Re: [squid-users] Fwd: Squid and website with IIS+NTLM

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 24 Jul 2010 13:57:29 +1200

Francesco Collini wrote:
> Hello,
>
> I am experiencing problems with some remote websites that use IIS and
> NTLM Windows authentication.
> The problems persist with versions 2.6 and 3.1, too.
>
> I tried to add: http_port 3128 connection-auth=on but no results.
>
> Is there a solution?

  * NTLM websites assume that every piece of HTTP browser and proxy
software supports Microsoft proprietary protocols and connection pinning.

  * You are assuming that your proxy is the only proxy in the chain.

Neither of those are likely to be true.

NTLM websites can work locally on a LAN where all software has a chance
of being controlled with the requirement of supporting NTLM. Over the
general Internet it's a non-starter.

Using HTTPS instead of HTTP *almost* guarantees the end-to-end
connection NTLM requires. I say almost because middle-proxies are now
also decrypting HTTPS and proxying it in some places.

The solution is to get the website to use a method of authentication
which works outside walled-garden LANs. Digest auth designed
specifically for high security over HTTP is available. Basic auth is the
'normal' low-security method.

The alternative is to find every proxy in the middle between you and
those sites, and get their admin to turn on connection pinning just for you.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.5
Received on Sat Jul 24 2010 - 01:57:40 MDT
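
A toy model of the connection pinning discussed in the message above, added here as an illustration; it is not part of the original post and not Squid's code. The names `Origin`, `Proxy`, `chain` and `handshake` are hypothetical, and NTLM's three messages are reduced to labels with no real cryptography.

```python
import itertools

class Origin:
    """IIS-like server: NTLM state is stored per inbound TCP connection."""
    def __init__(self):
        self.conns = {}

    def forward(self, conn_id, auth):
        st = self.conns.setdefault(conn_id, {"challenged": False, "authed": False})
        if st["authed"]:
            return 200
        if auth == "type1":                  # NTLM negotiate message
            st["challenged"] = True          # challenge is remembered on this connection
            return 401                       # 401 carrying the type2 challenge
        if auth == "type3" and st["challenged"]:
            st["authed"] = True              # the connection itself is now authenticated
            return 200
        st["challenged"] = False
        return 401                           # no auth, or type3 without a matching challenge

class Proxy:
    """Toy forwarding proxy with a small pool of connections to the next hop."""
    def __init__(self, name, pin, next_hop, pool_size=2):
        self.name, self.pin, self.next_hop = name, pin, next_hop
        self.rr = itertools.cycle(range(pool_size))
        self.pinned = {}                     # inbound connection -> outbound connection

    def forward(self, conn_id, auth):
        if self.pin:
            if conn_id not in self.pinned:
                self.pinned[conn_id] = next(self.rr)
            out = self.pinned[conn_id]
        else:
            out = next(self.rr)              # any pooled connection will do
        return self.next_hop.forward((self.name, out), auth)

def handshake(first_hop):
    """Statuses seen by one client connection: no auth, type1, type3."""
    return [first_hop.forward("client-1", a) for a in (None, "type1", "type3")]

def chain(*pins):
    """Build client -> proxy0 -> proxy1 ... -> origin; pins[i] is proxy i's pinning."""
    hop = Origin()
    for i, pin in reversed(list(enumerate(pins))):
        hop = Proxy(f"proxy{i}", pin, hop)
    return hop
```

`handshake(chain(True, False))` models a local proxy that pins connections sitting behind a second proxy that does not: the type3 message reaches a server connection that never issued the challenge, so the client sees 401 three times.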
