Re: [squid-users] Issue with proxy auth with facebook

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 12 Apr 2012 13:15:23 +1200

On 12.04.2012 13:06, Simon Dwyer wrote:
> On Thu, 2012-04-12 at 12:41 +1200, Amos Jeffries wrote:
>> On 12.04.2012 11:37, Simon Dwyer wrote:
>> > Hi All,
>> >
>> > I have set up squid to authenticate with NTLM then BASIC with the
>> > ntlm_auth program.
>> >
>> > I believe that it is all working fine for most users but for an
>> > example my linux desktop with firefox I get prompted for my
>> > credentials (that's fine) but when I go to https://www.facebook.com
>> > or pages that link to it I keep getting prompted for my password.
>> >
>> > the access.log shows this
>> >
>> > 1334186696.459 2 10.37.0.1 TCP_DENIED/407 4028 CONNECT www.facebook.com:443 - NONE/- text/html
>> > 1334186696.463 3 10.37.0.1 TCP_DENIED/407 4028 CONNECT www.facebook.com:443 - NONE/- text/html
>> > 1334186696.465 3 10.37.0.1 TCP_DENIED/407 4028 CONNECT www.facebook.com:443 - NONE/- text/html
>> >
>> > and my browser doesn't seem to present the credentials properly.
>> > Sites like https://www.westpac.com.au seem to work perfectly.
>> >
>> > I am now running firefox 11.
>> >
>> > Where would be the first place to start looking?
>>
>> Firefox bug reports possibly. I've been hearing strange things about
>> trouble with its NTLM support recently.
>>
>> Also, with your Squid version. NTLM on CONNECT requests was only
>> fixed recently, meaning older 3.1 and previous series do not support
>> NTLM well on those requests.
>
> Yes, I have come to the conclusion that this is probably a bug with
> firefox. I am moving our authentication to kerberos and basic which
> will hopefully get around using NTLM too much *touch wood*
>>
>>
>> Some unrelated hints about config optimization below...
>>
>> >
>> >
>> > Simon
>> >
>> > Config following
>> >
>> > [root_at_proxy1 ~]# cat /etc/squid/squid.conf
>> > #
>> > # Recommended minimum configuration:
>> > #
>> > cache_dir aufs /var/spool/squid 16384 32 512
>> >
>> > cache_mem 1024 MB
>> > http_port 8080
>> > snmp_port 3401
>> > visible_hostname proxy1.mulawa.internal
>> > acl snmppublic snmp_community ng-community-ro
>> > snmp_access allow snmppublic
>> > snmp_incoming_address 0.0.0.0
>> > snmp_outgoing_address 255.255.255.255
>> > ignore_expect_100 on
>> >
>> > auth_param ntlm program /usr/bin/ntlm_auth
>> > --helper-protocol=squid-2.5-ntlmssp
>> > auth_param ntlm children 30
>> >
>> > auth_param basic program /usr/bin/ntlm_auth
>> > --helper-protocol=squid-2.5-basic
>> > auth_param basic children 30
>> > auth_param basic realm TSG proxy-caching web server
>> > auth_param basic credentialsttl 8 hours
>> >
>> >
>> > url_rewrite_program /usr/local/bin/squidGuard
>> > -c /usr/local/squidGuard/squidGuard.conf
>> > url_rewrite_children 30
>> >
>> > acl BrownhouseIT src 10.37.0.0/24
>> > acl GTALK_ports port 443 5222 5050 5223
>> > acl GTALK_hosts dstdomain talk.google.com www.google.com
>> > acl GTALK_domains dstdomain .l.google.com
>> > acl GTALK_methods method CONNECT
>> >
>> > acl SSL_ports port 443
>> > acl SSL_ports port 5222
>> > acl SSL_ports port 5223
>> > acl Safe_ports port 80 # http
>> > acl Safe_ports port 21 # ftp
>> > acl Safe_ports port 443 # https
>> > acl Safe_ports port 70 # gopher
>> > acl Safe_ports port 210 # wais
>> > acl Safe_ports port 1025-65535 # unregistered ports
>> > acl Safe_ports port 280 # http-mgmt
>> > acl Safe_ports port 488 # gss-http
>> > acl Safe_ports port 591 # filemaker
>> > acl Safe_ports port 777 # multiling http
>> >
>> > acl CONNECT method CONNECT
>> > acl AuthorizedUsers proxy_auth REQUIRED
>> > acl UnauthorizedDomains url_regex microsoft.com
>> > acl UnauthorizedDomains url_regex verisign.com
>> > acl UnauthorizedDomains url_regex thawte.com
>> > acl UnauthorizedDomains url_regex crl.usertrust.com
>>
>> NP: These are all better tested as dstdomain. Use the wildcard '.'
>> prefix like you do for .l.google.com.
> Thanks will do
>
>>
>>
>> > acl UnauthorizedServers src 10.20.0.77
>> > acl UnauthorizedServers src 10.20.0.70
>> > acl UnauthorizedServers src 10.20.0.191
>> >
>> > acl oem-gc-host src 10.20.0.144
>> > acl oem-gc-domain url_regex linux-update.oracle.com
>>
>> NP: another best tested as dstdomain.
> Thanks
>>
>> >
>> >
>> > http_access deny !Safe_ports
>> > http_access deny CONNECT !SSL_ports
>> > http_access allow BrownhouseIT GTALK_methods GTALK_ports GTALK_hosts
>> > http_access allow BrownhouseIT GTALK_methods GTALK_ports GTALK_domains
>>
>> Optimization:
>>
>> GTALK_hosts and GTALK_domains are both dstdomain type. You can
>> collapse these together and remove most of the ACL tests per request
>> to *.l.google.com servers.
>
> Thanks will do.
>>
>> > http_access allow UnauthorizedServers
>>
>> Optimization:
>>
>> adding these IPs to the firewall to reject connections they make
>> inbound to the proxy allows you to drop this ACL policy.
>
> The point of this was to allow these servers through without having
> to authenticate due to them running software that was written by
> people who don't know what a proxy is.

Sorry, never mind that. I was reading "unauthorized" as meaning, well,
non-authorized, instead of bypass-authentication.

It is a bit tricky on the naming there since access control
terminology:
   allow == authorized access,
   deny == unauthorized.

... so "authorize access for UnauthorizedServers" is a mind bender.

Amos
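The advice in the thread to test vendor hosts with `dstdomain` (using the leading `.` wildcard) rather than `url_regex`, and to collapse `GTALK_hosts` and `GTALK_domains` into one `dstdomain` list, is illustrated below with a small Python model of the two ACL types. This is an added example, not code from the thread or from Squid; it only models name matching (Squid's real `dstdomain` also deals with IP destinations and reverse lookups), the pattern lists are copied from the posted squid.conf, and the sample URLs are constructed. The point it shows: an unanchored `url_regex microsoft.com` also matches a URL whose host is unrelated but whose path or query happens to contain the string, while `dstdomain .microsoft.com` only matches when the destination host itself is that domain or a subdomain of it.

```python
import re

# Model of Squid's dstdomain ACL: the pattern is compared against the
# request's destination host only. A pattern starting with '.' matches that
# domain and every subdomain; without the dot it must equal the host exactly.
def dstdomain_match(patterns, host):
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False

# Model of Squid's url_regex ACL: a regular-expression search over the whole
# URL text, so the match may land in the path or query string, not the host.
def url_regex_match(patterns, url):
    return any(re.search(pat, url) for pat in patterns)

# Extract the destination host from either a full URL or the host:port form
# that a CONNECT request carries (as in the access.log lines in the thread).
def host_of(url):
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1) if m else url.split(":")[0]

# Pattern lists taken from the posted squid.conf, first as written
# (url_regex) and then in the dstdomain form the reply recommends.
UNAUTH_REGEX = ["microsoft.com", "verisign.com", "thawte.com", "crl.usertrust.com"]
UNAUTH_DSTDOMAIN = [".microsoft.com", ".verisign.com", ".thawte.com", "crl.usertrust.com"]

# GTALK_hosts and GTALK_domains collapsed into a single dstdomain list.
GTALK_COLLAPSED = ["talk.google.com", "www.google.com", ".l.google.com"]

# Constructed sample destinations; the third has an unrelated host.
SAMPLE_URLS = [
    "http://www.microsoft.com/update",
    "http://crl.usertrust.com/x.crl",
    "http://example.test/?ref=www.microsoft.com",
    "http://notmicrosoft.com/",
]

# For each URL, report whether the url_regex list and the dstdomain list
# match, so the difference between the two ACL types is visible side by side.
def compare(urls):
    rows = []
    for url in urls:
        rows.append((url,
                     url_regex_match(UNAUTH_REGEX, url),
                     dstdomain_match(UNAUTH_DSTDOMAIN, host_of(url))))
    return rows

if __name__ == "__main__":
    for url, by_regex, by_dstdomain in compare(SAMPLE_URLS):
        print(f"{url:45} url_regex={by_regex!s:5} dstdomain={by_dstdomain}")
    for host in ("talk.google.com", "xmpp.l.google.com", "mail.google.com"):
        print(f"{host:20} GTALK_COLLAPSED={dstdomain_match(GTALK_COLLAPSED, host)}")
```

Run as a script it prints one row per sample URL; the rows for `example.test` and `notmicrosoft.com` match under `url_regex` but not under `dstdomain`, which is exactly the over-match the reply is warning about when such an ACL is used in an `http_access` rule.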
Received on Thu Apr 12 2012 - 01:15:30 MDT

This archive was generated by hypermail 2.2.0 : Thu Apr 12 2012 - 12:00:03 MDT