Re: [squid-users] Fwd: Squid and website with IIS+NTLM

From: Francesco Collini <ict.security.job_at_gmail.com>
Date: Sat, 24 Jul 2010 10:55:14 +0200

Hello Amos and thank you in advance for your kind interest!

I am the squid proxy administrator and in 2.6 or 3.1 connection
pinning is enabled, but those iis+ntlm website are not authenticated
yet!

Have i to apply some particular configuration in my squid.conf?

Thank you again,
Francesco

2010/7/24 Amos Jeffries <squid3_at_treenet.co.nz>:
> Francesco Collini wrote:
>>
>> Hello,
>>
>> i am experiencing problem with some remote websites that use IIS and
>> ntlm windows authentication.
>> The problems persist with 2.6 and 3.1 version, too.
>>
>> I tried to add: http_port 3128 connection-auth=on but no results.
>>
>> Is there a solution?
>
> �* NTLM websites assume that every piece of HTTP browser and proxy software
> supports Microsoft proprietary protocols and connection pinning.
>
> �* You are assuming that your proxy is the only proxy in the chain.
>
> Neither if those are likely to be true.
>
> NTLM websites can work locally on a LAN where all software has a chance of
> being controlled with the requirement of supporting NTLM. Over the general
> Internet it's a non-starter.
>
> Using HTTPS instead of HTTP *almost* guarantees the end-to-end connection
> NTLM requires. I say almost because middle-proxies are now also decrypting
> HTTPS and proxying it in some places.
>
> The solution is to get the website to use a method of authentication which
> works outside walled-garden LANs. Digest auth designed specifically for high
> security over HTTP is available. Basic auth is the 'normal' low-security
> method.
>
> The alternative is to find every proxy in the middle between you and those
> sites, and get their admin to turn on connection pinning just for you.
>
> Amos
> --
> Please be using
> �Current Stable Squid 2.7.STABLE9 or 3.1.5
>
Received on Sat Jul 24 2010 - 08:55:16 MDT

This archive was generated by hypermail 2.2.0 : Sat Jul 24 2010 - 12:00:04 MDT