On Wed, 1 Jul 2009 12:56:43 +0200, Gontzal <gontzalp_at_gmail.com> wrote:
> Hi,
>
> I've recompiled squid, now 3.0 stable 16 on a non-production opensuse
> 10.3 server with the --enable-http-violations option
> I've added the following lines to my squid.conf file:
>
> acl Java browser Java/1.4 Java/1.5 Java/1.6
>
> header_access Proxy-Authenticate deny Java
> header_replace Proxy-Authenticate Basic realm="XXXX"
>
> The header tags are before the http_access tags, I don't know if it is
> correct. I've also disable the option http_access allow Java
>
> Squid runs correctly but when i check for java, it doesn't work, it
> don't ask for basic auth and doesn't show the java applet page.
>
> On the access log it shows lines like this one:
>
> (01/Jul 12:46:01) (TCP_DENIED/407/NONE) (172.28.3.186=>172.28.129.250)
> (tp.seg-social.es:443) text/html-2226bytes 1ms
>
> I've changed the identity of my browser from firefox to java and it
> browses using ntlm auth instead of asking for user/passwd
>
> Where can be the problem?
In squid-3 the header_access has been broken in half.
I believe you are needing to use reply_header_access.
Amos
>
> Thanks again!
>
> 2009/6/30 Amos Jeffries <squid3_at_treenet.co.nz>:
>>
>>
>> I agree this does look like a good clean solution. I'll look at
>> implementing a small on/off toggle to do only this change for safer Java
>> bypass. May not be very soon though. What version of Squid are you
using?
>>
>> Meanwhile yes, you do have to add the option to the ./configure options
>> and
>> re-compile = re-install Squid.
>> The install process if done right should not alter existing squid.conf
>> and
>> be a simple drop-in to the existing install. But a backup is worth doing
>> just in case.
>> If currently using a packages Squid, you may want to contact the package
>> maintainer for any help on the configure and install steps.
>>
>> Amos
>>
>> On Mon, 29 Jun 2009 10:40:06 +0200, Gontzal <gontzalp_at_gmail.com> wrote:
>>> Hi Kevin,
>>>
>>>
>>> Thanks for your post, I think is a very good solution to the Java
>> security
>>> hole.
>>>
>>> I've seen that for using header_access and header_replace you need to
>>> compile with the --enable-http-violations. My question is, if I
>>> compiled squid without this option, is there any way to add this
>>> feature or I've to compile entire squid again? In this case, should I
>>> save my configuration files?
>>>
>>> Where should I put these lines, after acls?
>>>
>>> Thanks again
>>>
>>> Gontzal
>>>
>>> 2009/6/27 Kevin Blackwell <akblackwel_at_gmail.com>:
>>>> This what your looking for?
>>>>
>>>> acl javaNtlmFix browser -i java
>>>> acl javaConnect method CONNECT
>>>> header_access Proxy-Authenticate deny javaNtlmFix javaConnect
>>>> header_replace Proxy-Authenticate Basic realm="Internet"
>>>>
>>>> now only https/ssl access from java will have basic auth and so a
>>>> password dialog.
>>>> normal http access will work with ntlm challenge response.
>>>>
>>>> thanxs again
>>>>
>>>> markus
>>>>
>>>>>-----Ursprüngliche Nachricht-----
>>>>>Von: Rietzler, Markus (Firma Rietzler Software / RZF)
>>>>>Gesendet: Dienstag, 16. Oktober 2007 18:17
>>>>>An: 'Chris Robertson'; squid-users_at_squid-cache.org
>>>>>Betreff: AW: [squid-users] force basic NTLM-auth for certain
>>>>>clients/urls
>>>>>
>>>>>thanxs for that hint - it worked as a fix
>>>>>
>>>>>i have addes this to my squid.conf
>>>>>
>>>>>acl javaNtlmFix browser -i java
>>>>>header_access Proxy-Authenticate deny javaNtlmFix
>>>>>header_replace Proxy-Authenticate Basic realm="Internet Access"
>>>>>
>>>>>now any java-client (java web start, java or applets in
>>>>>browser) will only see the basic auth scheme.
>>>>>a username/password dialog pops up and i have to enter my credentials.
>>>>>
>>>>>any other client (firefox, ie) still se both NTLM and Basic
>>>>>scheme and use NTLM challenge response to authenticate...
>>>>>
>>>>>the little drawback is, that there is that little nasty dialog
>>>>>but connection via proxy is working...
>>>>>
>>>>>thanxs
>>>>>
>>>>>markus
>>>>>
>>>>
>>>> On Sat, May 9, 2009 at 12:13 AM, Nitin
>>>> Bhadauria<nitin.bhadauria_at_tetrain.com> wrote:
>>>>> Dear All,
>>>>>
>>>>> Please reply if we have some solution for the problem. I am stuck
with
>>>>> the
>>>>> problem my server is live and i can't afforded to allow the java
sites
>>>>> to
>>>>> unauthorized users in the network.
>>>>>
>>>>> Regards,
>>>>> Nitin B.
>>>>>
>>>>>
>>>>> Nitin Bhadauria wrote:
>>>>>>
>>>>>> Dear All,
>>>>>>
>>>>>>
>>>>>> I have the same problem ..
>>>>>>
>>>>>> Everytime a browser proxying through squid tries to load a secure
>>>>>> java
>>>>>> applet, it comes up with a red x where the java applet should be.
>>>>>>
>>>>>>
>>>>>> So I have bybass those sites for authentication, But the problem is
>>>>>> users
>>>>>> how don't have permission to access internet they are also able to
>>>>>> access
>>>>>> those sites.
>>>>>>
>>>>>> Please update if we had find any other solution for the problem.
>>>>>>
>>>>>> Thanks in advance for any reply.
>>>>>>
>>>>>> Regards,
>>>>>> Nitin Bhadauria
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>
Received on Thu Jul 02 2009 - 05:28:51 MDT
This archive was generated by hypermail 2.2.0 : Mon Jul 20 2009 - 12:00:02 MDT