On Tue, 26 Jun 2007 00:01:38 +0200
Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> Mon 2007-06-25 at 17:47 +0200, Joerg Schuetter wrote:
>
> > Browsing the Internet is only permitted after authenticating (NTLM
> > w/ ADS). This will run undetected by most users since this part is
> > done by the client.
> > After upgrading our system to debian Etch (squid=2.6.5-6,
> > winbind=3.0.24-6etch4, samba=3.0.24-6etch4) we started having
> > some problems (I'll use separate mails for each problem).
> >
> > When our users try to connect to
> > https://keylink.ubs.com/keylink.ubs.com/client/int/startklw.html
> > they will not be able to use this service.
> > In the log of the proxy I have this line:
> > 1182327931.205 0 x.y.z.a TCP_DENIED/400 1614 NONE \
> > error:unsupported-request-method - NONE/- text/html
>
> What did cache.log say here?

parseHttpRequest: Unsupported method 'User-Agent:'
clientReadRequest: FD 116 (a.b.c.d:3568) Invalid Request

>
> > Digging a little bit deeper with a sniffer I found that the
> > header line CONNECT is missing. The older squid version
> > (2.5.12-4) seemed to ignore this.
>
> ???
>
> Can you provide a bit more details on that?

Here is the header from the client which caused the error:

User-Agent: Mozilla/4.0 (Windows 2003 5.2) Java/1.4.2_06
Host: keylink.ubs.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-authorization: NTLM ...

The request before looked like this and worked w/o any problem:

CONNECT keylink.ubs.com:443 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 2003 5.2) Java/1.4.2_06
Host: keylink.ubs.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-authorization: NTLM ...

>
> > The workaround to keep the users doing their jobs was to grant
> > access to ksylink.ubs.com without user authentication.
> > But what's the clean way to solve this?
>
> First I need to understand the problem on the wire level..
>
> But if authentication makes a difference and it worked in earlier
> Squid versions using NTLM then try "auth_param ntlm keep_alive off".
> This might work around some client brokenness.

I'll try disabling keep_alive after office hours.

Regards
Jörg

Received on Tue Jun 26 2007 - 06:50:52 MDT
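
Added example, not part of the original message and not Squid's own code: a small request-line check that shows why the second header block in the thread produces "Unsupported method 'User-Agent:'". The method list, the function names and the joining of the two posted blocks into one stream are assumptions made for illustration.

```python
import re

# Methods this sketch accepts (an assumption, not Squid's real method table).
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                 "OPTIONS", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(r"^(\S+) (\S+) HTTP/(\d)\.(\d)$")

# Constructed sample: the two header blocks quoted in the message, in the
# order described (working CONNECT first), joined as one persistent
# connection. "NTLM ..." is the elided credential exactly as posted.
HEADERS = (b"User-Agent: Mozilla/4.0 (Windows 2003 5.2) Java/1.4.2_06\r\n"
           b"Host: keylink.ubs.com\r\n"
           b"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n"
           b"Proxy-authorization: NTLM ...\r\n\r\n")
SAMPLE = b"CONNECT keylink.ubs.com:443 HTTP/1.1\r\n" + HEADERS + HEADERS


def check_request_line(line):
    """Return (ok, detail) for the first line of a request."""
    token = line.split(" ", 1)[0]
    if token not in KNOWN_METHODS:
        # With no request line, the first header name lands in the method slot.
        return False, "Unsupported method '%s'" % token
    if not REQUEST_LINE.match(line):
        return False, "Malformed request line"
    return True, token


def audit_connection(raw):
    """Split a captured client-to-proxy stream into header blocks (bodies
    are assumed absent) and check the first line of each block."""
    results = []
    for block in raw.split(b"\r\n\r\n"):
        if not block.strip():
            continue
        first = block.split(b"\r\n", 1)[0].decode("latin-1")
        results.append(check_request_line(first))
    return results


if __name__ == "__main__":
    for ok, detail in audit_connection(SAMPLE):
        print("accepted" if ok else "rejected", detail)
```

Run against a sniffer capture of one client connection, this flags every request on a kept-alive connection that starts with a header instead of a request line.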