[squid-users] Squid3 authentification proxy and method CONNECT SSL

Alexandre Magnat alexandre.magnat at mecaprotec.fr
Wed Jul 1 13:42:55 UTC 2015


Hi Amos;

Thank you for this complete response.
You're right, I have to upgrade my Debian :) soon!

For the conf, I have put these values in my squid.conf:

  auth_param ntlm keep_alive off
  auth_param negotiate keep_alive off

but it seems it's not working (one user has called me)... To be sure,
I'm waiting for more users' feedback.

Alex



On 01/07/2015 13:58, Amos Jeffries wrote:
> On 1/07/2015 8:55 p.m., Alexandre Magnat wrote:
>> Hello,
>>
>> I use Squid3 (3.1.20)
> Please upgrade.
>
>> with Squidguard filtering linked with a user's
>> authentication on an OpenLDAP.
>> But, recurrently, Firefox, Thunderbird, Chrome (certainly IE) ask again
>> frequently for the login and password in a popup.
>>
>> It seems the authentication popup appears when the browser tries a request
>> with a CONNECT method like this:
>> 172.16.1.215 - - [01/Jul/2015:10:40:18 +0200] "CONNECT
>> fhr.data.mozilla.com:443 HTTP/1.1" 407 3812 TCP_DENIED:NONE
>> or like this:
>> 172.16.1.207 - - [01/Jul/2015:10:39:40 +0200] "CONNECT
>> safebrowsing.google.com:443 HTTP/1.1" 407 3824 TCP_DENIED:NONE
>>
> 1) no credentials were presented. Thus 407 - Auth required.
>
> OR
>
> 2) credentials presented were rejected by the auth system. Thus 407 -
> Auth requires different credentials (or scheme).
>
> OR
>
> 3) NTLM or Negotiate handshake underway. Thus 407 - Auth requires
> handshake completion.
>
>
>> But I think I have correctly configured Squid3 to accept this kind of
>> request:
>>
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>> http_access deny CONNECT !SSL_ports
>>
> Those lines have nothing to do with auth. They are for rejecting non-
> port 443 connection attempts.
>
>> It's a boring problem for my user to have this kind of popup 4 or 5 times
>> per day :-(
>> Does anybody have an idea to help me resolve this?
>>
> Firefox and Thunderbird it may be
> <https://bugzilla.mozilla.org/show_bug.cgi?id=318253>. I'm not sure how
> long it will take Mozilla to get a fixed version of their software out.
> At least they have now finally found the problem.
>
> Chrome and IE may have similar issues. They all tend to copy each other's
> behaviour with things like this.
>
> Meanwhile there is a workaround that should work - add whichever is
> relevant to your config:
>   auth_param ntlm keep_alive off
>   auth_param negotiate keep_alive off
>
> Amos
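One way to measure from access.log whether the keep_alive workaround reduces the re-prompts, as an added example that is not part of the original thread: a 407 on CONNECT is also a normal challenge step, so the script reports only 407s that are not followed by an authenticated request from the same client to the same target. It assumes the log format quoted in the thread; the function names, the 60-second window and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# client ident user [time] "METHOD target HTTP/x" status bytes RESULT:HIER
LINE = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+ \S+')

def parse(line):
    """Parse one access.log line; return None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def unresolved_407s(lines, window=timedelta(seconds=60)):
    """407 CONNECTs with no authenticated follow-up (same client and target,
    a logged user name, non-407 status) inside `window` (assumed value)."""
    recs = [r for r in map(parse, lines) if r and r["method"] == "CONNECT"]
    out = []
    for i, r in enumerate(recs):
        if r["status"] != 407:
            continue
        resolved = any(
            s["client"] == r["client"] and s["target"] == r["target"]
            and s["status"] != 407 and s["user"] != "-"
            and timedelta(0) <= s["ts"] - r["ts"] <= window
            for s in recs[i + 1:])
        if not resolved:
            out.append(r)
    return out

# Constructed sample lines (not from the thread), in the thread's log format.
SAMPLE = [
    '192.0.2.10 - - [01/Jul/2015:10:39:40 +0200] "CONNECT a.example.com:443 HTTP/1.1" 407 3824 TCP_DENIED:NONE',
    '192.0.2.10 - alice [01/Jul/2015:10:39:40 +0200] "CONNECT a.example.com:443 HTTP/1.1" 200 5120 TCP_MISS:DIRECT',
    '192.0.2.11 - - [01/Jul/2015:10:40:18 +0200] "CONNECT b.example.com:443 HTTP/1.1" 407 3812 TCP_DENIED:NONE',
    '192.0.2.11 - - [01/Jul/2015:10:40:19 +0200] "CONNECT b.example.com:443 HTTP/1.1" 407 3812 TCP_DENIED:NONE',
]

if __name__ == "__main__":
    for r in unresolved_407s(SAMPLE):
        print(r["ts"].isoformat(), r["client"], r["target"])
```

Squid writes an access.log entry when the transaction ends, so a long-lived tunnel is logged late; widen `window` if successful CONNECTs are being missed.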