Debian – get Squid proxy server authentication type from local client

authenticationdebianntlmPROXYsquid

Just like the title is:

Is there a way to get the authentication type of a squid proxyserver from a client in the local network?

Im using debian

UPDATE 1:

HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.3.9
Mime-Version: 1.0
Date: Fri, 25 Apr 2014 17:51:25 GMT
Content-Type: text/html
Content-Length: 3305
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: Basic realm="Squid Web Proxy"
X-Cache: MISS from domain.com
Via: 1.1 domain.com (squid/3.3.9)
Connection: keep-alive

I am only seeing the Basic realm line. So my Proxy only accepts Basic authentication right?

Best Answer

One thing you can do is inspect the HTTP response headers of a 407 (Proxy Authentication Required) response from your proxy. It should include the authentication schemes that it will accept from a client. You'll see something like this, one header for each scheme:

Proxy-Authenticate: NEGOTIATE
Proxy-Authenticate: NTLM
Proxy-Authenticate: BASIC realm="SomeRealm"

Based on your edit yes, your proxy won't accept NTLM authentication. Since there is just the one Proxy-Authenticate header for Basic, then your clients will only send Basic authentication. It seems your proxy is not configured (or at least properly) to accept anything other than basic authentication.

Related Solutions

How to setup user authentication on a Squid caching server

I think you can use ntlm auth with proper ordered acls on the squid proxy. You might see this article and this one to help you out with the setup.

Hope this helps.

Squid proxy authentication – most painless way

I assume you are using an Active Directory server. We have done something similar and the easiest way was to use the ntlm_auth helper like this (part of my squid.conf):

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

You will have to install Samba and join your Windows domain. Your smb.conf will have to use these settings:

security = ADS
realm = your-dns-domain
password server = your-active-directory-server
winbind enum groups = yes
winbind enum users = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes

I believe it was also necessary to alter the /etc/krb5.conf:

[libdefaults]
default_realm = your-dns-domain

[realms]
your-dns-domain = {
kdc = your-ad-server
}

Then you should be able to join your Windows domain:

net rpc join -S PDC -U Administrator

In the end you should have a setup that uses single-sign login from Windows. Both the Internet Explorer (in case you should seriously use it) as well as Firefox know how to send the authentication credentials.

For applications that don't know NTLM you may need to add a fallback to basic authentication, too. I haven't tested that, yet.

Links:

Best Answer

Related Solutions

How to setup user authentication on a Squid caching server

Squid proxy authentication – most painless way

Related Topic