[squid-users] suppress sending authentication prompt

Berkes, David David.J.Berkes at pjc.com
Wed Jul 22 15:10:31 UTC 2015 

Thank you very much for your help.  Yes, I agree it's not the approach I would like to take.  I believe it may be something to do with the MDM and/or the IOS.  I'm setting up a tcpdump to look at the packets.  What I see is the authentication "pop-up" occurs on the iphone, but the credentials have already authenticated.  So, the users hit the cancel button and traffic is allowed to proxy.  Below is output of the access log.  I do notice that the TCP_DENIED messages, which I don’t understand.  Maybe this is part of the issue?

---access.log
1437577600.112   1612 70.197.232.249 TCP_TUNNEL/200 1728 CONNECT myproxyserver.com:443 myproxyuser HIER_DIRECT/206.15.205.62 -
1437577600.120   2089 70.197.232.249 TCP_TUNNEL/200 1728 CONNECT myproxyserver.com:443 myproxyuser HIER_DIRECT/206.15.205.62 -
1437577601.253   2161 70.197.232.249 TCP_TUNNEL/200 5677 CONNECT myproxyserver.com:443 myproxyuser HIER_DIRECT/206.15.205.62 -
1437577601.362      0 70.197.232.249 TCP_DENIED/407 4074 CONNECT myproxyserver.com:443 - HIER_NONE/- text/html

Here is my configuration.  Can you tell me specifically where to place the "all" and/or oder to properly test and block Squid actively requesting credentials?

##############################################
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 8 hours
auth_param basic casesensitive on

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny all

http_port 3128
##############################################

-----Original Message-----
From: Amos Jeffries [mailto:squid3 at treenet.co.nz]
Sent: Wednesday, July 22, 2015 6:55 AM
To: Berkes, David; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] suppress sending authentication prompt

On 22/07/2015 3:36 a.m., Berkes, David wrote:
> Thank you.
> From the tcpdump, I see the iphone sending requests to the proxy.  Sometimes with credentials and sometimes not.  How can I tell squid to not send 407 in response to the header with no credentials?  I have tried the following variations with no luck.
>

Think about that for a minute.

If Squid is never allowed to *ask* for credentials. How will it get them?

Do you really want the browser actively broadcasting usernames and passwords in trivially decrypted format out into the network regardless of where its connecting to?

You can block Squid actively requesting credentials by adding " all" to the end of the http_access line(s) that would otherwise end with ncsa_users ACL check. However, that will only cause the browser to display an error page. Access Denied, end of transaction, full stop, dont try again.



Remember that the popup is *not* part of HTTP messaging nor the HTTP level authentication. It is purely a browser internal mechanism for locating credentials.

407 is a perfectly normal HTTP operation. A working browser would always answer Squid 407 queries by sending the MDM configured cerdentials, with
*zero* user involvement.

I suspect that perhapse your MDM system is tying the credentials to an
IPv4 address, and the iPhone using IPv6 on some traffic?
 Or maybe the browser really is braindead and forgetting how to lookup the credentials.

Amos

________________________________


Piper Jaffray & Co. Since 1895. Member SIPC and NYSE. Learn more at www.piperjaffray.com. Piper Jaffray corporate headquarters is located at 800 Nicollet Mall, Minneapolis, MN 55402.

Piper Jaffray outgoing and incoming e-mail is electronically archived and recorded and is subject to review, monitoring and/or disclosure to someone other than the recipient. This e-mail may be considered an advertisement or solicitation for purposes of regulation of commercial electronic mail messages. If you do not wish to receive commercial e-mail communications from Piper Jaffray, go to: www.piperjaffray.com/do_not_email to review the details and submit your request to be added to the Piper Jaffray "Do Not E-mail Registry." For additional disclosure information see www.piperjaffray.com/disclosures

More information about the squid-users mailing list