Re: [squid-users] strange behavior with https sites and ntlm/basic authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 10 Jul 2012 23:56:32 +1200

On 10/07/2012 9:59 p.m., Bruno Santos wrote:
> Hi all !
>
> I finally (sort of) manage to get squid with ntlm authentication. I now have it working as i want it, but there's a configuration that i had to change and that's keeping bugging me in the why.
>
> Everything was workig fine until reaching https sites.
>
> If i had enabled both types of authentication: ntlm and basic (for those under Linux or not using a ntlm enabled browser):
> --------
> # Autenticacao NTLM - Winbind - AD
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 300
> auth_param ntlm keep_alive off
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 100
> auth_param basic realm Por favor autentique-se!
> auth_param basic credentialsttl 2 hours
>
> acl ntlmAuth proxy_auth REQUIRED
>
> --------------------
>
> This configuration worked fine, but those with NTLM (windows + IE / Firefox) were asked for authentication (that shouldn't happen). Those in Linux worked just fine (with an authentication dialog) and every site appears as it should be.
>
>
> If i remove the basic authentication, those with windows (IE and Firefox) are NOT asked for authentication and those using Linux are asked for authentication (everything fine here). Here is the problem:

By "those" I assume you mean the persons/users, and not their browser
agents.

By "asked" I assume you mean the auth popup window, and not the 407
proxy challenge.

Popups are a browser feature, when it happens is decided *only* by the
browser, usually because it was unable to find any working credentials
that could be used [some browsers are broken].

Ideally no user would be asked for authentication when NTLM is used. The
grand benefit offering from NTLM is that it works from the users network
login credentials and the browser never has to ask them to type anything.

>
> Those using Linux can't access (most) https sites. It just gives:
>
> TCP_DENIED/407 3833 CONNECT twitter.com:443 - NONE/- text/html
>
> And nothing happens...

Most likely your: "auth_param ntlm keep_alive off" is breaking the
fragile support CONNECT method has for NTLM.

> So i've decided to do an experiment
>
> In squid.conf, i've changed:
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> to
>
> http_access allow CONNECT SSL_ports
>
> And sudden all those https sites began working...
Of course. You just bypassed authentication.

>
> Well, by question is:
>
> Is this correect ? What would be happening with the other configuration? Is it safe ?

No. See above. No, it allows anyone unlimited access to tunnel via
CONNECT method to SSL_ports.

HTH
Amos
Received on Tue Jul 10 2012 - 11:56:45 MDT

This archive was generated by hypermail 2.2.0 : Tue Jul 10 2012 - 12:00:02 MDT