_regex
# Source-based exceptions, likewise without authentication.
http_access allow localhost
http_access allow allow_src
http_access allow hsyvm01 ftp_nai
http_access allow allow_src_elster allow_dst_elster_url_regex
http_access allow wlse access-cisco
# Destination deny lists. NOTE(review): they come after the allow lists above, so a
# destination present on both an allow list and a deny list ends up allowed.
http_access deny all deny_url_regex
http_access deny all deny_dst
http_access deny all deny_dstdomain
# kiosk clients get only what the lines above allowed; allow_dstdomain_kiosk and
# allow_dstdom_regex_kiosk are defined above but appear in no http_access line shown —
# possibly intentional, possibly lost in the paste.
http_access deny kiosk
# Everything else from the private ranges needs credentials; evaluating AuthorizedUsers
# here is what sends the 407 challenge the poster sees in the log.
http_access allow our_networks AuthorizedUsers Safe_ports
http_access allow our_networks AuthorizedUsers CONNECT SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all            # inert, see icp_port 0
cache_mgr xyz@abc.de
forwarded_for off               # do not reveal client addresses in X-Forwarded-For
client_db off
offline_mode on                 # never revalidate cached objects (little effect with no_cache deny all)
coredump_dir /var/spool/squid
# NOTE(review): pipelining together with connection-oriented NTLM auth is a known
# trouble spot; worth testing with this off — confirm against the Squid docs.
pipeline_prefetch on
--- end of cat ---

regards
  Jörg Schütter

-- 
Global IT-Security & Mobility
Heraeus infosystems GmbH
Heraeusstr. 12-14
D-63450 Hanau
Phone:   +49 (0) 61 81 / 35 - 53 76
Fax:     +49 (0) 61 81 / 35 16 - 53 76
E-Mail:  joerg.schuetter@heraeus.com