RE: [squid-users] Logging username at parent cache using ntlm_auth

From: Wilshire, Andrew <[email protected]>
Date: Tue, 7 Oct 2003 10:19:02 +1300

Hi Everybody,

Firstly thank-you all for your awesome help to date!! I'm sorry to repost
this q but I'm hoping someone will be able to tell me what I'm doing wrong.
I'm at the frustratingly-close stage of getting this working... oh the
bitter-sweet taste :/ I have one Squid proxy which uses NTLMSSP auth and
uses another Squid proxy as its parent cache. The 'parent' will have
several 'children' squid caches when this pilot is finished. My aim is to
use a content filtering product at the parent cache to vet the browsing of
our LAN users and report on them from a central location.

child cache's access.log
TCP_MISS/407 1751 GET http://www.nzherald.co.nz/ USERDOM\ANDREW FIRST_UP_PARENT/192.168.0.23 text/html

parent cache's access.log
TCP_DENIED/407 1710 GET http://www.nzherald.co.nz/ USERDOM\ANDREW

parent cache's cache.log <snip>
2003/10/06 14:48:57| aclCheck: checking 'http_access allow user_passwords '
2003/10/06 14:48:57| aclMatchAclList: checking user_passwords
2003/10/06 14:48:57| aclMatchAcl: checking 'acl user_passwords proxy_auth /tmp/user_passwords'
2003/10/06 14:48:57| authenticateAuthenticate: header Basic QIUlSTsdflotTlpcV3023lMU0hBOg==.
2003/10/06 14:48:57| authenticateAuthenticate: This is a new checklist test on FD:17
2003/10/06 14:48:57| authenticateAuthenticate: no connection authentication type
2003/10/06 14:48:57| aclMatchAcl: returning 0 sending authentication challenge.
2003/10/06 14:48:57| aclMatchAclList: no match, returning 0
2003/10/06 14:48:57| aclCheck: requiring Proxy Auth header.
2003/10/06 14:48:57| aclCheck: match found, returning 2
2003/10/06 14:48:57| aclCheckCallback: answer=2 </snip>

Now when I try to browse thru the 'child' cache I get prompted with IE
"Enter Network Password" dialog, and even though the 'Firewall' field in
this box refers to the child cache, the realm states "Squid Proxy Tier-2"
- and this config line is only on the parent cache. I am passing the
username/password to the parent from the child cache using this syntax on
the child - cache_peer 192.168.0.23 parent 3128 3130 login=*: no-query

I've tried re-ordering my http_access statements on the parent (see snip of
squid.conf below) to allow the child cache before the proxy_auth acl,
however then the usernames don't show up in the log :(. I've tried running
fakeauth_auth from the command line, but either I don't know the syntax or
it's broken because I never seem to be able to get it to return an error
code. I'm kinda hoping it just goes "OK" with any syntax, as that's exactly
what I'm looking for (hence if this is the case my IE session should stop
prompting for password!)

I'm so close, I can smell it : \

Andrew.

-----Original Message-----
Sent: Wednesday, 24 September 2003 14:30
Subject: RE: [squid-users] Logging username at parent cache using ntlm_auth

Thanks Henrik!

Ok I have done what you suggested and now I see the usernames in access.log
on the 2nd tier proxy... however I am consistently denied access (my IE
session brings up a login/password box)..

</snip>

The 2nd Tier Proxy's squid.conf

        auth_param basic program /libexec/fakeauth_auth
        auth_param basic children 5
        auth_param basic realm Squid Proxy Tier-2
        auth_param basic credentialsttl 1 minute
        acl nzproxyauth proxy_auth REQUIRED
        http_access allow nzproxyauth
        http_access allow proxytier1.fqdn.co.nz

Any ideas on what I have gotten wrong?

Many thanks :)
Andrew.

-----Original Message-----
Sent: Wednesday, 24 September 2003 12:47
Subject: Re: [squid-users] Logging username at parent cache using ntlm_auth

On Wed, 24 Sep 2003, Wilshire, Andrew wrote:

> When I look inside access.log on the PARENT (2nd tier) cache of the
> first-tier cache I see
>
> 1064290276.165 4844 eee.fff.ggg.hhh TCP_MISS/200 10100 GET
> http://www.nzherald.co.nz/pics/ACFNAA.Taimy.JPG -
> FIRST_UP_PARENT/3rdtiercache.fqdn.co.nz image/jpeg
>
> What I need to accomplish is to get the domain/username passed through to
> the PARENT cache so that I may use a filtering product on our 2nd tier
> proxy.

Then you need to set up a system where "faked" logins are used to the 2nd
tier proxy. You can set up the first proxy to log in with the same
username but a static password. See the login= cache_peer option.

This also requires reconfiguring the parent proxy to require basic
authentication and know about the static password assigned to the first
proxy.

> Do I need to recompile Squid on the 2nd tier cache with ntlm_auth support?

Won't help. You can't proxy ntlm_auth due to the nature of NTLM.

Regards
Henrik
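Henrik's login= scheme, as an added example that is not from the thread and not one of Squid's own helpers: a small Python stand-in for the parent's Basic auth helper that accepts any username (the username is what the parent is supposed to log) but insists on the static password the child is configured to send, together with the header the child builds and the parent decodes. The comments carry the matching cache_peer and auth_param lines; the password value, the helper path and the acl name are assumptions, while 192.168.0.23, the realm and the USERDOM\ANDREW username are the ones in the thread. The %-decoding of helper input is the behaviour of Squid 3 and later; it leaves the plain values Squid 2.5 sends unchanged.

```python
"""Added example: static-password Basic auth helper for a parent Squid cache."""
import base64
import hmac
import sys
import urllib.parse
from typing import Optional, Tuple

# Matching configuration (assumed paths and values, not from the thread):
#   child squid.conf:
#     cache_peer 192.168.0.23 parent 3128 3130 login=*:example-shared-secret no-query
#   parent squid.conf:
#     auth_param basic program /usr/local/libexec/static_pw_helper.py
#     auth_param basic realm Squid Proxy Tier-2
#     acl tier2auth proxy_auth REQUIRED
#     http_access allow tier2auth
#   The proxy_auth http_access line must come before any http_access that
#   allows the child by address; otherwise the parent never challenges the
#   child, no credentials are sent, and no username reaches access.log.

# Constructed shared secret; in practice the value after login=*: on the child.
STATIC_PASSWORD = "example-shared-secret"


def child_proxy_authorization(username: str, password: str) -> str:
    """Proxy-Authorization value the child sends upstream for login=*:<pw>:
    the real client's username is kept, the password is the static one."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_proxy_authorization(header: str) -> Optional[Tuple[str, str]]:
    """What the parent's Basic auth code recovers from that header, or None
    for a non-Basic scheme, bad base64, or a credential without a colon."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, pw = raw.partition(":")
    if not sep:
        return None
    return user, pw


def check_helper_line(line: str, expected_password: str = STATIC_PASSWORD) -> str:
    """Basic helper protocol: Squid writes one 'username password' request
    per line and expects 'OK' or 'ERR' back. Any non-empty username is
    accepted; only the shared static password passes."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    username = urllib.parse.unquote(parts[0])
    password = urllib.parse.unquote(parts[1])
    if not username or not password:
        return "ERR"
    # Constant-time comparison so the helper leaks nothing about the secret.
    if hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8")):
        return "OK"
    return "ERR"


def run_helper(stdin=sys.stdin, stdout=sys.stdout) -> None:
    """Helper main loop: Squid keeps the process open and feeds it lines."""
    for line in stdin:
        stdout.write(check_helper_line(line) + "\n")
        stdout.flush()


if __name__ == "__main__":
    run_helper()
```

Run from a shell as `printf 'USERDOM\\ANDREW example-shared-secret\n' | python3 static_pw_helper.py` to check the helper answers OK before pointing auth_param at it; the same line with any other password, or with nothing after the username (which is what a `login=*:` with an empty password produces), gets ERR, so the parent keeps answering 407.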

____________________________________________________________________
CAUTION - This message may contain privileged and confidential
information intended only for the use of the addressee named above.
If you are not the intended recipient of this message you are hereby
notified that any use, dissemination, distribution or reproduction
of this message is prohibited. If you have received this message in
error please notify Air New Zealand immediately. Any views expressed
in this message are those of the individual sender and may not
necessarily reflect the views of Air New Zealand.
_____________________________________________________________________
For more information on the Air New Zealand Group, visit us online
at http://www.airnewzealand.com
_____________________________________________________________________
Received on Mon Oct 06 2003 - 15:19:21 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:20:25 MST