[squid-users] Squid3 authentification proxy and method CONNECT SSL

Amos Jeffries squid3 at treenet.co.nz
Wed Jul 1 11:58:54 UTC 2015


On 1/07/2015 8:55 p.m., Alexandre Magnat wrote:
> Hello,
> 
> I use Squid3 (3.1.20) 

Please upgrade.

> with Squidguard filtering linked with user
> authentication on an OpenLDAP.
> But, recurrently, Firefox, Thunderbird, Chrome (certainly IE) frequently
> ask again for the login and password in a popup.
> 
> It seems the authentication popup appears when the browser tries a request
> with a CONNECT method like this:
> 172.16.1.215 - - [01/Jul/2015:10:40:18 +0200] "CONNECT fhr.data.mozilla.com:443 HTTP/1.1" 407 3812 TCP_DENIED:NONE
> or like this:
> 172.16.1.207 - - [01/Jul/2015:10:39:40 +0200] "CONNECT safebrowsing.google.com:443 HTTP/1.1" 407 3824 TCP_DENIED:NONE
> 

1) no credentials were presented. Thus 407 - Auth required.

OR

2) credentials presented were rejected by the auth system. Thus 407 -
Auth requires different credentials (or scheme).

OR

3) NTLM or Negotiate handshake underway. Thus 407 - Auth requires
handshake completion.


> 
> But, I think, I have configured Squid3 correctly to accept this kind of
> request:
> 
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> http_access deny CONNECT !SSL_ports
> 

Those lines have nothing to do with auth. They are for rejecting non-
port 443 connection attempts.

> 
> It's a boring problem for my users to have this kind of popup 4 or 5 times
> per day :-(
> Does anybody have an idea to help me resolve this?
> 

For Firefox and Thunderbird it may be
<https://bugzilla.mozilla.org/show_bug.cgi?id=318253>. I'm not sure how
long it will take Mozilla to get a fixed version of their software out.
At least they have now finally found the problem.

Chrome and IE may have similar issues. They all tend to copy each other's
behaviour with things like this.

Meanwhile there is a workaround that should work - add whichever is
relevant to your config:
 auth_param ntlm keep_alive off
 auth_param negotiate keep_alive off

Amos
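
An added example, not part of the original posts: a small parser for access-log lines in the layout quoted above, tallying which clients and CONNECT destinations draw 407 challenges and how many had no user name logged. It assumes Squid's "common" log layout as seen in the thread; the function names and the last two sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Layout of the lines quoted in the thread:
# client ident user [time] "METHOD target HTTP/x.y" status bytes RESULT:HIERARCHY
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+) (?P<result>[A-Z_]+):(?P<hier>\S+)$'
)

def connect_407s(lines):
    """Yield (client, user, target) for every CONNECT answered with 407."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip blank or unparseable lines
        if m["method"] == "CONNECT" and m["status"] == "407":
            yield m["client"], m["user"], m["target"]

def summarize(lines):
    """Count 407 CONNECT challenges per (client, target) and those with no user logged."""
    per_pair = Counter()
    no_user = 0
    for client, user, target in connect_407s(lines):
        per_pair[(client, target)] += 1
        if user == "-":  # "-" in the third field: no user name was logged
            no_user += 1
    return per_pair, no_user

SAMPLE = [
    # The two 407 lines quoted in the thread.
    '172.16.1.215 - - [01/Jul/2015:10:40:18 +0200] "CONNECT fhr.data.mozilla.com:443 HTTP/1.1" 407 3812 TCP_DENIED:NONE',
    '172.16.1.207 - - [01/Jul/2015:10:39:40 +0200] "CONNECT safebrowsing.google.com:443 HTTP/1.1" 407 3824 TCP_DENIED:NONE',
    # Constructed for contrast: an authenticated CONNECT and a non-CONNECT 407.
    '172.16.1.207 - alice [01/Jul/2015:10:39:41 +0200] "CONNECT safebrowsing.google.com:443 HTTP/1.1" 200 5120 TCP_MISS:DIRECT',
    '172.16.1.215 - - [01/Jul/2015:10:41:02 +0200] "GET http://example.com/ HTTP/1.1" 407 3700 TCP_DENIED:NONE',
]

if __name__ == "__main__":
    pairs, no_user = summarize(SAMPLE)
    for (client, target), count in pairs.most_common():
        print(f"{client} -> {target}: {count} x 407")
    print(f"407 CONNECTs with no user logged: {no_user}")
```

The tally shows where the challenges cluster; it does not by itself say which of the three 407 causes listed in the reply applies.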


