RE: [squid-users] NTLM auth popup boxes && Solaris 8 tuning for upgrade into 2.7.4

From: <vincent.blondel_at_ing.be>
Date: Wed, 19 Nov 2008 19:39:22 +0100

 
>>>> Before digging deep into OS settings check your squid.conf auth, acl
>>>> and http_access settings.
>>>
>>> okay, let's go. Concerning the auth part of the squid.conf, I would like
>>> to say, nothing special .. below is the ntlm config part
>>>
>>> auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 128
>>> auth_param ntlm keep_alive on
>>> acl ntlmauth proxy_auth REQUIRED
>>> ...
>>> http_access allow ntlmauth all
>>> http_reply_access allow all
>>> http_access deny all
>>> deny_info TCP_RESET all
>>>
>>
>>Hmm, what those lines do is:
>> - test the request for auth details (allow ntlmauth),
>> - if correct details found, allow (allow ntlmauth all).
>> - if none are found, or bad details ignore (allow ntlmauth all)
>> - but send a RESET on the TCP link (deny all + TCP_RESET)
>
>something I tried last week to see if it could solve my problem.
>
>>
>>The clients will never get any correction when auth details are invalid.
>>They will just get a completely new session, the browser will try to
>>resend the same broken details until it gives up and re-asks the user.
>>
>>
>>The 'all' silencing hack is intended for situations where auth may be
>>the preferred method of access, but an alternative exists and can be
>>taken easily when it fails. It prevents the browser being notified when
>>credentials are wrong.
>>
>>Does it work if you make that line just: http_access allow ntlmauth
>
>indeed, it also seems to work: if there are no valid credentials, 'cache
>access denied'; otherwise it goes to the internet.

As announced in my previous mails, I migrated all my proxy servers
last night. This ran fine and the packages are running well.
I updated the ntlm access rule by removing 'all' at the end of the line,
but this does not change anything, except that it happened at most 37 times
on one of the proxies. I got this more than 100 times a day before.

So, can I still try something else?

>
>does removing 'all' change the internal squid behaviour?
>
>
>>>> Check the TTL settings on your auth config. If it's not long enough
>>>> squid will re-auth between request and reply.
>>>
>>> not really sure I understand what setting you are speaking about?
>>>
>>
>>auth_param ntlm ttl
>
>do you advise using it? Because I do not find any reference to it on the
>squid configuration guide website.
>

You spoke about the ttl parameter .. do you advise using it?

>

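For readers following the exchange above, here is an added squid.conf fragment (not posted by either participant in the thread) showing the two http_access variants side by side. The helper path and the ACL name ntlmauth are taken from the poster's configuration and assumed to be correct for this site; the behaviour described in the comments is Squid's standard rule that a 407 challenge is only sent when a proxy_auth ACL is the last ACL on the matching http_access line.

```squid
# Added example, not from the original thread. Helper path and ACL name
# are assumptions copied from the poster's configuration.
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 128
auth_param ntlm keep_alive on
acl ntlmauth proxy_auth REQUIRED

# Variant A: the "silent" form. Because 'all' is the last ACL on the allow
# line, a request with missing or bad credentials simply fails to match
# this rule; Squid sends no 407 challenge here and falls through to the
# deny below. With deny_info TCP_RESET the connection is closed instead of
# the browser being told what went wrong, so it retries the same broken
# credentials until it gives up and re-prompts the user.
#http_access allow ntlmauth all
#http_access deny all
#deny_info TCP_RESET all

# Variant B: proxy_auth is the last ACL on the allow line, so when the
# credentials are missing or invalid Squid itself answers with
# 407 Proxy Authentication Required plus the NTLM challenge, and the
# browser can complete (or re-prompt for) authentication. Requests that
# still carry no valid credentials reach the deny and get the normal
# "cache access denied" page.
http_access allow ntlmauth
http_access deny all
```

Variant B is the shape the reply suggests ("make that line just: http_access allow ntlmauth"); the commented-out Variant A is kept only to show what the trailing 'all' changes. Neither variant adds an `auth_param ntlm ttl` line, since the thread does not settle whether that option applies here.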
Received on Wed Nov 19 2008 - 18:39:32 MST

This archive was generated by hypermail 2.2.0 : Thu Nov 20 2008 - 12:00:03 MST