Re: [squid-users] squid, Safari and https pages problem

From: Markus Krause <[email protected]>
Date: Mon, 11 Sep 2006 01:06:14 +0200

Zitat von Dwayne Hottinger <dhottinger@harrisonburg.k12.va.us>:
> I have found that Safari does a lot of things that no other browser does.
> Many
> things that work on Firefox, IE, Mozilla or any other browser do not work in
> Safari. I have Mac users also, I encourage them to use Firefox. No surprise
> that Safari doesnt work correctly. I would suggest Firefox for you apple
> users.
unfortunately our users insist on using safari and i can not force them to
switch to firefox, but they can in return force me to switch the proxy what i
definetly do not want to do (they are the directors of our institute!)
right now i created as workaround a package which the users should simply
install, this installs a local squid proxy on their macs which forwards all
requests to our central proxy. but i really hope for another solution!

regards,
   markus

>
> Quoting Markus Krause <krause@biochem.mpg.de>:
>
> > Hi list,
> >
> > i searched in the archives and other forums but could not find a solution
> > (only
> > descriptions!) for the following problem, which causes quite a lot
> annoyance
> > for our apple users, i hope someone on this has a solution for this:
> >
> > we are using squid 2.5.9 on a recent debian linux box with one password for
> > all
> > users. for most browsers and applications theres is no problem at all, but
> > users which are using Safari 2.x on a recent Mac OS X 10.4. are forced to
> > retype the proxy username and password on some web pages delivered via
> https,
> > not only once but several times! this occures on pages like "web.de" or
> > "https://www.editorialmanager.com/mc/".
> > actually it seems that Safari does not send the proxy username and password
> > to
> > squid but as others (another institute) reported that they have no problems
> > at
> > all i am wondering if there might by a configuration problem. other
> browsers
> > like netscape, firefox or opera work without problems, but some of our
> users
> > do
> > not want to switch!
> > if the error occurs i am finding the following in
> /var/log/squid/access.log:
> >
> > ===== /var/log/squid/access.log =====
> > 1157445010.280 3 192.168.0.35 TCP_DENIED/407 1711 CONNECT
> img.web.de:443
> > -
> > NONE/- text/html
> > 1157445010.347 144 192.168.0.35 TCP_MISS/200 1984 CONNECT
> > freemailng2402.web.de:443 proxyuser DIRECT/217.72.196.3 -
> > 1157445011.001 8 192.168.0.35 TCP_DENIED/407 1744 CONNECT
> > freemailng2402.web.de:443 - NONE/- text/html
> > 1157445058.071 159 192.168.0.35 TCP_MISS/200 7649 CONNECT
> > freemailng2402.web.de:443 proxyuser DIRECT/217.72.196.3 -
> > 1157445058.938 1388 192.168.0.35 TCP_MISS/200 16769 CONNECT
> img.web.de:443
> > proxyuser DIRECT/217.72.200.153 -
> > 1157445059.081 1181 192.168.0.35 TCP_MISS/200 6014 CONNECT img.web.de:443
> > proxyuser DIRECT/217.72.200.153 -
> > 1157445059.087 1190 192.168.0.35 TCP_MISS/200 9702 CONNECT img.web.de:443
> > proxyuser DIRECT/217.72.200.153 -
> > 1157445059.142 1282 192.168.0.35 TCP_MISS/200 8938 CONNECT img.web.de:443
> > proxyuser DIRECT/217.72.200.153 -
> > ===== /var/log/squid/access.log =====
> >
> > running squid in debug mode i see (only parts with errors):
> > ===== Squid Debug output ====
> > 2006/09/05 10:30:10| parseHttpRequest: req_hdr = {Host:
> freemailng2402.web.de
> > User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; de-de)
> AppleWebKit/418.8
> > (KHTML, like Gecko) Safari/419.3
> >
> > }
> > 2006/09/05 10:30:10| parseHttpRequest: end = {}
> > 2006/09/05 10:30:10| parseHttpRequest: prefix_sz = 187, req_line_sz = 44
> > 2006/09/05 10:30:10| clientSetKeepaliveFlag: http_ver = 1.0
> > 2006/09/05 10:30:10| clientSetKeepaliveFlag: method = CONNECT
> >
> > [snipp]
> >
> > 2006/09/05 10:30:10| aclMatchAcl: checking 'acl testacl proxy_auth
> REQUIRED'
> > 2006/09/05 10:30:10| authenticateAuthenticate: broken auth or no proxy_auth
> > header. Requesting auth header.
> > 2006/09/05 10:30:10| aclMatchAcl: returning 0 sending authentication
> > challenge.
> > 2006/09/05 10:30:10| aclMatchAclList: no match, returning 0
> > 2006/09/05 10:30:10| aclCheck: requiring Proxy Auth header.
> > 2006/09/05 10:30:10| aclCheck: match found, returning 2
> > 2006/09/05 10:30:10| aclCheckCallback: answer=2
> > 2006/09/05 10:30:10| The request CONNECT freemailng2402.web.de:443 is
> DENIED,
> > because it matched 'testacl'
> > 2006/09/05 10:30:10| clientSendMoreData: Appending 1313 bytes after 324
> bytes
> > of
> > headers
> > 2006/09/05 10:30:11| connStateFree: FD 15
> > 2006/09/05 10:30:11| httpRequestFree: freemailng2402.web.de:443
> > =======
> >
> > is this really a bug in Safari (just tested again with the latest version
> > 2.0.4)
> > or is there some incompatibility?
> > any ideas how i can solve this (apart from using a different browser!)??
> >
> > my squid.conf:
> > ======= /etc/squid/squid.conf
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \?
> > no_cache deny QUERY
> > debug_options ALL,1
> > auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern . 0 20% 4320
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 128.0.0.0/8
> > acl purge method PURGE
> > acl CONNECT method CONNECT
> > acl testnet proxy_auth REQUIRED
> > http_access allow manager localhost
> > http_access deny manager
> > http_access allow purge localhost
> > http_access deny purge
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> > http_access allow testnet
> > http_access deny all
> > http_reply_access allow all
> > icp_access deny all
> > icp_access allow testnet
> > visible_hostname testproxy.biochem.mpg.de
> > coredump_dir /var/spool/squid
> > =======
> >
> > thanks in advance for any hints!!
> >
> > regards
> > markus
> >
> > --
> > Markus Krause email:
> krause@biochem.mpg.de
> > Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
> > by order of the Computing Center of the Max-Planck-Institute of
> Biochemistry
> > Tel.: 089 - 89 40 85 99 Fax.: 089 - 89 40 85 98
> >
> > ---------------------------------------------------------------------
> > This message was sent using https://webmail.biochem.mpg.de
> > If you encounter any problems please report to rz-linux@biochem.mpg.de
> >
>
>
> --
> Dwayne Hottinger
> Network Administrator
> Harrisonburg City Public Schools
>

--
Markus Krause                                   email: krause@biochem.mpg.de
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99                         Fax.: 089 - 89 40 85 98
---------------------------------------------------------------------
     This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to rz-linux@biochem.mpg.de
Received on Sun Sep 10 2006 - 17:06:24 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Oct 01 2006 - 12:00:03 MDT