RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny
Hi,

I am now having issues with custom error pages. I have the deny_info line for the accessdeny acl, but it isn't getting used (I assume because the access deny line finished with all). Eg:

  deny_info ERR_ACCESS_DENIED_MISUSE accessdenied
  http_access deny accessdenied all

I have tried removing the all, but that puts me back into a re-challenge loop (which is why all was included).

I am hoping to have a list of denied messages which give instructions to the user on the steps required to fix the issue, depending on what reason they were denied for. Are there any suggestions someone can offer, or are there relevant variables (eg. the acl which denied them) which can be passed to an external handler? I'd rather do it with static ERR pages, but whatever works!

Regards,
Dion

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, 14 September 2009 12:20 PM
To: Dion Beauglehall
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny

On Mon, 14 Sep 2009 12:12:27 +1000, Dion Beauglehall beaugleha...@vermontsc.vic.edu.au wrote:
> Hi Amos,
>
> The changes you suggested worked perfectly. Thank you.
>
> What I'm not quite sure of is why. I assume in this context, the all at the end of the line is not acting as a user list, but a URL list or something else?

It's an IP-based test doing a very fast catch-all. This changes the type of ACL last seen at denial so Squid does not equate the deny with unusable credentials and re-challenge.

Amos

> Regards,
> Dion
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Thursday, 10 September 2009 11:30 AM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid/LDAP re-challenges browser on http_access deny
>
> On Thu, 10 Sep 2009 10:55:58 +1000, Dion Beauglehall beaugleha...@vermontsc.vic.edu.au wrote:
>> Hi,
>>
>> I’m configuring a squid proxy box with LDAP authentication, and ACLs based on LDAP groups. I have the LDAP authentication working, as are groups.
>>
>> However, when I add a user to an “Access Denied” group, squid then causes the browser to bring up an authentication dialog box. Most squid installs I have seen bring up a squid “Cache Access Denied” screen at this point. This is what I would like it to do.
>>
>> I am unsure if what I am experiencing is expected behaviour, or whether I have an error in my config file. I am running Squid 2.7STABLE6 on a Windows 2008 server. Relevant lines from squid.conf are below. Note that the LDAP works correctly, and so I have not provided details. What is not acting as I expected is the behaviour of Squid when it hits the “http_access deny accessdenied” line. This seems to be what re-challenges the browser.
>>
>> As we are a school, we need to ensure that both the user is a valid user (from the initial challenge, which collects their machine login, invisible to the user), and that they have not been denied for some reason (hence the denied group). The re-challenge will lead to students logging into squid with their friends’ account. A Cache Access Denied screen is a much better alternative.
>
> Yes it was a config issue. Re-writing your ACLs slightly to follow that exact logic as described above should solve your problem.
>
>> Note that once I have this working, there will be other “denied” groups to deny on, prior to allowing access.
>>
>> Any suggestions or ideas are appreciated.
>>
>> Regards,
>> Dion
>>
>> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ..
>> auth_param basic children 5
>> auth_param basic realm VSC
>> auth_param basic credentialsttl 5 minutes
>>
>> external_acl_type ldapgroup LOGIN ..
>>
>> acl ldap-auth proxy_auth REQUIRED
>> acl accessdenied external ldapgroup InternetAccessDeny
>> acl accessallowed external ldapgroup InternetAccess
>>
>> http_access deny accessdenied
>
> Change the above line to:
>
>   http_access deny accessdenied all
>
> ... which will produce the Access Denied page instead of a challenge.
>
> Any other denied groups need to go in here one to a line with all at the end of each line.
>
> After all of them add a new line:
>
>   http_access deny !ldap-auth
>
> ... which will cause Squid to challenge if no credentials are given yet. People who have given _any_ valid credentials will not be asked twice. This action was being done as a side-effect of the accessdenied ACL test, but with the new version it needs to be done separately.
>
>> http_access allow accessallowed
>> http_access deny all
>
> Amos

--- Scanned by M+ Guardian Messaging Firewall ---
RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny
Hi,

It works fine for the straight deny, but I have one acl (from an external helper) which has been designed to be used as an allow list, which (of course), I want to use as a deny. Putting

  deny !papercutallow dummy

seems to just hang squid.

Thoughts? Suggestions?

In the meantime, I've contacted papercut about whether the external helper can work as a deny group...

Regards,
Dion

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday, 7 October 2009 2:53 PM
To: Dion Beauglehall
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny

On Wed, 7 Oct 2009 14:23:45 +1100, Dion Beauglehall beaugleha...@vermontsc.vic.edu.au wrote:
> Hi,
>
> I am now having issues with custom error pages. I have the deny_info line for the accessdeny acl, but it isn't getting used (I assume because the access deny line finished with all). Eg:
>
>   deny_info ERR_ACCESS_DENIED_MISUSE accessdenied
>   http_access deny accessdenied all
>
> I have tried removing the all, but that puts me back into a re-challenge loop (which is why all was included).
>
> I am hoping to have a list of denied messages which give instructions to the user on the steps required to fix the issue, depending on what reason they were denied for. Are there any suggestions someone can offer, or are there relevant variables (eg. the acl which denied them) which can be passed to an external handler? I'd rather do it with static ERR pages, but whatever works!

Magic voodoo:

  acl dummy src all
  deny_info ERR_ACCESS_DENIED_MISUSE dummy
  http_access deny accessdenied dummy

See how it works?
;)

Amos

> -----Original Message-----
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Monday, 14 September 2009 12:20 PM
> To: Dion Beauglehall
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny
>
> On Mon, 14 Sep 2009 12:12:27 +1000, Dion Beauglehall beaugleha...@vermontsc.vic.edu.au wrote:
>> Hi Amos,
>>
>> The changes you suggested worked perfectly. Thank you.
>>
>> What I'm not quite sure of is why. I assume in this context, the all at the end of the line is not acting as a user list, but a URL list or something else?
>
> It's an IP-based test doing a very fast catch-all. This changes the type of ACL last seen at denial so Squid does not equate the deny with unusable credentials and re-challenge.
>
> Amos
>
>> Regards,
>> Dion
>>
>> -----Original Message-----
>> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
>> Sent: Thursday, 10 September 2009 11:30 AM
>> To: squid-users@squid-cache.org
>> Subject: Re: [squid-users] Squid/LDAP re-challenges browser on http_access deny
>>
>> On Thu, 10 Sep 2009 10:55:58 +1000, Dion Beauglehall beaugleha...@vermontsc.vic.edu.au wrote:
>>> Hi,
>>>
>>> I’m configuring a squid proxy box with LDAP authentication, and ACLs based on LDAP groups. I have the LDAP authentication working, as are groups.
>>>
>>> However, when I add a user to an “Access Denied” group, squid then causes the browser to bring up an authentication dialog box. Most squid installs I have seen bring up a squid “Cache Access Denied” screen at this point. This is what I would like it to do.
>>>
>>> I am unsure if what I am experiencing is expected behaviour, or whether I have an error in my config file. I am running Squid 2.7STABLE6 on a Windows 2008 server. Relevant lines from squid.conf are below. Note that the LDAP works correctly, and so I have not provided details. What is not acting as I expected is the behaviour of Squid when it hits the “http_access deny accessdenied” line. This seems to be what re-challenges the browser.
>>>
>>> As we are a school, we need to ensure that both the user is a valid user (from the initial challenge, which collects their machine login, invisible to the user), and that they have not been denied for some reason (hence the denied group). The re-challenge will lead to students logging into squid with their friends’ account. A Cache Access Denied screen is a much better alternative.
>>
>> Yes it was a config issue. Re-writing your ACLs slightly to follow that exact logic as described above should solve your problem.
>>
>>> Note that once I have this working, there will be other “denied” groups to deny on, prior to allowing access.
>>>
>>> Any suggestions or ideas are appreciated.
>>>
>>> Regards,
>>> Dion
>>>
>>> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ..
>>> auth_param basic children 5
>>> auth_param basic realm VSC
>>> auth_param basic credentialsttl 5 minutes
>>>
>>> external_acl_type ldapgroup LOGIN ..
>>>
>>> acl ldap-auth proxy_auth REQUIRED
>>> acl accessdenied external ldapgroup InternetAccessDeny
>>> acl accessallowed external ldapgroup InternetAccess
>>>
>>> http_access deny accessdenied
>>
>> Change the above line to:
>>
>>   http_access deny accessdenied all
>>
>> ... which will produce the Access Denied page instead of a challenge.
>>
>> Any other denied groups need to go
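The three http_access variants that run through this thread (the original `deny accessdenied`, the `deny accessdenied all` fix, and the `deny accessdenied dummy` trick with its own deny_info) all hinge on one rule: Squid decides what to do with a denial based on the last ACL named on the denying line. The following Python model was written for this archive page to put those three configurations side by side; it is not Squid source and not code from anyone in the thread. It assumes a deliberately simplified version of Squid 2.7's behaviour: consulting a credential-dependent ACL (proxy_auth, or an external ACL whose helper format uses %LOGIN) before any credentials were sent triggers a 407 challenge; a deny line whose last ACL is credential-dependent also produces a 407; any other deny produces a 403 whose error page is whatever deny_info binds to that last ACL's name, or the stock ERR_ACCESS_DENIED otherwise. The users, groups and the "external" ACL kind are constructed for the example.

```python
"""Model of how a Squid http_access deny turns into a 407 or a 403 page.

Added illustration for the squid-users thread above; not Squid code.
Simplifying assumptions (labelled as such): the response to a denial is
chosen from the LAST ACL on the denying http_access line, and any ACL
whose result depends on the user's login (proxy_auth, or an external
ACL fed %LOGIN) counts as credential-dependent.
"""
from dataclasses import dataclass, field
from typing import Optional

# ACL kinds whose answer depends on who the user is (assumption, see above).
CREDENTIAL_ACL_KINDS = {"proxy_auth", "external"}


@dataclass
class Acl:
    name: str
    kind: str                                   # "src", "proxy_auth" or "external"
    groups: set = field(default_factory=set)    # LDAP groups an external ACL matches


@dataclass
class Request:
    user: Optional[str]     # None = browser has not sent Proxy-Authorization yet
    groups: set             # LDAP groups the helper would report for this user


class NeedsCredentials(Exception):
    """A credential-dependent ACL was consulted before any login was supplied."""


def acl_matches(acl: Acl, req: Request) -> bool:
    """Evaluate one ACL against one request (constructed semantics)."""
    if acl.kind == "src":
        return True                   # 'acl all src all' matches every client
    if req.user is None:
        raise NeedsCredentials(acl.name)
    if acl.kind == "proxy_auth":
        return True                   # REQUIRED: any valid credentials match
    if acl.kind == "external":
        return bool(acl.groups & req.groups)
    raise ValueError(f"unknown acl kind {acl.kind}")


def evaluate(rules, acls, deny_info, req):
    """Walk http_access lines in order and return (http_status, error_page)."""
    for action, terms in rules:
        last_acl = None
        line_matches = True
        for term in terms:
            negated = term.startswith("!")
            acl = acls[term.lstrip("!")]
            last_acl = acl
            try:
                hit = acl_matches(acl, req)
            except NeedsCredentials:
                return 407, "challenge"       # Squid asks the browser to log in
            if hit == negated:                # this term fails, line does not apply
                line_matches = False
                break
        if not line_matches:
            continue
        if action == "allow":
            return 200, None
        # A deny whose last ACL is credential-dependent is treated as
        # "these credentials are no good": re-challenge instead of a page.
        if last_acl.kind in CREDENTIAL_ACL_KINDS:
            return 407, "challenge"
        return 403, deny_info.get(last_acl.name, "ERR_ACCESS_DENIED")
    return 403, "ERR_ACCESS_DENIED"           # implicit default deny


# ACL definitions mirroring the thread's squid.conf (group names from the thread).
ACLS = {
    "all": Acl("all", "src"),
    "dummy": Acl("dummy", "src"),
    "ldap-auth": Acl("ldap-auth", "proxy_auth"),
    "accessdenied": Acl("accessdenied", "external", {"InternetAccessDeny"}),
    "accessallowed": Acl("accessallowed", "external", {"InternetAccess"}),
}

# 1. Dion's original rules: the deny line ends on a credential-dependent ACL.
ORIGINAL = [("deny", ["accessdenied"]), ("allow", ["accessallowed"]), ("deny", ["all"])]
# 2. Amos's first fix: 'all' terminates the deny line; the challenge that used
#    to be a side-effect is now an explicit 'deny !ldap-auth'.
WITH_ALL = [("deny", ["accessdenied", "all"]), ("deny", ["!ldap-auth"]),
            ("allow", ["accessallowed"]), ("deny", ["all"])]
# 3. The 'dummy' variant: same shape, but the terminating ACL has its own deny_info.
WITH_DUMMY = [("deny", ["accessdenied", "dummy"]), ("deny", ["!ldap-auth"]),
              ("allow", ["accessallowed"]), ("deny", ["all"])]
# deny_info bindings: Dion's attempt (on accessdenied) plus Amos's (on dummy).
DENY_INFO = {"accessdenied": "ERR_ACCESS_DENIED_MISUSE", "dummy": "ERR_ACCESS_DENIED_MISUSE"}

# Constructed requests: a student in the deny group, a permitted user, no login yet.
REQUESTS = {"denied": Request("student1", {"InternetAccessDeny"}),
            "allowed": Request("staff1", {"InternetAccess"}),
            "anonymous": Request(None, set())}


def outcomes(rules):
    """Map each constructed request to the (status, page) this rule set yields."""
    return {name: evaluate(rules, ACLS, DENY_INFO, req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("with all", WITH_ALL), ("with dummy", WITH_DUMMY)):
        print(f"{label:11s} {outcomes(rules)}")
```

Run it and the three rows line up with the thread: the original rules re-challenge the denied student (407), the `all` version sends a 403 but with the stock page because deny_info was bound to accessdenied rather than to the last ACL on the line, and the `dummy` version sends the 403 with ERR_ACCESS_DENIED_MISUSE. In all three the anonymous request is challenged once and the permitted user gets through.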
RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny
Hi,

This has worked, but what I am now experiencing is that external sites that require (challenge-based?) authentication do not present the pop-up for the password (and hence log-in into the site fails, or falls into a loop). Am I now in a catch-22 position, or is there a way around this too?

Regards,
Dion

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Thursday, 10 September 2009 11:30 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid/LDAP re-challenges browser on http_access deny

On Thu, 10 Sep 2009 10:55:58 +1000, Dion Beauglehall beaugleha...@vermontsc.vic.edu.au wrote:
> Hi,
>
> I’m configuring a squid proxy box with LDAP authentication, and ACLs based on LDAP groups. I have the LDAP authentication working, as are groups.
>
> However, when I add a user to an “Access Denied” group, squid then causes the browser to bring up an authentication dialog box. Most squid installs I have seen bring up a squid “Cache Access Denied” screen at this point. This is what I would like it to do.
>
> I am unsure if what I am experiencing is expected behaviour, or whether I have an error in my config file. I am running Squid 2.7STABLE6 on a Windows 2008 server. Relevant lines from squid.conf are below. Note that the LDAP works correctly, and so I have not provided details. What is not acting as I expected is the behaviour of Squid when it hits the “http_access deny accessdenied” line. This seems to be what re-challenges the browser.
>
> As we are a school, we need to ensure that both the user is a valid user (from the initial challenge, which collects their machine login, invisible to the user), and that they have not been denied for some reason (hence the denied group). The re-challenge will lead to students logging into squid with their friends’ account. A Cache Access Denied screen is a much better alternative.

Yes it was a config issue. Re-writing your ACLs slightly to follow that exact logic as described above should solve your problem.

> Note that once I have this working, there will be other “denied” groups to deny on, prior to allowing access.
>
> Any suggestions or ideas are appreciated.
>
> Regards,
> Dion
>
> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ..
> auth_param basic children 5
> auth_param basic realm VSC
> auth_param basic credentialsttl 5 minutes
>
> external_acl_type ldapgroup LOGIN ..
>
> acl ldap-auth proxy_auth REQUIRED
> acl accessdenied external ldapgroup InternetAccessDeny
> acl accessallowed external ldapgroup InternetAccess
>
> http_access deny accessdenied

Change the above line to:

  http_access deny accessdenied all

... which will produce the Access Denied page instead of a challenge.

Any other denied groups need to go in here one to a line with all at the end of each line.

After all of them add a new line:

  http_access deny !ldap-auth

... which will cause Squid to challenge if no credentials are given yet. People who have given _any_ valid credentials will not be asked twice. This action was being done as a side-effect of the accessdenied ACL test, but with the new version it needs to be done separately.

> http_access allow accessallowed
> http_access deny all

Amos
RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny
Hi Amos,

The changes you suggested worked perfectly. Thank you.

What I'm not quite sure of is why. I assume in this context, the all at the end of the line is not acting as a user list, but a URL list or something else?

Regards,
Dion

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Thursday, 10 September 2009 11:30 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid/LDAP re-challenges browser on http_access deny

On Thu, 10 Sep 2009 10:55:58 +1000, Dion Beauglehall beaugleha...@vermontsc.vic.edu.au wrote:
> Hi,
>
> I’m configuring a squid proxy box with LDAP authentication, and ACLs based on LDAP groups. I have the LDAP authentication working, as are groups.
>
> However, when I add a user to an “Access Denied” group, squid then causes the browser to bring up an authentication dialog box. Most squid installs I have seen bring up a squid “Cache Access Denied” screen at this point. This is what I would like it to do.
>
> I am unsure if what I am experiencing is expected behaviour, or whether I have an error in my config file. I am running Squid 2.7STABLE6 on a Windows 2008 server. Relevant lines from squid.conf are below. Note that the LDAP works correctly, and so I have not provided details. What is not acting as I expected is the behaviour of Squid when it hits the “http_access deny accessdenied” line. This seems to be what re-challenges the browser.
>
> As we are a school, we need to ensure that both the user is a valid user (from the initial challenge, which collects their machine login, invisible to the user), and that they have not been denied for some reason (hence the denied group). The re-challenge will lead to students logging into squid with their friends’ account. A Cache Access Denied screen is a much better alternative.

Yes it was a config issue. Re-writing your ACLs slightly to follow that exact logic as described above should solve your problem.

> Note that once I have this working, there will be other “denied” groups to deny on, prior to allowing access.
>
> Any suggestions or ideas are appreciated.
>
> Regards,
> Dion
>
> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ..
> auth_param basic children 5
> auth_param basic realm VSC
> auth_param basic credentialsttl 5 minutes
>
> external_acl_type ldapgroup LOGIN ..
>
> acl ldap-auth proxy_auth REQUIRED
> acl accessdenied external ldapgroup InternetAccessDeny
> acl accessallowed external ldapgroup InternetAccess
>
> http_access deny accessdenied

Change the above line to:

  http_access deny accessdenied all

... which will produce the Access Denied page instead of a challenge.

Any other denied groups need to go in here one to a line with all at the end of each line.

After all of them add a new line:

  http_access deny !ldap-auth

... which will cause Squid to challenge if no credentials are given yet. People who have given _any_ valid credentials will not be asked twice. This action was being done as a side-effect of the accessdenied ACL test, but with the new version it needs to be done separately.

> http_access allow accessallowed
> http_access deny all

Amos
[squid-users] Squid/LDAP re-challenges browser on http_access deny
Hi,

I’m configuring a squid proxy box with LDAP authentication, and ACLs based on LDAP groups. I have the LDAP authentication working, as are groups.

However, when I add a user to an “Access Denied” group, squid then causes the browser to bring up an authentication dialog box. Most squid installs I have seen bring up a squid “Cache Access Denied” screen at this point. This is what I would like it to do.

I am unsure if what I am experiencing is expected behaviour, or whether I have an error in my config file. I am running Squid 2.7STABLE6 on a Windows 2008 server. Relevant lines from squid.conf are below. Note that the LDAP works correctly, and so I have not provided details. What is not acting as I expected is the behaviour of Squid when it hits the “http_access deny accessdenied” line. This seems to be what re-challenges the browser.

As we are a school, we need to ensure that both the user is a valid user (from the initial challenge, which collects their machine login, invisible to the user), and that they have not been denied for some reason (hence the denied group). The re-challenge will lead to students logging into squid with their friends’ account. A Cache Access Denied screen is a much better alternative.

Note that once I have this working, there will be other “denied” groups to deny on, prior to allowing access.

Any suggestions or ideas are appreciated.

Regards,
Dion

auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ..
auth_param basic children 5
auth_param basic realm VSC
auth_param basic credentialsttl 5 minutes

external_acl_type ldapgroup LOGIN ..

acl ldap-auth proxy_auth REQUIRED
acl accessdenied external ldapgroup InternetAccessDeny
acl accessallowed external ldapgroup InternetAccess

http_access deny accessdenied
http_access allow accessallowed
http_access deny all