Re: [squid-users] NTLM pass-through breaking uploads to Flickr, etc.

From: Mike Ely <mikeely_at_amyskitchen.net>
Date: Tue, 23 Feb 2010 15:38:34 -0800

On 2/19/10 6:11 PM, "Amos Jeffries" <squid3_at_treenet.co.nz> wrote:

> Mike Ely wrote:
>> On 2/17/10 4:10 PM, "Mike Ely" <mikeely_at_amyskitchen.net> wrote:
>>
>>> Hi there,
>>>
>>> We've got 2.6 stable running as logging only server, no caching going on.
>>> Users are authenticated via NTLM if they're on Windows, works fine in FF and
>>> IE with one exception. Uploading a file prompts a second auth dialogue
>>> (regardless of which browser) and entering credentials to that only causes
>>> the browser to hork. I've tested this on XP and 2k3, various browser
>>> versions.
>>>
>>> What I find interesting about this is that if I set the Internet Connection
>>> Settings in the control panel to "auto-detect" I will get the failure even
>>> if I explicitly configure FireFox (via about:config) to not do NTLM
>>> pass-through. My current working guess is that Flickr (and the work-related
>>> site that uses a somewhat similar ajaxy/flashy uploader) is making a call to
>>> Flash and Flash is barfing on the NTLM pass-through, but that's really only
>>> a guess.
>>>
>>> Steps to reproduce:
>>> Setup NTLM auth
>>> Connect through the proxy
>>> Attempt to upload a photo to Flickr
>>>
>>> Steps to work around:
>>> Disable "automatically connect" on the client control panel and auth by
>>> hand, or use a non-windows client and also auth by hand.
>>>
>>>
>>>
>>> Squid.conf here:
>
> <snip>
>
>>>
>>> # Destinations here
>>> acl fedex dstdomain .fedex.com
>>>
>>> # User groups here
>>> acl localnet proxy_auth REQUIRED src 10.0.0.0/8
>
> 1) "proxy_auth" ACL type accepts a list of usernames OR the word
> "REQUIRED" to accept any valid username.
>
> 2) "proxy_auth REQUIRED src" has never been valid AFAICT. The "src ..."
> bit has silently been discarded by all Squid 2.6+ I'm aware of.
>
> 3) If I'm wrong about (2) being discarded then the effect will be that
> the username "src" or "10.0.0.0/8" with no password might possibly be
> used to login on your Squid.
>
> 4) Without IP address range checks there is no restriction on where the
> logins may be done from.
>
>
>>> http_access allow CONNECT wuCONNECT localnet
>
> 'localnet Requires authentication and will challenge.
>
>>> http_access allow windowsupdate localnet
>
> 'localnet Requires authentication and will challenge.
>
> NOTE: 'localnet' being one of the default Squid-3 ACL all documentation
> you will find anywhere will assume that it retains that default type
> (which is to match source IP address only).
>
>
> SOLUTION:
> Create a new name for your login ACL and use that where login is needed.
> Revert localnet to IP range "src" type and use that where appropriate
> as well.
>
> <snip again>
>
> The notes I've added above in your config should help out a LOT.
> Get those corrected and we can work on the additional fix after that.
>
> Amos

Hi Amos,

Thanks for the reply. Per your suggestions, I�ve created a test server
running 2.7.STABLE7 and rebuilt the config (which I�ll append below).
Unfortunately this doesn�t change the original issue with file uploads �
client machine thinks it�s getting regular proxy stuff due to edited hosts
file and I�m verifying through logs that it�s hitting the test server I want
it to use. Then again, maybe I simply misunderstood you and misconfigured
it again...

Cheers,
Mike

Revised squid.conf (and includes):

# Generic stuff
visible_hostname proxy
http_port 3128
cache_mgr support_at_domain

# Don't cache ANYTHING
cache_dir null /tmp

# Custom error messages are nice
error_directory /etc/squid/customerrors/amys

# ShoreTel Client Badly Broken:
request_entities on

# Further workarounds for broken ShoreTel:
acl shoretel url_regex CSISISAPI\.dll/\?
http_access allow shoretel
always_direct allow shoretel

# You have to explicitly declare these:
access_log /var/log/squid/access.log squid
pid_filename /var/run/squid.pid

# Let's not take forever to shutdown the server, OK?
shutdown_lifetime 15 seconds

# Even smart people get confused when their web browser fails
# trying to find http://bart
dns_defnames on

# Let's let some stuff pass unhassled:
acl directaccess dstdomain "/etc/squid/direct.squid"
acl unrestricted dstdomain "/etc/squid/unrestricted.squid"
always_direct allow directaccess
http_access allow unrestricted

# NTLM User Authentication
(ntlm stuff here)

# LDAP User Authentication
(ldap stuff here)

# Include the ACLs (I'm putting them in-line here for clarity)
include /etc/squid/acls/generic.acl
include /etc/squid/acls/ports.acl
include /etc/squid/acls/dests.acl

(generic.acl)
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl snmp_manager src 10.1.6.81/255.255.255.255
acl localhost src 127.0.0.1/255.255.255.255
acl purge method PURGE
acl CONNECT method CONNECT
acl FTP proto FTP

(ports.acl)
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 5440 # ShoreTel
acl Safe_ports port 8000 # Oracle EBS

(dests.acl)
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

auth_param basic children 5
auth_param basic realm "Amy's Intranet Login"
auth_param basic credentialsttl 2 hours

# Some sanity-checking for outbound port selection
http_access deny !Safe_ports

#SNMP Config
(snmp stuff here)

#This prevents squid from even trying to cache
cache deny all

# Set up group queries against AD. Don't monkey with the OU.
(more ldap stuff here)

# Destinations here
acl fedex dstdomain .fedex.com

# Start allowing things out
http_access allow CONNECT wuCONNECT all
http_access allow windowsupdate all

acl amysnet proxy_auth REQUIRED src 10.0.0.0/8

acl AllWebAccess external InetGroup allweb
acl FedexWebAccess external InetGroup fedexweb
acl BlockedWebAccess external InetGroup blockedweb

http_access allow fedex FedexWebAccess
http_access allow AllWebAccess
http_access allow !BlockedWebAccess
http_access deny all
Received on Tue Feb 23 2010 - 23:38:43 MST

This archive was generated by hypermail 2.2.0 : Wed Feb 24 2010 - 12:00:06 MST