This is currently a brain dump from me (Robert). It should/will become more organised when I get some more time. Also programming docs need to be done, but they can go into the Programming Guide. This FAQ will become obsoleted when(if) the ntlm branch becomes part of HEAD. Till then however :-]
Firstly the background to squid and authentication:
HTTP authentication works with two distinct sets of servers:
* Origin servers
* Proxy servers
For each server type, only a single authentication set can be used in
any one request, for any given URI. This means that within http you
_cannot_ have a different username for two proxies in a row.
* Intercepting proxies (a.k.a. transparent proxies) cannot use
proxy-authentication because the client _thinks_ that the challenging
server is the origin server not the proxy server (which it doesn't know
HTTP defines multiple authentication _schemes_. When a server challenges
a client to authenticate it offers a list of schemes, and the client
chooses the scheme it wants to use to login. (The client _should_ choose
the most secure scheme it understands). The client then presents a
single authentication header to that server with the users credentials
(encoded under that authentication scheme).
How does squid work with this?
Squid can act as the origin server (for www acceleration) and prompt for
authentication. More commonly though squid acts as a standard proxy and
prompts for proxy-authentication.
In the standard squid branch(s) squid challenges with a single
authentication scheme (Basic) when it is checking a proxy_auth acl. You
can only define one helper for a given authentication scheme. (If you
had more than one helper there is no way to tell which helper to use.)
In the ntlm squid branch squid
* Only challenges with an authentication scheme if
a) a helper for that scheme is defined
b) the request needs to be checked against a proxy_auth acl
* Supports the
basic authentication scheme and the
ntlm authentication scheme
What if one scheme denies the user, can they try the other?
Yes and no :-/. Squid has _no_ control over what schemes a client may
try. It does offer the schemes that it supports (and has helpers defined
for), and most clients should present a user password box for the user
if the login fails the first time.
However having said that, MSIE will NOT switch to basic authentication
if NTLM is offered as a challenge. It will offer a user/password/domain
dialog box though.
How do I get squid-ntlm?
Use CVS and download it from the sourceforge cvs repository (see
http://devel.squid-cache.org). There is no daily snapshot happening at
the moment. If you don't have access to cvs (it is free software and
available on (AFAIK) every platform that squid runs on) then download
the patch (see http://devel.squid-cache.org/projects.html) and apply
that to the latest squid 2.4 daily snapshot. It should apply cleanly.
Do I need to do to build it?
* Run autoconf and autoheader in the root of the source tree.
* If you got the source via cvs unpack the icons -
You are now ready to treat it like a standard download of the squid
When you run the configure script, use --enable-ntlm-auth-modules=
option to compile one or more NTLM authentication helpers. (You can only
use one at a time, but building the different ones will give you some
flexability for testing).
If you want to use Basic authentication at the same time (say for
Netscape or Lynx users) use --enable-auth-modules= option to compile an
appropriate basic auth module for yuor environment.
No other special options are needed.
Configuring squid-ntlm - how do I _use it_.
If you are migrating from an older squid.conf file, you will not see the
new options. Look in squid.conf.default and you will see three new
# authenticate_children_ntlm 5
# authenticate_cache_garbage_interval 1 hour
To enable ntlm authentication you _must_ set the
authenticate_program_ntlm. It works the same was as
authenticate_program. Set the path to the helper, and any command line
parameters the helper needs.
Most users will _not_ need to tune the garbage collection interval. This
means *DO NOT TOUCH*.
You also need to set a proxy_auth acl and have it listed in at least one
http_access line. NTLM retrieved Usernames are returned in the form
domain\username. Note that this is in lower case.