subject:"\[squid\-users\] Re\: Configuration to allow users to connect via user\-pass"

Re: [squid-users] Re: Configuration to allow users to connect via user-pass

2010-02-13 Thread Amos Jeffries


cio...@gmail.com wrote:

I'm having a big issue trying to configure squid to allow users to
connect only via user/pass. I have 8 ip's on my server and I want each
user to be able to connect to a single ip using their credentials but
all I get when I try in firefox is this message: The proxy server is
refusing connections so I must have done something wrong. I'm new to
squid. I'm willing to pay for assistance so please contact me if
interested. Anyhow, the help is much appreciated.



Firstly. Why the complexity with IPs?




Here's my squid config:


http_port 
visible_hostname weezie
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid-passwd
auth_param basic childred 5


 children


auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users


 http_access deny !ncsa_users
 http_access allow ncsa_users

Also check that the /etc/squid/squid-passwd has the right user/pass 
details inside. It should be created in the format NCSA uses.


 NP: Squid may need to be reconfigured (squid -k reconfigure) for the 
helper to pick up changes in this password file.




header_access Allow allow all
header_access Authorization allow all
header_access WWW-Authenticate allow all
header_access Proxy-Authorization allow all
header_access Proxy-Authenticate allow all
header_access Cache-Control allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Type allow all
header_access Date allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Last-Modified allow all
header_access Location allow all
header_access Pragma allow all
header_access Accept allow all
header_access Accept-Charset allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Content-Language allow all
header_access Mime-Version allow all
header_access Retry-After allow all
header_access Title allow all
header_access Connection allow all
header_access Proxy-Connection allow all
header_access User-Agent allow all
header_access Cookie allow all
header_access All deny all


Why for love of the Internet? why!!!?  /sigh.

Try and get it working without this violation of HTTP standards killing 
potentially useful information.




acl ip1 myip x.x.x.x

tcp_outgoing_address x.x.x.x ip1

acl user1 proxy_auth manilodisan


acl all src 0.0.0.0/0.0.0.0


acl all src all


acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255


acl localhost src 127.0.0.1


acl to_localhost dst 127.0.0.0/8


acl to_localhost dst 127.0.0.0/8 0.0.0.0/32


acl SSL_ports port 443# https
acl SSL_ports port 563# snews
acl SSL_ports port 873# rsync
acl Safe_ports port 80# http
acl Safe_ports port 21# ftp
acl Safe_ports port 443# https
acl Safe_ports port 70# gopher
acl Safe_ports port 210# wais
acl Safe_ports port 1025-65535# unregistered ports
acl Safe_ports port 280# http-mgmt
acl Safe_ports port 488# gss-http
acl Safe_ports port 591# filemaker
acl Safe_ports port 777# multiling http
acl Safe_ports port 631# cups
acl Safe_ports port 873# rsync
acl Safe_ports port 901# SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports


The above http_access lines are what we consider to be the basic safety 
net for HTTP.


Please move your custom login http_access below them. Right now anyone 
who can login has unlimited access to do anything nasty to your network 
and the rest of the Internet both.



http_access allow localhost


Stick your alterations to http_access in right here.


http_access deny all
icp_access allow all


An open ICP port. Yay, anyone can cache scan you for content :)


http_port 3128


Open port 3128 and  ? why not just one?


hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY


You want to remove those QUERY bits.


refresh_pattern ^ftp:144020%10080
refresh_pattern ^gopher:14400%1440


Missing:
  refresh_pattern -i (/cgi-bin/|\?) 0 0% 0


refresh_pattern .020%4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache



extension_methods REPORT MERGE MKACTIVITY CHECKOUT


Strange to be allowing Microsoft WebDAV requests through, but stripping 
the headers they require to work... oh well.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
  Current Beta Squid 3.1.0.16

Re: [squid-users] Re: Configuration to allow users to connect via user-pass

2010-02-13 Thread Henrik Nordström

lör 2010-02-13 klockan 08:13 +0200 skrev cio...@gmail.com:

 all I get when I try in firefox is this message: The proxy server is
 refusing connections so I must have done something wrong.

Three possible causes:

1. Squid is not listening on the IP in question. See your http_port
directive(s).

2. Squid isn't running.

3. There is a firewall of some kind blocking access. Watch out for local
firewall rules on the server which often blocks all unknown incoming
connections.

Regards
Henrik

[squid-users] Re: Configuration to allow users to connect via user-pass

2010-02-12 Thread cio...@gmail.com

I'm having a big issue trying to configure squid to allow users to
connect only via user/pass. I have 8 ip's on my server and I want each
user to be able to connect to a single ip using their credentials but
all I get when I try in firefox is this message: The proxy server is
refusing connections so I must have done something wrong. I'm new to
squid. I'm willing to pay for assistance so please contact me if
interested. Anyhow, the help is much appreciated.

Here's my squid config:


http_port 
visible_hostname weezie
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid-passwd
auth_param basic childred 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

header_access Allow allow all
header_access Authorization allow all
header_access WWW-Authenticate allow all
header_access Proxy-Authorization allow all
header_access Proxy-Authenticate allow all
header_access Cache-Control allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Type allow all
header_access Date allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Last-Modified allow all
header_access Location allow all
header_access Pragma allow all
header_access Accept allow all
header_access Accept-Charset allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Content-Language allow all
header_access Mime-Version allow all
header_access Retry-After allow all
header_access Title allow all
header_access Connection allow all
header_access Proxy-Connection allow all
header_access User-Agent allow all
header_access Cookie allow all
header_access All deny all

acl ip1 myip x.x.x.x

tcp_outgoing_address x.x.x.x ip1

acl user1 proxy_auth manilodisan


acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443        # https
acl SSL_ports port 563        # snews
acl SSL_ports port 873        # rsync
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl Safe_ports port 631        # cups
acl Safe_ports port 873        # rsync
acl Safe_ports port 901        # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern .        0    20%    4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid

Re: [squid-users] Re: Configuration to allow users to connect via user-pass

Re: [squid-users] Re: Configuration to allow users to connect via user-pass

[squid-users] Re: Configuration to allow users to connect via user-pass

3 matches

Site Navigation

Mail list logo

Footer information