Re: [squid-users] Squid not keeping authenticated NTLM session open

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 15 May 2012 21:03:42 +1200

On 15/05/2012 5:28 p.m., infernalis wrote:
> Hi all,
>
> I'm having considerable trouble getting Squid to work well with
> NTLM/Kerberos and was hoping someone here would be able to help.
>
> My ultimate goal is to be able to connect to an IIS server through Squid
> using a computer that is not a member of the AD domain. I would like to
> enter my credentials once to the proxy, and then have Squid save the
> authentication token in order to use it against other servers that require
> authentication.

Token re-use in this form is not what happens in NTLM. It uses a code
specific to the TCP connection and a hash.

>
> The problem I'm facing is that no matter what I've tried, I'm forced to
> authenticate manually six times while loading sites requiring
> authentication. This is much worse than the behavior prior to adding Squid.

6 times is a problem. You should at most be asked once. But there is
some software (IE primarily) which is known to ask for manual
authentication when it should not need to.

>
> First, is it possible for Squid to cache the credentials and then
> authenticate on behalf of the client to an upstream server? If this isn't
> the best way to go about doing this, what would you suggest?

Squid *does* cache the credentials. In a specific way that NTLM
requires. Re-using the same credentials for other TCP connections out of
a normal cache causes a major security vulnerability with NTLM.

>
> Second, what could be the problem with my configuration?
>
> I'm running Squid 3.1.10.

Please try an upgrade; 3.1.19 is current, 3.1.15 at oldest is
recommended. The hacks disabling certain HTTP features in order to get
NTLM to operate were improved incrementally across 3.1 series, so the
later the release you can get the better NTLM will work. Up to a point.
However, be aware this multiple-login is known to still occur with IE +
Squid even in the latest releases. It is IE behaviour.

>
> Thanks in advance!
>
> Here is my current config:
>
> http_port 80 accel defaultsite=webservername connection-auth=on

Ah, so by "sites" for which login is failing you mean
"http://webservername/".

NP: NTLM is *not* a good protocol to use for website authentication
over the general Internet. It is extremely fragile, resource intensive,
and not supported by most of the software spread through the middle of
the Internet.

> cache_peer x.x.x.x parent 80 0 no-query login=PASS originserver
> connection-auth=on name=serv
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param ntlm keep_alive on

Turning this one off might help reduce your popups. It does not disable
connection persistence, but enables a hack to get around some of the IE
multiple-popup behaviour.

>
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Domain Proxy Server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> acl auth proxy_auth REQUIRED
>
> http_access allow auth
> http_access deny all
>

At this "deny all" any following http_access lines are ignored.

>
> acl our_sites dstdomain webservername proxy_auth REQUIRED
> client_persistent_connections on
> server_persistent_connections on
> debug_options ALL,2
>
> http_access allow our_sites
> cache_peer_access serv allow our_sites
> cache_peer_access serv deny all
>

Amos
Received on Tue May 15 2012 - 09:03:53 MDT
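As an added example (not posted by either participant), the configuration from the thread rewritten so that the rules follow the two points Amos raises: first-match evaluation of http_access, and trying NTLM keep_alive off. "webservername" and x.x.x.x are the original placeholders; splitting the combined acl line into two acls and tying the allow to the accelerated site are my assumptions.

```conf
# Added example, not from the thread: the posted squid.conf reordered so
# the site-specific allow is reached before the catch-all deny.
http_port 80 accel defaultsite=webservername connection-auth=on
cache_peer x.x.x.x parent 80 0 no-query login=PASS originserver connection-auth=on name=serv

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
# Amos suggests trying this off to reduce IE re-prompts; it does not
# disable connection persistence, only a workaround for IE behaviour.
auth_param ntlm keep_alive off

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# One acl type per line (assumption: the original line combined
# dstdomain and proxy_auth in a single acl, which Squid does not accept).
acl auth proxy_auth REQUIRED
acl our_sites dstdomain webservername

# http_access is evaluated top-down and the first matching line wins:
# anything placed after "deny all" is never reached. Requiring both
# acls on one line means "authenticated AND destined for our site".
http_access allow our_sites auth
http_access deny all

cache_peer_access serv allow our_sites
cache_peer_access serv deny all

client_persistent_connections on
server_persistent_connections on

# Verbose; keep only while troubleshooting the authentication popups.
debug_options ALL,2
```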
