
I'm using squid 2.6.22 (CentOS 5 default) as a proxy. Squid seems to break the authentication process for web pages when they require NTLM or Kerberos auth. I tested with SharePoint 2007 and tried all 3 authentication methods (NTLM, Kerberos, Basic). Accessing the site without squid works in all cases. When I access the same page with squid, then only basic auth works. Using IE or Firefox doesn't make any difference. Squid itself can be used by anybody (no auth_param configured). It's a bit tricky to find solutions online, since most of the topics whirl around auth_param for authenticating users to squid rather than authenticating users to a web page behind squid. Could anyone help?

Edit:
Sorry, but my first test was totally screwed up. I tested against the wrong webservers (Memo to myself: always check assumptions before testing). Now I realized that the problem scenario is completely different.

  • Kerberos works for IE
  • Kerberos works for Firefox (after changing "network.negotiate-auth.trusted-uris" in about:config)
  • NTLM works for IE
  • NTLM does NOT work in Firefox (even after changing "network.automatic-ntlm-auth.trusted-uris" in about:config)

By the way: the feature that provides NTLM passthrough in squid is called "connection pinning", and the HTTP header is "Proxy-support: Session-based-authentication".

DonEstefan

2 Answers

I think what you ask is very related to How to configure apache to basic authentication or allow when ntlm while proxying?. In particular, if you want to authenticate both to the proxy and then to the remote site, it is not possible (unless the client uses CONNECT).

If your situation is that you don't want to authenticate to Squid, but only to remote site, then I think Squid is somehow doing the right thing: once the resource you have fetched by authenticating yourself is in cache, it is now available also for non-authenticated requests for other clients. More precisely, have a look at this flow:

  • User A has requested the resource /index.html on some host that.server.com and provided the authentication information.
  • Server returned HTTP status 200 and Squid has cached the resource /index.html.
  • Now user B has requested the same resource and has provided no authentication information / or has provided some authenticated information.

Possible scenarios:

  • Squid returns /index.html to user B from cache. This is wrong, as only server knows which users have access to which resources.
  • Squid also tries to cache the authentication information together with /index.html. For basic authentication Squid can capture the username. Other mechanisms (NTLM/Kerberos) send only hashes over HTTP, so there is no way to learn the username.
  • Squid never caches /index.html.
dma_k
  • Adding: it is not only that /index.html may not be accessible to some users; it may look different depending on the user. – TomTom Feb 06 '12 at 14:22
  • I don't think the problem is related to caching. No well-behaving proxy will ever cache sites where authentication is used. See: http://www.web-caching.com/mnot_tutorial/how.html for a good explanation. – DonEstefan Mar 15 '12 at 17:02
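The caching rule that the answer's scenarios and the follow-up comment are arguing about can be made concrete. The following is an added example, not code from the answer or from Squid: a toy shared cache that applies the RFC 7234 rule for responses to requests carrying an Authorization header (a shared cache must not store such a response unless Cache-Control explicitly allows it with must-revalidate, public or s-maxage), replayed over the user-A / user-B flow described above. The origin server, the host name that.server.com, the resource paths and the NTLM token values are all constructed for the illustration.

```python
# Added example (not from the original answer or from Squid): a shared
# cache applying the RFC 7234 section 3.2 rule for authenticated requests,
# replayed over the user-A / user-B flow from the answer. The origin,
# host name, paths and credential tokens below are constructed.

from collections import Counter


def parse_cache_control(value):
    """Split a Cache-Control header into a {directive: value-or-True} dict."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, val = part.split("=", 1)
            directives[name.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True
    return directives


def shared_cache_may_store(request_headers, response_headers):
    """Return True if a shared (proxy) cache may store this response.

    no-store and private always forbid storage. If the request carried an
    Authorization header (Basic, NTLM and Negotiate/Kerberos all use it),
    the response may be stored only when the origin explicitly opted in
    with must-revalidate, public or s-maxage (RFC 7234 section 3.2).
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    if "authorization" in req:
        return any(d in cc for d in ("must-revalidate", "public", "s-maxage"))
    return True


class SharedCache:
    """Toy forward-proxy cache keyed on URL only, like the flow in the answer."""

    def __init__(self, origin):
        self.origin = origin          # callable(url, headers) -> (status, headers, body)
        self.store = {}
        self.origin_hits = Counter()  # how often each URL reached the origin

    def fetch(self, url, request_headers):
        if url in self.store:
            status, headers, body = self.store[url]
            return status, headers, body, "cache"
        self.origin_hits[url] += 1
        status, headers, body = self.origin(url, request_headers)
        if status == 200 and shared_cache_may_store(request_headers, headers):
            self.store[url] = (status, headers, body)
        return status, headers, body, "origin"


def constructed_origin(url, request_headers):
    """Constructed stand-in for that.server.com: /index.html requires
    credentials and renders per user; /public.css is explicitly public."""
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    if url.endswith("/index.html"):
        if "authorization" not in hdrs:
            return 401, {"WWW-Authenticate": "NTLM"}, b""
        user = hdrs["authorization"].split()[-1]   # toy token: names the user
        return 200, {"Cache-Control": "max-age=3600"}, f"hello {user}".encode()
    return 200, {"Cache-Control": "public, max-age=3600"}, b"body{}"


def replay_answer_flow():
    """User A authenticates, user B sends nothing, user C authenticates as
    someone else; then a public stylesheet is fetched twice."""
    cache = SharedCache(constructed_origin)
    index = "http://that.server.com/index.html"
    css = "http://that.server.com/public.css"
    a = cache.fetch(index, {"Authorization": "NTLM userA"})
    b = cache.fetch(index, {})
    c = cache.fetch(index, {"Authorization": "NTLM userC"})
    cache.fetch(css, {})
    css_again = cache.fetch(css, {})
    return {
        "a": (a[0], a[2], a[3]),
        "b": (b[0], b[2], b[3]),
        "c": (c[0], c[2], c[3]),
        "css_second_source": css_again[3],
        "index_origin_hits": cache.origin_hits[index],
    }


if __name__ == "__main__":
    for key, value in replay_answer_flow().items():
        print(key, value)
```

With the rule in place the "wrong" scenario from the answer (user B served user A's page from cache) cannot happen: every /index.html request goes to the origin, user B gets the 401 and user C gets their own page, while the public stylesheet is served from cache on the second fetch. The origin can still opt in with Cache-Control: public, which is the one case where a shared cache is allowed to store an authenticated response.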

There is a bug in Firefox, causing NTLM to fail in certain conditions. Using Squid as a proxy will almost always meet these conditions. See https://bugzilla.mozilla.org/show_bug.cgi?id=602814

DonEstefan