Hello everyone, I'm facing some problem with squid.
Squid proxy is working but in access.log is showing TCP_DENIED/407 for most
of the connections.
If i remove authentication configuration from squid.conf this error is
missing in access.log.
CentOS Linux release 8.0.1905
Squid Cache: Version 4.4
checking the trust secret for domain AD via RPC calls succeeded
Any assistance in this matter would be greatly appreciated
For my understanding, with (NTLM) authentication every request needs to be authenticated. Therefore you will see TCP_DENIED/407 anytime before TCP_***/200 because the request needs to be authenticated anytime again.
> Hello everyone, I'm facing some problem with squid.
> Squid proxy is working but in access.log is showing TCP_DENIED/407 for most
> of the connections.
> If i remove authentication configuration from squid.conf this error is
> missing in access.log.
> CentOS Linux release 8.0.1905
> Squid Cache: Version 4.4
> wbinfo -t
> checking the trust secret for domain AD via RPC calls succeeded
> Any assistance in this matter would be greatly appreciated
> Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html > _______________________________________________
> squid-users mailing list
> [hidden email] > http://lists.squid-cache.org/listinfo/squid-users
"Note that when using NTLM authentication, you will see two "TCP_DENIED/407" entries in access.log for every request. This is due to the challenge-response process of NTLM."
So usually any request from end-user through ntlm auth proxy should log a TCP_DENIED/407. If you have websites allowed without authentication in squid.conf before the authentication configuration - of course, these are not logging 407. The real challenge-response thing maybe somebody else can explain that better to you / or link a documentation.
For example I'm running a whitelist configured before the authentication configuration, so i can add domains to allow without NTLM (apple.com domains etc)
Somehow I've manage to miss this last sentence
I have another proxy in production that is working with ACL's like this, but
showing the same error ""TCP_DENIED/407"
That is why i decide to build new one and find the "problem".
Probably will try new one with kerberos.
Thank you very much Schroeffu.