RE: [squid-users] Authentication to Sharepoint not happening

From: Saurabh Agarwal <Saurabh.Agarwal_at_citrix.com>
Date: Tue, 1 Feb 2011 13:59:51 +0530

Hi Amos

I am using Squid 2.7.STABLE7. Following is my configuration. I want to allow everything.

http_port 192.168.11.35:3128 transparent
acl from_localhost src 192.168.11.35
http_port 10.102.79.82:3128 transparent
acl from_localhost src 10.102.79.82
http_port 10.102.79.82:3128 transparent
acl from_localhost src 10.102.79.82
visible_hostname hostname
acl foreign_networksAux1 dst
acl foreign_networksapA dst 0.0.0.0/0
tcp_outgoing_address 192.168.11.35 foreign_networksAux1
tcp_outgoing_address 10.102.79.82 foreign_networksapA
access_log none
cache_log /dev/null

cache_mem 8 MB
cache_dir aufs /squid/var/cache/small 1500 9 256 max-size=10000
cache_dir aufs /squid/var/cache/medium 4500 6 256 max-size=1000000
cache_dir aufs /squid/var/cache/large 4000 3 256
maximum_object_size 1000 MB
log_mime_hdrs off
max_open_disk_fds 400
maximum_object_size_in_memory 16 KB
debug_options ALL,1

cache_store_log none
pid_filename /squid/logs/squid.pid
debug_options ALL,1

acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl all_dst dst 0.0.0.0/0.0.0.0
http_access allow manager from_localhost
http_access deny manager
http_access allow all all_dst
icp_access deny all

icp_port 0
htcp_port 0

#this is the directory where core-dump from squid will be kept
coredump_dir /squid/var

log_fqdn off
fqdncache_size 8192
ipcache_size 8192

minimum_object_size 512 bytes
quick_abort_min -1 KB

hierarchy_stoplist cgi-bin ?
acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback.*id)
acl store_rewrite_list1 dstdomain .youtube.com .video.google.com \/(get_video\?|videodownload\?|videoplayback.*id)
storeurl_access allow store_rewrite_list store_rewrite_list1
storeurl_rewrite_program /orbital/current/squid/storeurl.pl
storeurl_rewrite_children 1
storeurl_rewrite_concurrency 10

redirector_bypass on

#this refresh_pattern is for caching youtube videos
refresh_pattern (get_video\?|videoplayback\?|videodownload\?) 5259487 99999999% 5259487 ignore-private ignore-no-cache override-expire

refresh_pattern ^ftp: 1 50% 10080
refresh_pattern ^gopher: 1 0% 1440
refresh_pattern -i \.(gif|jpg|jpeg|tif|png|ico|bmp)$ 0 50% 6000 ignore-no-cache
refresh_pattern -i \.(wma|wmv|avi|mpeg|ram|mp3|mpg|flv)$ 60 200% 10080 ignore-no-cache override-expire ignore-private
refresh_pattern -i \.(3gp|mp4|rm|ram|mov|m4v|qt)$ 60 200% 10080 ignore-no-cache override-expire ignore-private
refresh_pattern -i \.(cab|exe|gzip|gz|zip|rpm|bin|dat|psf|bz2)$ 0 20% 14400
refresh_pattern -i \.(swf|css|js)$ 0 50% 10000
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 1 20% 1440
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 1 20% 1440
refresh_pattern -i \.(htm|html|asp|jsp|shtml|dhtml|php)$ 0 0% 0

refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

#extension_methods dddxxx

cache_effective_user squid
cache_effective_group squid

client_persistent_connections on
server_persistent_connections on

logfile_rotate 0
ie_refresh on
request_entities on
pipeline_prefetch on
strip_query_terms off
minimum_direct_hops 0
minimum_direct_rtt 0
log_icp_queries off

# Shorten timeouts
negative_ttl 5 minutes
connect_timeout 1 minute
peer_connect_timeout 30 seconds
read_timeout 15 minutes
request_timeout 5 minutes
half_closed_clients off
pconn_timeout 1 minute

Regards,
Saurabh

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Tuesday, February 01, 2011 12:12 PM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Authentication to Sharepoint not happening

On 01/02/11 19:27, Saurabh Agarwal wrote:
> Hi All
>
> I am running Squid as a transparent proxy and can't authenticate to sharepoint server. If I bypass squid then everything works fine.
>
> I have not compiled Squid with any of the authentication-related configurables
>
> --enable-auth="basic,digest,ntlm,negotiate" --enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL" --enable-negotiate-auth-helpers="squid_kerb_auth" --enable-cache-digests --enable-ntlm-auth-helpers="SMB,fakeauth" --enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group".
>
> I see that SharePoint sends Squid the following HTTP headers in the HTTP 401 response
>
> WWW-Authenticate: Negotiate\r\n
> WWW-Authenticate: NTLM\r\n
>
> But Squid is not forwarding these headers to the client? If I bypass Squid then everything works fine.
>
> Can someone please help here?

Negotiate and NTLM both require HTTP/1.1 persistent connections and also
some major hacks called connection pinning. Not all Squid versions support
these equally.

What version of Squid are you using, and with what configuration?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Tue Feb 01 2011 - 08:30:06 MST
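Added example for the point Amos makes above (not Squid code and not from the thread): it parses a raw 401 like the one SharePoint sends, collects every WWW-Authenticate challenge, and reports whether the schemes are connection-oriented (NTLM/Negotiate, which need a pinned persistent connection) or request-oriented (Basic/Digest), and whether the origin's own HTTP version or Connection header would make pinning impossible. The SAMPLE_401 bytes are constructed to mirror the two headers quoted in the message.

```python
# NTLM and Negotiate are connection-oriented: the handshake spans several
# requests on ONE TCP connection, so a proxy has to pin the client connection to
# the server connection and keep both persistent. Basic/Digest do not need this.
CONNECTION_ORIENTED = {"ntlm", "negotiate"}

def challenge_schemes(value):
    """Scheme names in one WWW-Authenticate value, e.g. 'Negotiate, NTLM'."""
    parts, in_quotes, cur = [], False, ""
    for ch in value:
        in_quotes ^= (ch == '"')
        if ch == "," and not in_quotes:   # commas inside realm="a,b" stay put
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    schemes = []
    for part in filter(None, (p.strip() for p in parts)):
        first = part.split(None, 1)[0]
        if "=" not in first.rstrip("="):  # 'nonce="y"' is a Digest auth-param
            schemes.append(first.lower())
    return schemes


def relay_requirements(raw):
    """What a proxy must do so the client sees the challenge the origin sent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    version = head[0].split(" ", 1)[0]
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in head[1:])]
    challenges = [v for n, v in headers if n == "www-authenticate"]
    schemes = [s for v in challenges for s in challenge_schemes(v)]
    pinned = [s for s in schemes if s in CONNECTION_ORIENTED]
    # HTTP/1.0 is treated as non-persistent; Connection: close ends the link too.
    closing = version == "HTTP/1.0" or any(
        n == "connection" and "close" in v.lower() for n, v in headers)
    return {
        "schemes": schemes,
        "headers_to_forward": len(challenges),  # all of them, not just the first
        "needs_pinning": bool(pinned),
        "pinning_possible": bool(pinned) and not closing,
    }


# Constructed 401 mirroring the two headers quoted from SharePoint above.
SAMPLE_401 = (b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
              b"WWW-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(relay_requirements(SAMPLE_401))
```

For the sample response the verdict is two challenge headers to forward, pinning required and possible; a Digest challenge, or an origin that answers with HTTP/1.0 or Connection: close, changes that verdict.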