Re: [squid-users] TCP_DENIED/407 when using NCSA-AUTH and video streaming

From: Werner Opriel <W.Opr_at_gmx.de>
Date: Sun, 11 Jul 2010 16:06:45 +0200

Am Sonntag, 11. Juli 2010 schrieb Amos Jeffries:
> Werner Opriel wrote:
> > We are using a debian-Package of Squid 2.7 Stable3 on a Debian Lenny
> > machine with ncsa-auth configured, acting as a central Internet-Proxy.
> >
> > All Users/Passwords are stored in /etc/squid/passwd on localhost and only
> > authenticated users are allowed to surf on sites outside the intranet.
> > There are no problems with authentication so far.
> >
> > But we have a problem playing videos from the side http://www.wdr.de,
> > they do provide media-streams based on flash, for example:
> > http://www.wdr.de/mediathek/html/regional/2009/07/30/aktuelle-stunde-kuen
> >digung.xml
> >
> > Those pages can be accessed without problems and the starting picture of
> > the video is displayed. When we try to play the video we are receiving
> > "network error" and "file not found" within the flasharea-window after a
> > few seconds. There is no problem playing an audio stream from this site
> > or flash-videos for example from youtube.com or golem.de
> >
> > Our Clients, always with flashplugin installed:
> > Firefox 3.5 (Win), Firefox 3.6 (Linux) and Chrome (Linux) .
> >
> > In the access.log we can see an authenticated user "test" surfin on
> > www.wdr.de.
> > When starting the video it would seem that he lost his authentication
> > information and then ends in tcp-denied/407.
> > When disabling NCSA-AUTH in squid, we can play the videos without any
> > problems.
>
> <snip>
>
> It's clear the flash player is making it's own background HTTP requests
> and not sending credentials. This is a flash player problem.
>
> You have a choice of putting up with it or letting the player through
> your Squid without authentication. The headers you log show a few things
> like User-Agent, source website and Content-Type you could match on to
> identify its requests.

Thanks Amos.
But can you give me a hint how i have to configure squid for letting the
flashplayer through it without authentication?
Received on Sun Jul 11 2010 - 14:06:57 MDT

This archive was generated by hypermail 2.2.0 : Mon Jul 12 2010 - 12:00:04 MDT