* site not seen through squid
From: Payal Rathod @ 2005-02-16 15:51 UTC (permalink / raw)
  To: Netfilter ML

Hi,
My friend has a sharepoint (don't know what it is) server in her DMZ 
at 10.10.10.3.  She can access that server from outside world by 
giving its public IP in browser. She cannot access it via her squid 
proxy inside the LAN. But when she removes proxy settings and gives,
iptables -I FORWARD -s 192.168.10.7 -j ACCEPT
she can access it. When I say access here it means that in all cases 
she can see IIS page but it is giving authorization failed from 
inside LAN. When she removes proxy settings and gives iptables rule 
above she is presented with a username-password box which is not seen 
via squid internally.
Strangely if I am on the squid/gateway/firewall machine and still 
using proxy I can see the authorization box.  Can someone give us 
both some hints to proceed?

With warm regards,
-Payal





* Re: site not seen through squid
From: Jason Opperisano @ 2005-02-16 18:19 UTC (permalink / raw)
  To: netfilter

On Wed, Feb 16, 2005 at 10:51:16AM -0500, Payal Rathod wrote:
> Hi,
> My friend has a sharepoint (don't know what it is) server in her DMZ 
> at 10.10.10.3.  She can access that server from outside world by 
> giving its public IP in browser. She cannot access it via her squid 
> proxy inside the LAN. But when she removes proxy settings and gives,
> iptables -I FORWARD -s 192.168.10.7 -j ACCEPT
> she can access it. When I say access here it means that in all cases 
> she can see IIS page but it is giving authorization failed from 
> inside LAN. When she removes proxy settings and gives iptables rule 
> above she is presented with a username-password box which is not seen 
> via squid internally.
> Strangely if I am on the squid/gateway/firewall machine and still 
> using proxy I can see the authorization box.  Can someone give us 
> both some hints to proceed?

my guess is that your friend is using transparent redirection to the
squid proxy and not explicit proxying (i.e. configuring the proxy in the
web browser).  HTTP AUTH does not work through a transparent proxy.
easiest solution would be to bypass the transparent redirect for
requests to the sharepoint server by adding an ACCEPT rule prior to the
REDIRECT:

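  # let requests to the sharepoint server skip the redirect
  iptables -t nat -A PREROUTING -i $INT_IF -p tcp -d 10.10.10.3 --dport 80 \
    -j ACCEPT

  # everything else on port 80 goes to squid
  iptables -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 \
    -j REDIRECT --to-port 3128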

-j

--
"Operator! Give me the number for 911!"
        --The Simpsons
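
The bypass suggested above only works if the ACCEPT rule is evaluated before the REDIRECT. The following check of that ordering is an added example, not part of the original message; it reads `iptables-save` output on stdin, and the function names, the interface name `eth1` and the sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks rule order in iptables-save output (read on stdin).
# Prints bypass-first, redirect-first, or no-redirect.
check_bypass_order() {   # $1 = server IP, $2 = TCP port
    awk -v dst="$1" -v port="$2" '
        /^\*/ { table = substr($0, 2) }          # "*nat", "*filter", ...
        table != "nat" || $1 != "-A" || $2 != "PREROUTING" { next }
        {
            target = ""; d = ""; p = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-j")      target = $(i + 1)
                if ($i == "-d")      d = $(i + 1)
                if ($i == "--dport") p = $(i + 1)
            }
            if (p != port) next
            n++                                  # position among port rules
            if (target == "ACCEPT" && !bypass && (d == dst || d == (dst "/32")))
                bypass = n
            if (target == "REDIRECT" && !redirect)
                redirect = n
        }
        END {
            if (!redirect)                        print "no-redirect"
            else if (bypass && bypass < redirect) print "bypass-first"
            else                                  print "redirect-first"
        }'
}

# Constructed samples; eth1 stands in for $INT_IF.
sample_bypass_first() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 10.10.10.3/32 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
EOF
}
sample_redirect_first() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -d 10.10.10.3/32 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}
```

On a live gateway the input would be `iptables-save -t nat | check_bypass_order 10.10.10.3 80`. Traffic matched by the bypass rule no longer passes through the proxy's access controls or logs.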



* Re: site not seen through squid
From: Payal Rathod @ 2005-02-16 18:51 UTC (permalink / raw)
  To: Netfilter ML

On Wed, Feb 16, 2005 at 01:19:43PM -0500, Jason Opperisano wrote:
> my guess is that your friend is using transparent redirection to 
> the
> squid proxy and not explicit proxying (i.e. configuring the proxy in the

No it is not transparent proxy. She has it configured in all browsers 
in her office.
Any clues?

With warm regards,
-Payal



* Re: site not seen through squid
From: Jason Opperisano @ 2005-02-16 19:18 UTC (permalink / raw)
  To: netfilter

On Wed, Feb 16, 2005 at 01:51:21PM -0500, Payal Rathod wrote:
> On Wed, Feb 16, 2005 at 01:19:43PM -0500, Jason Opperisano wrote:
> > my guess is that your friend is using transparent redirection to 
> > the
> > squid proxy and not explicit proxying (i.e. configuring the proxy in the
> 
> No it is not transparent proxy. She has it configured in all browsers 
> in her office.
> Any clues?

then my next guess is that the sharepoint server uses NTLM
authentication, and the problem is:

  http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.14

which links to:

  http://support.microsoft.com/kb/q198116/

punch line:  you can't put a proxy between a client and a server that
does NTLM authentication

again--you'll have to bypass the proxy for this destination server (or
configure the web server to use another authentication method).

-j

ps - this is starting to sound more like a squid question than a
netfilter question.

--
"Kids, you tried your best and you failed miserably. The lesson is,
 never try."
        --The Simpsons
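
To confirm the NTLM guess above, look at which schemes the server offers in its 401 response. The following classifier is an added example, not part of the original message; it reads saved response headers on stdin, the function names and sample headers are constructed, and it counts `Negotiate` together with NTLM because Negotiate can select NTLM.

```shell
#!/bin/sh
# Added example: classify the WWW-Authenticate challenges in HTTP response
# headers read on stdin. Prints one of:
#   ntlm-only           only NTLM/Negotiate offered: bypass the proxy
#   ntlm-with-fallback  another scheme (e.g. Basic) is also offered
#   no-ntlm             only other schemes are offered
#   no-challenge        no WWW-Authenticate header present
classify_auth() {
    tr -d '\r' | awk '
        tolower($1) == "www-authenticate:" {
            scheme = tolower($2)
            if (scheme == "ntlm" || scheme == "negotiate") conn = 1
            else if (scheme != "")                         other = 1
        }
        END {
            if (conn && other) print "ntlm-with-fallback"
            else if (conn)     print "ntlm-only"
            else if (other)    print "no-ntlm"
            else               print "no-challenge"
        }'
}

# Constructed sample of a 401 from an IIS server that offers only
# integrated Windows authentication (CRLF line endings as on the wire).
sample_ntlm_only() {
    printf 'HTTP/1.1 401 Unauthorized\r\n'
    printf 'Server: Microsoft-IIS\r\n'
    printf 'WWW-Authenticate: Negotiate\r\n'
    printf 'WWW-Authenticate: NTLM\r\n'
    printf 'Content-Length: 0\r\n\r\n'
}

# Constructed sample where Basic is offered alongside NTLM.
sample_with_basic() {
    printf 'HTTP/1.1 401 Unauthorized\r\n'
    printf 'www-authenticate: NTLM\r\n'
    printf 'WWW-Authenticate: Basic realm="intranet"\r\n\r\n'
}
```

A result of `ntlm-with-fallback` corresponds to the second option in the message above: the server can be reached with another authentication method, at the cost of whatever protection that method lacks (Basic sends the password in recoverable form unless the connection is encrypted).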



* Re: site not seen through squid
From: Payal Rathod @ 2005-02-17  3:27 UTC (permalink / raw)
  To: Netfilter ML

On Wed, Feb 16, 2005 at 02:18:07PM -0500, Jason Opperisano wrote:
>   http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.14

Thanks for the tip. I will get it to squid's list. But I don't 
understand one more thing, how does it work from outside the LAN?
There must be people accessing it via their squid proxies.

With warm regards,
-Payal

