[Gllug] Squid and proxy_auth

Simon Morris mozrat at gmail.com
Wed Sep 28 20:05:27 UTC 2005


On 28/09/05, Martin A. Brooks <martin at hinterlands.org> wrote:
> Simon Morris wrote:
> > Some sites that clients visit require authentication and I think what
> > is happening is that Squid is sending out the user's AD credentials
> > rather than requesting the alternate name and password from the user.
>
> If I understand your setup correctly then it's the browser that's
> sending the credentials, not Squid.
>
> HTTP is stateless; each time the browser makes a new request it must
> reauthenticate.  For convenience your browser will store authentication
> data and automatically forward it until either authentication is no
> longer required, or the credentials become invalid.
>

"God aften" Martin :)

My setup is that Internet Explorer users authenticate against Squid
using ntlm_auth and their names are pulled from Active Directory using
winbind.

Mac users specify a username and password in the HTTP proxy server settings.

I understand what you are saying about HTTP being stateless and it is
the browser sending authentication but if I remove the proxy server
configuration it works in I.E.

It seems that when the URL is sent to Squid I have it configured to do
HTTP authentication (over NTLM in this case) and when the request then
goes upstream to the Internet web server the connection is using the
incorrect name and password.

From the user's point of view the connection fails immediately with a
"HTTP 401.3 - Access denied by ACL on resource" error.

Thanks

~sm
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug



