[squid-users] ssl internet explorer

From: Robert Rader <[email protected]>
Date: Mon, 9 Aug 2004 15:29:32 -0400

On Mon, Aug 09, 2004 at 01:26:55PM -0400, Robert Rader wrote:

> I authenticate no problems with the dc...

> The proxy works fine with http but whenever I go to an secure site I get

> an microsoft error page... Cannot find server or DNS Error..

> Now my understanding with ntlm authentication with Internet explore 5.5

> or greater this is an Explorer error? Is there a workaround or a fix for

> this? If you anyone could let me know I would appreciate it.. I have

> been banging my head against a wall here..

Two things come to my mind...

1. IE still has problems when you start with an HTTPS page and require

proxy authentication. This is a well known (and still stupid)

IE bug.

2. How did you define the proxy for HTTPS in the browser? What do the

logs say?

Christoph

Chris thanks for your help...

For the proxy server I just use "the squid proxy name" port 3128

 I see alot of TCP DENIED, but it seems to happen with HTTP also... But
with regular HTTP it will come up about the 3rd time. With HTTPS,
sometimes if I hit refresh it will come up or send the info without me
knowing it. But for an example with my bank account i get TCP DENIED also
but buy the 3rd one it seems to authenticate with the log but I get that
stupid error, and then the page is timed out on the bank side.

I have been getting this error in the cache.log when it tries to
autheneticate over a Secured page I am not sure what this means.

[2004/08/09 14:44:46, 1] libsmb/ntlmssp.c:ntlmssp_update(252)
  got NTLMSSP command 3, expected 1

I was thinking maybe I could set up something with Iptables to redirect
request to go directly out for https only?

This is my config file... I cheated and used mostly defaults in this
area....

http_port 3128

ssl_unclean_shutdown on

cache_mem 64 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024

cache_effective_user squid
cache_dir ufs /usr/local/squid/var/spool/ 5000 16 256
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
emulate_httpd_log on
log_ip_on_direct on
mime_table /usr/local/squid/etc/mime.conf
log_mime_hdrs off
debug_options ALL,1

ftp_user squid@blair.edu
ftp_list_width 32
ftp_passive on

auth_param ntlm program
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 5 minutes
auth_param ntlm use_ntlm_negotiate on

auth_param basic program
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 30
auth_param basic realm Please Enter your Blair Username and Password!
auth_param basic credentialsttl 2 hours

authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour

wais_relay_port 0
request_header_max_size 10 KB
request_body_max_size 1 MB
# reply_body_max_size 0
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern . 0 20% 4320
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
negative_ttl 5 minutes
positive_dns_ttl 6 hours
negative_dns_ttl 5 minutes
# range_offset_limit -1 KB

connect_timeout 2 minutes
peer_connect_timeout 30 seconds
#siteselect_timeoute 4 seconds
read_timeout 4 seconds

persistent_request_timeout 1 minute

request_timeout 30 seconds
client_lifetime 1 day
half_closed_clients on
pconn_timeout 120 seconds
# idnet_timeout 10 seconds
shutdown_lifetime 30 seconds

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl auth proxy_auth REQUIRED
acl SSL_ports port 443 563
acl Safe_ports port 80 21 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl east src 10.0.10.0/255.255.255.0
acl locke src 10.0.11.0/255.255.255.0
acl freeman src 10.0.12.0/255.255.255.0
acl mason src 10.0.13.0/255.255.255.0
acl west src 10.0.14.0/255.255.255.0
acl annie src 10.0.15.0/255.255.255.0
acl south src 10.0.16.0/255.255.255.0
acl insley src 10.0.17.0/255.255.255.0
acl clinton src 10.0.19.0/255.255.255.0
acl bogle src 10.0.20.0/255.255.255.0
acl timken src 10.0.21.0/255.255.255.0
acl gym src 10.0.22.0/255.255.255.0
acl perfart src 10.0.23.0/255.255.255.0
acl health src 10.0.18.0/255.255.255.0
acl admin src /255.255.255.0
acl admin2 src /255.255.255.0
acl facdorm src 10.0.24.0/255.255.255.0
acl servadm src 10.0.25.0/255.255.255.0
acl serveve src 10.0.26.0/255.255.255.0
acl morntime time SMTWHF 05:00-19:56
acl evetime time SMTWHF 22:00-22:55
acl sattime time A 05:00-23:59
acl realplay browser RealMedia
acl mimeblockq req_mime_type ^app/x-hotbar-xip20$
acl mimeblockq req_mime_type ^application/x-icq$
acl mimeblockp req_mime_type ^app/x-hotbar-xip20$
acl mimeblockp req_mime_type ^application/x-icq$

http_access allow auth CONNECT
http_access deny mimeblockq
http_reply_access deny mimeblockp
http_access allow auth east morntime
http_access allow auth east evetime
http_access allow auth east sattime
http_access allow auth locke morntime
http_access allow auth locke evetime
http_access allow auth locke sattime
http_access allow auth freeman morntime
http_access allow auth freeman evetime
http_access allow auth freeman sattime
http_access allow auth mason morntime
http_access allow auth mason evetime
http_access allow auth mason sattime
http_access allow auth west morntime
http_access allow auth west evetime
http_access allow auth west morntime
http_access allow auth annie morntime
http_access allow auth annie evetime
http_access allow auth annie sattime
http_access allow auth south morntime
http_access allow auth south evetime
http_access allow auth south sattime
http_access allow auth insley morntime
http_access allow auth insley evetime
http_access allow auth insley sattime
http_access allow auth health
http_access allow auth clinton
http_access allow auth bogle
http_access allow auth timken
http_access allow auth gym
http_access allow auth perfart
http_access allow auth admin
http_access allow auth admin2
http_access allow auth facdorm
http_access allow auth servadm
http_access allow auth serveve
http_access allow realplay
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

visible_hostname internet2@blair.edu

Thanks.. Bob
Received on Mon Aug 09 2004 - 13:27:26 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Sep 01 2004 - 12:00:02 MDT