Re: [squid-users] Authentication problem

2016-10-31 Thread Amos Jeffries
On 1/11/2016 6:31 a.m., Eduardo Carneiro wrote:
> Hi all.
> 
> I have a strange authentication issue in my squid 3.5.19. My workstations
> can only authenticate if they are joined to the domain. When they are not
> joined to the domain, I access any URL in the browser (Firefox and Chrome
> tested) and I'm not able to authenticate in the boxes that are shown to me.
> 
> Squid logs show me "TCP_DENIED/407".

Meaning either no credentials were given, or the ones given would not
work, or the NTLM handshake initial request happened.

> 
> Below is my squid.conf authentication configuration:
> 
> ---
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 140
> auth_param ntlm keep_alive on

Try with "keep_alive off" on the above line. It may prevent recent
browsers from using Basic auth when NTLM fails (which it will for
off-domain users).

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
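An added example (not from the thread): a small Python script that sorts the TCP_DENIED/407 entries Eduardo sees by client. At most two 407s from one client followed by a request logged with a username is the normal NTLM handshake Amos mentions; an unbroken run of 407s with no username ever logged is a client that never completes authentication, such as a workstation that is not domain-joined. The log lines, addresses and user names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Squid's native access.log layout (not from the thread):
# timestamp elapsed client action/status size method URL user hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1477900000.100     5 192.168.1.50 TCP_DENIED/407 3921 GET http://example.test/ - HIER_NONE/- text/html
1477900000.120     4 192.168.1.50 TCP_DENIED/407 3921 GET http://example.test/ - HIER_NONE/- text/html
1477900000.350   210 192.168.1.50 TCP_MISS/200 5120 GET http://example.test/ CORP\\alice HIER_DIRECT/203.0.113.10 text/html
1477900001.000     5 192.168.1.77 TCP_DENIED/407 3921 GET http://example.test/ - HIER_NONE/- text/html
1477900001.020     4 192.168.1.77 TCP_DENIED/407 3921 GET http://example.test/ - HIER_NONE/- text/html
1477900001.040     4 192.168.1.77 TCP_DENIED/407 3921 GET http://example.test/ - HIER_NONE/- text/html
1477900001.900     6 192.168.1.77 TCP_DENIED/407 3921 GET http://example.test/favicon.ico - HIER_NONE/- text/html
1477900002.000    30 192.168.1.90 TCP_HIT/200 811 GET http://intranet.test/ - HIER_NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)


def parse_access_log(text):
    """Parse native-format access.log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def classify_clients(entries, max_handshake_407=2):
    """Per client IP, judge the 407s.

    NTLM over HTTP costs two 407s per connection: the first request carries no
    credentials, the second carries the type-1 message and is answered with the
    challenge, and only the third (type-3) request gets through. A streak longer
    than max_handshake_407 with no username ever logged therefore means the
    client never finishes the handshake (and Basic fallback did not rescue it).
    """
    state = defaultdict(lambda: {"streak": 0, "longest": 0, "authed": False, "total407": 0})
    for e in entries:
        s = state[e["client"]]
        if e["status"] == 407:
            s["streak"] += 1
            s["total407"] += 1
            s["longest"] = max(s["longest"], s["streak"])
        else:
            if e["user"] != "-":
                s["authed"] = True   # Squid logged a username: auth succeeded
            s["streak"] = 0          # any non-407 answer ends the current run
    verdicts = {}
    for client, s in state.items():
        if s["total407"] == 0:
            verdicts[client] = "no_challenge"
        elif s["authed"] and s["longest"] <= max_handshake_407:
            verdicts[client] = "authenticated"
        elif s["authed"]:
            verdicts[client] = "authenticated_after_retries"
        elif s["longest"] > max_handshake_407:
            verdicts[client] = "challenge_loop"
        else:
            verdicts[client] = "handshake_pending"
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(classify_clients(parse_access_log(SAMPLE_ACCESS_LOG)).items()):
        print("%-16s %s" % (client, verdict))
```

Clients reported as challenge_loop are the ones to check for domain membership or a browser that skips Basic fallback; authenticated clients with a couple of 407s are behaving normally.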


[squid-users] Authentication problem

2016-10-31 Thread Eduardo Carneiro
Hi all.

I have a strange authentication issue in my squid 3.5.19. My workstations
can only authenticate if they are joined to the domain. When they are not
joined to the domain, I access any URL in the browser (Firefox and Chrome
tested) and I'm not able to authenticate in the boxes that are shown to me.

Squid logs show me "TCP_DENIED/407".

Below is my squid.conf authentication configuration:

---
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 140
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 60
auth_param basic credentialsttl 10 hours
auth_param basic realm enter your password

acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
---

I noticed that in Firefox's private tabs works perfectly.

Am I doing something wrong? Has anyone experienced this?

Thanks,
Eduardo Carneiro





Re: [squid-users] Authentication Problem

2015-12-04 Thread Dima Ermakov
Thank you, Amos.

I checked everything that you wrote.
It didn't help me.

I have this problem only on google chrome browser.
Before 2015-12-03 all was good.
I didn't change my configuration more than one month.

Ten minutes ago "Noel Kelly nke...@citrusnetworks.net" wrote in this list
that Google Chrome v47 has broken NTLM authentication.
My clients with problems have Google Chrome v47 (((

Mozilla Firefox clients work well.

Thank you!

This is the message from Noel Kelly:
"

Hi

For information, the latest version of Google Chrome (v47.0.2526.73M) has
broken NTLM authentication:

https://code.google.com/p/chromium/issues/detail?id=544255
https://productforums.google.com/forum/#!topic/chrome/G_9eXH9c_ns;context-place=forum/chrome

Cheers

"

On 4 December 2015 at 04:55, Amos Jeffries  wrote:

> On 4/12/2015 9:46 a.m., Dima Ermakov wrote:
> > Hi!
> > I have a problem with authentication.
> >
> > I use samba ntlm authentication in my network.
> >
> > Some users ( not all ) have problems with http traffic.
> >
> > They see basic authentication request.
>
> Meaning you *don't* have NTLM authentication on your network.
>
> Or you are making the mistake of thinking a popup means Basic
> authentication.
>
> > If they enter the correct domain login and password, they get an auth error.
> > If these users try to open https sites, all works well; they don't have any
> > type of errors.
>
> So,
>  a) they are probably not going through this proxy, or
>  b) the browser is suppressing the proxy-auth popups, or
>  c) the authentication request is not coming from *your* proxy.
>
> >
> > So we have errors only with unencrypted connections.
> >
> > I have this error on two servers:
> > debian8, squid3.4 (from repository)
> > CentOS7, squid3.3.8 (from repository).
> >
>
> Two things to try:
>
> 1) Adding a line like this before the group access controls in
> frontend.conf. This will ensure that authentication credentials are valid
> before doing group lookups:
>  http_access deny !AuthorizedUsers
>
>
> 2) checking up on the Debian winbind issue mentioned in
> <
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions
> >
>
> I'm not sure about this; it is likely to be involved on Debian, but CentOS
> is not known to have that issue.
>
>
> Oh and:
>  3) remove the "acl manager" line from squid.conf.
>
>  4) change your cachemgr_passwd. Commenting it out does not hide it from
> view when you post it on this public mailing list.
>
> You should remove all the commented out directives as well, some of them
> may be leading to misunderstanding of what the config is actually doing.
>
>
> Amos
>



-- 
С уважением, Дмитрий Ермаков.


Re: [squid-users] Authentication Problem

2015-12-04 Thread Samuel Anderson
Hi Amos and Dima,

I'm having the exact same problem. After updating Chrome to version
(47.0.2526.73 m) I'm no longer able to authenticate. IE and Firefox still seem
to work fine. I haven't changed anything in my config file for months.

On Fri, Dec 4, 2015 at 5:22 AM, Dima Ermakov  wrote:

> Thank you, Amos.
>
> I checked everything that you wrote.
> It didn't help me.
>
> I have this problem only on google chrome browser.
> Before 2015-12-03 all was good.
> I didn't change my configuration more than one month.
>
> Ten minutes ago "Noel Kelly nke...@citrusnetworks.net" wrote in this
> list that Google Chrome v47 has broken NTLM authentication.
> My clients with problems have Google Chrome v47 (((
>
> Mozilla Firefox clients work well.
>
> Thank you!
>
> This is the message from Noel Kelly:
> "
>
> Hi
>
> For information, the latest version of Google Chrome (v47.0.2526.73M) has
> broken NTLM authentication:
>
> https://code.google.com/p/chromium/issues/detail?id=544255
>
> https://productforums.google.com/forum/#!topic/chrome/G_9eXH9c_ns;context-place=forum/chrome
>
> Cheers
>
> "
>
> On 4 December 2015 at 04:55, Amos Jeffries  wrote:
>
>> On 4/12/2015 9:46 a.m., Dima Ermakov wrote:
>> > Hi!
>> > I have a problem with authentication.
>> >
>> > I use samba ntlm authentication in my network.
>> >
>> > Some users ( not all ) have problems with http traffic.
>> >
>> > They see basic authentication request.
>>
>> Meaning you *don't* have NTLM authentication on your network.
>>
>> Or you are making the mistake of thinking a popup means Basic
>> authentication.
>>
>> > If they enter the correct domain login and password, they get an auth error.
>> > If these users try to open https sites, all works well; they don't have any
>> > type of errors.
>>
>> So,
>>  a) they are probably not going through this proxy, or
>>  b) the browser is suppressing the proxy-auth popups, or
>>  c) the authentication request is not coming from *your* proxy.
>>
>> >
>> > So we have errors only with unencrypted connections.
>> >
>> > I have this error on two servers:
>> > debian8, squid3.4 (from repository)
>> > CentOS7, squid3.3.8 (from repository).
>> >
>>
>> Two things to try:
>>
>> 1) Adding a line like this before the group access controls in
>> frontend.conf. This will ensure that authentication credentials are valid
>> before doing group lookups:
>>  http_access deny !AuthorizedUsers
>>
>>
>> 2) checking up on the Debian winbind issue mentioned in
>> <
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions
>> >
>>
>> I'm not sure about this; it is likely to be involved on Debian, but CentOS
>> is not known to have that issue.
>>
>>
>> Oh and:
>>  3) remove the "acl manager" line from squid.conf.
>>
>>  4) change your cachemgr_passwd. Commenting it out does not hide it from
>> view when you post it on this public mailing list.
>>
>> You should remove all the commented out directives as well, some of them
>> may be leading to misunderstanding of what the config is actually doing.
>>
>>
>> Amos
>>
>
>
>
> --
> С уважением, Дмитрий Ермаков.
>
>
>


-- 
Samuel Anderson  |  System Administrator  |  International Document Services

IDS  |  11629 South 700 East, Suite 200  |  Draper, UT 84020-4607



[squid-users] Authentication Problem

2015-12-03 Thread Dima Ermakov
Hi!
I have a problem with authentication.

I use samba ntlm authentication in my network.

Some users (not all) have problems with http traffic.

They see a basic authentication request.
If they enter the correct domain login and password, they get an auth error.
If these users try to open https sites, all works well; they don't have any
type of errors.


So we have errors only with unencrypted connections.

I have this error on two servers:
debian8, squid3.4 (from repository)
CentOS7, squid3.3.8 (from repository).

squid servers are domain joined.

System Time on client PC is correct.

Sorry for my bad English.
Thank you, for your help.

Configuration files are in attachment.

-- 
С уважением, Дмитрий Ермаков.
# Uncomment and adjust the following to add a disk cache directory.
cache_dir aufs /var/spool/squid3/ 1 32 256

http_port 127.0.0.1:4001
cache_mem 1024 MB
visible_hostname it-gw-b.vod.local
http_access allow localhost

access_log /var/log/squid3/access.backend.log
cache_log /var/log/squid3/cache.backend.log

#Memory Cache size
cache_mem 256 MB

maximum_object_size_in_memory 1024 KB

cache_peer 127.0.0.1 parent 4001 0 default name=it-squid-b.vod.local
never_direct allow all

visible_hostname it-gw-f.vod.local

##AUTHENTICATION BLOCK#
#Authentication Programs
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100 startup=5 idle=5
auth_param ntlm keep_alive on

#authenticate_ttl 1 hour
#authenticate_cache_garbage_interval 1 hour


auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic credentialsttl 600 second
auth_param basic children 60 startup=5 idle=5



#Need Auth
acl AuthorizedUsers proxy_auth REQUIRED

#Unlim speed users
acl unlim_group src "/etc/squid/acl/unlim_group"

#Check group membership
external_acl_type testforGroup children-max=30 children-startup=5 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl
acl internet_G external testforGroup Internet_group
acl internet_SG external testforGroup Internet_super_group

## END AUTHENTICATION BLOCK #


### Speed Limits Block ###
delay_pools 3

#Limit for internet super group
delay_class 1 4

#Limit for internet group
delay_class 2 4

# No Speed Limit - unlim
delay_class 3 4

delay_parameters 1 -1/-1 -1/-1 -1/-1 -1/-1
delay_parameters 2 -1/-1 -1/-1 -1/-1 125000/125000
delay_parameters 3 -1/-1 -1/-1 -1/-1 64000/64000


delay_access 1 allow unlim_group
#delay_access 1 allow unlim_domains
delay_access 1 deny all

delay_access 2 allow internet_SG
delay_access 2 deny all

delay_access 3 allow internet_G
delay_access 3 deny all

### End Speed Limits Block ###


### ACL Control Block ###

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet

http_access allow unlim_group
http_access allow internet_SG
http_access allow internet_G

#http_access allow unlim_group


# And finally deny all other access to this proxy
http_access allow localhost

http_access deny all

### End ACL Control Block ###

# Squid normally listens to port 3128
http_port 8080
##https_port 8080

access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
#
# Recommended minimum configuration:
#

### SNMP
#if ${process_number} = 2
##   snmp_port 3401
#endif
acl zabbix src 192.168.4.19/32
acl snmppublic snmp_community public
snmp_access allow snmppublic zabbix
snmp_access allow snmppublic localhost
snmp_access deny all

### END SNMP



pid_filename /var/run/squid3/squid.pid

### Set local DNS as DNS for squid
dns_nameservers 127.0.0.1 192.168.4.23 192.168.4.1 192.168.4.2

#DNS V4
dns_v4_first on

### SMP support
###workers 4

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/18 # RFC1918 possible internal network
acl localnet src 192.168.4.0/23 # RFC1918 possible internal network
#acl localnet src fc00::/7   # RFC 4193 local private network range
#acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443 #https
acl SSL_ports port 8445 #it-smtp.vod.local
acl SSL_ports port 8443 #it-ubiquiti.vod.local

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # 

Re: [squid-users] Authentication Problem

2015-12-03 Thread Amos Jeffries
On 4/12/2015 9:46 a.m., Dima Ermakov wrote:
> Hi!
> I have a problem with authentication.
> 
> I use samba ntlm authentication in my network.
> 
> Some users ( not all ) have problems with http traffic.
> 
> They see basic authentication request.

Meaning you *don't* have NTLM authentication on your network.

Or you are making the mistake of thinking a popup means Basic
authentication.

> If they enter the correct domain login and password, they get an auth error.
> If these users try to open https sites, all works well; they don't have any
> type of errors.

So,
 a) they are probably not going through this proxy, or
 b) the browser is suppressing the proxy-auth popups, or
 c) the authentication request is not coming from *your* proxy.

> 
> So we have errors only with unencrypted connections.
> 
> I have this error on two servers:
> debian8, squid3.4 (from repository)
> CentOS7, squid3.3.8 (from repository).
> 

Two things to try:

1) Adding a line like this before the group access controls in
frontend.conf. This will ensure that authentication credentials are valid
before doing group lookups:
 http_access deny !AuthorizedUsers


2) checking up on the Debian winbind issue mentioned in


I'm not sure about this; it is likely to be involved on Debian, but CentOS
is not known to have that issue.


Oh and:
 3) remove the "acl manager" line from squid.conf.

 4) change your cachemgr_passwd. Commenting it out does not hide it from
view when you post it on this public mailing list.

You should remove all the commented out directives as well, some of them
may be leading to misunderstanding of what the config is actually doing.


Amos


[squid-users] Authentication problem upgrading from squid 2 to squid 3

2012-12-20 Thread Javier Smaldone
I've been using squid 2.6.STABLE5 for a long time. Now, I'm upgrading
to 3.1.19 (Ubuntu 12.04). On my previous setup I've used ldap_auth
(with basic authentication) and after tuning my configuration I made
it work for squid3.

But now I have a problem with some (allowed) sites that load some
(forbidden) content (as twitter and facebook javascript, for example):
When loading such a page, the user gets prompted (again) for the login
credentials.

I've raised the loglevel to 9 and found some differences on the log
for exactly the same request.

Please, take a look at my config and logfile and save my life!

Thanks in advance.

--
Javier


This is the relevant part of my squid.conf file:

auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b dc=mycompany,dc=com,dc=ar -D cn=ldaplinux,ou=ati,dc=mycompany,dc=com,dc=ar -W /etc/squid3/secret -f sAMAccountName=%s -h ldapserver
auth_param basic children 5
auth_param basic credentialsttl 2 hours
auth_param basic realm Internet access

# The LDAP filter needs the AND operator "(&...)" in front of its clauses; the "&" was lost in the archive copy.
external_acl_type adsgroup %LOGIN /usr/lib/squid3/squid_ldap_group -b dc=mycompany,dc=com,dc=ar -D cn=ldaplinux,ou=ati,dc=mycompany,dc=com,dc=ar -W /etc/squid3/secret -f (&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=mycompany,dc=com,dc=ar)) -h ldapserver -v 3

http_access allow manager localhost
http_access deny manager

acl forbidden_ip src /var/squid/acls/noips
http_access deny forbidden_ip

acl users.privileged external adsgroup internet.privileged
http_access allow users.privileged

[...lot of acl and http_access rules...]

acl domains.banned.re dstdom_regex /var/squid/acls/domains.banned.re
http_access deny domains.banned.re
# domains.banned.re includes '\.twitter\'


For the request GET http://platform.twitter.com/widgets.js, the
first part of the log info is always the same (and it is the expected
behaviour):


| HttpMsg.cc(445) parseRequestFirstLine: parsing possible request:
GET http://platform.twitter.com/widgets.js HTTP/1.1
Host: platform.twitter.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: */*
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://www.infobae.com/notas/687652-Cromanon-todos-los-condenados-seran-detenidos-inmediatamente.html
Proxy-Authorization: Basic XXX


| Parser: retval 1: from 0-52: method 0-2; url 4-41; version 43-50 (1/1)
| parseHttpRequest: req_hdr = {Host: platform.twitter.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: */*
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://www.infobae.com/notas/687652-Cromanon-todos-los-condenados-seran-detenidos-inmediatamente.html
Proxy-Authorization: Basic XXX

}
| parseHttpRequest: end = {
}

[...]

| parsing HttpHeaderEntry: near 'Proxy-Authorization: Basic
XXX'
| parsed HttpHeaderEntry: 'Proxy-Authorization: Basic XXX'
| created HttpHeaderEntry 0x7f6b92f4d790: 'Proxy-Authorization : Basic
XXX
| 0x7f6b7dc43150 adding entry: 40 at 7

[...]

| ACLChecklist::preCheck: 0x7f6b80288658 checking 'http_access deny
forbidden_ip'
| ACLList::matches: checking forbidden_ip
| ACL::checklistMatches: checking 'forbidden_ip'
| aclIpMatchIp: '192.168.1.1:53563' NOT found
| ACL::ChecklistMatches: result for 'forbidden_ip' is 0
| ACLList::matches: result is false
| aclmatchAclList: 0x7f6b80288658 returning false (AND list entry
failed to match)
| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0
lastACLResult() = 0 finished() = 0


Now, the important part: Checking user credentials (and group membership).

Despite the presence of the Proxy-Authorization field on the
request, the log shows:

| ACLChecklist::preCheck: 0x7f6b80288658 checking 'http_access allow
users.privileged'
| ACLList::matches: checking users.privileged
| ACL::checklistMatches: checking 'users.privileged'
| aclMatchExternal: acl=adsgroup
| authenticateAuthenticate: broken auth or no proxy_auth header.
Requesting auth header.
| Acl.cc(70) AuthenticateAcl: returning 0 sending authentication challenge.
| aclMatchExternal: adsgroup user not authenticated (0)
| ACL::ChecklistMatches: result for 'users.privileged' is 0
| ACLList::matches: result is false
| aclmatchAclList: 0x7f6b80288658 returning false (AND list entry
failed to match)
| ACLChecklist::checkForAsync: requiring Proxy Auth header.

As a result, the browser asks the user for credentials again. When
entered, the request shows exactly the same for the first ACL checks,
but when checking http_access allow users.privileged it shows:

| ACLChecklist::preCheck: 0x7f6b80288658 checking 'http_access allow
users.privileged'
| ACLList::matches: checking users.privileged
| ACL::checklistMatches: checking 'users.privileged'
| aclMatchExternal: acl=adsgroup
| 

[squid-users] Authentication problem

2012-11-22 Thread Warren Baker
Hi List

I have squid-3.2.3 configured to make use of negotiate, and to
authenticate certain users. However the following config doesn't work


acl userA proxy_auth warren
acl userB proxy_auth testb

http_access allow userA
http_access allow userB
http_access deny all

userA successfully authenticates and can browse. userB however
obviously doesn't match the userA acl and just gets presented with the
cache denied page.
Debugging the acl shows that it never moves past the userA acl and
doesn't continue onto authenticating the 'testb' user.

What am I doing wrong here?

thx

-- 
.warren


AW: AW: [squid-users] Authentication problem

2012-05-15 Thread Fuhrmann, Marcel
Image #1 appears to be a login box of some kind. Where is it coming from; the 
browser software or a web page?
 Browser

Image #2 appears to be an HTTP login which the browser is refusing to display 
popup box for. Why is the browser not finding credentials somewhere or showing 
a popup?
 The popup shown in picture one doesn't appear. For some reason, some 
 credentials are automatically used (maybe SSO) or some configuration block 
 this login popup.


-Ursprüngliche Nachricht-
Von: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Gesendet: Mittwoch, 9. Mai 2012 03:53
An: squid-users@squid-cache.org
Betreff: Re: AW: [squid-users] Authentication problem

On 09.05.2012 01:44, Fuhrmann, Marcel wrote:
 Hi Markus,

 sorry, but it doesn't work. :-(

 - Added this line in squid.conf
 - server squid3 reload
 - deleted IE cache restarted IE and open the website - same error.


Err, yeah. Leaving the headers alone only works if one was already playing with 
erasing them in the first place. If someone else was erasing them in transit 
you need to kick them about the problems.


 Any other ideas?

Finding out what the problem actually is would be a better start.

Image #1 appears to be a login box of some kind. Where is it coming from; the 
browser software or a web page?

Image #2 appears to be an HTTP login which the browser is refusing to display 
popup box for. Why is the browser not finding credentials somewhere or showing 
a popup?

Amos



 -Ursprüngliche Nachricht-
 Von: Markus Lauterbach

 Hi Marcel,

 You have to add a small piece in your config. I think, it should look 
 somehow like this:

 header_access Authorization allow all

 And restart your squid.

 Markus

 -Ursprüngliche Nachricht-
 Von: Fuhrmann, Marcel

 Hello,

 I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a 
 website.
 Normally (without proxy) I am getting this window to login:
 http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu

 With proxy I get this error (german; but understandable):
 http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um

 Can somebody give me advice?


 Thanks a lot!

 --
 Marcel



[squid-users] Authentication problem

2012-05-08 Thread Fuhrmann, Marcel
Hello,

I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a website.
Normally (without proxy) I am getting this window to login:
http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu

With proxy I get this error (german; but understandable):
http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um

Can somebody give me advice?


Thanks a lot!

--
Marcel



RE: [squid-users] Authentication problem

2012-05-08 Thread Markus Lauterbach
Hi Marcel,

You have to add a small piece in your config. I think, it should look somehow 
like this:

header_access Authorization allow all

And restart your squid.

Markus

 -Ursprüngliche Nachricht-
 Von: Fuhrmann, Marcel [mailto:marcel.fuhrm...@lux.ag]
 Gesendet: Dienstag, 8. Mai 2012 15:04
 An: squid-users@squid-cache.org
 Betreff: [squid-users] Authentication problem
 
 Hello,
 
 I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a website.
 Normally (without proxy) I am getting this window to login:
 http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu
 
 With proxy I get this error (german; but understandable):
 http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um
 
 Can somebody give me advice?
 
 
 Thanks a lot!
 
 --
 Marcel



AW: [squid-users] Authentication problem

2012-05-08 Thread Fuhrmann, Marcel
Hi Markus,

sorry, but it doesn't work. :-(

- Added this line in squid.conf
- server squid3 reload
- deleted IE cache restarted IE and open the website - same error.

Any other ideas?

--
Marcel




-Ursprüngliche Nachricht-
Von: Markus Lauterbach [mailto:markus.lauterb...@meinestadt.de] 
Gesendet: Dienstag, 8. Mai 2012 15:32
An: squid-users@squid-cache.org
Betreff: RE: [squid-users] Authentication problem

Hi Marcel,

You have to add a small piece in your config. I think, it should look somehow 
like this:

header_access Authorization allow all

And restart your squid.

Markus

 -Ursprüngliche Nachricht-
 Von: Fuhrmann, Marcel [mailto:marcel.fuhrm...@lux.ag]
 Gesendet: Dienstag, 8. Mai 2012 15:04
 An: squid-users@squid-cache.org
 Betreff: [squid-users] Authentication problem
 
 Hello,
 
 I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a website.
 Normally (without proxy) I am getting this window to login:
 http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu
 
 With proxy I get this error (german; but understandable):
 http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um
 
 Can somebody give me advice?
 
 
 Thanks a lot!
 
 --
 Marcel



Re: AW: [squid-users] Authentication problem

2012-05-08 Thread Amos Jeffries

On 09.05.2012 01:44, Fuhrmann, Marcel wrote:

Hi Markus,

sorry, but it doesn't work. :-(

- Added this line in squid.conf
- server squid3 reload
- deleted IE cache restarted IE and open the website - same error.



Err, yeah. Leaving the headers alone only works if one was already 
playing with erasing them in the first place. If someone else was 
erasing them in transit you need to kick them about the problems.




Any other ideas?


Finding out what the problem actually is would be a better start.

Image #1 appears to be a login box of some kind. Where is it coming 
from; the browser software or a web page?


Image #2 appears to be an HTTP login which the browser is refusing to 
display popup box for. Why is the browser not finding credentials 
somewhere or showing a popup?


Amos




-Ursprüngliche Nachricht-
Von: Markus Lauterbach

Hi Marcel,

You have to add a small piece in your config. I think, it should look
somehow like this:

header_access Authorization allow all

And restart your squid.

Markus


-Ursprüngliche Nachricht-
Von: Fuhrmann, Marcel

Hello,

I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a 
website.

Normally (without proxy) I am getting this window to login:
http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu

With proxy I get this error (german; but understandable):
http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um

Can somebody give me advice?


Thanks a lot!

--
Marcel




Re: [squid-users] Authentication problem

2012-04-06 Thread Mohamed Amine Kadimi
 The designed purpose of these redirect tricks in commercial proxies (and
 Squid captive portals too) is to get the client to make a request to a
 controlled web service. That server pulls details such as the client IP
 address and user-agent header (maybe other things) which the proxy can use
 as the things it checks for in external_acl_type script to guess at which
 later requests are coming from this same client and allow them through. If
 you do login at that point (optional!) it is merely to associate the browser
 signature with a username for recording/billing purposes.

Thank you for clearing that up for me.

So when a client requests a web page, I'll check some session table
which should return OK to let the user go to the internet or ERR to
redirect him to my portal and recheck for cookie presence.

The problem now is this session table. Is there any squid session
helper which is able to bind the session info to additional data
besides the user's IP?



--
Mohamed Amine Kadimi

Tél     : +212 (0) 675 72 36 45
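An added example (not from the thread and not Squid's own code): a Python external ACL helper implementing the session table Mohamed asks about, keyed by the client IP plus User-Agent "browser signature" that Amos describes. It assumes the external_acl_type wiring shown in the comments, Squid's default URL-encoding of helper input values, and a portal that calls login() after the user signs in; the addresses and user agents in the test are constructed.

```python
import sys
import time
from urllib.parse import quote, unquote

# Assumed squid.conf wiring for this helper (illustrative, not from the thread):
#   external_acl_type portal_session ttl=60 negative_ttl=5 %SRC %{User-Agent} /usr/local/bin/portal_session.py
#   acl portal_session external portal_session
#   http_access allow portal_session
#   http_access deny all      # a deny_info redirect for this ACL would send the client to the portal
# With Squid's default quote=url each value arrives URL-encoded, so the
# User-Agent (which contains spaces) reaches the helper as a single token.

DEFAULT_TTL = 3600  # seconds a portal login stays bound to a browser signature


class SessionTable:
    """Sessions keyed by (client IP, User-Agent).

    This is the guess Amos describes, not authentication: every host behind the
    same NAT address running the same browser build shares the key, and a
    User-Agent is neither secret nor fixed. Treat OK answers as "probably the
    same browser that logged in", which is enough for recording/billing only.
    """

    def __init__(self, ttl=DEFAULT_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._sessions = {}

    def login(self, src_ip, user_agent, username):
        """Record a successful portal login for this browser signature."""
        self._sessions[(src_ip, user_agent)] = (username, self.clock() + self.ttl)

    def lookup(self, src_ip, user_agent):
        """Return the username bound to this signature, or None if absent or expired."""
        key = (src_ip, user_agent)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        username, expires = entry
        if self.clock() >= expires:
            del self._sessions[key]  # expired: drop it so the user is sent back to the portal
            return None
        return username


def parse_lookup_line(line):
    """One helper request: '<src-ip> <url-encoded user-agent>'. Returns (ip, ua) or None."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    return parts[0], unquote(parts[1])


def decide(table, line):
    """Reply for one request line. 'OK user=<name>' lets Squid log the request
    under that name; 'ERR' makes the ACL not match, so later deny rules apply.
    Malformed input is answered with ERR rather than letting the request through."""
    parsed = parse_lookup_line(line)
    if parsed is None:
        return "ERR"
    username = table.lookup(*parsed)
    if username is None:
        return "ERR"
    return "OK user=%s" % quote(username, safe="")


def serve(table, stdin=sys.stdin, stdout=sys.stdout):
    """Helper main loop: exactly one reply line per request line, flushed at once."""
    for line in stdin:
        stdout.write(decide(table, line) + "\n")
        stdout.flush()


if __name__ == "__main__":
    # A real deployment shares the table with the portal (a database or cache);
    # started on its own this process knows no sessions and answers ERR to everything.
    serve(SessionTable())
```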


Re: [squid-users] Authentication problem

2012-04-04 Thread Amos Jeffries

On 4/04/2012 3:54 a.m., Mohamed Amine Kadimi wrote:
OK, so here's another pseudo code that comes to my mind, this is 
somehow similar to some commercial products (Ironport, bluecoat):


- The user connects to http://www.somesite.com via the proxy
- The Proxy redirects to http://authenticationportal/http://www.somesite.com
with 302 return code.
- User is verified/authenticated on the authentication portal. This
authentication portal sets a cookie and redirects to http://www.somesite.com
- User connects to http://www.somesite.com via proxy. Proxy knows user is
authenticated (cookie).


The problem is with the last step since the cookie is bound to
http://authenticationportal so the user may encounter an endless loop.


Exactly. The browser authenticated against your website. It did not 
authenticate against the proxy or against somesite.com.


The designed purpose of these redirect tricks in commercial proxies (and 
Squid captive portals too) is to get the client to make a request to a 
controlled web service. That server pulls details such as the client IP 
address and user-agent header (maybe other things) which the proxy can 
use as the things it checks for in external_acl_type script to guess at 
which later requests are coming from this same client and allow them 
through. If you do login at that point (optional!) it is merely to 
associate the browser signature with a username for recording/billing 
purposes.
  Notice how there is nothing required for the browser to do except 
visit. Basically: no authentication.





Do you know the solution for letting this authenticated user go to the 
target after being authenticated


I think you are getting closer to understanding the boundary between 
possible and impossible.


The whole point of traffic interception is that the browser is *not* 
aware of the proxy. You might as well try to drink water out of an empty 
cup,  as to get the browser to do something special for the proxy.



I like your example. somesite.com happens to actually be a real 
website owned by an actual dodgy company.  Go on; visit it. See the ads, 
see the script errors, read the no-privacy policy, notice how the 
opt-out from their user tracking systems is not working.


Now consider what would happen if authenticationportal was your own 
banks website. What details about your login to the bank would you want 
to send to that dodgy website? the username? the password? the session 
cookies? some other detail used to link you and your accounts?


You are asking us how to make the browser spread exactly that private 
information to websites which have no business receiving it.


Amos



On 3/04/2012 3:40 a.m., Mohamed Amine Kadimi wrote:

Dear Developers and Community,

I would like to set up the following configuration using squid:

When a user asks for a web page he is transparently redirected to
squid, where an authentication must be done before serving the user
with content.


Please read

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F





However, users' IPs are being NATed before going to the proxy. So the
solution would be to use an application-layer verification: cookies or
http headers

So, I come across the following solutions:

1. Use an ICAP server which checks if a cookie is set, otherwise set
it for an authenticated user
 the problem is: cookies are bound to domains + each http request must
be validated

2. Use a php splash page which sets the cookie then redirect to destination
 same problem as ICAP

3. using squid authentication and checking if Proxy-Authorization
header is set before serving the client
  problem: sessions are associated to the IP by squid

I'm using squid 3.1

Thank you for any idea


The whole point of transparent interception is that the browser is
*completely unaware it is talking to a proxy*. It contacted some
web server, and *all* of its communications are with that server.
If you can find a way to trick it into storing security
credentials of any kind set by your proxy it will consider those
credentials safe to use when contacting the same server via other
non-HTTP methods as well, causing a great deal of problems. The good
thing to do at that point is to report the zero-day security
vulnerability you just found.


You might be able to use details gleaned from the browser's request
to *guess* what user it is and have an external_acl_type script
inform Squid of the guessed username. Or to authorize (*not*
authenticate) the request to happen.

Amos




Re: [squid-users] Authentication problem

2012-04-03 Thread Amos Jeffries

On 3/04/2012 3:40 a.m., Mohamed Amine Kadimi wrote:

Dear Developers and Community,

I would like to set up the following configuration using squid:

When a user asks for a web page he is transparently redirected to
squid, where an authentication must be done before serving the user
with content.


Please read
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F




However, users' IPs are being NATed before going to the proxy. So the
solution would be to use an application-layer verification: cookies or
http headers

So, I come across the following solutions:

1. Use an ICAP server which checks if a cookie is set, otherwise set
it for an authenticated user
  the problem is: cookies are bound to domains + each http request must
be validated

2. Use a php splash page which sets the cookie then redirect to destination
  same problem as ICAP

3. using squid authentication and checking if Proxy-Authorization
header is set before serving the client
   problem: sessions are associated to the IP by squid

I'm using squid 3.1

Thank you for any idea


The whole point of transparent interception is that the browser is 
*completely unaware it is talking to a proxy*. It contacted some web 
server, and *all* of its communications are with that server. If you can 
find a way to trick it into storing security credentials of any kind set 
by your proxy it will consider those credentials safe to use when 
contacting the same server via other non-HTTP methods as well, causing 
a great deal of problems. The good thing to do at that point is to report 
the zero-day security vulnerability you just found.



You might be able to use details gleaned from the browser's request to 
*guess* what user it is and have an external_acl_type script inform Squid 
of the guessed username. Or to authorize (*not* authenticate) the 
request to happen.


Amos
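What the "guess the user from the browser signature" approach above looks like as a helper, added here as an example (not code from the thread or from Squid): the external_acl_type request/response protocol and the %SRC / %{User-Agent} format tags are Squid's, while the helper path, ACL name and the session table are assumptions.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: map a "browser signature" (client IP +
User-Agent) recorded by a captive portal to a username.

Added example, not code from the squid-users thread or from Squid itself.
Assumed squid.conf wiring (helper path and ACL names are assumptions; the
external_acl_type options and %SRC / %{User-Agent} format tags are Squid's):

    external_acl_type portal_session ttl=60 negative_ttl=5 \\
        %SRC %{User-Agent} /usr/local/bin/portal_session_helper.py
    acl portal_known external portal_session
    http_access allow portal_known

Squid writes one lookup per line ("<ip> <user-agent>") and reads back
"OK user=<name>" or "ERR". As the thread says, this is authorization by
guess, not authentication: any client that presents the same source IP and
User-Agent string inherits the session, so keep the ttl short and log it.
"""
import shlex
import sys
import time
from urllib.parse import unquote

# Constructed session table standing in for what the portal would persist
# (a file or small database) when a user logs in.
# key: (client_ip, user_agent) -> (username, expiry as a Unix timestamp)
SESSIONS = {
    ("10.0.0.5", "Mozilla/5.0 (X11; Linux) Firefox/10.0"): ("alice", 1700000600),
    ("10.0.0.5", "curl/7.22"): ("bob", 1700000100),  # stale entry
}


def parse_request(line):
    """Split one helper request line into (client_ip, user_agent).

    Squid 3.2+ URL-encodes format values by default (quote=url); Squid 3.1
    double-quotes values that contain spaces. shlex handles the quoting and
    unquote() the %xx escapes, so both forms decode to the same key.
    Returns None for a malformed line.
    """
    try:
        fields = shlex.split(line.strip())
    except ValueError:
        return None
    if len(fields) < 2:
        return None
    client_ip = unquote(fields[0])
    user_agent = unquote(" ".join(fields[1:]))
    return client_ip, user_agent


def decide(line, sessions=SESSIONS, now=None):
    """Return the response Squid expects for one request line."""
    now = time.time() if now is None else now
    key = parse_request(line)
    if key is None:
        return "ERR"
    entry = sessions.get(key)
    if entry is None:
        return "ERR"
    username, expiry = entry
    if expiry <= now:
        # Expired: forget it so a stale portal login is never reused.
        sessions.pop(key, None)
        return "ERR"
    # Usernames are assumed to contain no whitespace; Squid's response
    # parser would otherwise need the value quoted.
    return "OK user=%s" % username


def main():
    # Squid keeps the helper running and feeds it one lookup per line;
    # flush after each answer or Squid will wait on a buffered reply.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```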


Re: [squid-users] Authentication problem

2012-04-03 Thread Mohamed Amine Kadimi
OK, so here's another pseudo-code that comes to my mind, this is
somehow similar to some commercial products (IronPort, Blue Coat):

- The user connects to http://www.somesite.com via the proxy
- The Proxy redirects to
http://authenticationportal/http://www.somesite.com with 302 return
code.
- User is verified/authenticated on the authentication portal. This
authentication portal sets a cookie and redirects to
http://www.somesite.com
- User connects to http://www.somesite.com via proxy. Proxy knows user
is authenticated (cookie).

The problem is with the last step since the cookie is bound to
http://authenticationportal so the user may encounter an endless loop.

Do you know the solution for letting this authenticated user go to the
target after being authenticated?

2012/4/3 Amos Jeffries squ...@treenet.co.nz

 On 3/04/2012 3:40 a.m., Mohamed Amine Kadimi wrote:

 Dear Developers and Community,

 I would like to set up the following configuration using squid:

 When a user asks for a web page he is transparently redirected to
 squid, where an authentication must be done before serving the user
 with content.


 Please read
 http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F




 However, users' IPs are being NATed before going to the proxy. So the
 solution would be to use an application-layer verification: cookies or
 http headers

 So, I come across the following solutions:

 1. Use an ICAP server which checks if a cookie is set, otherwise set
 it for an authenticated user
  the problem is: cookies are bound to domains + each http request must
 be validated

 2. Use a php splash page which sets the cookie then redirect to destination
  same problem as ICAP

 3. using squid authentication and checking if Proxy-Authorization
 header is set before serving the client
   problem: sessions are associated to the IP by squid

 I'm using squid 3.1

 Thank you for any idea


 The whole point of transparent interception is that the browser is 
 *completely unaware it is talking to a proxy*. It contacted some web server, 
 and *all* of its communications are with that server. If you can find a way 
 to trick it into storing security credentials of any kind set by your proxy 
 it will consider those credentials safe to use when contacting the same 
 server via other non-HTTP methods as well, causing a great deal of problems. 
 The good thing to do at that point is to report the zero-day security 
 vulnerability you just found.


 You might be able to use details gleaned from the browser's request to *guess* 
 what user it is and have an external_acl_type script inform Squid of the 
 guessed username. Or to authorize (*not* authenticate) the request to happen.

 Amos




--
Mohamed Amine Kadimi

Tél     : +212 (0) 675 72 36 45


[squid-users] Authentication problem

2012-04-02 Thread Mohamed Amine Kadimi
Dear Developers and Community,

I would like to set up the following configuration using squid:

When a user asks for a web page he is transparently redirected to
squid, where an authentication must be done before serving the user
with content.

However, users' IPs are being NATed before going to the proxy. So the
solution would be to use an application-layer verification: cookies or
http headers

So, I come across the following solutions:

1. Use an ICAP server which checks if a cookie is set, otherwise set
it for an authenticated user
 the problem is: cookies are bound to domains + each http request must
be validated

2. Use a php splash page which sets the cookie then redirect to destination
 same problem as ICAP

3. using squid authentication and checking if Proxy-Authorization
header is set before serving the client
  problem: sessions are associated to the IP by squid

I'm using squid 3.1

Thank you for any idea


[squid-users] Authentication problem. Squid3+ntlm_auth+Firefox.

2009-05-18 Thread xor
Hello,
I have installed squid3 with authorisation in the Windows 2003 domain, with 
the kerberos5 libraries and samba + winbind. OS: Debian Lenny 5.0.1.
Packages squid3, samba, krb and winbind are taken from the official repositories 
(http://ftp.ru.debian.org/debian/).

The proxy clients working under WinXP with browser IE6 or IE7 pass 
authorisation normally, without superfluous requests for a login/password.

But those who use the Mozilla Firefox browser, when visiting sites, especially 
ones containing JavaScript scenaries, often receive a request for a login, password and 
domain for authorisation in the proxy. If this request is rejected (by pressing 
cancel), the client receives the standard cache access denied page. But if 
after that they press refresh, the page is loaded without a login/password 
request, and all works normally until the next authorisation request 
occurs.
This effect is observed on Firefox browsers only.
Increasing or decreasing the auth_param ntlm children parameter didn't help.

Configs:

###squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --debug-level=10 
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on
authenticate_cache_garbage_interval 1 minute
authenticate_ttl 2 minutes
authenticate_ip_ttl 2 minutes
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 81 8080 8081 # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 5222
acl Safe_ports port 443 # https
acl PURGE method PURGE
acl CONNECT method CONNECT
acl bad_pat_servers_ip src /etc/squid3/acl/bad_pat_servers_ip
acl microsoft_activation dstdomain /etc/squid3/acl/microsoft_activation
acl ip_symantec_ftp src 192.168.2.11
acl ftp_symantec dstdomain ftp.symantec.com liveupdate.symantec.com 
liveupdate.symantecliveupdate.com
acl good_sites dstdomain /etc/squid3/acl/good_sites
acl bad_pattern url_regex /etc/squid3/acl/bad_pattern
acl bad_sites dstdomain /etc/squid3/acl/bad_sites
acl odvk url_regex /etc/squid3/acl/odvk
acl odnokl_sites dstdomain /etc/squid3/acl/odnokl_sites
acl odnokl_users proxy_auth /etc/squid3/acl/odnokl_users
acl ip_users src /etc/squid3/acl/ip_users
acl AuthUsers proxy_auth /etc/squid3/acl/users
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow microsoft_activation
http_access deny bad_pat_servers_ip
http_access allow ip_symantec_ftp ftp_symantec
http_access allow good_sites ip_users
http_access allow good_sites AuthUsers
http_access allow odnokl_sites odnokl_users
http_access deny bad_pattern
http_access deny bad_sites
http_access deny odvk
http_access allow ip_users
http_access allow AuthUsers
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all
http_port 192.168.60.60:3128
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_dir ufs /var/spool/squid3 1024 16 256
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
forwarded_for off
coredump_dir /var/spool/squid3

###smb.conf
[global]
   workgroup = PATERSON
   realm = PATERSON.RU
   password server = SRV-MSK11 SRV-MSK12
   server string = %h server
   wins support = yes
   wins server = 192.168.2.11
   dns proxy = no
   interfaces = 192.168.60.60 eth0
   log file = /var/log/samba/log.%m
   log level = 3
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ads
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   invalid users = root
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* 
%n\n *password\supdated\ssuccessfully* .
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   case sensitive = No
   idmap uid = 1-2
   idmap gid = 1-2
   winbind enum groups = yes
   winbind enum users = yes
   winbind separator = +
   winbind use default domain = No
[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S
[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

Best regards, Ehenov Roman.






Re: [squid-users] Authentication problem. Squid3+ntlm_auth+Firefox.

2009-05-18 Thread Amos Jeffries

xor wrote:

Hello,
I have installed squid3 with authorisation in the Windows 2003 domain, with 
the kerberos5 libraries and samba + winbind. OS: Debian Lenny 5.0.1.
Packages squid3, samba, krb and winbind are taken from the official repositories 
(http://ftp.ru.debian.org/debian/).

The proxy clients working under WinXP with browser IE6 or IE7 pass 
authorisation normally, without superfluous requests for a login/password.

But those who use the Mozilla Firefox browser, when visiting sites, especially ones containing 
JavaScript scenaries, often receive a request for a login, password and domain for authorisation in 
the proxy. If this request is rejected (by pressing cancel), the client receives the standard 
cache access denied page. But if after that they press refresh, the page is loaded 
without a login/password request, and all works normally until the next 
authorisation request occurs.
This effect is observed on Firefox browsers only.
Increasing or decreasing the auth_param ntlm children parameter didn't help.


Please define what you mean by "containing JavaScript scenaries"? How is 
this relevant to the HTTP requests?


Check that firefox has not saved previous passwords for the user or 
another. This can cause issues as the known passwords are used first 
every time.


With debug_options ALL,1 29,6 28,6 cache.log gets a trace of the auth 
and ACL actions. Check that to see what is going on.
 You can expect to see some holdup while auth details are requested 
from the browser whether or not the popup appears. You can see for those 
checks whether it is right to be needed or not, though.



Some unrelated notes inline to the config...



Configs:

###squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --debug-level=10 
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on
authenticate_cache_garbage_interval 1 minute
authenticate_ttl 2 minutes
authenticate_ip_ttl 2 minutes
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 81 8080 8081 # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 5222
acl Safe_ports port 443 # https
acl PURGE method PURGE
acl CONNECT method CONNECT
acl bad_pat_servers_ip src /etc/squid3/acl/bad_pat_servers_ip


I find it rather confusing that you call this a "servers_ip" and indeed 
a "pattern" list yet use "src", which tests the _client_ IP.


The name of the ACL sounds like you mean it to be a destination check of 
some sort.



acl microsoft_activation dstdomain /etc/squid3/acl/microsoft_activation
acl ip_symantec_ftp src 192.168.2.11
acl ftp_symantec dstdomain ftp.symantec.com liveupdate.symantec.com 
liveupdate.symantecliveupdate.com
acl good_sites dstdomain /etc/squid3/acl/good_sites
acl bad_pattern url_regex /etc/squid3/acl/bad_pattern
acl bad_sites dstdomain /etc/squid3/acl/bad_sites
acl odvk url_regex /etc/squid3/acl/odvk
acl odnokl_sites dstdomain /etc/squid3/acl/odnokl_sites
acl odnokl_users proxy_auth /etc/squid3/acl/odnokl_users
acl ip_users src /etc/squid3/acl/ip_users
acl AuthUsers proxy_auth /etc/squid3/acl/users
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow microsoft_activation
http_access deny bad_pat_servers_ip
http_access allow ip_symantec_ftp ftp_symantec
http_access allow good_sites ip_users
http_access allow good_sites AuthUsers
http_access allow odnokl_sites odnokl_users
http_access deny bad_pattern
http_access deny bad_sites
http_access deny odvk
http_access allow ip_users
http_access allow AuthUsers
http_access allow localhost
http_access deny all
htcp_access deny all
http_port 192.168.60.60:3128
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_dir ufs /var/spool/squid3 1024 16 256
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320



icp_access deny all
icp_port 3130


Combined with the icp_access deny all I find this really weird.

The default action in Squid-3 is not to listen for ICP at all and to 
deny all as well. I think you want to remove the icp_* configuration 
entirely.


Same for the htcp_access line further up.


forwarded_for off
coredump_dir /var/spool/squid3

###smb.conf
[global]
   workgroup = PATERSON
   realm = PATERSON.RU
   password server = SRV-MSK11 SRV-MSK12
   server string = %h server
   wins support = yes
   wins server = 192.168.2.11
   dns proxy = no
   interfaces = 192.168.60.60 eth0
   log file = /var/log/samba/log.%m
   log level = 3
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ads
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   

Re: [squid-users] Authentication problem/oddity/ignorance

2008-05-29 Thread Rob Asher
 Chris Robertson [EMAIL PROTECTED] 5/28/2008 5:03 PM 
 Proxies.  Plural.  How are you spreading the traffic among the proxies.  
 A number of authentication requiring websites associate login 
 credentials with a source IP.  Using a round robin load balancer 
 (without source NATing the outgoing requests from the multiple proxies) 
 can cause issues with such sites.  As well, using authentication on a 
 intercepting (also called a transparent) proxy can cause issues such as 
 this.

The traffic isn't being balanced among the proxies.  I have multiple locations, 
4 to be exact, all trying to access the same site with the same results.  Each 
location uses its own proxy.  None of them are transparent and they all 
require authentication back to a single central LDAP server.


 TCP_MISS/401 indicates the website returned a Not Authorized response, 
 which should cause your browser to prompt for authentication.

With IE7, I get one prompt and then the cannot display the webpage message.  
With FF2, the prompt keeps popping up even with a valid login entry for the 
site until it's canceled.  


 Wow.  Not a single TCP_MISS/200 or TCP_HIT/200.  The only requests that 
 succeeded were cached content (TCP_MISS/304, with a parent of NONE).  
 So, from the evidence given, the machine that is working only appears 
 to be working because it is able to wrest a response from the cache that 
 allows it to use its locally cached copy...

OK. Here's another bit from access.log with the TCP_MISS/200 from the 
working machine.  My fault on the previous one in that all I visited was 
things that I'd already been to and cached.  There are a lot of 401's in this 
but I only had to authenticate to the proxy itself and then once for the site.  

[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1212065905.682 182 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.714 699 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.738 24 170.211.125.31 TCP_MISS/304 414 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1212065923.793 54 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.818 24 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.856 38 170.211.125.31 TCP_MISS/404 1991 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065924.027 41 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.051 23 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.064 39 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 
text/html
1212065924.073 21 170.211.125.31 TCP_MISS/304 413 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher NONE/- -
1212065924.088 23 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 
text/html
1212065924.105 38 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.109 21 170.211.125.31 TCP_MISS/304 412 GET 
http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher NONE/- -
1212065924.128 23 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- text/html
1212065924.154 26 170.211.125.31 TCP_MISS/304 413 GET 
http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- -
1212065933.702 855 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher 
DIRECT/165.29.214.2 text/html
1212065933.726 24 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher 
NONE/- text/html
1212065936.319   2593 170.211.125.31 TCP_MISS/200 96327 GET 
http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher 
NONE/- application/pdf
1212065961.927 79 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- text/html
1212065961.952 23 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
DIRECT/165.29.214.2 text/html
1212065962.164 212 170.211.125.31 TCP_MISS/200 48057 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- application/pdf
1212065962.236 71 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- text/html
1212065962.260 24 170.211.125.31 TCP_MISS/401 2277 GET 

Re: [squid-users] Authentication problem/oddity/ignorance

2008-05-29 Thread Chris Robertson

Rob Asher wrote:


Chris Robertson [EMAIL PROTECTED] 5/28/2008 5:03 PM


The traffic isn't being balanced among the proxies.  I have multiple locations, 
4 to be exact, all trying to access the same site with the same results.  Each 
location uses its own proxy.  None of them are transparent and they all 
require authentication back to a single central LDAP server.
  


Fair enough.  Two possibilities out of the way.

TCP_MISS/401 indicates the website returned a Not Authorized response, 
which should cause your browser to prompt for authentication.



With IE7, I get one prompt and then the cannot display the webpage message.  With FF2, the prompt keeps popping up even with a valid login entry for the site until it's canceled.  
  


Further investigation shows that the site in question is requesting NTLM 
authentication, which any version of Squid 2.6 should handle.  Hmmm...  
Perhaps this is related to the broken-ness of IIS passing chunked 
encoding to non HTTP1.1 compliant clients.  But it looks like the fixes 
for that were added in 2.6S8 and 2.6S10.  Given you have at least one 
2.6S13 server (and not all clients using it work) the fix might not be 
enough.  Well, you can try adding the following lines in your squid.conf 
(on any of the servers) and see if it helps...


acl chunked dstdomain .k12.ar.us
header_access Accept-Encoding deny chunked

Wow.  Not a single TCP_MISS/200 or TCP_HIT/200.  The only requests that 
succeeded were cached content (TCP_MISS/304, with a parent of NONE).  
So, from the evidence given, the machine that is working only appears 
to be working because it is able to wrest a response from the cache that 
allows it to use its locally cached copy...



OK. Here's another bit from access.log with the TCP_MISS/200 from the working machine.  My fault on the previous one in that all I visited was things that I'd already been to and cached.  There are a lot of 401's in this but I only had to authenticate to the proxy itself and then once for the site.  

[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1212065905.682 182 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html

1212065923.714 699 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.738 24 170.211.125.31 TCP_MISS/304 414 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1212065923.793 54 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.818 24 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.856 38 170.211.125.31 TCP_MISS/404 1991 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065924.027 41 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
  

SNIP

1212065933.726 24 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher 
NONE/- text/html
1212065936.319   2593 170.211.125.31 TCP_MISS/200 96327 GET 
http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher 
NONE/- application/pdf
  


Huh?  This line doesn't make sense.  It's a TCP_MISS/200, which means 
the request was successful, but the parent server is NONE.  Color me 
confused.



1212065961.927 79 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- text/html
1212065961.952 23 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
DIRECT/165.29.214.2 text/html
1212065962.164 212 170.211.125.31 TCP_MISS/200 48057 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- application/pdf
1212065962.236 71 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- text/html
1212065962.260 24 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- text/html
1212065962.661 400 170.211.125.31 TCP_MISS/206 176993 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- multipart/byteranges


If you have any suggestions on what else to look for, I'm willing to try about 
anything.  I captured some of the headers in FF on both the working and a 
nonworking machine but I can't make any sense of them.  Also, if running 
tcpdump would help, I'm game to try that as well?
  


Well, Squid 2.7 Stable 1 is out, which appears to have more support for 
HTTP 1.1.  You could set it up on one of your machines (instructions for 
running multiple instances of Squid on one box are at 

[squid-users] Authentication problem/oddity/ignorance

2008-05-28 Thread Rob Asher
I have an external site that requires authentication that's not working through 
my proxies.  The squid versions vary from 2.6.STABLE6 to 2.6.STABLE13 with the 
same results.  With IE7, all that's returned is cannot display the webpage 
even with show friendly http error messages turned off.  With FF2, the login 
box keeps popping up until you cancel.  Here's the oddity though, I have one XP 
machine that is able to authenticate through the proxy without any problems 
with both IE7 and FF2.   Same user, same proxy, same passwords just different 
machines.  If I bypass the proxy, everything works fine on all machines.  I 
read something in the archives about configuring the browser to keep 
authentication details longer.  Could that be the difference?  If so, I have no 
idea how to change that??  Below are the two relevant portions from access.log. 
 I have the live http header add-on for FF also but I'm ignorant on reading and 
using it effectively.  Any help or ideas are appreciated!

Does NOT connect:
[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1211985315.277 53 170.211.xxx.30 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985326.697 25 170.211.xxx.30 TCP_MISS/401 2272 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985326.760 42 170.211.xxx.30 TCP_MISS/401 2028 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html


Does connect:
[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1211985582.423 71 170.211.xxx.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985605.978 27 170.211.xxx.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985606.002 25 170.211.xxx.31 TCP_MISS/304 414 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1211985606.077 61 170.211.xxx.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher DIRECT/165.29.214.2 
text/html
1211985606.103 26 170.211.xxx.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1211985606.130 26 170.211.xxx.31 TCP_MISS/404 1991 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1211985606.234 71 170.211.xxx.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.259 24 170.211.xxx.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.263 49 170.211.xxx.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 
text/html
1211985606.267 53 170.211.xxx.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.281 21 170.211.xxx.31 TCP_MISS/304 413 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher NONE/- -
1211985606.286 23 170.211.xxx.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 
text/html
1211985606.291 23 170.211.xxx.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.314 26 170.211.xxx.31 TCP_MISS/304 412 GET 
http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher NONE/- -
1211985606.314 22 170.211.xxx.31 TCP_MISS/304 413 GET 
http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- -

Thanks,
Rob


-
Rob Asher
Network Systems Technician
Paragould School District
(870)236-7744 Ext. 169
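A small triage script for access.log excerpts like the two above, added as an example that is not from the thread or from Squid: it parses Squid's native log format and, per client, distinguishes a real origin success (2xx) from 304 revalidations served out of cache and from a run of 401s on one URL that never resolves. The sample lines are constructed to mirror the "Does NOT connect" and "Does connect" excerpts; the loop threshold allows for the two 401s an NTLM handshake legitimately costs.

```python
"""Triage Squid native-format access.log lines for an origin-auth loop.

Added example, not code from the thread or from Squid. The sample lines
below are constructed to mirror the "Does NOT connect" / "Does connect"
excerpts in the post (same clients, URLs and status codes).

Native format, one request per line:
  time elapsed client code/status bytes method URL user hierarchy/peer type
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed: the machine that never gets in (three 401s on the same URL).
SAMPLE_NOT_CONNECT = """\
1211985315.277     53 170.211.xxx.30 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985326.697     25 170.211.xxx.30 TCP_MISS/401 2272 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985326.760     42 170.211.xxx.30 TCP_MISS/401 2028 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
"""

# Constructed: the machine that "works", but only ever gets a 304 revalidation.
SAMPLE_CONNECT = """\
1211985582.423     71 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985605.978     27 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985606.002     25 170.211.xxx.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
"""

# Constructed: a later fetch by the same machine that really reached the origin.
SAMPLE_LATER = """\
1211985620.500   2593 170.211.xxx.31 TCP_MISS/200 96327 GET http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher DIRECT/165.29.214.2 application/pdf
"""


def parse_line(line):
    """Return the fields of one native-format line as a dict, or None
    for anything that does not match (wrapped lines, shell prompts)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text, loop_threshold=3):
    """Summarise each client's auth traffic and attach a verdict.

    An NTLM handshake legitimately costs two 401s on the same URL before
    the origin answers 2xx (or 304), so only a run of loop_threshold or
    more consecutive 401s on one URL, with no 2xx at all, is called a loop.
    Verdicts: "ok" (a real 2xx came back), "cache-only" (only 304
    revalidations, so the origin never accepted the credentials),
    "auth-loop", or "inconclusive".
    """
    stats = defaultdict(
        lambda: {"401": 0, "2xx": 0, "304": 0, "max_401_run": 0, "verdict": ""}
    )
    runs = defaultdict(int)  # (client, url) -> current run of consecutive 401s
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = stats[rec["client"]]
        key = (rec["client"], rec["url"])
        if rec["status"] == 401:
            s["401"] += 1
            runs[key] += 1
            s["max_401_run"] = max(s["max_401_run"], runs[key])
        else:
            runs[key] = 0
            if 200 <= rec["status"] < 300:
                s["2xx"] += 1
            elif rec["status"] == 304:
                s["304"] += 1
    for s in stats.values():
        if s["2xx"]:
            s["verdict"] = "ok"
        elif s["304"]:
            s["verdict"] = "cache-only"
        elif s["max_401_run"] >= loop_threshold:
            s["verdict"] = "auth-loop"
        else:
            s["verdict"] = "inconclusive"
    return dict(stats)


if __name__ == "__main__":
    for client, s in triage(SAMPLE_NOT_CONNECT + SAMPLE_CONNECT).items():
        print(client, s["verdict"], s)
```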




Re: [squid-users] Authentication problem/oddity/ignorance

2008-05-28 Thread Chris Robertson

Rob Asher wrote:

I have an external site that requires authentication that's not working through 
my proxies.


Proxies.  Plural.  How are you spreading the traffic among the proxies?  
A number of authentication requiring websites associate login 
credentials with a source IP.  Using a round robin load balancer 
(without source NATing the outgoing requests from the multiple proxies) 
can cause issues with such sites.  As well, using authentication on an 
intercepting (also called a transparent) proxy can cause issues such as 
this.



> The squid versions vary from 2.6.STABLE6 to 2.6.STABLE13 with the same results.  With IE7, all
> that's returned is "cannot display the webpage" even with "show friendly http error
> messages" turned off.  With FF2, the login box keeps popping up until you cancel.  Here's the
> oddity though: I have one XP machine that is able to authenticate through the proxy without any
> problems with both IE7 and FF2.  Same user, same proxy, same passwords, just different machines.
> If I bypass the proxy, everything works fine on all machines.  I read something in the archives
> about configuring the browser to keep authentication details longer.  Could that be the difference?
> If so, I have no idea how to change that.  Below are the two relevant portions from access.log.
> I have the live http header add-on for FF also but I'm ignorant on reading and using it
> effectively.  Any help or ideas are appreciated!
>
> Does NOT connect:
> [EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us
> 1211985315.277 53 170.211.xxx.30 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
> 1211985326.697 25 170.211.xxx.30 TCP_MISS/401 2272 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
> 1211985326.760 42 170.211.xxx.30 TCP_MISS/401 2028 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html

TCP_MISS/401 indicates the website returned a Not Authorized response,
which should cause your browser to prompt for authentication.

> Does connect:
> [EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us
> 1211985582.423 71 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
> 1211985605.978 27 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
> 1211985606.002 25 170.211.xxx.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
> 1211985606.077 61 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher DIRECT/165.29.214.2 text/html
> 1211985606.103 26 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
> 1211985606.130 26 170.211.xxx.31 TCP_MISS/404 1991 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
> 1211985606.234 71 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
> 1211985606.259 24 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
> 1211985606.263 49 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html
> 1211985606.267 53 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
> 1211985606.281 21 170.211.xxx.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher NONE/- -
> 1211985606.286 23 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 text/html
> 1211985606.291 23 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
> 1211985606.314 26 170.211.xxx.31 TCP_MISS/304 412 GET http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher NONE/- -
> 1211985606.314 22 170.211.xxx.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- -

Wow.  Not a single TCP_MISS/200 or TCP_HIT/200.  The only requests that 
succeeded were cached content (TCP_MISS/304, with a parent of NONE).  
So, from the evidence given, the machine that is working only appears 
to be working because it is able to wrest a response from the cache that 
allows it to use its locally cached copy...



> Thanks,
> Rob

Chris
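Chris reads the two traces by status and hierarchy code: 401 fetched DIRECT from the origin, 304 answered with NONE/-, and not one 2xx. The Python below is an added example (not Squid code and not from anyone in the thread) that parses native-format access.log lines and applies that reasoning per client; the sample lines are quoted from Rob's and Casey's posts, and the bucket names are this example's own.

```python
"""Read Squid native access.log lines for authentication outcomes.

Added example for this thread (not Squid code, not from the posters).
The sample lines are quoted from posts in the thread; the client octet
"xxx" is how Rob masked them.
"""
import re
from collections import Counter

# Native access.log format, one entry per line:
#   time elapsed client action/status size method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

SAMPLE_LOG = [
    # Rob Asher's "Does connect" machine: only 401s and cache revalidations
    "1211985582.423 71 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html",
    "1211985605.978 27 170.211.xxx.31 TCP_MISS/401 2277 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html",
    "1211985606.002 25 170.211.xxx.31 TCP_MISS/304 414 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -",
    "1211985606.077 61 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher DIRECT/165.29.214.2 text/html",
    "1211985606.130 26 170.211.xxx.31 TCP_MISS/404 1991 GET http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html",
    "1211985606.281 21 170.211.xxx.31 TCP_MISS/304 413 GET http://www.k12.ar.us/secure/smspo/bg.jpg rasher NONE/- -",
    # Casey King's client: Squid itself keeps demanding proxy credentials
    "1139498358.467  1 172.16.12.219 TCP_DENIED/407 1741 CONNECT usarmy.skillport.com:443 - NONE/- text/html",
]


def parse_line(line):
    """Return the fields of one access.log entry, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Bucket one entry the way the thread reasons about it."""
    status, hier = entry["status"], entry["hier"]
    if status == 407:
        return "proxy_challenge"        # Squid wants (or rejected) proxy credentials
    if status == 401:
        return "origin_challenge"       # the website wants (or rejected) credentials
    if status == 304 and hier == "NONE":
        return "cache_revalidated"      # answered without going upstream
    if 200 <= status < 300:
        return "success"
    if status == 404:
        return "not_found"
    return "other"


def summarize(lines):
    """Return {client: Counter(bucket -> count)} for the given lines."""
    per_client = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        per_client.setdefault(entry["client"], Counter())[classify(entry)] += 1
    return per_client


def diagnose(counts):
    """Chris's argument: a client with no 2xx at all has not really authenticated."""
    if counts["success"]:
        return "ok"
    if counts["proxy_challenge"]:
        return "proxy_challenge_loop"          # never got past Squid's 407
    if counts["origin_challenge"]:
        return "origin_auth_never_succeeded"   # only 304s from the cache "worked"
    return "no_auth_traffic"


if __name__ == "__main__":
    for client, counts in summarize(SAMPLE_LOG).items():
        print(client, dict(counts), "->", diagnose(counts))
```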


[squid-users] Authentication problem

2007-01-08 Thread Nick Duda

Sorry to bring up an old post of mine, but I have one question about it.

First off, 2.6 did fix my problems, so thanks again. The problem I have
now is we decided to use SmartFilter by Secure Computing which fixes all
the ACL issues I have. The only problem is that they only support up to
2.5stable13 (they say 2.6 by Q2 this year). I've tried to use it with
2.6 and it's a no go.

Is there any way to load via a patch the fixes that allow NTLM to work
(as in my older post below) with 2.5stable13? We really want to use
SmartFilter right away but this running only on 2.5stable13 is a real
bummer.

- Nick

-Original Message-
From: Nick Duda
Sent: Friday, September 01, 2006 10:47 AM
To: Henrik Nordstrom; Strandell, Ralf
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Authentication problem


Are you saying 2.6 can work with the microsoft broken authentication
schemes? This would be so nice...and solve lots of my problems.

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]

Sent: Friday, September 01, 2006 10:44 AM
To: Strandell, Ralf
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Authentication problem

On Fri, 2006-09-01 at 12:42 +0300, Strandell, Ralf wrote:
 Hi

 I try to access a page that requires a username and a password. The
 page is hosted on IIS.

Which Squid version? Should work with current STABLE release
(2.6.STABLE3).

Squid-2.5 can only forward HTTP compliant authentication schemes (Basic
and Digest), not Microsoft broken authentication schemes (NTLM,
Negotiate and Kerberos).

Regards
Henrik


-
Confidentiality note
The information in this email and any attachment may contain confidential and 
proprietary information of VistaPrint and/or its affiliates and may be 
privileged or otherwise protected from disclosure. If you are not the intended 
recipient, you are hereby notified that any review, reliance or distribution by 
others or forwarding without express permission is strictly prohibited and may 
cause liability. In case you have received this message due to an error in 
transmission, please notify the sender immediately and delete this email and 
any attachment from your system.
-


Re: [squid-users] Authentication problem

2007-01-08 Thread Henrik Nordstrom
On Mon 2007-01-08 at 12:19 -0500, Nick Duda wrote:

 First off, 2.6 did fix my problems, so thanks again. The problem I have
 now is we decided to use SmartFilter by Secure Computing which fixes all
 the ACL issues I have. The only problem is that they only support up to
 2.5stable13 (they say 2.6 by Q2 this year). I've tried to use it with
 2.6 and it's a no go.

Sorry, no help there. Can't support vendor modified Squid versions
where the vendor of the modifications does not provide source.

 Is there any way to load via a patch the fixes that allow NTLM to work
 (as in my older post below) with 2.5stable13? We really want to use
 SmartFilter right away but this running only on 2.5stable13 is a real
 bummer.

You are welcome to try backporting this. All the changes are at
http://www.squid-cache.org/Versions/v2/2.6/changesets/ (look for
connection pinning) but it's probably not going to be easy.. certainly
not with the SmartFilter modifications also in the mix..

I think it will be easier and more productive to forward-port the
SmartFilter changes.. Doing so would also give you valuable insight into
just how modified your SmartFilter Squid really is.

Regards
Henrik




[squid-users] Authentication problem

2006-09-01 Thread Strandell, Ralf
Hi

I try to access a page that requires a username and a password. The page
is hosted on IIS.

1) If I bypass Squid completely, I get through (after the XP
authentication dialog).

2) If I use Squid, I am asked for the username and password three times
(auth dialog by web browser) and then I get HTTP Error 401.1 -
Unauthorized: Access is denied due to invalid credentials. Each of
these three attempts generates a TCP_MISS/401 in access.log.

3) I then logged in to the proxy server and used lynx
-auth=user:password www.domain.com
Messages from Lynx:
Alert!: Invalid header 'WWW-Authenticate: Negotiate'
Alert!: Invalid header 'WWW-Authenticate: NTLM'
401.2 Unauthorized: Access is denied due to server configuration.

Any ideas how to solve this?



Re: [squid-users] Authentication problem

2006-09-01 Thread Henrik Nordstrom
On Fri, 2006-09-01 at 12:42 +0300, Strandell, Ralf wrote:
 Hi
 
 I try to access a page that requires a username and a password. The page
 is hosted on IIS.

Which Squid version? Should work with current STABLE release
(2.6.STABLE3).

Squid-2.5 can only forward HTTP compliant authentication schemes (Basic
and Digest), not Microsoft broken authentication schemes (NTLM,
Negotiate and Kerberos).

Regards
Henrik



RE: [squid-users] Authentication problem

2006-09-01 Thread Nick Duda

Are you saying 2.6 can work with the microsoft broken authentication
schemes? This would be so nice...and solve lots of my problems.

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, September 01, 2006 10:44 AM
To: Strandell, Ralf
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Authentication problem

On Fri, 2006-09-01 at 12:42 +0300, Strandell, Ralf wrote:
 Hi

 I try to access a page that requires a username and a password. The
 page is hosted on IIS.

Which Squid version? Should work with current STABLE release
(2.6.STABLE3).

Squid-2.5 can only forward HTTP compliant authentication schemes (Basic
and Digest), not Microsoft broken authentication schemes (NTLM,
Negotiate and Kerberos).

Regards
Henrik




RE: [squid-users] Authentication problem

2006-09-01 Thread Henrik Nordstrom
On Fri, 2006-09-01 at 10:47 -0400, Nick Duda wrote:
 Are you saying 2.6 can work with the microsoft broken authentication
 schemes?

Yes.

Regards
Henrik



Re: [squid-users] Authentication problem

2006-05-23 Thread Chris Robertson

Scott Jarkoff wrote:

> I have Squid setup so that it performs NTLM authentication from a
> Windows 2003 Active Directory domain controller.  It currently works
> without issue, allowing only properly authenticated users web browsing
> access and denying others.
>
> What I would like to do is block certain accounts from web browsing.
> When I implement such a block the users are presented with an
> authentication dialog box, and then ultimately receive the proper deny
> message in the browser.  The problem is that I do not want them to be
> prompted for valid credentials; they should be immediately denied
> access.
>
> Here are the appropriate areas of my configuration:
>
> acl authenticated_users proxy_auth REQUIRED
> acl denied_admin proxy_auth_regex -i /etc/squid/denied_admin
> acl denied_users proxy_auth_regex -i /etc/squid/denied_users
>
> http_access deny denied_users
> http_access deny denied_admin
> deny_info ERR_ACCESS_DENIED_ADMIN denied_admin
>
> http_access allow authenticated_users
> http_access allow localhost
> http_access allow local_network
> http_access deny all
>
> Any ideas how I can get rid of the authentication dialog box that pops
> up and just have the deny message issued immediately?

See http://www.squid-cache.org/mail-archive/squid-users/200603/0845.html 
and http://www.squid-cache.org/mail-archive/squid-users/200603/0851.html


Chris


Re: [squid-users] Authentication problem

2006-05-23 Thread Scott Jarkoff

On 5/24/06, Chris Robertson [EMAIL PROTECTED] wrote:

> See http://www.squid-cache.org/mail-archive/squid-users/200603/0845.html
> and http://www.squid-cache.org/mail-archive/squid-users/200603/0851.html


Thanks very much Chris.  Those links were exactly what I was looking
for.  Much appreciated!

--
Scott Jarkoff


[squid-users] Authentication problem

2006-05-22 Thread Scott Jarkoff

I have Squid setup so that it performs NTLM authentication from a
Windows 2003 Active Directory domain controller.  It currently works
without issue, allowing only properly authenticated users web browsing
access and denying others.

What I would like to do is block certain accounts from web browsing.
When I implement such a block the users are presented with an
authentication dialog box, and then ultimately receive the proper deny
message in the browser.  The problem is that I do not want them to be
prompted for valid credentials; they should be immediately denied
access.

Here are the appropriate areas of my configuration:

acl authenticated_users proxy_auth REQUIRED
acl denied_admin proxy_auth_regex -i /etc/squid/denied_admin
acl denied_users proxy_auth_regex -i /etc/squid/denied_users

http_access deny denied_users
http_access deny denied_admin
deny_info ERR_ACCESS_DENIED_ADMIN denied_admin

http_access allow authenticated_users
http_access allow localhost
http_access allow local_network
http_access deny all

Any ideas how I can get rid of the authentication dialog box that pops
up and just have the deny message issued immediately?

--
Scott Jarkoff


[squid-users] Authentication problem

2006-02-10 Thread Casey King
I am running CentOS 4.1 with squid-2.5.STABLE6-3.4E.5

I am able to go and do as I please, except for one site.

http://usarmy.skillport.com

I am able to get to the site, and do my sign-in, but as the site is
trying to log me in, I continually get a pop-up from my proxy server
wanting me to authenticate and I cannot get beyond the authentication. I
put my information in, and it will come back up after about 15-30
seconds.  From what I can see, it does not recognize the information I
am putting in.  Normally I would see Domain\username, but I don't, and
I am sure this is why I cannot get beyond authentication, but again,
this is the only site I am having an issue with. Here is what my log
looks like:

1139498358.467  1 172.16.12.219 TCP_DENIED/407 1741 CONNECT usarmy.skillport.com:443 - NONE/- text/html
1139498358.490  1 172.16.12.219 TCP_DENIED/407 1740 CONNECT usarmy.skillport.com:443 - NONE/- text/html
1139498358.499  1 172.16.12.219 TCP_DENIED/407 1740 CONNECT usarmy.skillport.com:443 - NONE/- text/html
1139498358.505  0 172.16.12.219 TCP_DENIED/407 413 HEAD http://usarmy.skillport.com:443/rkusarmy/APPLET/snifferSimple/class.class - NONE/- text/html
1139498358.508  0 172.16.12.219 TCP_DENIED/407 417 HEAD http://usarmy.skillport.com:443/rkusarmy/APPLET/snifferSimple/class.class - NONE/- text/html



Re: [squid-users] Authentication problem

2006-02-10 Thread Mark Elsen
 I am running CentOS 4.1 with squid-2.5.STABLE6-3.4E.5

 I am able to go and do as I please, except for one site.

 http://usarmy.skillport.com

 I am able to get to the site, and do my sign-in, but as the site is
 trying to log me in, I continually get a pop-up from my proxy server
 wanting me to authenticate and I cannot get beyond the authentication. I
 put my information in, and it will come back up after about 15-30
 seconds.  From what I can see, it does not recognize the information I
 am putting in.  Normally I would see *Doman\*username, but I don't, and
 I am sure this is why I cannot get beyond authentication, but again.
 This is the only site I am having an issue with. Here is what my log
 looks like:


 1139498358.467  1 172.16.12.219 TCP_DENIED/407 1741 CONNECT
 usarmy.skillport.com:443 - NONE/- text/html
 1139498358.490  1 172.16.12.219 TCP_DENIED/407 1740 CONNECT
 usarmy.skillport.com:443 - NONE/- text/html
 1139498358.499  1 172.16.12.219 TCP_DENIED/407 1740 CONNECT
 usarmy.skillport.com:443 - NONE/- text/html
 1139498358.505  0 172.16.12.219 TCP_DENIED/407 413 HEAD
 http://usarmy.skillport.com:443/rkusarmy/APPLET/snifferSimple/class.clas
 s - NONE/- text/html
 1139498358.508  0 172.16.12.219 TCP_DENIED/407 417 HEAD
 http://usarmy.skillport.com:443/rkusarmy/APPLET/snifferSimple/class.clas
 s - NONE/- text/html




  The site probably uses the NTLM auth. scheme, which is not proxyable.
  Even MS advises against using NTLM on internet-targeted webservers.

  M.


RE: [squid-users] Authentication problem

2006-02-10 Thread Casey King
Okay thanks for the information.  Guess I will mess around with this
site from home then.

-Original Message-
From: Mark Elsen [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 10, 2006 11:06 AM
To: Casey King
Cc: Squid Mailing List
Subject: Re: [squid-users] Authentication problem


 I am running CentOS 4.1 with squid-2.5.STABLE6-3.4E.5

 I am able to go and do as I please, except for one site.

 http://usarmy.skillport.com

 I am able to get to the site, and do my sign-in, but as the site is 
 trying to log me in, I continually get a pop-up from my proxy server 
 wanting me to authenticate and I cannot get beyond the authentication.

 I put my information in, and it will come back up after about 15-30 
 seconds.  From what I can see, it does not recognize the information I

 am putting in.  Normally I would see *Doman\*username, but I don't, 
 and I am sure this is why I cannot get beyond authentication, but 
 again. This is the only site I am having an issue with. Here is what 
 my log looks like:


 1139498358.467  1 172.16.12.219 TCP_DENIED/407 1741 CONNECT usarmy.skillport.com:443 - NONE/- text/html
 1139498358.490  1 172.16.12.219 TCP_DENIED/407 1740 CONNECT usarmy.skillport.com:443 - NONE/- text/html
 1139498358.499  1 172.16.12.219 TCP_DENIED/407 1740 CONNECT usarmy.skillport.com:443 - NONE/- text/html
 1139498358.505  0 172.16.12.219 TCP_DENIED/407 413 HEAD http://usarmy.skillport.com:443/rkusarmy/APPLET/snifferSimple/class.class - NONE/- text/html
 1139498358.508  0 172.16.12.219 TCP_DENIED/407 417 HEAD http://usarmy.skillport.com:443/rkusarmy/APPLET/snifferSimple/class.class - NONE/- text/html

  The site probably uses the NTLM auth. scheme, which is not proxyable.
  Even MS advises against using NTLM on internet-targeted webservers.

  M.



AW: AW: AW: [squid-users] authentication problem with squid_ldap_group

2005-01-14 Thread Joachim JS. Schuster
Hello Yong,
I compiled squid version 2.5STABLE6 with ./configure --prefix=/usr/local/squid
--enable-external-acl-helpers and it works.
When I use the same command with squid2.5 STABLE7 it doesn't work. Do you have an
idea why not?

Regards
Joachim


-Original Message-
From: Yong Bong Fong [mailto:[EMAIL PROTECTED]
Sent: Friday, 14 January 2005 01:23
To: Joachim JS. Schuster
Subject: AW: AW: AW: [squid-users] authentication problem with squid_ldap_group


Hi Joachim,

  I don't think it's a compiling problem. You can just compile with
./configure

Ever think of trying out with rpm?

Regards
Yong

Hi Yong,
I mean I found the error. I installed a squid 2.5.Stable6 version and it just
works. The squid version 2.5.Stable7 doesn't work. The squid_ldap_group file
from Stable7 is bigger; there is a difference.
Or is this a compiling problem? I compile with ./configure
--prefix=/usr/local/squid . Is this correct?

Regards
Joachim




Re: AW: AW: AW: [squid-users] authentication problem with squid_ldap_group

2005-01-14 Thread Henrik Nordstrom
On Fri, 14 Jan 2005, Joachim JS. Schuster wrote:
I compiled squid version 2.5STABLE6 with ./configure --prefix=/usr/local/squid
--enable-external-acl-helpers and it works.
When I use the same command with squid2.5 STABLE7 it doesn't work. Do you have an
idea why not?
Please post command line tests of both versions of squid_ldap_group.
Regards
Henrik


AW: AW: AW: [squid-users] authentication problem with squid_ldap_group

2005-01-13 Thread Joachim JS. Schuster
Hi Yong,
I mean I found the error. I installed a squid 2.5.Stable6 version and it just
works. The squid version 2.5.Stable7 doesn't work. The squid_ldap_group file
from Stable7 is bigger; there is a difference.
Or is this a compiling problem? I compile with ./configure
--prefix=/usr/local/squid . Is this correct?

Regards
Joachim


-Original Message-
From: Yong Bong Fong [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 January 2005 08:00
To: Joachim JS. Schuster
Subject: Re: AW: AW: [squid-users] authentication problem with squid_ldap_group


Hi Joachim,

   I am using squid-2.5.STABLE5-2, which comes with FC2.
Actually, for your case, is it that when you do it from the command prompt it's ok
but from the browser it cannot pass through?

I had a case before when I got OK from the terminal but on the browser it could not
go through. It just kept reprompting for username and password from the
browser. Then I changed %u -> %v and %g -> %a and it worked.

regards
Yong

Joachim JS. Schuster wrote:

Hi Yong,
What squid version do you use ?

regards

Joachim


-Original Message-
From: Yong Bong Fong [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 January 2005 01:27
To: Joachim JS. Schuster
Subject: Re: AW: [squid-users] authentication problem with squid_ldap_group


Hi Joachim,

   This is my acl which works. Maybe you can copy exactly mine,
especially the order of the http_access part. And see if it works.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl ldap_group-admin external ldap_group admin



http_access allow manager localhost
http_access allow manager
http_access allow ldap_group-admin
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

Regards
Yong


Joachim JS. Schuster wrote:

Hi,
Please have a look at the lines below:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl ldapproxygroup external ldapgroup webaccess

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ldapproxygroup
http_access deny all

Regards

Joachim


-Original Message-
From: Yong Bong Fong [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 12 January 2005 02:29
To: Joachim JS. Schuster
Subject: Re: [squid-users] authentication problem with squid_ldap_group


Hi Joachim,

 Can you post your acl list and http_access?
Maybe we can spot some mistakes from your acl and http_access.



Joachim JS. Schuster wrote:

Dear squid users,
I need help about my authentication problem with squid_ldap_group.

First I create an entry for squid_ldap_auth. I can login and I have
web access and it works fine.

auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b dc=mb,dc=local -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -f (&(sAMAccountName=%s)(objectClass=Person)) -h 192.168.3.1
acl USERS proxy_auth REQUIRED

http_access allow USERS

In the next step I create these lines for my ldap group access.

external_acl_type ldapgroup concurrency=15 %LOGIN /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f (&(cn=%g)(member=%u)) -F (&(sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1

acl ldapproxygroup external ldapgroup webaccess

http_access allow ldapproxygroup

I can login but I have no web access. I see the 407 error access
denied in squid conf.

When I execute

heins:~ # /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f "(&(cn=%g)(member=%u))" -F "(&(sAMAccountName=%s)(objectClass=Person))" -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
cwm webaccess
OK

I get OK but the user cwm can't use the proxy.

Thank you for all the help.

Best Regards

Joachim


Re: AW: AW: AW: [squid-users] authentication problem with squid_ldap_group

2005-01-13 Thread Henrik Nordstrom
On Thu, 13 Jan 2005, Joachim JS. Schuster wrote:
I mean I found the error. I installed a squid 2.5.Stable6 version and it
just works. The squid version 2.5.Stable7 doesn't work. The
squid_ldap_group file from Stable7 is bigger; there is a difference.
There are two related patches in the 2.5.STABLE7 release:
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-basic_auth_caseinsensitive
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-ldap_helpers
The first is quite self explanatory..
The second changes some of the code in both squid_ldap_auth and 
squid_ldap_group mainly to work better with different LDAP servers having 
restrictions on how one may login to their directory services...

If you can detail what problem you are seeing, and what exact auth_param 
and external_acl_type parameters you are using then maybe your problem can 
be better understood.

Regards
Henrik


Re: [squid-users] authentication problem with squid_ldap_group

2005-01-12 Thread Henrik Nordstrom
On Wed, 12 Jan 2005, Oliver Hookins wrote:
The only thing I could suggest is trying the -S parameter anyway. I don't 
know any really good ways to find out what is happening, unless you can write 
a test-program to replace squid_ldap_group that logs what options and input 
were passed to it. It either works or it doesn't!
The -d flag to squid_ldap_group makes it more verbose about it's 
operations.

Regards
Henrik


AW: [squid-users] authentication problem with squid_ldap_group

2005-01-12 Thread Joachim JS. Schuster
Hello Henrik,
I can't find the description for -d and for the -S flag in the documentation.
Can you tell me how I must use it?

Regards 
Joachim


-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 12 January 2005 16:11
To: Oliver Hookins
Cc: squid-users@squid-cache.org; Joachim JS. Schuster
Subject: Re: [squid-users] authentication problem with squid_ldap_group


On Wed, 12 Jan 2005, Oliver Hookins wrote:

 The only thing I could suggest is trying the -S parameter anyway. I don't
 know any really good ways to find out what is happening, unless you can write
 a test-program to replace squid_ldap_group that logs what options and input
 were passed to it. It either works or it doesn't!

The -d flag to squid_ldap_group makes it more verbose about it's 
operations.

Regards
Henrik


Re: AW: [squid-users] authentication problem with squid_ldap_group

2005-01-12 Thread Henrik Nordstrom
On Wed, 12 Jan 2005, Joachim JS. Schuster wrote:
Hello Henrik,
I can't find the description for -d and for the -S flag in the documentation.
Can you tell me how I must use it?

From the squid_ldap_group man page:
   -S Strip  NT  domain name component from user names (/
  or \ separated)
   -d Debug mode where each step taken will get  reported
  in  detail.   Useful  for  understanding  what goes
  wrong if the results is not what is expected.
Based on the access.log output you showed, -S is not your problem.
Regards
Henrik
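Oliver's suggestion earlier in the thread was a test program standing in for squid_ldap_group that logs what options and input it is handed; Henrik's man-page excerpt above gives the -S semantics. The Python below is such a stand-in, added here as an example (it is not squid_ldap_group and not from anyone in the thread): it speaks Squid's external_acl_type line protocol, echoes the concurrency channel ID, emulates -S, and writes one log line per request to stderr, which Squid collects in cache.log. The `--concurrency` switch and the membership table are this stub's own inventions; with %LOGIN the helper only ever sees the user name, never the password, so the log holds no secrets.

```python
"""Logging stand-in for squid_ldap_group (added example, not the real helper).

Squid runs external_acl_type helpers as children, writes one request per line
on their stdin and reads one reply per line from their stdout. With
concurrency=N each request is prefixed with a channel ID that the reply must
echo. For Joachim's line "%LOGIN ... webaccess" a request looks like
"0 cwm webaccess" and the expected reply is "0 OK" or "0 ERR".
"""
import sys

# Constructed stand-in for the directory: group -> members. Names follow the
# thread (user cwm, group webaccess); the rest is invented for the example.
MOCK_DIRECTORY = {
    "webaccess": {"cwm", "alice"},
    "admin": {"alice"},
}


def strip_nt_domain(user):
    """Emulate -S: drop a leading DOMAIN\\ or DOMAIN/ component from the name."""
    for sep in ("\\", "/"):
        if sep in user:
            return user.split(sep, 1)[1]
    return user


def parse_request(line, concurrency):
    """Split one request line into (channel_id, user, groups)."""
    parts = line.strip().split()
    channel = None
    if concurrency and parts:
        channel, parts = parts[0], parts[1:]
    if not parts:
        raise ValueError("request carries no user name")
    return channel, parts[0], parts[1:]


def is_member(user, groups, directory):
    """OK when the user belongs to any of the groups named on the acl line."""
    return any(user in directory.get(group, ()) for group in groups)


def format_reply(channel, ok):
    """Reply line: the verdict, prefixed by the channel ID when concurrency is on."""
    verdict = "OK" if ok else "ERR"
    return verdict if channel is None else f"{channel} {verdict}"


def handle_line(line, directory, concurrency=True, strip_domain=False, log=None):
    """Process one request line; return the reply Squid expects on stdout."""
    channel, user, groups = parse_request(line, concurrency)
    if strip_domain:
        user = strip_nt_domain(user)
    reply = format_reply(channel, is_member(user, groups, directory))
    if log is not None:
        log.append(f"request={line.strip()!r} user={user!r} groups={groups} reply={reply!r}")
    return reply


def main(argv):
    strip_domain = "-S" in argv                # same meaning as squid_ldap_group -S
    concurrency = "--concurrency" in argv      # this stub's own switch
    for line in sys.stdin:
        if not line.strip():
            continue
        log = []
        try:
            reply = handle_line(line, MOCK_DIRECTORY, concurrency, strip_domain, log)
        except ValueError as exc:
            # Keep the channel ID on the ERR so Squid can still match the reply.
            parts = line.split()
            channel = parts[0] if concurrency and parts else None
            reply = format_reply(channel, False)
            log.append(f"unparseable request {line!r}: {exc}")
        sys.stderr.write("\n".join(log) + "\n")   # stderr ends up in cache.log
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()                         # Squid blocks until the line arrives


if __name__ == "__main__":
    main(sys.argv[1:])
```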


AW: AW: [squid-users] authentication problem with squid_ldap_group

2005-01-12 Thread Joachim JS. Schuster
Hi Yong,
What squid version do you use ?

regards

Joachim


-Original Message-
From: Yong Bong Fong [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 January 2005 01:27
To: Joachim JS. Schuster
Subject: Re: AW: [squid-users] authentication problem with squid_ldap_group


Hi Joachim,

   This is my acl which works. Maybe you can copy exactly mine, 
especially the order of the http_access part. And see if it works.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl ldap_group-admin external ldap_group admin



http_access allow manager localhost
http_access allow manager
http_access allow ldap_group-admin
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

Regards
Yong


Joachim JS. Schuster wrote:

Hi,
Please have a look at the lines below:


acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl ldapproxygroup external ldapgroup webaccess

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ldapproxygroup
http_access deny all

Regards

Joachim


-Original Message-
From: Yong Bong Fong [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 12 January 2005 02:29
To: Joachim JS. Schuster
Subject: Re: [squid-users] authentication problem with squid_ldap_group


Hi Joachim,

  Can you post your acl list and http_access?
Maybe we can spot some mistakes from your acl and http_access.



Joachim JS. Schuster wrote:

Dear squid users,
I need help about my authentication problem with squid_ldap_group.

First I create an entry for squid_ldap_auth. I can login and I have web
access and it works fine.

auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b dc=mb,dc=local -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -f (&(sAMAccountName=%s)(objectClass=Person)) -h 192.168.3.1
acl USERS proxy_auth REQUIRED

http_access allow USERS

In the next step I create these lines for my ldap group access.

external_acl_type ldapgroup concurrency=15 %LOGIN /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f (&(cn=%g)(member=%u)) -F (&(sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1

acl ldapproxygroup external ldapgroup webaccess

http_access allow ldapproxygroup

I can login but I have no web access. I see the 407 error access denied
in squid conf.

When I execute

heins:~ # /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f "(&(cn=%g)(member=%u))" -F "(&(sAMAccountName=%s)(objectClass=Person))" -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
cwm webaccess
OK

I get OK but the user cwm can't use the proxy.

Thank you for all the help.

Best Regards

Joachim


[squid-users] authentication problem with squid_ldap_group

2005-01-11 Thread Joachim JS. Schuster

Dear squid users,
I need help about my authentication problem with squid_ldap_group.

First I create an entry for squid_ldap_auth. I can login and I have web access
and it works fine.

auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b dc=mb,dc=local -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -f (&(sAMAccountName=%s)(objectClass=Person)) -h 192.168.3.1
acl USERS proxy_auth REQUIRED

http_access allow USERS

In the next step I create these lines for my ldap group access.

external_acl_type ldapgroup concurrency=15 %LOGIN /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f (&(cn=%g)(member=%u)) -F (&(sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1

acl ldapproxygroup external ldapgroup webaccess

http_access allow ldapproxygroup

I can login but I have no web access. I see the 407 error access denied in squid
conf.

When I execute

heins:~ # /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f "(&(cn=%g)(member=%u))" -F "(&(sAMAccountName=%s)(objectClass=Person))" -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
cwm webaccess
OK

I get OK but the user cwm can't use the proxy.

Thank you for all the help.

Best Regards

Joachim


Re: [squid-users] authentication problem with squid_ldap_group

2005-01-11 Thread Oliver Hookins
Joachim JS. Schuster wrote:

> Joachim JS. Schuster wrote:
> 
> > Dear squid users,
> > I need help about my authentication problem with squid_ldap_group.
> > First I create an entry for squid_ldap_auth. I can log in and I have web
> > access and it works fine.
> > 
> > auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b dc=mb,dc=local -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -f (&(sAMAccountName=%s)(objectClass=Person)) -h 192.168.3.1
> > acl USERS proxy_auth REQUIRED
> > 
> > http_access allow USERS
> > 
> > In the next step I create these lines for my LDAP group access.
> > 
> > external_acl_type ldapgroup concurrency=15 %LOGIN /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f (&(cn=%g)(member=%u)) -F (&(sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
> > 
> > acl ldapproxygroup external ldapgroup webaccess
> > http_access allow ldapproxygroup
> > 
> > I can log in but I have no web access. I see the 407 error access denied
> > in squid conf.
> > 
> > When I execute
> > 
> > heins:~ # /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f (&(cn=%g)(member=%u)) -F (&(sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
> > cwm webaccess
> > OK
> > 
> > I get OK but the user cwm can't use the proxy.
> 
> Can you quote some of the logs that show the problem? Is the username
> in the logs exactly as you are typing it on the command line? What I am
> getting at is that it might have the domain name attached to the
> username in which case you need the -S option for squid_ldap_group.
> 
> Regards,
> Oliver
> 
> Sorry, I am new to this list. In which way must I contact you?
> By your mail address or via squid-users@squid-cache.org?
> 
> The access.log entries:
> 1105494666.537  0 192.168.5.2 TCP_DENIED/407 2470 GET http://www.google.de/ - NONE/- text/html
> 1105494675.258 24 192.168.5.2 TCP_DENIED/403 2217 GET http://www.google.de/ cwm NONE/- text/html
> 
> The username cwm is correct. I can add more users to the webaccess. I checked
> all the new users with the command line below and the test is OK.
> /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f (&(cn=%g)(member=%u)) -F (&(sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
> 
> Regards
> Joachim

Sorry, my mail program doesn't automatically reply to the list - yes you
should reply to the list unless you want to converse directly with one
of the members.

The only thing I could suggest is trying the -S parameter anyway. I
don't know any really good ways to find out what is happening, unless
you can write a test-program to replace squid_ldap_group that logs what
options and input were passed to it. It either works or it doesn't!

Regards,
Oliver
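Oliver's question about whether the logged user name matches what was typed is the useful diagnostic in this exchange. The following added example (not code from Squid or from anyone in this thread) parses the two access.log lines quoted above and states what each denial means: 407 is the proxy's challenge before any accepted credentials, while 403 with a user name means the auth helper accepted the login and the request was then refused by http_access, here the external group ACL.

```python
"""Explain Squid TCP_DENIED entries by authentication state.

Added example for this thread, not code from Squid or from the posters.
Native access.log fields: time elapsed client action/status bytes method
URL user hierarchy/peer content-type.
"""
import re

# Constructed sample: the two entries quoted above, re-joined one per line.
SAMPLE_LOG = """\
1105494666.537  0 192.168.5.2 TCP_DENIED/407 2470 GET http://www.google.de/ - NONE/- text/html
1105494675.258 24 192.168.5.2 TCP_DENIED/403 2217 GET http://www.google.de/ cwm NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)


def parse_access_line(line):
    """Return the fields of one native-format line as a dict, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def diagnose(entry):
    """Say what a denied entry tells you about authentication.

    407: Squid answered with a Proxy-Authenticate challenge, i.e. the request
         carried no credentials or none the auth helper accepted.
    403 with a user name: the auth helper accepted the login, so the denial
         comes from http_access, here the external group ACL answering ERR.
    """
    if entry["action"] != "TCP_DENIED":
        return "not a denial"
    user = entry["user"]
    if entry["status"] == 407:
        return "challenge: no credentials accepted yet (user as logged: %s)" % user
    if entry["status"] == 403 and user != "-":
        return ("authenticated as %s but denied by http_access; "
                "compare this exact name with what the group helper expects" % user)
    return "denied with status %d" % entry["status"]


def diagnose_log(text):
    """Return [(user, status, diagnosis), ...] for every parseable line."""
    results = []
    for line in text.splitlines():
        entry = parse_access_line(line)
        if entry is not None:
            results.append((entry["user"], entry["status"], diagnose(entry)))
    return results


if __name__ == "__main__":
    for user, status, why in diagnose_log(SAMPLE_LOG):
        print(status, user, why)
```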


Re: AW: [squid-users] authentication problem with squid_ldap_group

2005-01-11 Thread Oliver Hookins
Joachim JS. Schuster wrote:

> -----Original Message-----
> From: Oliver Hookins [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 12 January 2005 01:07
> To: squid-users@squid-cache.org
> Cc: Joachim JS. Schuster
> Subject: Re: [squid-users] authentication problem with squid_ldap_group
> 
> Joachim JS. Schuster wrote:
> 
> > Joachim JS. Schuster wrote:
> > 
> > > Dear squid users,
> > > I need help about my authentication problem with squid_ldap_group.
> > > First I create an entry for squid_ldap_auth. I can log in and I have web
> > > access and it works fine.
> > > 
> > > auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b dc=mb,dc=local -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -f (&(sAMAccountName=%s)(objectClass=Person)) -h 192.168.3.1
> > > acl USERS proxy_auth REQUIRED
> > > 
> > > http_access allow USERS
> > > 
> > > In the next step I create these lines for my LDAP group access.
> > > 
> > > external_acl_type ldapgroup concurrency=15 %LOGIN /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f (&(cn=%g)(member=%u)) -F (&(sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
> > > 
> > > acl ldapproxygroup external ldapgroup webaccess
> > > http_access allow ldapproxygroup
> > > 
> > > I can log in but I have no web access. I see the 407 error access denied
> > > in squid conf.
> > > 
> > > When I execute
> > > 
> > > heins:~ # /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f (&(cn=%g)(member=%u)) -F (&(sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
> > > cwm webaccess
> > > OK
> > > 
> > > I get OK but the user cwm can't use the proxy.
> > 
> > Can you quote some of the logs that show the problem? Is the username
> > in the logs exactly as you are typing it on the command line? What I am
> > getting at is that it might have the domain name attached to the
> > username in which case you need the -S option for squid_ldap_group.
> > 
> > Regards,
> > Oliver
> > 
> > Sorry, I am new to this list. In which way must I contact you? By your
> > mail address or via squid-users@squid-cache.org?
> > 
> > The access.log entries:
> > 1105494666.537  0 192.168.5.2 TCP_DENIED/407 2470 GET http://www.google.de/ - NONE/- text/html
> > 1105494675.258 24 192.168.5.2 TCP_DENIED/403 2217 GET http://www.google.de/ cwm NONE/- text/html
> > 
> > The username cwm is correct. I can add more users to the webaccess. I
> > checked all the new users with the command line below and the test is
> > OK.
> > /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f (&(cn=%g)(member=%u)) -F (&(sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
> > 
> > Regards
> > Joachim
> 
> Sorry, my mail program doesn't automatically reply to the list - yes you
> should reply to the list unless you want to converse directly with one
> of the members.
> 
> The only thing I could suggest is trying the -S parameter anyway. I
> don't know any really good ways to find out what is happening, unless
> you can write a test-program to replace squid_ldap_group that logs what
> options and input were passed to it. It either works or it doesn't!
> 
> Regards,
> Oliver
> 
> Do you mean the -S (Strip NT domain from usernames) parameter?
> Regards
> Joachim

Yes.
Oliver
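As an added example of the test program Oliver suggests (not code from Squid or from anyone in this thread), the following stand-in for squid_ldap_group logs the options and every request line Squid hands it, answers from a constructed membership table instead of LDAP, and applies the same DOMAIN\user stripping that -S performs, so you can see whether the name Squid sends is "cwm" or a domain-prefixed form. The --concurrent flag is hypothetical, standing in for the channel-id prefix Squid puts on each line when concurrency= is set.

```python
#!/usr/bin/env python3
"""Diagnostic stand-in for squid_ldap_group (added example, not Squid code).

Drop it in place of the real helper in external_acl_type while debugging:
it answers OK/ERR from MEMBERS and writes what it received to stderr.
Assumed request format: "user group [group...]", with a leading channel-id
when --concurrent (hypothetical flag) is given.
"""
import sys

# Constructed membership table standing in for the LDAP group lookup.
MEMBERS = {"webaccess": {"cwm"}}


def strip_nt_domain(user):
    """Drop a DOMAIN\\ or DOMAIN/ prefix, which is what -S does."""
    for sep in ("\\", "/"):
        if sep in user:
            user = user.rsplit(sep, 1)[1]
    return user


def parse_request(line, concurrent):
    """Split one request line into (channel, user, [groups])."""
    fields = line.split()
    channel = None
    if concurrent:
        channel, fields = fields[0], fields[1:]
    if len(fields) < 2:
        raise ValueError("expected 'user group...': %r" % line)
    return channel, fields[0], fields[1:]


def answer(line, members, strip_domain=False, concurrent=False, log=None):
    """Return the reply line ("OK"/"ERR", prefixed with the channel if any).

    'log' collects what was received; that record is the point of the
    stand-in, since it shows the exact user string Squid sent.
    """
    channel, user, groups = parse_request(line, concurrent)
    lookup = strip_nt_domain(user) if strip_domain else user
    ok = any(lookup in members.get(g, set()) for g in groups)
    if log is not None:
        log.append("received user=%r lookup=%r groups=%r -> %s"
                   % (user, lookup, groups, "OK" if ok else "ERR"))
    reply = "OK" if ok else "ERR"
    return reply if channel is None else "%s %s" % (channel, reply)


def main(argv):
    # Only -S and the hypothetical --concurrent change behaviour; every
    # other option is recorded so the log shows what squid.conf passed.
    strip = "-S" in argv
    concurrent = "--concurrent" in argv
    log = ["options: %r" % argv]
    for line in sys.stdin:
        line = line.strip()
        if not line:
            continue
        print(answer(line, MEMBERS, strip, concurrent, log), flush=True)
    sys.stderr.write("\n".join(log) + "\n")


if __name__ == "__main__":
    main(sys.argv[1:])
```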


[squid-users] authentication problem

2003-12-11 Thread Victor Souza Menezes
Hello, everybody

I hope somebody can help me!!!

I am running squid-2.5.STABLE1-2 and having problems authenticating users
against a win2000 ADS/LDAP directory. When I installed win2000 I created the
following domain: tre-pb.gov.br. I didn't create any organizational unit, so the
users that I created stay under the standard organizational unit (Users).

This is the line that I have in squid.conf to define the external helper:

auth_param basic program /usr/lib/squid/squid_ldap_auth -b ou=Users, dc=tre-pb, dc=gov, dc=br -h 10.12.1.15

The following error message appears in /var/log/squid/access.log

TCP_DENIED/407 1755 GET http://www.google.com.

Am I doing something wrong???
If so, please help me




Re: [squid-users] authentication problem

2003-12-11 Thread Henrik Nordstrom
On Thu, 11 Dec 2003, Victor Souza Menezes wrote:

> following domain: tre-pb.gov.br. I didn't create any organizational unit, so the
> users that I created stay under the standard organizational unit (Users).
> 
> This is the line that I have in squid.conf to define the external helper:
> 
> auth_param basic program /usr/lib/squid/squid_ldap_auth -b ou=Users, dc=tre-pb, dc=gov, dc=br -h 10.12.1.15

You still need to use the search mode of the helper. See the 
squid_ldap_auth manual. You can also find a couple of MSAD examples in the 
squid_ldap_auth manual.

Regards
Henrik



Re: [squid-users] authentication problem and Server redirected too many times (20) error message

2003-12-03 Thread Henrik Nordstrom
Then check your acl and http_access lines related to authentication.

Regards
Henrik


On Tue, 2 Dec 2003, Rami Jaamour wrote:

> I ran this test again as 'rjaamour' the cache effective user (as you can
> notice from my conf file) and it still succeeds on correct
> username/password pairs.
> 
> Thank you for your help.
> Rami
> 
> Henrik Nordstrom wrote:
> 
> > Did you run this test as the cache_effective_user or as root?
> > 
> > If as root, make sure to run the test as your cache_effective_user.
> > 
> > Regards
> > Henrik
> > 
> > On Tue, 2 Dec 2003, Rami Jaamour wrote:
> > 
> > > I did that already.  It gives ERR on wrong username/password pairs and
> > > OK on the correct one.
> > > 
> > > Henrik Nordstrom wrote:
> > > 
> > > > On Mon, 1 Dec 2003, Rami Jaamour wrote:
> > > > 
> > > > > I do configure Mozilla to use the proxy, giving it the host name and
> > > > > port and it worked in the past before I did the authentication, but when
> > > > > Squid is configured to require authentication, then the browser (both
> > > > > mozilla and IE) keep prompting for username and password.  Is my
> > > > > squid.conf correct to do the proxy authentication?
> > > > 
> > > > Then most likely there is a configuration error.
> > > > 
> > > > First test is if the password file is correctly created.  Start the
> > > > auth_param basic program command manually and then type a username password
> > > > pair as input.
> > > > 
> > > > Regards
> > > > Henrik


Re: [squid-users] authentication problem and Server redirected too many times (20) error message

2003-12-02 Thread Rami Jaamour
I did that already.  It gives ERR on wrong username/password pairs and
OK on the correct one.

Henrik Nordstrom wrote:

> On Mon, 1 Dec 2003, Rami Jaamour wrote:
> 
> > I do configure Mozilla to use the proxy, giving it the host name and
> > port and it worked in the past before I did the authentication, but when
> > Squid is configured to require authentication, then the browser (both
> > mozilla and IE) keep prompting for username and password.  Is my
> > squid.conf correct to do the proxy authentication?
> 
> Then most likely there is a configuration error.
> 
> First test is if the password file is correctly created.  Start the
> auth_param basic program command manually and then type a username password
> pair as input.
> 
> Regards
> Henrik

--
Rami Jaamour
SOAPtest http://www.parasoft.com/jsp/products/home.jsp?product=SOAP
Development
ParaSoft Corporation http://www.parasoft.com
(626) 256-3680 ext. 1217




Re: [squid-users] authentication problem and Server redirected too many times (20) error message

2003-12-02 Thread Henrik Nordstrom
Did you run this test as the cache_effective_user or as root?

If as root, make sure to run the test as your cache_effective_user.

Regards
Henrik

On Tue, 2 Dec 2003, Rami Jaamour wrote:

> I did that already.  It gives ERR on wrong username/password pairs and
> OK on the correct one.
> 
> Henrik Nordstrom wrote:
> 
> > On Mon, 1 Dec 2003, Rami Jaamour wrote:
> > 
> > > I do configure Mozilla to use the proxy, giving it the host name and
> > > port and it worked in the past before I did the authentication, but when
> > > Squid is configured to require authentication, then the browser (both
> > > mozilla and IE) keep prompting for username and password.  Is my
> > > squid.conf correct to do the proxy authentication?
> > 
> > Then most likely there is a configuration error.
> > 
> > First test is if the password file is correctly created.  Start the
> > auth_param basic program command manually and then type a username password
> > pair as input.
> > 
> > Regards
> > Henrik



Re: [squid-users] authentication problem and Server redirected too many times (20) error message

2003-12-02 Thread Rami Jaamour
I ran this test again as 'rjaamour' the cache effective user (as you can 
notice from my conf file) and it still succeeds on correct 
username/password pairs.

Thank you for your help.
Rami

Henrik Nordstrom wrote:

> Did you run this test as the cache_effective_user or as root?
> 
> If as root, make sure to run the test as your cache_effective_user.
> 
> Regards
> Henrik
> 
> On Tue, 2 Dec 2003, Rami Jaamour wrote:
> 
> > I did that already.  It gives ERR on wrong username/password pairs and
> > OK on the correct one.
> > 
> > Henrik Nordstrom wrote:
> > 
> > > On Mon, 1 Dec 2003, Rami Jaamour wrote:
> > > 
> > > > I do configure Mozilla to use the proxy, giving it the host name and
> > > > port and it worked in the past before I did the authentication, but when
> > > > Squid is configured to require authentication, then the browser (both
> > > > mozilla and IE) keep prompting for username and password.  Is my
> > > > squid.conf correct to do the proxy authentication?
> > > 
> > > Then most likely there is a configuration error.
> > > 
> > > First test is if the password file is correctly created.  Start the
> > > auth_param basic program command manually and then type a username password
> > > pair as input.
> > > 
> > > Regards
> > > Henrik

--
Rami Jaamour
SOAPtest http://www.parasoft.com/jsp/products/home.jsp?product=SOAP 
Development
ParaSoft Corporation http://www.parasoft.com


[squid-users] authentication problem and Server redirected too many times (20) error message

2003-12-01 Thread Rami Jaamour
Hello,

My Squid works fine without authentication but when I try to use
ncsa_auth I get problems.
When attempting to make a HTTP connection from a Java app, I get:
java.net.ProtocolException: Server redirected too many  times (20)
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:800)
When I use mozilla with the proxy settings configured to my squid, it
keeps infinitely prompting for the username and password even though I
give it the correct username and password.
Here is the diff -w of my squid.conf against squid.conf.default:

1007a1008
  redirect_program /usr/local/squid/libexec/redirector.pl
1073c1074,1076
 # auth_param basic program /usr/local/squid/bin/ncsa_auth
/usr/local/squid/etc/passwd
---
  auth_param basic program /usr/local/squid/bin/ncsa_auth
/usr/local/squid/etc/users
 
1726a1730,1732
  acl authenticated_user proxy_auth REQUIRED
 
1765a1772,1773
  http_access allow authenticated_user
1986a1995,1996
  cache_effective_user rjaamour
  cache_effective_group root
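Review bot: cache_effective_group root in the 1986a1995,1996 hunk hands the root group to the Squid process and to every helper it spawns (the ncsa_auth and redirector.pl programs from the earlier hunks), which none of them needs; the line above already drops the user to rjaamour, so set cache_effective_group to an unprivileged group as well and keep /usr/local/squid/etc/users readable by that identity only.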
The users password file was created using htpasswd -c users username
and it works fine when I validate it using
ncsa_auth users
meaning, only when I type the correct username and password pair it
returns OK and it returns ERR otherwise.
My redirector.pl is just

#!/usr/bin/perl
$|=1;            # unbuffered output: Squid waits for each rewritten line
while (<>) {     # one URL request line per iteration, read from Squid
[EMAIL PROTECTED]://[EMAIL PROTECTED]://fox@;
[EMAIL PROTECTED]://[EMAIL PROTECTED]://trout@;
print;           # hand the (possibly rewritten) line back to Squid
}
Which appears to work fine when I run it alone.

I'm using Squid 2.5.STABLE-4 on Mandrake 9.2 (kernel 2.4.22), apache 2.0.48. Help!

Sincerely,
--
Rami Jaamour
SOAPtest http://www.parasoft.com/jsp/products/home.jsp?product=SOAP
Development
ParaSoft Corporation http://www.parasoft.com



Re: [squid-users] authentication problem and Server redirected too many times (20) error message

2003-12-01 Thread Henrik Nordstrom
On Mon, 1 Dec 2003, Rami Jaamour wrote:

> My Squid works fine without authentication but when I try to use
> ncsa_auth I get problems.
> 
> When I use mozilla with the proxy settings configured to my squid, it
> keeps infinitely prompting for the username and password even though I
> give it the correct username and password.

Are you running Squid as a transparently intercepting proxy?

To use proxy authentication your browser MUST be configured to use a 
proxy.

Regards
Henrik



Re: [squid-users] authentication problem and Server redirected too many times (20) error message

2003-12-01 Thread Rami Jaamour
I do configure Mozilla to use the proxy, giving it the host name and 
port and it worked in the past before I did the authentication, but when 
Squid is configured to require authentication, then the browser (both 
mozilla and IE) keep prompting for username and password.  Is my 
squid.conf correct to do the proxy authentication?  When I hit cancel, I 
get the following HTML error page:

 ERROR

   Cache Access Denied

While trying to retrieve the URL: 
http://soaptest.parasoft.com/calculator.wsdl

The following error was encountered:

   * Cache Access Denied.

Sorry, you are not currently allowed to request:

   http://soaptest.parasoft.com/calculator.wsdl

from this cache until you have authenticated yourself.

You need to use Netscape version 2.0 or greater, or Microsoft Internet 
Explorer 3.0, or an HTTP/1.1 compliant browser for this to work. Please 
contact the cache administrator mailto:webmaster if you have 
difficulties authenticating yourself or change 
http://katze.parasoft.com/cgi-bin/chpasswd.cgi your default password.

Generated Tue, 02 Dec 2003 03:19:40 GMT by katze.parasoft.com 
(squid/2.5.STABLE4)



Henrik Nordstrom wrote:

> On Mon, 1 Dec 2003, Rami Jaamour wrote:
> 
> > My Squid works fine without authentication but when I try to use
> > ncsa_auth I get problems.
> > When I use mozilla with the proxy settings configured to my squid, it
> > keeps infinitely prompting for the username and password even though I
> > give it the correct username and password.
> 
> Are you running Squid as a transparently intercepting proxy?
> 
> To use proxy authentication your browser MUST be configured to use a
> proxy.
> 
> Regards
> Henrik


--
Rami Jaamour
SOAPtest http://www.parasoft.com/jsp/products/home.jsp?product=SOAP 
Development
ParaSoft Corporation http://www.parasoft.com
(626) 256-3680 ext. 1217




[squid-users] Authentication problem in squid

2003-11-20 Thread Chaman Rana
Hi,
  I want to implement authentication in Squid proxy in Red Hat Linux 9.
Normal configuration is working fine. I tried with smb_auth but I get an
authentication window which asks for username and password, but if I give a
valid username and password it keeps asking 4 times and then an access denied
page comes up. The Samba server is working fine and authenticates with the same
username and password and it works. My network is not in a domain environment
but a workgroup environment. All Windows machines access the web through the squid
server. What are all the procedures to follow to configure authentication
through Samba? My configuration is as follows

auth_param basic program /usr/lib/squid/smb_auth  /etc/samba/smbpasswd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl xpassword proxy_auth REQUIRED
acl xpassword proxy_auth

http_access allow xpassword

If possible please send me configured squid.conf files.

Thanking You,

Warm Regards,
Chaman Rana
Engineer - Technical Services

[EMAIL PROTECTED]



Re: [squid-users] Authentication problem in squid

2003-11-20 Thread Henrik Nordstrom
On Thu, 20 Nov 2003, Chaman Rana wrote:

> through Samba. My configuration is as follows
> 
> auth_param basic program /usr/lib/squid/smb_auth  /etc/samba/smbpasswd

Please see the smb_auth documentation.
url:http://www.hacom.nl/~richard/software/smb_auth.html

Regards
Henrik



RE: [squid-users] Authentication problem

2003-09-15 Thread Deepa D
Hi,
   Yes, we need to screen all the URL requests even if
the client machines are not configured to use a proxy.
Kindly mail me any solutions that we could use to
overcome this problem.
  Regards and TIA,
  Deepa

--- Adam Aube [EMAIL PROTECTED] wrote:
> > The browsers are not configured to use the proxy -
> > hence the pam_auth of the squid proxy cannot be used
> > for authentication.
> 
> Is there a particular reason you're using a
> transparent proxy?
> 
> Adam


Yahoo! India Matrimony: Find your partner online.
Go to http://yahoo.shaadi.com


[squid-users] authentication problem

2003-07-24 Thread Wes Crabtree
Greetings,

I am authenticating using group ldap.  Works great as long as I don't
use special characters in my password. Any password works when I test
the group ldap program from a command line, it only fails when it passes
through Squid.  Any help would be greatly appreciated.


Re: [squid-users] authentication problem

2003-07-24 Thread Henrik Nordstrom
On Thursday 24 July 2003 23.42, Wes Crabtree wrote:
> Greetings,
> 
> I am authenticating using group ldap.  Works great as long as I
> don't use special characters in my password. Any password works
> when I test the group ldap program from a command line, it only
> fails when it passes through Squid.  Any help would be greatly
> appreciated.

Which LDAP helper program are you using?

For Squid-2.5 you should be using the helper shipped with Squid-2.5. 
Using another LDAP helper will give problems with special characters.

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]