如何使用 SQUID 代理验证 .NET2 Web 服务
我有一个小实用程序,它是 SOAP WebService 客户端。 SOAP 代理是从 WSDL 生成的。一切正常。
现在客户想要使用 SQUID 代理,但它拒绝验证我的 SOAP 客户端。
我已经尝试过:
MyWebservice ws = new MyWebservice();
// set URL etc.
// login for the actual service, this part works
HeaderLogin hl = new HeaderLogin();
hl.username = svcLogin;
hl.password = svcPassword;
ws.HeaderLoginValue = hl;
// setting up the Proxy of the Proxy
//ws.Proxy = System.Net.WebRequest.GetSystemWebProxy();
ws.Proxy = System.Net.WebRequest.DefaultWebProxy;
//ws.Proxy.Credentials = CredentialCache.DefaultCredentials;
ws.Proxy.Credentials = new NetworkCredential(proxyUser, proxyPassword, proxyDomain);
但我不断收到 HTTP 407 错误:需要代理身份验证。
SQUID (squid/2.7.STABLE4) 设置为使用 NTLM 和 AD 进行身份验证。这似乎工作正常:还有其他 WebService 客户端正在通过代理正常。
我无法直接访问该网站,但只能查看一些日志文件。最引人注目的是我在 PCAP (Wireshark) 文件中看到的内容。当我使用 userName="Henk"、domain="TEST" 创建 NetworkCredential 时,它在 PCAP 中显示为
... HTTP CONNECT someurl:443 HTTP/1.1 ,NTLMSSP_AUTH,用户:T\H
当我查看 PCAP 的工作服务时
... HTTP CONNECT someurl:443 HTTP/1.0 ,NTLMSSP_AUTH,用户:TEST\Henk
并且在 SQUID acces.log 中所有尝试都显示为:
... 0 192.168.15.95 TCP_DENIED/407 1759 CONNECT someurl:443 - 无/- text/html
... 32 192.168.15.95 TCP_DENIED/407 2055 CONNECT someurl:443 - 无/- text/html
... 31 192.168.15.95 TCP_DENIED/407 1759 连接 someurl:443 - 无/- text/html
具体问题:
- .NET2 SOAP 和 Squid 存在任何已知问题吗?
- TEST\Henk 显示为 T\H 有意义吗?
- 我还应该寻找什么?
I've got a little utility that is a SOAP WebService client. The SOAP-proxy is generated from WSDL. It was working fine.
Now the customer wants to use a SQUID proxy, but that refuses to authenticate my SOAP client.
I have already tried:
MyWebservice ws = new MyWebservice();
// set URL etc.
// login for the actual service, this part works
HeaderLogin hl = new HeaderLogin();
hl.username = svcLogin;
hl.password = svcPassword;
ws.HeaderLoginValue = hl;
// setting up the Proxy of the Proxy
//ws.Proxy = System.Net.WebRequest.GetSystemWebProxy();
ws.Proxy = System.Net.WebRequest.DefaultWebProxy;
//ws.Proxy.Credentials = CredentialCache.DefaultCredentials;
ws.Proxy.Credentials = new NetworkCredential(proxyUser, proxyPassword, proxyDomain);
But I keep getting the HTTP 407 error: Proxy authentication required.
SQUID (squid/2.7.STABLE4) is setup to use NTLM and AD for the authentication. That seems to work OK: there are other WebService clients that are getting through the Proxy OK.
I don't have direct access to the site but only some logfiles to look at. Most remarkable is what I can see in the PCAP (Wireshark) files. When I create a NetworkCredential with userName="Henk", domain="TEST" it shows up in the PCAP as
... HTTP CONNECT someurl:443 HTTP/1.1 , NTLMSSP_AUTH, User: T\H
And when I look at the PCAP for a working service
... HTTP CONNECT someurl:443 HTTP/1.0 , NTLMSSP_AUTH, User: TEST\Henk
And in the SQUID acces.log all attempts are shown as:
... 0 192.168.15.95 TCP_DENIED/407 1759 CONNECT someurl:443 - NONE/- text/html
... 32 192.168.15.95 TCP_DENIED/407 2055 CONNECT someurl:443 - NONE/- text/html
... 31 192.168.15.95 TCP_DENIED/407 1759 CONNECT someurl:443 - NONE/- text/html
Concrete questions:
- any known issues with .NET2 SOAP and Squid?
- is the display of TEST\Henk as T\H significant?
- anything else I should be looking for?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
NTLM 连接可能在连接完成之前被回收,从而导致新的/第二个匿名连接请求和 407 错误。
尝试重写 GetWebRequest(Uri uri) 方法并设置 KeepAlive 属性设置为 false。
使用以下内容编辑 Reference.cs 文件:
请记住,更新 Web 引用将导致 Visual Studio 重新生成该文件,并且您需要再次修改该文件。
It is possible that the NTLM connection is being recycled before the connection is completed resulting in a new/second anonymous connection request and the 407 error.
Try overriding the GetWebRequest(Uri uri) method and set the KeepAlive property to false.
Edit the Reference.cs file with the following:
Just remember that updating the web reference will cause Visual Studio to regenerate the file and you'll need to modify the file again.
T\H 可能表明您将 Unicode 字符串用作 ASCII 字符串。由于 Unicode 字符是两个字节(Windows 上最常见的情况),因此如果将它们解释为 ASCII,您将获得真实字符和空终止符字节。
我不希望在 .NET 应用程序中看到这种类型的错误,但你永远不知道。
The T\H could be an indication that you have Unicode string being used as ASCII string. Since Unicode characters are two bytes (the most common case on Windows), if you interpret them as ASCII you get the real character and a null terminator byte.
I wouldn't expect to see that type of error in a .NET app, but you never know.
我看到鱿鱼日志显示对 someurl:443 的访问被拒绝...端口 443 是安全通道端口 (SSL)。在通常的实践中,托管在 SSL 上的 Web 服务需要某种身份验证。请检查网络服务凭据要求。您可能必须传递凭据或通过证书将自己验证为有效客户端。
I see that squid log shows access denied to someurl:443... port 443 is a secure channel port (SSL). In common practice webservices hosted on SSL require some sort of a authentication. please check the webservice credential requirements. you may have to pass the credentials or authenticate yourself as a valid client through a certificate.
您可以尝试将“http_access allowed”添加到您的鱿鱼配置中的域中吗
can you try add "http_access allow" to the domain in your squid config