Re: [squid-users] TCP_MISS/401 with rpc over https

From: Ori Besser <oribesser_at_gmail.com>
Date: Wed, 1 Jun 2011 09:23:54 +0300

Basic authentication does not work here, I don't know why. Can you
elaborate on the 'login=NEGOTIATE'? I read about it in the config
manual but its not so clear:
login=NEGOTIATE
                        If this is a personal/workgroup proxy and your parent
                        requires a secure proxy authentication.
                        The first principal from the default keytab or defined by
                        the environment variable KRB5_KTNAME will be used.

What is principal in this case? what is the default keytab?

On Tue, May 31, 2011 at 5:57 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 01/06/11 01:26, Ori Besser wrote:
>>
>> Hello,
>> I am trying to use squid as a reverse proxy to a Remote Desktop
>> Gateway server (part of MS Win Server 2008 R2 Remote Desktop Services)
>> with no success, I am just getting the login prompt over and over
>> again and in the access log: TCP_MISS/401 373 RPC_OUT_DATA
>> https://mydomain/rpc/rpcproxy.dll? - DEFAULT_PARENT/rdsServer
>> text/plain.
>>
>> I am using Squid Cache: Version 3.2.0.8 and this is my squid.conf:
>>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32 ::1
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 acl localnet src
>> 10.0.0.0/8 acl SSL_ports port 443
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 777         # multiling http
>> acl CONNECT method CONNECT
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access allow localnet
>> http_access allow localhost
>>
>> hierarchy_stoplist cgi-bin ?
>>
>> cache_dir ufs /var/cache/squid 1024 16 256
>>
>> cache_effective_user proxy
>> access_log /var/log/squid/access.log
>> cache_log /var/log/squid/cache.log
>> cache_store_log /var/log/squid/store.log
>
> store.log is rarely useful and wastes a lot of Disk IO. You can erase this
> line to gain a bit of speed.
>
>> coredump_dir /var/cache
>>
>> refresh_pattern ^ftp:           1440    20%     10080
>> refresh_pattern ^gopher:        1440    0%      1440
>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>> refresh_pattern .               0       20%     4320
>>
>> https_port 443 cert=/etc/squid/certs/x.crt key=/etc/squid/certs/x.key
>> accel defaultsite=my_external_domain_name
>> cache_peer ip_of_rd_gateway parent 443 0 no-query originserver
>> login=PASS connection-auth=on ssl name=rdsServer default
>>
>> acl RDS dstdomain my_external_domain_name
>> cache_peer_access rdsServer allow RDS
>> cache_peer_access rdsServer deny all
>> http_access allow RDS
>> http_access deny all
>> miss_access allow RDS
>> miss_access deny all
>>
>>
>> The certificate is OK, I have no issues connecting to the rd web
>> access site and even authenticate on it, just when a connection is
>> attempted to the rd gateway I am getting the login prompts.
>>
>> Does anyone knows about some magic that can solve this?
>>
>> Thanks.
>
>  http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchngeRpc
>
>  * login=PASS uses Basic auth protocol. Check that Exchange is configured to
> match.
>
> NP: for something more secure 3.2 can do login=NEGOTIATE for Kerberos.
>
>
> You may also be able to use "login=PASSTHRU connection-auth=on", but we have
> not checked that yet with Exchange.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.12
>  Beta testers wanted for 3.2.0.8 and 3.1.12.2
>
Received on Wed Jun 01 2011 - 06:24:21 MDT

This archive was generated by hypermail 2.2.0 : Wed Jun 01 2011 - 12:00:04 MDT