squid no longer works with local authenticated web site
Sorry to cast such a large net. I didn't find where proxy servers were listed.
We have two proxy servers on our campus. Both are using squid. The main difference is the library bypasses our web security box for all sites and the main one bypasses it only for our local sites. This was done because mcafee was blocking sites we needed access to including on our own web server.
When we set things up we verified connectivity to the needed sites.
This morning we found we couldn't connect to the local authenticated site using either proxy. It appears the request for name and password isn't being forwarded to the client.
We haven't done anything to the proxies and I have been assured the web server wasn't changed. One of the symptoms is a pop-up saying "the connection was refused when attempting to contact the proxy server you have configured". We are unable to connect with either firefox or internet explorer. The resulting web display says "you are not authorized to view this page".
Since I really don't have an external authenticated web site other than gmail, I didn't do extensive testing on the outside access. Gmail worked fine using either proxy but so does our web exchange site.
I would appreciate any assistance with this.
Thanks.
rt
Software/Hardware used:
Software/Hardware used:
ASKED:
July 18, 2005 2:32 PM
UPDATED:
July 26, 2005 11:29 AM
Answer Wiki:
Hi Astronomer,
as I understood the situation, your squids DON'T REQUIRE authentication of the users to accept connections for proxiing, but your internal website is which requires users to be authenticated to use some service.
If this is true, I think there might be a change in the url pointing to the website (https://... instead of http://...). Then there are two possibilities:
(1) squid is not configured to listen for/handle ssl connections;
(2) proxie configuration in your browsers directs ssl requests not to the port whwre squids expect your requests.
Of course, if my assumption is wrong, the problem could be quite different.
BR
Petko
To see all answers submitted to the Answer Wiki: View Answer History.
We aren’t doing any authenticating with squid.
What I have found so far is the problem web site uses integrated windows authentication. According to the squid manual, this form of authentication is incompatible with proxy servers. I checked another site with basic authentication, (cleartext passwords), and it works fine with our proxy.
We are setting up another IIS server in our test lab to see if there are issues with digest authentication. I also intend to see what happens if we set the server to use HTTPS. I asked why we are requiring encrypted authentication to a web site but send the data in the clear. I didn’t get an answer.
This is all new to me but I will let you know what we stumble across.
Thanks for the response.
rt
We aren’t doing any authenticating with squid.
What I have found so far is the problem web site uses integrated windows authentication. According to the squid manual, this form of authentication is incompatible with proxy servers. I checked another site with basic authentication, (cleartext passwords), and it works fine with our proxy.
We are setting up another IIS server in our test lab to see if there are issues with digest authentication. I also intend to see what happens if we set the server to use HTTPS. I asked why we are requiring encrypted authentication to a web site but send the data in the clear. I didn’t get an answer.
This is all new to me but I will let you know what we stumble across.
Thanks for the response.
rt
Hi again,
So, probably your problem might be connected with some autoupdate on “black tuesday”… I’m unfamiliar with IIS and that “internal windows authentication”, but I agree with your webserver guys that plaintext password authentication is not an authentication at all. Though, an excerpt from Squid 2.5 release notes:
================================
1. Key changes from squid 2.4:
* Major rewrite of proxy authentication to support other schemes than basic. First in the line is NTLM support but others can easily be added (minimal digest is present). See the Programmers Guide for the internals…..
================================
What is your squids version? Probabbly updating them would help?
BR
Petko
We are using 2.5 on a windows platform.
rt
Hi,
It’s bad that NTLM thing is not working as expected in squid 2.5; Any success with ssl-based authentication?
We haven’t done an SSL test yet. That should be next,(if we don’t have another big fire), after we finish the backup server we are deploying on another campus.
rt
We haven’t done an SSL test yet. That should be next,(if we don’t have another big fire), after we finish the backup server we are deploying on another campus.
rt