Re: [squid-users] Issue with proxy auth with facebook

On Thu, 2012-04-12 at 13:15 +1200, Amos Jeffries wrote:
> On 12.04.2012 13:06, Simon Dwyer wrote:
> > On Thu, 2012-04-12 at 12:41 +1200, Amos Jeffries wrote:
> >> On 12.04.2012 11:37, Simon Dwyer wrote:
> >> > Hi All,
> >> >
> >> > I have setup squid to authenticate with NTLM then BASIC with the
> >> > ntlm_auth program.
> >> >
> >> > I believe that it is all working fine for most users but for an
> >> > example
> >> > my linux desktop with firefox i get prompted for my crendentials
> >> > (thats
> >> > fine) but when i go to https://www.facebook.com or pages that link
> >> to
> >> > it
> >> > i keep getting prompted for my password.
> >> >
> >> > the access.log shows this
> >> >
> >> > 1334186696.459 2 10.37.0.1 TCP_DENIED/407 4028 CONNECT
> >> > www.facebook.com:443 - NONE/- text/html
> >> > 1334186696.463 3 10.37.0.1 TCP_DENIED/407 4028 CONNECT
> >> > www.facebook.com:443 - NONE/- text/html
> >> > 1334186696.465 3 10.37.0.1 TCP_DENIED/407 4028 CONNECT
> >> > www.facebook.com:443 - NONE/- text/html
> >> >
> >> > and my browser doesnt seem to present the credentals properly.
> >> Sites
> >> > like https://www.westpac.com.au seems to work perfectly.
> >> >
> >> > I am now running firefox 11.
> >> >
> >> > Where would be the first place to start looking?
> >>
> >> Firefox bug reports possibly. I've been hearing strange things about
> >> trouble with its NTLM support recently.
> >>
> >> Also, with your Squid version. NTLM on CONNECT requests was only
> >> fixed
> >> recently, meaning older 3.1 and previous series do not support NTLM
> >> well
> >> on those requests.
> >
> > Yes i have come to a conclusion that this is probably a bug with
> > firefox. I am moving our authentication to kerberos and basic which
> > will hopfully get around using NTLM too much *touch wood*
> >>
> >>
> >> Some unrelated hints about config optimization below...
> >>
> >> >
> >> >
> >> > Simon
> >> >
> >> > Config following
> >> >
> >> > [root_at_proxy1 ~]# cat /etc/squid/squid.conf
> >> > #
> >> > # Recommended minimum configuration:
> >> > #
> >> > cache_dir aufs /var/spool/squid 16384 32 512
> >> >
> >> > cache_mem 1024 MB
> >> > http_port 8080
> >> > snmp_port 3401
> >> > visible_hostname proxy1.mulawa.internal
> >> > acl snmppublic snmp_community ng-community-ro
> >> > snmp_access allow snmppublic
> >> > snmp_incoming_address 0.0.0.0
> >> > snmp_outgoing_address 255.255.255.255
> >> > ignore_expect_100 on
> >> >
> >> > auth_param ntlm program /usr/bin/ntlm_auth
> >> > --helper-protocol=squid-2.5-ntlmssp
> >> > auth_param ntlm children 30
> >> >
> >> > auth_param basic program /usr/bin/ntlm_auth
> >> > --helper-protocol=squid-2.5-basic
> >> > auth_param basic children 30
> >> > auth_param basic realm TSG proxy-caching web server
> >> > auth_param basic credentialsttl 8 hours
> >> >
> >> >
> >> > url_rewrite_program /usr/local/bin/squidGuard
> >> > -c /usr/local/squidGuard/squidGuard.conf
> >> > url_rewrite_children 30
> >> >
> >> > acl BrownhouseIT src 10.37.0.0/24
> >> > acl GTALK_ports port 443 5222 5050 5223
> >> > acl GTALK_hosts dstdomain talk.google.com www.google.com
> >> > acl GTALK_domains dstdomain .l.google.com
> >> > acl GTALK_methods method CONNECT
> >> >
> >> > acl SSL_ports port 443
> >> > acl SSL_ports port 5222
> >> > acl SSL_ports port 5223
> >> > acl Safe_ports port 80 # http
> >> > acl Safe_ports port 21 # ftp
> >> > acl Safe_ports port 443 # https
> >> > acl Safe_ports port 70 # gopher
> >> > acl Safe_ports port 210 # wais
> >> > acl Safe_ports port 1025-65535 # unregistered ports
> >> > acl Safe_ports port 280 # http-mgmt
> >> > acl Safe_ports port 488 # gss-http
> >> > acl Safe_ports port 591 # filemaker
> >> > acl Safe_ports port 777 # multiling http
> >> >
> >> > acl CONNECT method CONNECT
> >> > acl AuthorizedUsers proxy_auth REQUIRED
> >> > acl UnauthorizedDomains url_regex microsoft.com
> >> > acl UnauthorizedDomains url_regex verisign.com
> >> > acl UnauthorizedDomains url_regex thawte.com
> >> > acl UnauthorizedDomains url_regex crl.usertrust.com
> >>
> >> NP: These are all better tested as dstdomain. Use the wildcard '.'
> >> prefix like you do for .l.google.com.
> > Thanks will do
> >
> >>
> >>
> >> > acl UnauthorizedServers src 10.20.0.77
> >> > acl UnauthorizedServers src 10.20.0.70
> >> > acl UnauthorizedServers src 10.20.0.191
> >> >
> >> > acl oem-gc-host src 10.20.0.144
> >> > acl oem-gc-domain url_regex linux-update.oracle.com
> >>
> >> NP: another best tested as dstdomain.
> > Thanks
> >>
> >> >
> >> >
> >> > http_access deny !Safe_ports
> >> > http_access deny CONNECT !SSL_ports
> >> > http_access allow BrownhouseIT GTALK_methods GTALK_ports
> >> GTALK_hosts
> >> > http_access allow BrownhouseIT GTALK_methods GTALK_ports
> >> > GTALK_domains
> >>
> >> Optimization:
> >>
> >> GTALK_hosts and GTALK_domains are both dstdomain type. You can
> >> collapse these together and remove most of the ACL tests per request
> >> to
> >> *.l.google.com servers.
> >
> > Thanks will do.
> >>
> >> > http_access allow UnauthorizedServers
> >>
> >> Optimization:
> >>
> >> adding these IPs to the firewall to reject connections they make
> >> inbound to the proxy allows you to drop this ACL policy.
> >
> > The point of this was to allow these servers through without having
> > to
> > authenticate due to them running software that was written by people
> > who
> > dont know what a proxy is.
>
> Sorry. never mind that. Reading "unauthorized" as meaning well,
> non-authorized, instead of bypass-authentication.
>
> It is a bit tricky on the naming there since access control
> terminology:
> allow == authorized access,
> deny == unauthorized.
>
>
> ... so "authorize access for UnauthorizedServers" mind bender.

Yea my first run through setting this up so not everything is worded
correctly yet.

Thanks for you help Amos i see you helping so much on this list.
>
>
> Amos
Received on Thu Apr 12 2012 - 01:21:45 MDT