Re: [squid-users] Non-browser applications using NTLM+Squid?

From: Alex Crow <alex_at_nanogherkin.com>
Date: Mon, 23 Jul 2012 18:05:57 +0100

Josh,

http_access deny requirentlmhosts

after the allow rule should do it I think.

Alex

On 23/07/12 15:08, Baird, Josh wrote:
> How would I go about only forcing certain hosts to use NTLM auth, but allowing everyone else to use the proxy un-authenticated?
>
> I have an ACL that contains srcs of IPs that I need to force to use NTLM:
>
> acl requirentlm proxy_auth REQUIRED
> acl requirentlmhosts src 1.1.1.1/255.255.255.255
> http_access allow requirentlmhosts requirentlm
>
> This takes care of forcing "requirentlmhosts" to auth, but if I have another http_access rule that allows everyone else, what keeps "requirentlmhosts" from getting out without auth?
>
> Thanks,
>
> Josh
>
> -----Original Message-----
> From: Baird, Josh
> Sent: Thursday, July 19, 2012 9:39 PM
> To: Eliezer Croitoru; squid-users_at_squid-cache.org
> Subject: RE: [squid-users] Non-browser applications using NTLM+Squid?
>
> Not sure why I didn't think of that. Thanks!
>
> Josh
> ________________________________________
> From: Eliezer Croitoru [eliezer_at_ngtech.co.il]
> Sent: Thursday, July 19, 2012 6:12 PM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Non-browser applications using NTLM+Squid?
>
> On 7/19/2012 11:29 PM, Baird, Josh wrote:
>> Hi,
>>
>> I'm wondering what others are doing about non-browser applications (Anti-virus software that fetches updates, instant messengers over HTTP, etc) that sit behind a Squid proxy that requires NTLM authentication? These applications, in my experience, use Windows' proxy settings to proxy their outbound traffic, but can't speak NTLM, so the application is prevented from proxying any traffic.
>>
>> Would a Kerberos integrated Squid be a possible solution to this problem?
>>
>> Thanks,
>>
>> Josh
>>
> Very simple: just allow them all before the authentication ACLs, such as in:
>
> acl updates dstdomain .windowsupdates.microsoft.com .antivirusupdates.org
> acl updates1 dst 192.168.0.1/32
>
> http_access allow localnet updates
> http_access allow localnet updates1
> http_access allow localnet ntlm_auth_helper
> http_access deny all
>
>
> Regards,
> Eliezer
> --
> Eliezer Croitoru
> https://www1.ngtech.co.il
> IT consulting for Nonprofit organizations
> eliezer<at> ngtech.co.il
Received on Mon Jul 23 2012 - 17:06:02 MDT