Re: [squid-users] authentication via web page

2014-02-04 Thread Al Zick

Hello,


On Jan 31, 2014, at 12:12 PM, Amos Jeffries wrote:


On 31/01/2014 11:56 a.m., Al Zick wrote:

Hi,

I am considering switching to authentication via a web page. Are there
examples of how to do this somewhere? What are the pros and cons of this
configuration? I am very concerned about security with web page
authentication.


The Pro (singular) is that you can format the display to look any way
you like using HTML/CSS, images or other display technologies.


I was looking for a way to make it easy for the end user to find  
where they put their credentials.



The Cons are many, but these are the major ones:

* HTTP and web auth are unrelated systems. There is no way for the
client software to know what HTTP credentials to deliver on followup
traffic.
 Web browsers and servers typically use a Cookie value exchanged back
and forth to store the credentials. This has a whole pile of security
issues in and of itself, on top of the other issues in this list.


Would https help with this, or is it inherently insecure?

* Web authentication is tied securely to the server endpoint which does
the authentication. The login does not cross to other domains. Thus any
Cookie or login may be required to be repeated many times while browsing.



The above cons essentially mean that web authentication for a proxy is
not possible with today's technology. We have to use a session workaround.
 * redirecting the client to a page which both authenticates and starts
a session for that client on successful authentication.
 * authorizing any request which matches the session. Making the
assumption that it is the same user/login. This is somewhat unreliable,
but can be used if the clients have a fairly static IP or a detectable
unique signature.


What could be used as a detectable unique signature?




Also, I am not really sure if it is a good idea. For example, in most
emails the images in them are not sent as attachments, they are
downloaded from a web server and go through the proxy. If a re-write was
used to load the authentication page, then it would put that page in
place of the image. How would you authenticate the proxy with this
scenario?



The authentication will be linked to the URL redirected *to*. Not the
email embedded URL.


Okay.


I will probably need a consultant to help me through this project
because I have been working on this way too long. Would anyone be
available?


Maybe. If the session authorization scenario above sounds workable to
you take a look at the two session helpers bundled with Squid.

NOTE: that session by IP is for the *machine*. All software using it
shares the same session by IP address. If the IP is being NAT'ed for
multiple end-users they also all share the session.


This is going to be a real problem. I need it to be unique to the  
computer. Is there any work around for this?



1) the original squid_session / ext_session_acl helper acts in the same
way as a session for a browser when using a website. But for the machine
using the web proxy. The helper maintains its own BDB database of
sessions in the background.

 It has a passive mode (the default) where sessions are started
automatically on every new IP address.

 It has an "active" mode. Where the session is not started until some
magic URL is requested. You create a login page that redirects to the
URL whereafter the session helper tells Squid an OK result. Then
redirect from there back to the original URL.

More details at:
http://www.squid-cache.org/Versions/v3/3.3/manuals/ext_session_acl.html
http://www.squid-cache.org/Versions/v3/3.4/manuals/ext_session_acl.html



2) the newer ext_sql_session_acl helper bundled with Squid-3.4+ acts in
a slightly different way. It performs a SQL database lookup for a string
matching whatever fields you put in the external_acl_type format.
Returning OK/ERR results to Squid along with a username / label for an
existing session that matches.

 With this one you redirect to your authentication page like usual. But
instead of redirecting to a magic URL on success the auth script needs
to update the SQL database and redirect back to the original URL.

More details at:
http://www.squid-cache.org/Versions/v3/3.4/manuals/ext_sql_session_acl.html


Still, there is a lot that needs to be done to make this work. I  
wonder if I would not be better off with some kind of thin client  
that would just put the proxy settings into a computer for win/mac  
and then give a place to put in a username and password. If this was  
to reside in the tray or dock then it would make it easy to change.  
Do you have, or know where I could get, a client for setting up the  
proxy?


Thanks,
Al




Re: [squid-users] authentication via web page

2014-01-31 Thread Leonardo Rodrigues

On 30/01/14 20:56, Al Zick wrote:

Hi,

I am considering switching to authentication via a web page. Are there 
examples of how to do this somewhere? What are the pros and cons of 
this configuration? I am very concerned about security with web page 
authentication.


Also, I am not really sure if it is a good idea. For example, in most 
emails the images in them are not sent as attachments, they are 
downloaded from a web server and go through the proxy. If a re-write 
was used to load the authentication page, then it would put that page 
in place of the image. How would you authenticate the proxy with this 
scenario?


i would consider that a good idea on a guests network, for example, 
some sort of wifi hotspot. On a corporate environment, i would never 
consider that :/



--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email
gertru...@solutti.com.br
My SPAMTRAP, do not email it





Re: [squid-users] authentication via web page

2014-01-31 Thread Amos Jeffries
On 31/01/2014 11:56 a.m., Al Zick wrote:
> Hi,
> 
> I am considering switching to authentication via a web page. Are there
> examples of how to do this somewhere? What are the pros and cons of this
> configuration? I am very concerned about security with web page
> authentication.

The Pro (singular) is that you can format the display to look any way
you like using HTML/CSS, images or other display technologies.


The Cons are many, but these are the major ones:

* HTTP and web auth are unrelated systems. There is no way for the
client software to know what HTTP credentials to deliver on followup
traffic.
 Web browsers and servers typically use a Cookie value exchanged back
and forth to store the credentials. This has a whole pile of security
issues in and of itself, on top of the other issues in this list.

* Web authentication is tied securely to the server endpoint which does
the authentication. The login does not cross to other domains. Thus any
Cookie or login may be required to be repeated many times while browsing.


The above cons essentially mean that web authentication for a proxy is
not possible with today's technology. We have to use a session workaround.
 * redirecting the client to a page which both authenticates and starts
a session for that client on successful authentication.
 * authorizing any request which matches the session. Making the
assumption that it is the same user/login. This is somewhat unreliable,
but can be used if the clients have a fairly static IP or a detectable
unique signature.



> 
> Also, I am not really sure if it is a good idea. For example, in most
> emails the images in them are not sent as attachments, they are
> downloaded from a web server and go through the proxy. If a re-write was
> used to load the authentication page, then it would put that page in
> place of the image. How would you authenticate the proxy with this
> scenario?
> 

The authentication will be linked to the URL redirected *to*. Not the
email embedded URL.


> I will probably need a consultant to help me through this project
> because I have been working on this way too long. Would anyone be
> available?

Maybe. If the session authorization scenario above sounds workable to
you take a look at the two session helpers bundled with Squid.

NOTE: that session by IP is for the *machine*. All software using it
shares the same session by IP address. If the IP is being NAT'ed for
multiple end-users they also all share the session.


1) the original squid_session / ext_session_acl helper acts in the same
way as a session for a browser when using a website. But for the machine
using the web proxy. The helper maintains its own BDB database of
sessions in the background.

 It has a passive mode (the default) where sessions are started
automatically on every new IP address.

 It has an "active" mode. Where the session is not started until some
magic URL is requested. You create a login page that redirects to the
URL whereafter the session helper tells Squid an OK result. Then
redirect from there back to the original URL.

More details at:
http://www.squid-cache.org/Versions/v3/3.3/manuals/ext_session_acl.html
http://www.squid-cache.org/Versions/v3/3.4/manuals/ext_session_acl.html


2) the newer ext_sql_session_acl helper bundled with Squid-3.4+ acts in
a slightly different way. It performs a SQL database lookup for a string
matching whatever fields you put in the external_acl_type format.
Returning OK/ERR results to Squid along with a username / label for an
existing session that matches.

 With this one you redirect to your authentication page like usual. But
instead of redirecting to a magic URL on success the auth script needs
to update the SQL database and redirect back to the original URL.

More details at:
http://www.squid-cache.org/Versions/v3/3.4/manuals/ext_sql_session_acl.html


Amos


[squid-users] authentication via web page

2014-01-30 Thread Al Zick

Hi,

I am considering switching to authentication via a web page. Are  
there examples of how to do this somewhere? What are the pros and  
cons of this configuration? I am very concerned about security with  
web page authentication.


Also, I am not really sure if it is a good idea. For example, in most  
emails the images in them are not sent as attachments, they are  
downloaded from a web server and go through the proxy. If a re-write  
was used to load the authentication page, then it would put that page  
in place of the image. How would you authenticate the proxy with this  
scenario?


I will probably need a consultant to help me through this project  
because I have been working on this way too long. Would anyone be  
available?


Thanks,
Al



[squid-users] Authentication problem upgrading from squid 2 to squid 3

2012-12-20 Thread Javier Smaldone
I've been using squid 2.6.STABLE5 for a long time. Now, I'm upgrading
to 3.1.19 (Ubuntu 12.04). On my previous setup I've used ldap_auth
(with basic authentication) and after tuning my configuration I made
it work for squid3.

But now I have a problem with some (allowed) sites that load some
(forbidden) content (as twitter and facebook javascript, for example):
When loading such a page, the user gets prompted (again) for the login
credentials.

I've raised the loglevel to 9 and found some differences on the log
for exactly the same request.

Please, take a look at my config and logfile and save my life!

Thanks in advance.

--
Javier


This is the relevant part of my squid.conf file:

auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b
"dc=mycompany,dc=com,dc=ar" -D
"cn=ldaplinux,ou=ati,dc=mycompany,dc=com,dc=ar" -W /etc/squid3/secret
-f "sAMAccountName=%s" -h ldapserver
auth_param basic children 5
auth_param basic credentialsttl 2 hours
auth_param basic realm Internet access

external_acl_type adsgroup %LOGIN  /usr/lib/squid3/squid_ldap_group
-b "dc=mycompany,dc=com,dc=ar" -D
"cn=ldaplinux,ou=ati,dc=mycompany,dc=com,dc=ar" -W /etc/squid3/secret
-f 
"(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=mycompany,dc=com,dc=ar))"
-h ldapserver -v 3

http_access allow manager localhost
http_access deny manager

acl forbidden_ip src "/var/squid/acls/noips"
http_access deny forbidden_ip

acl users.privileged external adsgroup internet.privileged
http_access allow users.privileged

[...lot of acl and http_access rules...]

acl domains.banned.re dstdom_regex "/var/squid/acls/domains.banned.re"
http_access deny domains.banned.re
# domains.banned.re includes '\.twitter\'


For the request "GET http://platform.twitter.com/widgets.js", the
first part of the log info is always the same (and it is the expected
behaviour):


| HttpMsg.cc(445) parseRequestFirstLine: parsing possible request:
GET http://platform.twitter.com/widgets.js HTTP/1.1
Host: platform.twitter.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: */*
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: 
http://www.infobae.com/notas/687652-Cromanon-todos-los-condenados-seran-detenidos-inmediatamente.html
Proxy-Authorization: Basic XXX


| Parser: retval 1: from 0->52: method 0->2; url 4->41; version 43->50 (1/1)
| parseHttpRequest: req_hdr = {Host: platform.twitter.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: */*
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: 
http://www.infobae.com/notas/687652-Cromanon-todos-los-condenados-seran-detenidos-inmediatamente.html
Proxy-Authorization: Basic XXX

}
| parseHttpRequest: end = {
}

[...]

| parsing HttpHeaderEntry: near 'Proxy-Authorization: Basic
XXX'
| parsed HttpHeaderEntry: 'Proxy-Authorization: Basic XXX'
| created HttpHeaderEntry 0x7f6b92f4d790: 'Proxy-Authorization : Basic
XXX
| 0x7f6b7dc43150 adding entry: 40 at 7

[...]

| ACLChecklist::preCheck: 0x7f6b80288658 checking 'http_access deny
forbidden_ip'
| ACLList::matches: checking forbidden_ip
| ACL::checklistMatches: checking 'forbidden_ip'
| aclIpMatchIp: '192.168.1.1:53563' NOT found
| ACL::ChecklistMatches: result for 'forbidden_ip' is 0
| ACLList::matches: result is false
| aclmatchAclList: 0x7f6b80288658 returning false (AND list entry
failed to match)
| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0
lastACLResult() = 0 finished() = 0


Now, the important part: Checking user credentials (and group membership).

Despite the presence of the "Proxy-Authorization" field on the
request, the log shows:

| ACLChecklist::preCheck: 0x7f6b80288658 checking 'http_access allow
users.privileged'
| ACLList::matches: checking users.privileged
| ACL::checklistMatches: checking 'users.privileged'
| aclMatchExternal: acl="adsgroup"
| authenticateAuthenticate: broken auth or no proxy_auth header.
Requesting auth header.
| Acl.cc(70) AuthenticateAcl: returning 0 sending authentication challenge.
| aclMatchExternal: adsgroup user not authenticated (0)
| ACL::ChecklistMatches: result for 'users.privileged' is 0
| ACLList::matches: result is false
| aclmatchAclList: 0x7f6b80288658 returning false (AND list entry
failed to match)
| ACLChecklist::checkForAsync: requiring Proxy Auth header.

As a result, the browser asks the user for credentials again. When
entered, the request shows exactly the same for the first ACL checks,
but when checking "http_access allow users.privileged" it shows:

| ACLChecklist::preCheck: 0x7f6b80288658 checking 'http_access allow
users.privileged'
| ACLList::matches: checking users.privileged
| ACL::checklistMatches: checking 'users.privileged'
| aclMatchExternal: acl="ads

Re: Re: [squid-users] Authentication of non-standard methods

2012-12-14 Thread Trever L. Adams
On 12/11/2012 05:32 PM, Amos Jeffries wrote:
> On 12.12.2012 11:33, Trever L. Adams wrote:
>> Hello Everyone,
>>
>> I am looking at Shibboleth. I have seen one example
>>
>> (http://www.switch.ch/aai/support/presentations/opcom-201105/AAI-OpCom-AAI_for_mandatory_authentication_and_proxy_usage.pdf)
>>
>> for using it with Squid. I am afraid it makes no sense to me.
>>
>> I am afraid I do not know much about Shibboleth yet. It has three
>> components for authentication, user, password, domain. It has to use
>> redirects, etc.
>>
>> I see an easy way for this to work, but need help figuring it out.
>>
>> If a user isn't authenticated, I need to send them to a url.
>
>
>  acl bounce src all
>  acl auth proxy_auth REQUIRED
>  deny_info 307:http://example.com/ bounce
>  http_access deny !auth bounce
>
> ... but see below...
>
>>
>> How do I know if a user is authenticated? Well, it seems that this is
>> going to have to be passing the requesting client's ip address to a
>> program and get the response back if they are authenticated or not.
>
> NOTE: user != IP address. Therefore user authentication does not imply
> IP address is authenticated, particularly in HTTP where one client (IP
> address) can be presenting traffic from multiple users.
>  Essentially stateful connection-based authentication and stateless
> HTTP do not mix well - as is constantly being 'discovered' by NTLM
> people.
Yes, I had this reservation, but I need to figure out something. This is
a private proxy to general Internet, so some fudging for the time being
may be ok.
>
>
>> It
>> would be nice if I could pass a user name, but I am not sure how to do
>> this as this would require interaction with the browser and this should
>> be SSO.
>
> The ACLs above pass the Proxy-Authenticate header to a helper program
> for authentication tests. That header contains username and security
> token, sometimes domain if the auth type uses domains.
>
> SSO is a property of the *backend* accepting the credentials supplied
> by the client to Squid. SSO is simply the process of the backend
> accepting the same credentials from multiple services (Squid being one).
>  It is no more different than a user signing up at two separate
> websites with identical username/password details and being able to
> login to both.
The problem with Shibboleth is it is SAML and requires a domain that is
plain text (select from a drop down dialog). Hence the need to redirect
to a webpage to select and enter things.

RFC 6128 (is that right? the http auth stuff?) doesn't seem to allow a
webpage to give credentials to be used for the next page. I do not know
even if it does, if it would work for proxy auth.

I suppose it might be possible to have them enter a bogus password and
their full home user name (u...@example.org) which seems to be returned
by Shibboleth authentication. The problem then is, I need a secure way
of sharing the data between the proxy_auth stuff and the page where they
get redirected so that the two can be linked in a common database.

Is there a way to do this?
>
>>
>> If no, then do a url_rewrite_access (I am assuming this is correct)?
>
> redirector helper is one way to do it. But these must first accept the
> request for processing (http_access allow). It is more efficient to do
> the above ACLs I listed and alter the denial message sent by Squid
> into a 307 redirect message.
>
> ** redirectors like external ACL helpers, do not perform HTTP
> authentication. Just authorization.
Can you show me an example of a redirector? (If I am just missing one in
the docs, a url is fantastic)

I think a redirector is how the url I posted did things, but I couldn't
figure it out.
>
>>
>> Finally, is it possible to have multiple authentication algorithms?
>
> When using Proxy-Authenticate: yes of course.
But not with redirector?
>
>> Some
>> of the users will be local and be able to do krb5/spnego. So, if at all
>> possible, I would like to have the option of trying krb5, then spnego,
>> then Shibboleth.
>
> I suggest you work along the lines of using an external_acl_type
> helper for Shibboleth. Since it is more about authorization of a
> request to be processed than authenticating that the source IP is a
> genuine user account.
>
>
> You can use localnet ACL or a similar check for internal/external
> clients to skip or require the authentication with Negotiate/kerberos.
>
>
> Amos
Well, this is on a home network where various filtering would be
required for different users (think of that for homes where parents
think porn is ok for them but bad for children, or more likely that
certain health or other categories are appropriate/needed by certain
people, but inappropriate for young children, etc.)

Thank you for the help,
Trever







Re: [squid-users] Authentication of non-standard methods

2012-12-11 Thread Amos Jeffries

On 12.12.2012 11:33, Trever L. Adams wrote:

Hello Everyone,

I am looking at Shibboleth. I have seen one example

(http://www.switch.ch/aai/support/presentations/opcom-201105/AAI-OpCom-AAI_for_mandatory_authentication_and_proxy_usage.pdf)
for using it with Squid. I am afraid it makes no sense to me.

I am afraid I do not know much about Shibboleth yet. It has three
components for authentication, user, password, domain. It has to use
redirects, etc.

I see an easy way for this to work, but need help figuring it out.

If a user isn't authenticated, I need to send them to a url.



 acl bounce src all
 acl auth proxy_auth REQUIRED
 deny_info 307:http://example.com/ bounce
 http_access deny !auth bounce

... but see below...



How do I know if a user is authenticated? Well, it seems that this is
going to have to be passing the requesting client's ip address to a
program and get the response back if they are authenticated or not.


NOTE: user != IP address. Therefore user authentication does not imply 
IP address is authenticated, particularly in HTTP where one client (IP 
address) can be presenting traffic from multiple users.
 Essentially stateful connection-based authentication and stateless 
HTTP do not mix well - as is constantly being 'discovered' by NTLM 
people.




It
would be nice if I could pass a user name, but I am not sure how to 
do
this as this would require interaction with the browser and this 
should

be SSO.


The ACLs above pass the Proxy-Authenticate header to a helper program 
for authentication tests. That header contains username and security 
token, sometimes domain if the auth type uses domains.


SSO is a property of the *backend* accepting the credentials supplied 
by the client to Squid. SSO is simply the process of the backend 
accepting the same credentials from multiple services (Squid being one).
 It is no more different than a user signing up at two separate 
websites with identical username/password details and being able to 
login to both.





So, is it possible to do an auth_param to a special program that just
looks at the ip address? Have it return yes/no for if it is an
authenticated session?


No. auth_param is about verifying that the user is who they say they 
are. Cousin Bob arriving in Alices car ('from' IP address) does not 
verify that Bob == Alice, only that the vehicle is a car not a truck.


IP can at most be used as an authorization check to make some handling 
decision about the particular request. Authorization is done with 
external_acl_type helpers.





If no, then do a url_rewrite_access (I am assuming this is correct)?


redirector helper is one way to do it. But these must first accept the 
request for processing (http_access allow). It is more efficient to do 
the above ACLs I listed and alter the denial message sent by Squid into 
a 307 redirect message.


** redirectors like external ACL helpers, do not perform HTTP 
authentication. Just authorization.




Finally, is it possible to have multiple authentication algorithms?


When using Proxy-Authenticate: yes of course.


Some
of the users will be local and be able to do krb5/spnego. So, if at 
all
possible, I would like to have the option of trying krb5, then 
spnego,

then Shibboleth.


I suggest you work along the lines of using an external_acl_type helper 
for Shibboleth. Since it is more about authorization of a request to be 
processed than authenticating that the source IP is a genuine user 
account.



You can use localnet ACL or a similar check for internal/external 
clients to skip or require the authentication with Negotiate/kerberos.



Amos
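The helper shape Amos points to in both threads (the ext_sql_session_acl description in the 2014 reply above, and the external_acl_type-for-Shibboleth suggestion here), as an added illustration that is not a Squid-bundled helper: the login page authenticates and records a session, and this helper only authorizes by looking the session up. It assumes a SQLite table written by your login page; the squid.conf wiring, helper path and the deny_info URL placeholder in the docstring are assumptions, not from the thread.

```python
#!/usr/bin/env python3
"""Minimal external_acl_type session helper (added illustration).

Assumed squid.conf wiring, following the deny_info/bounce pattern from the
thread (the '%u' URL placeholder and the helper path are assumptions;
check the deny_info and external_acl_type docs for your Squid version):

  external_acl_type webauth_session ttl=10 negative_ttl=0 %SRC /usr/local/bin/session_helper.py /var/lib/squid/sessions.db
  acl has_session external webauth_session
  acl bounce src all
  deny_info 307:https://login.example.test/?url=%u bounce
  http_access deny !has_session bounce
  http_access allow has_session

Squid writes one line per lookup (here just %SRC, the client address).
The helper answers "OK user=<name>" while a live session exists for that
address and "ERR" otherwise; the login page, not this helper, verifies
passwords and calls start_session() on success.
"""
import sqlite3
import sys
import time

SESSION_TTL = 8 * 3600  # seconds a login stays valid (constructed value)

SCHEMA = """
CREATE TABLE IF NOT EXISTS sessions (
    src     TEXT PRIMARY KEY,  -- client address exactly as Squid sends %SRC
    user    TEXT NOT NULL,     -- login name the auth page verified
    expires INTEGER NOT NULL   -- unix time after which the session is dead
)"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def start_session(conn, src, user, now=None, ttl=SESSION_TTL):
    """Called by the login page after it verified the credentials.  Replaces
    any session the same address already had: as the thread warns, every
    host NATed behind that address now shares this login."""
    now = time.time() if now is None else now
    conn.execute(
        "INSERT OR REPLACE INTO sessions (src, user, expires) VALUES (?, ?, ?)",
        (src, user, int(now + ttl)),
    )
    conn.commit()


def end_session(conn, src):
    conn.execute("DELETE FROM sessions WHERE src = ?", (src,))
    conn.commit()


def lookup(conn, line, now=None):
    """Turn one request line from Squid into the helper's reply line."""
    now = time.time() if now is None else now
    fields = line.split()
    if not fields:
        return "ERR"
    src = fields[0]
    row = conn.execute(
        "SELECT user, expires FROM sessions WHERE src = ?", (src,)
    ).fetchone()
    if row is None:
        return "ERR"
    user, expires = row
    if expires <= now:
        end_session(conn, src)  # expired: drop it so the client is sent to login again
        return "ERR"
    return "OK user=%s" % user


def main(db_path):
    conn = open_db(db_path)
    for line in sys.stdin:  # Squid keeps the helper running and feeds it lines
        sys.stdout.write(lookup(conn, line) + "\n")
        sys.stdout.flush()  # Squid blocks on the reply; never leave it buffered


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else ":memory:")
```

Remember that a session keyed on %SRC is per address, so the same login is handed to every host behind a NAT gateway, which is the limitation Amos flags.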


[squid-users] Authentication of non-standard methods

2012-12-11 Thread Trever L. Adams
Hello Everyone,

I am looking at Shibboleth. I have seen one example
(http://www.switch.ch/aai/support/presentations/opcom-201105/AAI-OpCom-AAI_for_mandatory_authentication_and_proxy_usage.pdf)
for using it with Squid. I am afraid it makes no sense to me.

I am afraid I do not know much about Shibboleth yet. It has three
components for authentication, user, password, domain. It has to use
redirects, etc.

I see an easy way for this to work, but need help figuring it out.

If a user isn't authenticated, I need to send them to a url.

How do I know if a user is authenticated? Well, it seems that this is
going to have to be passing the requesting client's ip address to a
program and get the response back if they are authenticated or not. It
would be nice if I could pass a user name, but I am not sure how to do
this as this would require interaction with the browser and this should
be SSO.

So, is it possible to do an auth_param to a special program that just
looks at the ip address? Have it return yes/no for if it is an
authenticated session?

If no, then do a url_rewrite_access (I am assuming this is correct)?

Finally, is it possible to have multiple authentication algorithms? Some
of the users will be local and be able to do krb5/spnego. So, if at all
possible, I would like to have the option of trying krb5, then spnego,
then Shibboleth.

Thank you for any help,
Trever





[squid-users] Authentication problem

2012-11-22 Thread Warren Baker
HI List

I have squid-3.2.3 configured to make use of negotiate, and to
authenticate certain users. However the following config doesn't work


acl userA proxy_auth warren
acl userB proxy_auth testb

http_access allow userA
http_access allow userB
http_access deny all

userA successfully authenticates and can browse. userB however
obviously doesn't match userA acl and just gets presented with the
cache denied page.
Debugging the acl shows that it never moves past the userA acl and
doesn't continue onto authenticating the 'testb' user.

What am I doing wrong here?

thx

-- 
.warren


Re: [squid-users] Authentication problems with NTLM

2012-07-06 Thread Bruno Santos
Hi !

Thanks for the reply Amos !

For some reason, I get the squid mailing list emails with a delay...
While I wasn't getting any response (thank you for your response) I dug a bit 
myself and I found in the squid wiki a page about CentOS 5.5 (I'm using 6.2, but 
it is different from the page about CentOS)

http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5

some notes about ntlm authentication.

I didn't need samba or nmb running, so I shut down those services and kept 
winbind running.

Removed the basic authentication from squid.conf (I've already tried in Firefox 
3 and Firefox 2 on Ubuntu 7.10 - the oldest Linux I'm running around here) 
and the authentication page appears, the user types their credentials and 
everything is fine.

I've also changed a line in my squid.conf :

From:
http_access allow ntlmAuth

to:
http_access allow HomeNetworks ntlmAuth

and it just started working - no authentication in windows...

Thank you all !


- Original Message -
From: "Amos Jeffries" 
To: squid-users@squid-cache.org
Sent: Friday, 6 July, 2012 2:08:19 PM
Subject: Re: [squid-users] Authentication problems with NTLM

On 6/07/2012 11:42 p.m., Bruno Santos wrote:
> Hi !
>
>
> I've configured squid 3.1.10-1 (latest available for CentOS 6.2) with NTLM 
> authentication, but squid keeps asking for username and password. And 
> sometimes more than once...
>
>
> Users are authenticated in the domain, using IE6/7/9, but squid keeps asking 
> for username/password.
>
>
> Those with other browsers and Linux it's normal, but in windows no. I don't 
> know if Firefox in windows is supposed to ask for password or not, but it 
> asks.

For machines logged into the domain being logged into a proxy which uses
the domain credentials - the browser should never ask. This is a strong
sign that the proxy is using different credentials than the ones used to
log into the machine, or is losing them somehow..

>
>
> I have everything working with samba and winbind.
>
>
> Samba recognizes the user and winbind too.
>
>
> Wbinfo authentication:
>
>
>
> wbinfo -a teste%12345
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
>
> Squid ntlm_auth also is working ok
>
>
>
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> teste 12345
> OK

How much delay is the next thing to look for: I suspect 0.2sec?

>
> I notice something in the logs that are also a lots of TCP_DENIED before 
> TCP_MISS (and squid didn't ask for password)
> An example of access a website:
>
>
>
> 111.111.11.11 TCP_DENIED/407 4758 GET 
> http://www.venezuelatuya.com/tour/minitour.JPG - NONE/- text/html
> 1341573268.467 8 111.111.11.11 TCP_DENIED/407 4778 GET 
> http://www.venezuelatuya.com/tour/minioccidente.jpg - NONE/- text/html
> 1341573268.469 9 111.111.11.11 TCP_DENIED/407 4766 GET 
> http://www.venezuelatuya.com/tour/minicentro.jpg - NONE/- text/html
> 1341573268.472 11 111.111.11.11 TCP_DENIED/407 4778 GET 
> http://www.venezuelatuya.com/tour/minilosroques.jpg - NONE/- text/html
> 1341573268.472 11 111.111.11.11 TCP_DENIED/407 4774 GET 
> http://www.venezuelatuya.com/tour/minimorrocoy.jpg - NONE/- text/html
> 1341573268.474 10 111.111.11.11 TCP_DENIED/407 4770 GET 
> http://www.venezuelatuya.com/tour/minicaracas.jpg - NONE/- text/html
> 1341573268.474 10 111.111.11.11 TCP_DENIED/407 4762 GET 
> http://www.venezuelatuya.com/tour/miniandes.jpg - NONE/- text/html
> 1341573268.474 10 111.111.11.11 TCP_DENIED/407 4778 GET 
> http://www.venezuelatuya.com/tour/minimargarita.jpg - NONE/- text/html
> 1341573268.549 275 111.111.11.11 TCP_MISS/200 2186 GET 
> http://www.venezuelatuya.com/scripts/mapapaginaprincipal.js teste 
> DIRECT/207.58.139.197 application/javascript
> 1341573268.576 139 111.111.11.11 TCP_MISS/200 444 GET 
> http://www.venezuelatuya.com/principal.css teste DIRECT/207.58.139.197 
> text/css

This appears to be normal.
  * Over the course of 7ms the client delivers 8 requests.
  * squid responds with auth-needed challenge as required by NTLM to
each of these.

This might be connections opened in parallel, or requests pipelined at
once before the first response comes back. 8 is a suspicious number,
that is the default browser config value for maximum number of
connections to open for any one website. I highly suspect this is 8 new
connections being opened and performing NTLM handshake.


50ms later there are more denies. Which looks like the connections
earlier authenticated (partially?) got closed and new ones needed
authenticating.

> 1341573268.602 1 111.111.11.11 TCP_DENIED/407 4467 GET 
> http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
> 1341573268.606 1 111.111.11.11 TCP_DE
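The access.log pattern Amos walks through above (a burst of 407 challenges, one per new connection, followed by an authenticated hit), as an added analysis script that is not from the thread: it parses native-format access.log lines, groups each client's 407s into bursts, and flags clients whose challenges never turn into a request carrying a user name, which is the "keeps asking for a password" symptom rather than the normal NTLM handshake. The sample lines are constructed in the excerpt's layout using documentation addresses and hostnames.

```python
import re
from collections import defaultdict

# Native access.log fields: time elapsed client code/status bytes method URL user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample in the layout of the thread's excerpt (documentation
# addresses and hostnames, not the original ones).  Client 192.0.2.5 shows
# the normal handshake; 192.0.2.77 only ever gets challenged.
SAMPLE_LOG = """\
1341573268.465 7 192.0.2.5 TCP_DENIED/407 4758 GET http://www.example.test/tour/a.jpg - NONE/- text/html
1341573268.467 8 192.0.2.5 TCP_DENIED/407 4778 GET http://www.example.test/tour/b.jpg - NONE/- text/html
1341573268.469 9 192.0.2.5 TCP_DENIED/407 4766 GET http://www.example.test/tour/c.jpg - NONE/- text/html
1341573268.472 11 192.0.2.5 TCP_DENIED/407 4778 GET http://www.example.test/tour/d.jpg - NONE/- text/html
1341573268.472 11 192.0.2.5 TCP_DENIED/407 4774 GET http://www.example.test/tour/e.jpg - NONE/- text/html
1341573268.474 10 192.0.2.5 TCP_DENIED/407 4770 GET http://www.example.test/tour/f.jpg - NONE/- text/html
1341573268.474 10 192.0.2.5 TCP_DENIED/407 4762 GET http://www.example.test/tour/g.jpg - NONE/- text/html
1341573268.474 10 192.0.2.5 TCP_DENIED/407 4778 GET http://www.example.test/tour/h.jpg - NONE/- text/html
1341573268.549 275 192.0.2.5 TCP_MISS/200 2186 GET http://www.example.test/scripts/main.js teste DIRECT/203.0.113.9 application/javascript
1341573268.602 1 192.0.2.5 TCP_DENIED/407 4467 GET http://www.example.test/tour/i.jpg - NONE/- text/html
1341573268.606 1 192.0.2.5 TCP_DENIED/407 4467 GET http://www.example.test/tour/j.jpg - NONE/- text/html
1341573268.650 120 192.0.2.5 TCP_MISS/200 444 GET http://www.example.test/principal.css teste DIRECT/203.0.113.9 text/css
1341573300.100 2 192.0.2.77 TCP_DENIED/407 4467 GET http://www.example.test/ - NONE/- text/html
1341573300.103 2 192.0.2.77 TCP_DENIED/407 4467 GET http://www.example.test/ - NONE/- text/html
1341573300.107 2 192.0.2.77 TCP_DENIED/407 4467 GET http://www.example.test/ - NONE/- text/html
"""


def parse(line):
    """One access.log line -> dict, or None if it is not native format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]  # '-' means no user
    return rec


def challenge_bursts(lines, gap=0.050):
    """Group each client's 407 challenges into bursts (407s no more than
    `gap` seconds apart) and note whether the client then produced a
    request that carries a user name, i.e. the handshake finished."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is not None:
            per_client[rec["client"]].append(rec)

    bursts = []
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        cur = None
        for r in recs:
            if r["status"] == 407:
                if cur is not None and r["ts"] - cur["last"] <= gap:
                    cur["count"] += 1
                    cur["last"] = r["ts"]
                else:
                    cur = {"client": client, "first": r["ts"], "last": r["ts"],
                           "count": 1, "authenticated_after": False}
                    bursts.append(cur)
            elif cur is not None and r["user"]:
                cur["authenticated_after"] = True  # the challenge was answered
                cur = None                          # later 407s start a new burst
    for b in bursts:
        b["span_ms"] = round((b["last"] - b["first"]) * 1000)
    return bursts


def stuck_clients(bursts):
    """Clients with a challenge burst that never led to an authenticated
    request: worth investigating, unlike the per-connection 407s above."""
    return {b["client"] for b in bursts if not b["authenticated_after"]}


if __name__ == "__main__":
    found = challenge_bursts(SAMPLE_LOG.splitlines())
    for b in found:
        print("%s: %d x 407 in %d ms, authenticated after: %s"
              % (b["client"], b["count"], b["span_ms"], b["authenticated_after"]))
    print("stuck:", sorted(stuck_clients(found)))
```

A burst of exactly 8 per site, as Amos notes, usually just mirrors the browser's per-host connection limit; a burst whose size keeps growing with no authenticated request after it is the one to chase.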

Re: [squid-users] Authentication problems with NTLM

2012-07-06 Thread Amos Jeffries

On 6/07/2012 11:42 p.m., Bruno Santos wrote:

Hi !


I've configured squid 3.1.10-1 (latest available for CentOS 6.2) with NTLM 
authentication, but squid keeps asking for username and password. And sometimes 
more than once...


Users are authenticated in the domain, using IE6/7/9, but squid keeps asking 
for username/password.


Those with other browsers and Linux it's normal, but in windows no. I don't 
know if Firefox in windows is supposed to ask for password or not, but it asks.


For machines logged into the domain being logged into a proxy which uses 
the domain credentials - the browser should never ask. This is a strong 
sign that the proxy is using different credentials than the ones used to 
log into the machine, or is losing them somehow..





I have everything working with samba and winbind.


Samba recognizes the user and winbind too.


Wbinfo authentication:



wbinfo -a teste%12345
plaintext password authentication succeeded
challenge/response password authentication succeeded


Squid ntlm_auth also is working ok



/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
teste 12345
OK


How much delay is the next thing to look for: I suspect 0.2sec?



I notice something in the logs: there are also a lot of TCP_DENIED before 
TCP_MISS (and squid didn't ask for a password).
An example of accessing a website:



111.111.11.11 TCP_DENIED/407 4758 GET http://www.venezuelatuya.com/tour/minitour.JPG - NONE/- text/html
1341573268.467 8 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minioccidente.jpg - NONE/- text/html
1341573268.469 9 111.111.11.11 TCP_DENIED/407 4766 GET http://www.venezuelatuya.com/tour/minicentro.jpg - NONE/- text/html
1341573268.472 11 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minilosroques.jpg - NONE/- text/html
1341573268.472 11 111.111.11.11 TCP_DENIED/407 4774 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minicaracas.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4762 GET http://www.venezuelatuya.com/tour/miniandes.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minimargarita.jpg - NONE/- text/html
1341573268.549 275 111.111.11.11 TCP_MISS/200 2186 GET http://www.venezuelatuya.com/scripts/mapapaginaprincipal.js teste DIRECT/207.58.139.197 application/javascript
1341573268.576 139 111.111.11.11 TCP_MISS/200 444 GET http://www.venezuelatuya.com/principal.css teste DIRECT/207.58.139.197 text/css


This appears to be normal.
 * Over the course of 7ms the client delivers 8 requests.
 * squid responds with auth-needed challenge as required by NTLM to 
each of these.


This might be connections opened in parallel, or requests pipelined at 
once before the first response comes back. 8 is a suspicious number, 
that is the default browser config value for maximum number of 
connections to open for any one website. I highly suspect this is 8 new 
connections being opened and performing NTLM handshake.



50ms later there are more denies. Which looks like the connections 
earlier authenticated (partially?) got closed and new ones needed 
authenticating.



1341573268.602 1 111.111.11.11 TCP_DENIED/407 4467 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.606 1 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.608 1 111.111.11.11 TCP_DENIED/407 4907 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.617 1 111.111.11.11 TCP_DENIED/407 5186 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.699 399 111.111.11.11 TCP_MISS/200 3817 GET http://www.venezuelatuya.com/scripts/barrabusqueda.js teste DIRECT/207.58.139.197 application/javascript


About 200ms after the earlier bunch of DENIED/407 responses an identical 
bunch pass through successfully. Exactly like the auth challenge was 
being responded to with correct credentials.



1341573268.741 272 111.111.11.11 TCP_MISS/200 2801 GET http://www.venezuelatuya.com/tour/minioccidente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.745 137 111.111.11.11 TCP_MISS/200 3520 GET http://www.venezuelatuya.com/tour/minioriente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.753 274 111.111.11.11 TCP_MISS/200 2062 GET http://www.venezuelatuya.com/tour/minilosroques.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.755 276 111.111.11.11 TCP_MISS/200 2725 GET http://www.venezuelatuya.com/tour/miniandes.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.867 400 111.111.11.11 TCP_MISS/200 4137 GET http://www.venezuelatuya.com/tour/minitour.JPG teste DIRECT/207.58.139.197 image/jpeg
1341573268.869 396 111.111.11.11 TCP_MISS/200 3447 GET http://www.venezuelatuya.com/tour/minicentro.jpg teste DIRECT/

[squid-users] Authentication problems with NTLM

2012-07-06 Thread Bruno Santos
Hi !


I've configured squid 3.1.10-1 (latest available for CentOS 6.2) with NTLM 
authentication, but squid keeps asking for username and password. And sometimes 
more than once...


Users are authenticated in the domain, using IE6/7/9, but squid keeps asking 
for username/password.


For those with other browsers and Linux it's normal, but in Windows no. I don't 
know if Firefox in Windows is supposed to ask for a password or not, but it asks.


I have everything working with samba and winbind.


Samba recognizes the user and winbind too.


Wbinfo authentication:



wbinfo -a teste%12345
plaintext password authentication succeeded
challenge/response password authentication succeeded


Squid ntlm_auth also is working ok



/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
teste 12345
OK


I notice something in the logs: there are also a lot of TCP_DENIED before 
TCP_MISS (and squid didn't ask for a password).
An example of accessing a website:



111.111.11.11 TCP_DENIED/407 4758 GET http://www.venezuelatuya.com/tour/minitour.JPG - NONE/- text/html
1341573268.467 8 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minioccidente.jpg - NONE/- text/html
1341573268.469 9 111.111.11.11 TCP_DENIED/407 4766 GET http://www.venezuelatuya.com/tour/minicentro.jpg - NONE/- text/html
1341573268.472 11 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minilosroques.jpg - NONE/- text/html
1341573268.472 11 111.111.11.11 TCP_DENIED/407 4774 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minicaracas.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4762 GET http://www.venezuelatuya.com/tour/miniandes.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minimargarita.jpg - NONE/- text/html
1341573268.549 275 111.111.11.11 TCP_MISS/200 2186 GET http://www.venezuelatuya.com/scripts/mapapaginaprincipal.js teste DIRECT/207.58.139.197 application/javascript
1341573268.576 139 111.111.11.11 TCP_MISS/200 444 GET http://www.venezuelatuya.com/principal.css teste DIRECT/207.58.139.197 text/css
1341573268.602 1 111.111.11.11 TCP_DENIED/407 4467 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.606 1 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.608 1 111.111.11.11 TCP_DENIED/407 4907 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.617 1 111.111.11.11 TCP_DENIED/407 5186 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.699 399 111.111.11.11 TCP_MISS/200 3817 GET http://www.venezuelatuya.com/scripts/barrabusqueda.js teste DIRECT/207.58.139.197 application/javascript
1341573268.741 272 111.111.11.11 TCP_MISS/200 2801 GET http://www.venezuelatuya.com/tour/minioccidente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.745 137 111.111.11.11 TCP_MISS/200 3520 GET http://www.venezuelatuya.com/tour/minioriente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.753 274 111.111.11.11 TCP_MISS/200 2062 GET http://www.venezuelatuya.com/tour/minilosroques.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.755 276 111.111.11.11 TCP_MISS/200 2725 GET http://www.venezuelatuya.com/tour/miniandes.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.867 400 111.111.11.11 TCP_MISS/200 4137 GET http://www.venezuelatuya.com/tour/minitour.JPG teste DIRECT/207.58.139.197 image/jpeg
1341573268.869 396 111.111.11.11 TCP_MISS/200 3447 GET http://www.venezuelatuya.com/tour/minicentro.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.877 400 111.111.11.11 TCP_MISS/200 3310 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.880 403 111.111.11.11 TCP_MISS/200 3829 GET http://www.venezuelatuya.com/tour/minimargarita.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.882 404 111.111.11.11 TCP_MISS/200 3452 GET http://www.venezuelatuya.com/tour/minicaracas.jpg teste DIRECT/207.58.139.197 image/jpeg



Here is my samba config:
-


[global]

workgroup = 
server string = Squid Server Version %v

netbios name = Dakota

hosts allow = 127. 

log file = /var/log/samba/log.%m
max log size = 50

security = domain
realm = HAL.MIN-SAUDE.PT


password server = dc.domain.com dc1.domain.com
acl compatibility = win2k
unix extensions = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes


-


And here is my squid config:



-

[squid-users] Authentication with active directory (Windows Server 2008).

2012-06-15 Thread João Paulo Ferreira
Hello,

I would like an opinion from you. I'm implementing squid in the company
where I work and would like to integrate it with our active directory
(windows server 2008 R2) in the same way as with NTLM, but that
was giving a little problem because the user accounts were being
blocked.

Sorry, this is a translation using Google Translate.

-- 
Sincerely,

João Paulo Ferreira
Computer Science Student

+ 55 (71) 9297 - 1260
+ 55 (71) 8837 - 7080
j...@joaoferreira.eti.br

"Never tell God that you have a big problem; instead, tell your
problem that you have a great God."


Re: [squid-users] Authentication bug in 3.1.19 solved in 3.2.0.17

2012-05-27 Thread Amos Jeffries

On 25/05/2012 8:37 p.m., Alan wrote:

Hello,

I'm implementing a proxy server that authenticates users via radius,
and then based on the source ip, login and the destination, grants
access or not to the requested objects.

The relevant section of squid.conf is:

auth_param basic program /usr/lib/squid/squid_radius_auth -f
/etc/squid/radius.conf -t 5
auth_param basic children 5
auth_param basic realm Web Proxy
auth_param basic credentialsttl 1 hour
external_acl_type my_acl_type %SRC %LOGIN %DST /var/www/htdocs/acl.php
acl my_acl external my_acl_type
http_access allow my_acl
http_access deny all

Both IE and Firefox have the same behavior: they pop up the
authentication prompt, then they can make requests for a while, and
randomly pop up the authentication prompt again.  I type the same
username and password, and it works fine.
In Konqueror there is no popup, I guess it tries again one more time
with the last username and password before prompting the user.

A network capture reveals that the client is always sending the right
Proxy-Authentication header with its requests, but squid randomly
replies with a 407 status code, without even asking the radius server
(the authentication result is presumably still cached).

In squid 3.2.0.17 this problem is gone and I don't get the
authentication prompts anymore, but since it is labeled Beta instead
of Stable, I wonder if this can be solved in the 3.1 series.

Has anybody else been affected by this?


Very likely.

The 3.2 code has had a near complete re-write to resolve a large number 
of mysterious little bugs in pointer reference handling. That change is 
BIG, still being debugged itself, and I'm not willing to repeat the 
years of voluntary work spent on fixing 3.2. So the auth bug fixes are not 
going to be automatically ported to 3.1 like most others are. Patches 
are welcome though if you wish to spend the time or money to locate and 
fix 3.1.


Amos


[squid-users] Authentication bug in 3.1.19 solved in 3.2.0.17

2012-05-25 Thread Alan
Hello,

I'm implementing a proxy server that authenticates users via radius,
and then based on the source ip, login and the destination, grants
access or not to the requested objects.

The relevant section of squid.conf is:

auth_param basic program /usr/lib/squid/squid_radius_auth -f
/etc/squid/radius.conf -t 5
auth_param basic children 5
auth_param basic realm Web Proxy
auth_param basic credentialsttl 1 hour
external_acl_type my_acl_type %SRC %LOGIN %DST /var/www/htdocs/acl.php
acl my_acl external my_acl_type
http_access allow my_acl
http_access deny all

Both IE and Firefox have the same behavior: they pop up the
authentication prompt, then they can make requests for a while, and
randomly pop up the authentication prompt again.  I type the same
username and password, and it works fine.
In Konqueror there is no popup, I guess it tries again one more time
with the last username and password before prompting the user.

A network capture reveals that the client is always sending the right
Proxy-Authentication header with its requests, but squid randomly
replies with a 407 status code, without even asking the radius server
(the authentication result is presumably still cached).

In squid 3.2.0.17 this problem is gone and I don't get the
authentication prompts anymore, but since it is labeled Beta instead
of Stable, I wonder if this can be solved in the 3.1 series.

Has anybody else been affected by this?

Best regards,

Alan


AW: AW: [squid-users] Authentication problem

2012-05-15 Thread Fuhrmann, Marcel
Image #1 appears to be a login box of some kind. Where is it coming from; the 
browser software or a web page?
>>> Browser

Image #2 appears to be an HTTP login which the browser is refusing to display 
popup box for. Why is the browser not finding credentials somewhere or showing 
a popup?
>>> The popup shown in picture one doesn't appear. For some reason, some 
>>> credentials are automatically used (maybe SSO) or some configuration block 
>>> this login popup.


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Wednesday, 9 May 2012 03:53
To: squid-users@squid-cache.org
Subject: Re: AW: [squid-users] Authentication problem

On 09.05.2012 01:44, Fuhrmann, Marcel wrote:
> Hi Markus,
>
> sorry, but it doesn't work. :-(
>
> - Added this line in squid.conf
> - server squid3 reload
> - deleted IE cache restarted IE and open the website -> same error.
>

Err, yeah. Leaving the headers alone only works if one was already playing with 
erasing them in the first place. If someone else was erasing them in transit 
you need to kick them about the problems.


> Any other ideas?

Finding out what the problem actually is would be a better start.

Image #1 appears to be a login box of some kind. Where is it coming from; the 
browser software or a web page?

Image #2 appears to be an HTTP login which the browser is refusing to display 
popup box for. Why is the browser not finding credentials somewhere or showing 
a popup?

Amos


>
> -Original Message-
> From: Markus Lauterbach
>
> Hi Marcel,
>
> You have to add a small piece in your config. I think, it should look 
> somehow like this:
>
> header_access Authorization allow all
>
> And restart your squid.
>
> Markus
>
>> -Original Message-
>> From: Fuhrmann, Marcel
>>
>> Hello,
>>
>> I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a 
>> website.
>> Normally (without proxy) I am getting this window to log in:
>> http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu
>>
>> With proxy I get this error (German; but understandable):
>> http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um
>>
>> Can somebody give me advice?
>>
>>
>> Thanks a lot!
>>
>> --
>> Marcel



Re: [squid-users] authentication issue

2012-05-10 Thread Harry Mills

On 10/05/2012 22:31, Donald Sylvester Bacha wrote:




Dear All,

Can you guys please advise on how to resolve an authentication issue where a 
pop-up box keeps prompting for authentication. Users are part of active directory and 
squid is set up to use ntlm for authentication. This issue is happening for all 
users. There were not any configuration changes of late. As an administrator, I 
am fairly new to squid. Your help would be extremely appreciated.

Regards,
Donald  


Hi Donald,

I presume it was working and has now stopped without any config changes? 
If so, check that the clock on the squid box is within 5 minutes of your 
domain controller clocks.


If it is not this, then you will need to provide a little more info such 
as whether you have any other authentication schemes configured in 
squid, and whether winbind is running and working:


To test that winbind is working OK you can use the following commands:

wbinfo -t
(should say succeeded)

wbinfo -u
(should list all your domain users)

etc

Regards

Harry


[squid-users] authentication issue

2012-05-10 Thread Donald Sylvester Bacha



Dear All,
 
Can you guys please advise on how to resolve an authentication issue where a 
pop-up box keeps prompting for authentication. Users are part of active directory and 
squid is set up to use ntlm for authentication. This issue is happening for all 
users. There were not any configuration changes of late. As an administrator, I 
am fairly new to squid. Your help would be extremely appreciated. 
 
Regards,
Donald

Re: AW: [squid-users] Authentication problem

2012-05-08 Thread Amos Jeffries

On 09.05.2012 01:44, Fuhrmann, Marcel wrote:

Hi Markus,

sorry, but it doesn't work. :-(

- Added this line in squid.conf
- server squid3 reload
- deleted IE cache restarted IE and open the website -> same error.



Err, yeah. Leaving the headers alone only works if one was already 
playing with erasing them in the first place. If someone else was 
erasing them in transit you need to kick them about the problems.




Any other ideas?


Finding out what the problem actually is would be a better start.

Image #1 appears to be a login box of some kind. Where is it coming 
from; the browser software or a web page?


Image #2 appears to be an HTTP login which the browser is refusing to 
display popup box for. Why is the browser not finding credentials 
somewhere or showing a popup?


Amos




-Original Message-
From: Markus Lauterbach

Hi Marcel,

You have to add a small piece in your config. I think, it should look
somehow like this:

header_access Authorization allow all

And restart your squid.

Markus


-Original Message-
From: Fuhrmann, Marcel

Hello,

I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a 
website.

Normally (without proxy) I am getting this window to log in:
http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu

With proxy I get this error (German; but understandable):
http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um

Can somebody give me advice?


Thanks a lot!

--
Marcel




AW: [squid-users] Authentication problem

2012-05-08 Thread Fuhrmann, Marcel
Hi Markus,

sorry, but it doesn't work. :-(

- Added this line in squid.conf
- server squid3 reload
- deleted IE cache restarted IE and open the website -> same error.

Any other ideas?

--
Marcel




-Original Message-
From: Markus Lauterbach [mailto:markus.lauterb...@meinestadt.de] 
Sent: Tuesday, 8 May 2012 15:32
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Authentication problem

Hi Marcel,

You have to add a small piece in your config. I think, it should look somehow 
like this:

header_access Authorization allow all

And restart your squid.

Markus

> -Original Message-
> From: Fuhrmann, Marcel [mailto:marcel.fuhrm...@lux.ag]
> Sent: Tuesday, 8 May 2012 15:04
> To: squid-users@squid-cache.org
> Subject: [squid-users] Authentication problem
> 
> Hello,
> 
> I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a website.
> Normally (without proxy) I am getting this window to log in:
> http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu
> 
> With proxy I get this error (German; but understandable):
> http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um
> 
> Can somebody give me advice?
> 
> 
> Thanks a lot!
> 
> --
> Marcel



RE: [squid-users] Authentication problem

2012-05-08 Thread Markus Lauterbach
Hi Marcel,

You have to add a small piece in your config. I think, it should look somehow 
like this:

header_access Authorization allow all

And restart your squid.

Markus

> -Original Message-
> From: Fuhrmann, Marcel [mailto:marcel.fuhrm...@lux.ag]
> Sent: Tuesday, 8 May 2012 15:04
> To: squid-users@squid-cache.org
> Subject: [squid-users] Authentication problem
> 
> Hello,
> 
> I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a website.
> Normally (without proxy) I am getting this window to log in:
> http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu
> 
> With proxy I get this error (German; but understandable):
> http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um
> 
> Can somebody give me advice?
> 
> 
> Thanks a lot!
> 
> --
> Marcel



[squid-users] Authentication problem

2012-05-08 Thread Fuhrmann, Marcel
Hello,

I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a website.
Normally (without proxy) I am getting this window to log in:
http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu

With proxy I get this error (German; but understandable):
http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um

Can somebody give me advice?


Thanks a lot!

--
Marcel



Re: [squid-users] Authentication Logging/Debugging

2012-04-16 Thread Amos Jeffries

On 17.04.2012 09:03, Chris Waters wrote:
I am working on some authentication/performance issues with Squid 3.1.19 on
Ubuntu with NTLM via winbind and a filtering upstream service (proxy
chaining). Is there a method for turning on more verbose logging that
either shows the object the authentication parts are processing on or
interleaves the access log and debug log so that it's apparent which
authentication request belongs to which object?  What I am trying to
determine is if there are authentication issues or if it's the upstream
causing the latency.


You can use the auth_user_request/AuthUserRequest hex IDs to determine 
creation (start) and result (finish) lookup timings. Those objects store 
the handshake and validation state info and are thus the best indicator 
available of what is going on.




I am not specifically talking about turning specific logging sections on
(like 28,9 29,9 for example), but a better method of matching what's being
requested and what's being done to authenticate the request.



NTLM does not authenticate *requests*. Please be clear on that.

It hijacks and violates the HTTP layer headers to authenticate the TCP 
connection layer packets. Then assumes (incorrectly) that all requests 
sent over the TCP connection are from the same end-user. In order to 
cope with that bad assumption Squid is forced to disable all HTTP 
multiplexing abilities on connections sighted using NTLM or Negotiate 
auth (we call this "pinning").


 * This pinning is the #3 major cause of latency issues with NTLM in proxy 
chaining. Since it locks two socket connections per end-user at each hop 
along the HTTP chain (creating a limit of ~64K users per proxy listening 
IP).


As a side effect; other than the first-request rejections there is 
nothing to correlate access.log records with NTLM authentication. You 
need to create a custom log format with both %>a and %>p to get the 
client IP:port details about the TCP connection and see what requests 
are taking place on it. Then map those requests to a particular state 
order for the credentials contained within, then to the AuthUserRequest 
object managing those credentials. Fun times.




I am also open to suggestions as to better methods to diagnose these kinds
of issues as well, so please, if you have an idea, let's hear it.


Also look at the size of body/entity/data in requests taking part in 
the NTLM handshake. NTLM requires the HTTP request to be repeated for 
each of the handshake steps. This is not too bad on a high speed link, 
or with small fetch request. But when uploading say a multi-MB (or GB) 
object it can take down a network.


 * bandwidth + CPU + time wasted discarding POST/PUT bodies is the #1 major 
cause of latency from NTLM.



Also, look at winbind concurrent lookup load when latency is observed. 
Winbind has an absolute limit somewhere around 256 concurrent 
authentications. Each authentication takes the *full* handshake worth of 
HTTP request round trips to complete. Additional lookups (TCP 
connections) are blocked until winbind can service them.


 * winbind queue limits are the #2 major cause of latency with NTLM.



Two additional things to be aware of:
 * NTLM has officially been obsoleted by MS for some years now, to be 
completely End-of-Lifed with Windows XP, and none of their new software 
supports it by default.
 * Negotiate/Kerberos is supported by all the new software and was 
designed to avoid the above latency and bandwidth waste issues.
   When comparing auth speeds between MS software from before and after 
2007, default use of Kerberos is often the reason newer ones work far 
faster and more reliably.



Amos
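
The burst-of-407s reading Amos gives in the NTLM thread above, and his advice here to log %>a and %>p so the handshake can be followed per TCP connection, can both be checked mechanically. The script below is an added example (not code from the list or from Squid): it parses the Squid 3.1 native access.log format, groups 407 challenges per client into bursts, measures how long each challenged URL took to be served with a username attached, and, when the client field was logged as %>a:%>p, lists the status sequence each connection went through. The log lines in it are constructed to mirror the thread's log, not copied from it; the IPv4-only port parsing is an assumption.

```python
"""Correlate NTLM 407 challenges in a Squid access.log (added example).

Parses the Squid 3.1 native format,
  logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<a %mt
and, if the client was logged as %>a:%>p instead of %>a, also follows each
TCP connection through its handshake.  Sample lines are constructed to
mirror the thread's log, not copied from it.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_NATIVE = """\
1341573268.467      8 10.0.0.5 TCP_DENIED/407 4778 GET http://example.test/a.jpg - NONE/- text/html
1341573268.469      9 10.0.0.5 TCP_DENIED/407 4766 GET http://example.test/b.jpg - NONE/- text/html
1341573268.472     11 10.0.0.5 TCP_DENIED/407 4778 GET http://example.test/c.jpg - NONE/- text/html
1341573268.602      1 10.0.0.5 TCP_DENIED/407 4467 GET http://example.test/d.jpg - NONE/- text/html
1341573268.741    272 10.0.0.5 TCP_MISS/200 2801 GET http://example.test/a.jpg teste DIRECT/192.0.2.10 image/jpeg
1341573268.745    137 10.0.0.5 TCP_MISS/200 3520 GET http://example.test/d.jpg teste DIRECT/192.0.2.10 image/jpeg
1341573268.753    274 10.0.0.5 TCP_MISS/200 2062 GET http://example.test/b.jpg teste DIRECT/192.0.2.10 image/jpeg
"""

# The same kind of events with the client logged as %>a:%>p (constructed ports).
SAMPLE_WITH_PORT = """\
1341573268.467      8 10.0.0.5:50001 TCP_DENIED/407 4778 GET http://example.test/a.jpg - NONE/- text/html
1341573268.469      9 10.0.0.5:50002 TCP_DENIED/407 4766 GET http://example.test/b.jpg - NONE/- text/html
1341573268.602      1 10.0.0.5:50003 TCP_DENIED/407 4467 GET http://example.test/d.jpg - NONE/- text/html
1341573268.741    272 10.0.0.5:50001 TCP_MISS/200 2801 GET http://example.test/a.jpg teste DIRECT/192.0.2.10 image/jpeg
1341573268.753    274 10.0.0.5:50002 TCP_MISS/200 2062 GET http://example.test/b.jpg teste DIRECT/192.0.2.10 image/jpeg
"""


@dataclass
class Record:
    ts: float             # %ts.%03tu, seconds
    client: str           # client IP (%>a)
    port: Optional[int]   # client TCP port (%>p) when logged, else None
    status: int           # HTTP status taken from %Ss/%03>Hs
    url: str              # %ru
    user: str             # %un, "-" until the handshake has completed


def parse_line(line: str) -> Optional[Record]:
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    client, port = f[2], None
    if client.count(":") == 1:   # "%>a:%>p" form; IPv4 only (assumption), IPv6 needs brackets
        client, port_str = client.split(":")
        port = int(port_str)
    return Record(float(f[0]), client, port, int(f[3].split("/")[1]), f[6], f[7])


def parse_log(text: str) -> List[Record]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def challenge_bursts(records: List[Record], window: float = 0.010) -> Dict[str, List[List[Record]]]:
    """Group each client's 407 challenges into bursts at most `window` seconds apart.
    A burst of 8 matches a browser opening its per-site connection limit in
    parallel; a later burst means those connections were closed and the new
    ones had to repeat the handshake."""
    bursts: Dict[str, List[List[Record]]] = defaultdict(list)
    for r in records:
        if r.status != 407:
            continue
        mine = bursts[r.client]
        if mine and r.ts - mine[-1][-1].ts <= window:
            mine[-1].append(r)
        else:
            mine.append([r])
    return dict(bursts)


def handshake_delays(records: List[Record]) -> Dict[Tuple[str, str], float]:
    """Seconds from the first 407 for a (client, url) until the same URL is
    served with a username attached, i.e. the challenge was answered."""
    first_challenge: Dict[Tuple[str, str], float] = {}
    delays: Dict[Tuple[str, str], float] = {}
    for r in records:
        key = (r.client, r.url)
        if r.status == 407:
            first_challenge.setdefault(key, r.ts)
        elif r.status == 200 and r.user != "-" and key in first_challenge:
            delays.setdefault(key, round(r.ts - first_challenge[key], 3))
    return delays


def per_connection(records: List[Record]) -> Dict[Tuple[str, int], List[int]]:
    """With %>p logged, the status sequence each TCP connection went through.
    A healthy pinned NTLM connection shows a 407 or two and then only 200s."""
    seq: Dict[Tuple[str, int], List[int]] = defaultdict(list)
    for r in records:
        if r.port is not None:
            seq[(r.client, r.port)].append(r.status)
    return dict(seq)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_NATIVE)
    for client, groups in challenge_bursts(recs).items():
        print(client, "407 bursts of size", [len(g) for g in groups])
    for (client, url), delay in handshake_delays(recs).items():
        print(f"{client} {url}: authenticated {delay}s after first challenge")
    for (client, port), states in per_connection(parse_log(SAMPLE_WITH_PORT)).items():
        print(f"{client}:{port} {states}")
```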



[squid-users] Authentication Logging/Debugging

2012-04-16 Thread Chris Waters
I am working on some authentication/performance issues with Squid 3.1.19 on
Ubuntu with NTLM via winbind and a filtering upstream service (proxy
chaining). Is there a method for turning on more verbose logging that
either shows the object the authentication parts are processing on or
interleaves the access log and debug log so that it's apparent which
authentication request belongs to which object?  What I am trying to
determine is if there are authentication issues or if it's the upstream
causing the latency.

I am not specifically talking about turning specific logging sections on
(like 28,9 29,9 for example), but a better method of matching what's being
requested and what's being done to authenticate the request.

I am also open to suggestions as to better methods to diagnose these kinds
of issues as well, so please, if you have an idea, let's hear it.

Thanks,

Chris Waters




Re: [squid-users] Authentication problem

2012-04-06 Thread Mohamed Amine Kadimi
> The designed purpose of these redirect tricks in commercial proxies (and
> Squid captive portals too) is to get the client to make a request to a
> controlled web service. That server pulls details such as the client IP
> address and user-agent header (maybe other things) which the proxy can use
> as the things it checks for in external_acl_type script to guess at which
> later requests are coming from this same client and allow them through. If
> you do login at that point (optional!) it is merely to associate the browser
> signature with a username for recording/billing purposes.

Thank you for clearing that up for me.

So when a client requests a web page, I'll check some "session table"
which should return OK to let the user go to the internet or ERR to
redirect him to my portal and recheck for cookie presence.

The problem now is this "session table". Is there any squid session
helper which is able to bind the session info to additional data
besides the user's IP?



--
Mohamed Amine Kadimi

Tel: +212 (0) 675 72 36 45
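
One way to build the "session table" asked about above, keyed on the client IP plus the User-Agent that Amos's reply names as the kind of browser signature a proxy can check, is an external_acl_type helper. The following is an added example, not a helper that ships with Squid: the squid.conf lines, helper path and SQLite file name are assumptions, and it assumes Squid passes the User-Agent URL-encoded (it still works if Squid does not, since only the first space is treated as a separator).

```python
"""Squid external_acl_type helper: session table keyed on IP + User-Agent.

Added example, not a helper that ships with Squid.  Assumed squid.conf
wiring (all names hypothetical):

  external_acl_type portal_session ttl=60 negative_ttl=5 %SRC %{User-Agent} \\
      /usr/local/bin/session_helper.py /var/lib/squid/sessions.db
  acl have_session external portal_session
  http_access allow have_session
  http_access deny all      # deny_info then sends the browser to the portal

Squid writes one line per lookup, "<ip> <user-agent>" (assumed URL-encoded),
and expects "OK user=<name>" or "ERR" back.  The portal, after a successful
login, records the IP and User-Agent it saw into the same SQLite file via
start_session(); the helper only reads.  IP+UA is a heuristic: clients
behind one NAT with identical browsers are indistinguishable, which is the
limitation the thread warns about.
"""
import sqlite3
import sys
import time
from typing import Callable, Optional, Tuple
from urllib.parse import unquote

SCHEMA = """CREATE TABLE IF NOT EXISTS sessions (
    ip TEXT NOT NULL, user_agent TEXT NOT NULL, username TEXT NOT NULL,
    expires REAL NOT NULL, PRIMARY KEY (ip, user_agent))"""


class SessionTable:
    def __init__(self, path: str, clock: Callable[[], float] = time.time):
        self.conn = sqlite3.connect(path)
        self.clock = clock            # injectable so expiry can be tested
        self.conn.execute(SCHEMA)
        self.conn.commit()

    def start_session(self, ip: str, user_agent: str, username: str, ttl: float) -> None:
        """Portal side: bind (ip, user_agent) to a username until now + ttl."""
        self.conn.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?, ?)",
                          (ip, user_agent, username, self.clock() + ttl))
        self.conn.commit()

    def lookup(self, ip: str, user_agent: str) -> Optional[str]:
        """Helper side: the username bound to this signature, or None."""
        row = self.conn.execute(
            "SELECT username, expires FROM sessions WHERE ip = ? AND user_agent = ?",
            (ip, user_agent)).fetchone()
        if row is None:
            return None
        username, expires = row
        if expires <= self.clock():   # expired: drop it so the portal is revisited
            self.conn.execute("DELETE FROM sessions WHERE ip = ? AND user_agent = ?",
                              (ip, user_agent))
            self.conn.commit()
            return None
        return username


def parse_request(line: str) -> Tuple[str, str]:
    """Split Squid's "%SRC %{User-Agent}" line.  Only the first space separates
    the fields, so an unencoded UA with spaces survives; "-" stands for none."""
    parts = line.rstrip("\r\n").split(" ", 1)
    ip = parts[0]
    user_agent = unquote(parts[1]) if len(parts) > 1 and parts[1] else "-"
    return ip, user_agent


def answer(table: SessionTable, line: str) -> str:
    """One helper round trip: the reply Squid expects for one request line."""
    ip, user_agent = parse_request(line)
    username = table.lookup(ip, user_agent)
    return f"OK user={username}" if username else "ERR"


def main(argv) -> None:
    table = SessionTable(argv[1] if len(argv) > 1 else "sessions.db")
    for line in sys.stdin:
        sys.stdout.write(answer(table, line) + "\n")
        sys.stdout.flush()        # Squid blocks on each reply; never leave it buffered


if __name__ == "__main__":
    main(sys.argv)
```

Squid's own `ttl=` caches positive answers per (IP, UA) pair, so a logout or expiry in the table takes effect only after that cache entry ages out.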


Re: [squid-users] Authentication problem

2012-04-04 Thread Amos Jeffries

On 4/04/2012 3:54 a.m., Mohamed Amine Kadimi wrote:
OK, so here's another pseudo code that comes to my mind, this is 
somehow similar to some commercial products (Ironport, bluecoat):


- The user connects to http://www.somesite.com via the proxy
- The Proxy redirects to http://authenticationportal/http://www.somesite.com with 302 return code.
- User is verified/authenticated on the authentication portal. This authentication portal sets a cookie and redirects to http://www.somesite.com
- User connects to http://www.somesite.com via proxy. Proxy knows user is authenticated (cookie).


The problem is with the last step since the cookie is bound to http://authenticationportal so the user may encounter an endless loop.


Exactly. The browser authenticated against your website. It did not 
authenticate against the proxy or against "somesite.com".


The designed purpose of these redirect tricks in commercial proxies (and 
Squid captive portals too) is to get the client to make a request to a 
controlled web service. That server pulls details such as the client IP 
address and user-agent header (maybe other things) which the proxy can 
use as the things it checks for in external_acl_type script to guess at 
which later requests are coming from this same client and allow them 
through. If you do login at that point (optional!) it is merely to 
associate the browser signature with a username for recording/billing 
purposes.
  Notice how there is nothing required for the browser to do except 
visit. Basically: no authentication.





Do you know the solution for letting this authenticated user go to the 
target after being authenticated


I think you are getting closer to understanding the boundary between 
possible and impossible.


The whole point of traffic interception is that the browser is *not* 
aware of the proxy. You might as well try to drink water out of an empty 
cup, as to get the browser to do something special for the proxy.



I like your example. "somesite.com" happens to actually be a real 
website owned by an actual dodgy company.  Go on; visit it. See the ads, 
see the script errors, read the no-privacy policy, notice how the 
opt-out from their user tracking systems is not working.


Now consider what would happen if "authenticationportal" was your own 
banks website. What details about your login to the bank would you want 
to send to that dodgy website? the username? the password? the session 
cookies? some other detail used to link you and your accounts?


You are asking us how to make the browser spread exactly that private 
information to websites which have no business receiving it.


Amos



On 3/04/2012 3:40 a.m., Mohamed Amine Kadimi wrote:

Dear Developers and Community,

I would like to set up the following configuration using squid:

When a user asks for a web page he is transparently redirected to
squid, where an authentication must be done before serving the user
with content.


Please read

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F





However, users IP are being NATed before going to the proxy. So the
solution would be to use an application-layer verification: cookies or
http headers

So, I come across the following solutions:

1. Use an ICAP server which checks if a cookie is set, otherwise set
it for an authenticated user
 the problem is: cookies are bound to domains + each http request must
be validated

2. Use a php splash page which sets the cookie then redirect to destination
 same problem as ICAP

3. using squid authentication and checking if Proxy-Authorization
header is set before serving the client
  problem: sessions are associated to the IP by squid

I'm using squid 3.1

Thank you for any idea


The whole point of transparent interception is that the browser is
*completely unaware it is talking to a proxy*. It contacted some
web server, and *all* of its communications are with that server.
If you can find a way to trick it into storing security
credentials of any kind set by your proxy it will consider those
credentials safe to use when contacting the same server via other
non-HTTP methods as well, causing great deal of problems. The good
thing to do at that point is to report the zero-day security
vulnerability you just found.


You might be able to use details gleaned from the browsers request
to *guess* what user it is and have a external_acl_type script
inform Squid of the guessed username. Or the authorize (*not*
authenticate) the request to happen

Re: [squid-users] Authentication problem

2012-04-03 Thread Mohamed Amine Kadimi
OK, so here's another pseudo code that comes to my mind, this is
somehow similar to some commercial products (Ironport, bluecoat):

- The user connects to http://www.somesite.com via the proxy
- The Proxy redirects to
http://authenticationportal/http://www.somesite.com with 302 return
code.
- User is verified/authenticated on the authentication portal. This
authentication portal sets a cookie and redirects to
http://www.somesite.com
- User connects to http://www.somesite.com via proxy. Proxy knows user
is authenticated (cookie).

The problem is with the last step since the cookie is bound to
http://authenticationportal so the user may encounter an endless loop.

Do you know the solution for letting this authenticated user go to the
target after being authenticated

2012/4/3 Amos Jeffries 
>
> On 3/04/2012 3:40 a.m., Mohamed Amine Kadimi wrote:
>>
>> Dear Developers and Community,
>>
>> I would like to set up the following configuration using squid:
>>
>> When a user asks for a web page he is transparently redirected to
>> squid, where an authentication must be done before serving the user
>> with content.
>
>
> Please read
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F
>
>
>
>>
>> However, users IP are being NATed before going to the proxy. So the
>> solution would be to use an application-layer verification: cookies or
>> http headers
>>
>> So, I come across the following solutions:
>>
>> 1. Use an ICAP server which checks if a cookie is set, otherwise set
>> it for an authenticated user
>>  the problem is: cookies are bound to domains + each http request must
>> be validated
>>
>> 2. Use a php splash page which sets the cookie then redirect to destination
>>  same problem as ICAP
>>
>> 3. using squid authentication and checking if Proxy-Authorization
>> header is set before serving the client
>>   problem: sessions are associated to the IP by squid
>>
>> I'm using squid 3.1
>>
>> Thank you for any idea
>
>
> The whole point of transparent interception is that the browser is 
> *completely unaware it is talking to a proxy*. It contacted some web server, 
> and *all* of its communications are with that server. If you can find a way 
> to trick it into storing security credentials of any kind set by your proxy 
> it will consider those credentials safe to use when contacting the same 
> server via other non-HTTP methods as well, causing great deal of problems. 
> The good thing to do at that point is to report the zero-day security 
> vulnerability you just found.
>
>
> You might be able to use details gleaned from the browsers request to *guess* 
> what user it is and have a external_acl_type script inform Squid of the 
> guessed username. Or the authorize (*not* authenticate) the request to happen.
>
> Amos




--
Mohamed Amine Kadimi

Tél     : +212 (0) 675 72 36 45


Re: [squid-users] Authentication problem

2012-04-02 Thread Amos Jeffries

On 3/04/2012 3:40 a.m., Mohamed Amine Kadimi wrote:

Dear Developers and Community,

I would like to set up the following configuration using squid:

When a user asks for a web page he is transparently redirected to
squid, where an authentication must be done before serving the user
with content.


Please read
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F




However, users IP are being NATed before going to the proxy. So the
solution would be to use an application-layer verification: cookies or
http headers

So, I come across the following solutions:

1. Use an ICAP server which checks if a cookie is set, otherwise set
it for an authenticated user
  the problem is: cookies are bound to domains + each http request must
be validated

2. Use a php splash page which sets the cookie then redirect to destination
  same problem as ICAP

3. using squid authentication and checking if Proxy-Authorization
header is set before serving the client
   problem: sessions are associated to the IP by squid

I'm using squid 3.1

Thank you for any idea


The whole point of transparent interception is that the browser is 
*completely unaware it is talking to a proxy*. It contacted some web 
server, and *all* of its communications are with that server. If you can 
find a way to trick it into storing security credentials of any kind set 
by your proxy it will consider those credentials safe to use when 
contacting the same server via other non-HTTP methods as well, causing 
great deal of problems. The good thing to do at that point is to report 
the zero-day security vulnerability you just found.



You might be able to use details gleaned from the browsers request to 
*guess* what user it is and have a external_acl_type script inform Squid 
of the guessed username. Or the authorize (*not* authenticate) the 
request to happen.


Amos


[squid-users] Authentication problem

2012-04-02 Thread Mohamed Amine Kadimi
Dear Developers and Community,

I would like to set up the following configuration using squid:

When a user asks for a web page he is transparently redirected to
squid, where an authentication must be done before serving the user
with content.

However, users IP are being NATed before going to the proxy. So the
solution would be to use an application-layer verification: cookies or
http headers

So, I come across the following solutions:

1. Use an ICAP server which checks if a cookie is set, otherwise set
it for an authenticated user
 the problem is: cookies are bound to domains + each http request must
be validated

2. Use a php splash page which sets the cookie then redirect to destination
 same problem as ICAP

3. using squid authentication and checking if Proxy-Authorization
header is set before serving the client
  problem: sessions are associated to the IP by squid

I'm using squid 3.1

Thank you for any idea


Re: [squid-users] Authentication Prompts

2011-09-09 Thread Amos Jeffries

On 10/09/11 01:52, Jenny Lee wrote:



Date: Fri, 9 Sep 2011 12:50:24 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Authentication Prompts

On 09/09/11 06:28, Matt Cochran wrote:

I've been trying to model two different kinds of users in ACLs, where the kids 
are authenticated by one account, and the adults another. The kids are allowed 
to go only to a whitelist of websites, but I'd like the adults to be able to 
override this behavior for a while if they enter their credentials. I was also 
trying to wire this into a db-auth environment so I can alter the accounts from 
my desktop.

Following the guide at 
http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F,
 I can keep the kids restricted to a site but the parents get stuck in an 
authentication loop or just denied access. Here's my config - can anyone help 
me figure this out?




Notice that would allow the kids to get a popup and re-try with the parents'
login to restricted sites without the parent being present.


What you are asking for is this:

# login required to go anywhere at all
http_access deny !db-auth

# kids to their sites
http_access allow !parents kids_sites

# parents anywhere
http_access allow parents

# challenge if not logged in with parents credentials
http_access deny !parents

# everything else is blocked.
http_access deny all



Can't we simplify this to:

http_access deny !db-auth
http_access allow kids_sites
http_access deny all !parents

Jenny   


Yes you could. Thanks.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.15
  Beta testers wanted for 3.2.0.11
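Both rule sets above, run through an added Python model of how Squid walks http_access lines (this is written for this thread and is not Squid code): lines are tested top to bottom, a line matches only when every ACL term on it matches, the first matching line decides, the default when nothing matches is the opposite of the last line, and a matching deny line whose final term is an authentication ACL produces a 407 challenge rather than a plain denial. The ACL names and the parent account sigmondMom come from Matt's config; the kids site list and the kid account are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Model of Squid http_access evaluation, written for this thread (not Squid code):
# first matching line wins, a line matches when all its terms match, no match at
# all means the opposite of the last line's action, and a deny whose last term is
# an authentication ACL is reported as a 407 challenge instead of a 403.

KIDS_SITES = {"kids.example.org", "learning.example.net"}  # constructed whitelist
PARENT_USERS = {"sigmondMom"}                               # acl parents proxy_auth sigmondMom


@dataclass(frozen=True)
class Request:
    user: Optional[str]   # None: no valid Proxy-Authorization credentials
    host: str


# ACL name -> (predicate, whether it is an authentication ACL)
ACLS: Dict[str, Tuple[Callable[[Request], bool], bool]] = {
    "db-auth":    (lambda r: r.user is not None, True),      # proxy_auth REQUIRED
    "parents":    (lambda r: r.user in PARENT_USERS, True),  # proxy_auth sigmondMom
    "kids_sites": (lambda r: r.host in KIDS_SITES, False),   # dstdomain whitelist
    "all":        (lambda r: True, False),
}


def evaluate(rules: List[str], req: Request) -> str:
    """rules are 'allow|deny term [term ...]' strings as written in squid.conf.
    Returns 'allow', 'deny-403' or 'deny-407' (authentication challenge)."""
    last_action = None
    for line in rules:
        action, *terms = line.split()
        last_action = action
        matched = True
        last_is_auth = False
        for term in terms:
            negate = term.startswith("!")
            pred, is_auth = ACLS[term.lstrip("!")]
            last_is_auth = is_auth
            if pred(req) == negate:   # this term fails: stop testing the line
                matched = False
                break
        if not matched:
            continue
        if action == "allow":
            return "allow"
        return "deny-407" if last_is_auth else "deny-403"
    # Nothing matched: Squid applies the opposite of the last line.
    return "deny-403" if last_action == "allow" else "allow"


AMOS_RULES = [
    "deny !db-auth",
    "allow !parents kids_sites",
    "allow parents",
    "deny !parents",
    "deny all",
]

JENNY_RULES = [
    "deny !db-auth",
    "allow kids_sites",
    "deny all !parents",
]

SAMPLE_REQUESTS = [  # constructed: unauthenticated, a kid account, the parent account
    Request(None, "kids.example.org"),
    Request("kid", "kids.example.org"),
    Request("kid", "news.example.com"),
    Request("sigmondMom", "kids.example.org"),
    Request("sigmondMom", "news.example.com"),
]


def compare(rules_a: List[str], rules_b: List[str],
            requests: List[Request] = SAMPLE_REQUESTS
            ) -> Dict[Tuple[Optional[str], str], Tuple[str, str]]:
    """Decision of both rule sets for every request, keyed by (user, host)."""
    return {(r.user, r.host): (evaluate(rules_a, r), evaluate(rules_b, r)) for r in requests}


if __name__ == "__main__":
    for (user, host), (a, b) in compare(AMOS_RULES, JENNY_RULES).items():
        print(f"{user or '-':<11} {host:<20} amos={a:<8} jenny={b:<8} "
              f"{'same' if a == b else 'DIFFERS'}")
```

For every sample request the two rule sets agree: a kid on a non-whitelisted site ends on a deny line whose last term is `!parents`, which is the 407 challenge Amos mentions (the browser re-prompts and a parent can enter their credentials); the parent on any site is allowed, in Jenny's version by falling off the end of a list whose last line is a deny.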


RE: [squid-users] Authentication Prompts

2011-09-09 Thread Jenny Lee

> Date: Fri, 9 Sep 2011 12:50:24 +1200
> From: squ...@treenet.co.nz
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Authentication Prompts
> 
> On 09/09/11 06:28, Matt Cochran wrote:
> > I've been trying to model two different kinds of users in ACLs, where the 
> > kids are authenticated by one account, and the adults another. The kids are 
> > allowed to go only to a whitelist of websites, but I'd like the adults to 
> > be able to override this behavior for a while if they enter their 
> > credentials. I was also trying to wire this into a db-auth environment so I 
> > can alter the accounts from my desktop.
> >
> > Following the guide at 
> > http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F,
> >  I can keep the kids restricted to a site but the parents get stuck in an 
> > authentication loop or just denied access. Here's my config - can anyone 
> > help me figure this out?
> >
> 
> 
> Notice that would allow the kids to get a popup and re-try with the parents'
> login to restricted sites without the parent being present.
> 
> 
> What you are asking for is this:
> 
> # login required to go anywhere at all
> http_access deny !db-auth
> 
> # kids to their sites
> http_access allow !parents kids_sites
> 
> # parents anywhere
> http_access allow parents
> 
> # challenge if not logged in with parents credentials
> http_access deny !parents
> 
> # everything else is blocked.
> http_access deny all
 
 
Can't we simplify this to:
 
http_access deny !db-auth
http_access allow kids_sites
http_access deny all !parents

Jenny 

Re: [squid-users] Authentication Prompts

2011-09-08 Thread Amos Jeffries

On 09/09/11 06:28, Matt Cochran wrote:

I've been trying to model two different kinds of users in ACLs, where the kids 
are authenticated by one account, and the adults another. The kids are allowed 
to go only to a whitelist of websites, but I'd like the adults to be able to 
override this behavior for a while if they enter their credentials. I was also 
trying to wire this into a db-auth environment so I can alter the accounts from 
my desktop.

Following the guide at 
http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F,
 I can keep the kids restricted to a site but the parents get stuck in an 
authentication loop or just denied access. Here's my config - can anyone help 
me figure this out?




Notice that would allow the kids to get a popup and re-try with the parents'
login to restricted sites without the parent being present.



What you are asking for is this:

 # login required to go anywhere at all
 http_access deny !db-auth

 # kids to their sites
 http_access allow !parents kids_sites

 # parents anywhere
 http_access allow parents

 # challenge if not logged in with parents credentials
 http_access deny !parents

 # everything else is blocked.
 http_access deny all

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.15
  Beta testers wanted for 3.2.0.11


[squid-users] Authentication Prompts

2011-09-08 Thread Matt Cochran
I've been trying to model two different kinds of users in ACLs, where the kids 
are authenticated by one account, and the adults another. The kids are allowed 
to go only to a whitelist of websites, but I'd like the adults to be able to 
override this behavior for a while if they enter their credentials. I was also 
trying to wire this into a db-auth environment so I can alter the accounts from 
my desktop.

Following the guide 
at http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F,
 I can keep the kids restricted to a site but the parents get stuck in an 
authentication loop or just denied access. Here's my config - can anyone help 
me figure this out? 

auth_param basic program /usr/lib64/squid/squid_db_auth --user squid --password squidward --plaintext --persist
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 20 minute
auth_param basic casesensitive off


acl kids_sites dstdomain "/etc/squid/kids_sites.txt"
acl parents proxy_auth sigmondMom
acl db-auth proxy_auth REQUIRED
http_access allow db-auth kids_sites
http_access deny !parents all
http_access allow db-auth

# And finally deny all other access to this proxy
http_access deny all


RE: [squid-users] Authentication infinite loop

2011-08-10 Thread David Parks
I just verified that 3.2.0.10 exhibits this digest authentication problem, and 
I've updated the bug report you (Amos) referenced accordingly.

I also verified that 3.1.14 does *NOT* have this problem (and noted it in the 
same bug report).

Thanks for the response, that's good enough for me for now.

Dave

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Tuesday, July 26, 2011 3:41 PM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Authentication infinite loop

 On Tue, 26 Jul 2011 15:05:22 -0700, David Parks wrote:
> After some more testing I'm finding more cause for concern here. I'm 
> using
> 3.2.0.9 in this test.

 Please use 3.2.0.10. .9 has some big issues.

>
> Digest authentication is configured. I am now just using a simple 
> auth
> helper script which sits in a loop and outputs "ERR" (as per the 
> docs, this
> output indicates "user not found", though in another test I found 
> that
> outputting an incorrect password hash has the same effect).
> Nothing interesting shows up in cache.log during any of this.
>
> Here is the behavior I see:
>
> - Run squid
> - Open the browser w/ squid instance configured as proxy
> - Browser indicates that it's trying to make a connection to the 
> default
> home page (google in this case), waiting
> - Squid auth helper receives nothing (I've got it copying output to a 
> debug
> file for viewing)
>
> - Timeout in around 75 seconds
>
> - Logs show user "-" received TCP_DENIED status (I believe this means 
> a 407
> went back to the browser, but I wasn't monitoring for this 
> specifically)

 Don't assume. Unless the log shows 407 as the status (ie 
 TCP_DENIED/407) there are other things from explicit ACLs, too-big 
 headers and bodies, mangled credentials, or unparsable header values 
 which can cause DENIED.

> - Still auth helper log shows that it received nothing
> - Browser requests user/pass popup
>
> - Entering user/pass sends the entry to the auth helper which replies 
> with
> "ERR"
> - Browser pops up the authentication dialogue again
> - Entering the same user/pass again causes the logs to spam user 
> "username"
> with status TCP_DENIED as quickly as possible (notice that the log 
> now shows
> the username, not "-")
>
>
> Example auth helper script used:
> #!/bin/bash
> while read LINE; do
> echo "$LINE" >>/tmp/output
> echo "ERR"
> done
>

 Sounds like http://bugs.squid-cache.org/show_bug.cgi?id=3186

 There is a workaround posted, but it is not a nice one.

 We need to ensure that unchecked is ONLY set if the browser actually 
 sent whole new details. If the TTL has expired a background check needs 
 to be kicked without altering the existing ok/err state of the 
 credentials. There is a "grace" period where the old value may be used 
 while a background revalidate with the helper is done.

 Amos

>
> -Original Message-
> From: David Parks
>
> In doing some dev work I see a situation where squid gets into an 
> infinite
> loop with the browser. The situation:
>
> 1) Browser attempts digest authentication against squid (running with 
> a
> custom auth helper)
> 2) auth helper fails user authentication
> 3) I believe squid caches the authentication failure
> 4) Browser requests a page using the above authentication
> 5) Squid replies with 407 - authentication required
> 6) INFINITE LOOP: (Browser retries request : squid replies with 407)
>
> The above loop running locally can rack up a meg of data transfer in 
> just
> seconds.
>
> I remember dealing with this issue some time back in some other work 
> and
> just don't recall what I did about it.
>
> I'm running a custom auth helper, log daemon, and url rewrite helper.
>




RE: [squid-users] Authentication infinite loop

2011-07-26 Thread Amos Jeffries

On Tue, 26 Jul 2011 15:05:22 -0700, David Parks wrote:
After some more testing I'm finding more cause for concern here. I'm 
using

3.2.0.9 in this test.


Please use 3.2.0.10. .9 has some big issues.



Digest authentication is configured. I am now just using a simple 
auth
helper script which sits in a loop and outputs "ERR" (as per the 
docs, this
output indicates "user not found", though in another test I found 
that

outputting an incorrect password hash has the same effect).
Nothing interesting shows up in cache.log during any of this.

Here is the behavior I see:

- Run squid
- Open the browser w/ squid instance configured as proxy
- Browser indicates that it's trying to make a connection to the 
default

home page (google in this case), waiting
- Squid auth helper receives nothing (I've got it copying output to a 
debug

file for viewing)

- Timeout in around 75 seconds

- Logs show user "-" received TCP_DENIED status (I believe this means 
a 407
went back to the browser, but I wasn't monitoring for this 
specifically)


Don't assume. Unless the log shows 407 as the status (ie 
TCP_DENIED/407) there are other things from explicit ACLs, too-big 
headers and bodies, mangled credentials, or unparsable header values 
which can cause DENIED.



- Still auth helper log shows that it received nothing
- Browser requests user/pass popup

- Entering user/pass sends the entry to the auth helper which replies 
with

"ERR"
- Browser pops up the authentication dialogue again
- Entering the same user/pass again causes the logs to spam user 
"username"
with status TCP_DENIED as quickly as possible (notice that the log 
now shows

the username, not "-")


Example auth helper script used:
#!/bin/bash
while read LINE; do
echo "$LINE" >>/tmp/output
echo "ERR"
done



Sounds like http://bugs.squid-cache.org/show_bug.cgi?id=3186

There is a workaround posted, but it is not a nice one.

We need to ensure that unchecked is ONLY set if the browser actually 
sent whole new details. If the TTL has expired a background check needs 
to be kicked without altering the existing ok/err state of the 
credentials. There is a "grace" period where the old value may be used 
while a background revalidate with the helper is done.


Amos



-Original Message-
From: David Parks

In doing some dev work I see a situation where squid gets into an 
infinite

loop with the browser. The situation:

1) Browser attempts digest authentication against squid (running with 
a

custom auth helper)
2) auth helper fails user authentication
3) I believe squid caches the authentication failure
4) Browser requests a page using the above authentication
5) Squid replies with 407 - authentication required
6) INFINITE LOOP: (Browser retries request : squid replies with 407)

The above loop running locally can rack up a meg of data transfer in 
just

seconds.

I remember dealing with this issue some time back in some other work 
and

just don't recall what I did about it.

I'm running a custom auth helper, log daemon, and url rewrite helper.
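The credential-cache behaviour Amos sketches above (only genuinely new details start in the unchecked state; an expired TTL triggers a background re-check that leaves the existing ok/err verdict untouched; a grace period during which the old verdict keeps being served) as an added Python model. It is written for this thread and is not Squid code: FakeClock, run_background() and the helper_calls counter are assumptions standing in for Squid's asynchronous helper machinery, and "ok"/"err" are the helper's verdicts, not the HTTP status Squid would send.

```python
from typing import Callable, Dict, List, Optional

# Toy model of the credential cache Amos describes; written for this thread,
# not Squid code. The point it demonstrates: re-sending the same credentials
# never resets them to "unchecked", so a rejected login does not hammer the
# helper, and an expired-but-in-grace entry is revalidated in the background
# exactly once while its old verdict is still served.

OK, ERR, CHALLENGE = "ok", "err", "challenge"


class FakeClock:
    """Deterministic clock so TTL and grace expiry can be stepped by hand (assumption)."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class CredentialCache:
    def __init__(self, helper: Callable[[str], bool], ttl: float, grace: float,
                 clock: Callable[[], float]) -> None:
        self.helper = helper          # True = helper said OK, False = helper said ERR
        self.ttl = ttl
        self.grace = grace
        self.clock = clock
        self.entries: Dict[str, dict] = {}   # credentials -> {"state", "checked_at", "revalidating"}
        self.pending: List[str] = []          # background revalidations queued, not yet run
        self.helper_calls = 0                 # lets a test prove the helper is not spammed

    def _check(self, creds: str) -> str:
        """Helper round trip (foreground or background); records a fresh verdict."""
        self.helper_calls += 1
        state = OK if self.helper(creds) else ERR
        self.entries[creds] = {"state": state, "checked_at": self.clock(), "revalidating": False}
        return state

    def run_background(self) -> None:
        """Completes queued revalidations (stands in for the async helper reply)."""
        while self.pending:
            self._check(self.pending.pop(0))

    def lookup(self, creds: Optional[str]) -> str:
        """Verdict for one request: "ok", "err", or "challenge" when no credentials were sent."""
        if creds is None:
            return CHALLENGE
        entry = self.entries.get(creds)
        if entry is None:
            # Only details never seen before are "unchecked" and go to the helper.
            return self._check(creds)
        age = self.clock() - entry["checked_at"]
        if age <= self.ttl:
            return entry["state"]            # inside TTL: cached verdict, no helper call
        if age <= self.ttl + self.grace:
            # TTL expired but inside grace: keep the old verdict, queue one
            # background revalidation, and do not touch the ok/err state.
            if not entry["revalidating"]:
                entry["revalidating"] = True
                self.pending.append(creds)
            return entry["state"]
        # Past the grace period: too stale to keep serving, check in the foreground.
        return self._check(creds)


def demo_helper(creds: str) -> bool:
    """Constructed stand-in for an auth helper: one good login, everything else ERR."""
    return creds == "alice:correct-password"


if __name__ == "__main__":
    clock = FakeClock()
    cache = CredentialCache(demo_helper, ttl=10, grace=5, clock=clock)
    for creds in ("alice:correct-password", "alice:correct-password", "bob:wrong", "bob:wrong"):
        print(creds, cache.lookup(creds), "helper calls:", cache.helper_calls)
    clock.advance(12)
    print("after TTL expiry:", cache.lookup("alice:correct-password"), "queued:", cache.pending)
    cache.run_background()
    print("after background check, helper calls:", cache.helper_calls)
```

Run stand-alone it shows two lookups of the same rejected login costing one helper call, and the good login surviving TTL expiry with a single background check; compare that with the thread's report of TCP_DENIED lines being logged "as quickly as possible".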





RE: [squid-users] Authentication infinite loop

2011-07-26 Thread David Parks
After some more testing I'm finding more cause for concern here. I'm using
3.2.0.9 in this test.

Digest authentication is configured. I am now just using a simple auth
helper script which sits in a loop and outputs "ERR" (as per the docs, this
output indicates "user not found", though in another test I found that
outputting an incorrect password hash has the same effect).
Nothing interesting shows up in cache.log during any of this.

Here is the behavior I see:

- Run squid
- Open the browser w/ squid instance configured as proxy
- Browser indicates that it's trying to make a connection to the default
home page (google in this case), waiting
- Squid auth helper receives nothing (I've got it copying output to a debug
file for viewing)

- Timeout in around 75 seconds

- Logs show user "-" received TCP_DENIED status (I believe this means a 407
went back to the browser, but I wasn't monitoring for this specifically)
- Still auth helper log shows that it received nothing
- Browser requests user/pass popup

- Entering user/pass sends the entry to the auth helper which replies with
"ERR"
- Browser pops up the authentication dialogue again
- Entering the same user/pass again causes the logs to spam user "username"
with status TCP_DENIED as quickly as possible (notice that the log now shows
the username, not "-")


Example auth helper script used:
#!/bin/bash
while read LINE; do
echo "$LINE" >>/tmp/output
echo "ERR"
done


-Original Message-
From: David Parks [mailto:davidpark...@yahoo.com] 
Sent: Monday, July 25, 2011 7:11 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Authentication infinite loop

In doing some dev work I see a situation where squid gets into an infinite
loop with the browser. The situation:

1) Browser attempts digest authentication against squid (running with a
custom auth helper)
2) auth helper fails user authentication
3) I believe squid caches the authentication failure
4) Browser requests a page using the above authentication
5) Squid replies with 407 - authentication required
6) INFINITE LOOP: (Browser retries request : squid replies with 407)

The above loop running locally can rack up a meg of data transfer in just
seconds.

I remember dealing with this issue some time back in some other work and
just don't recall what I did about it.

I'm running a custom auth helper, log daemon, and url rewrite helper.




[squid-users] Authentication infinite loop

2011-07-25 Thread David Parks
In doing some dev work I see a situation where squid gets into an infinite
loop with the browser. The situation:

1) Browser attempts digest authentication against squid (running with a
custom auth helper)
2) auth helper fails user authentication
3) I believe squid caches the authentication failure
4) Browser requests a page using the above authentication
5) Squid replies with 407 - authentication required
6) INFINITE LOOP: (Browser retries request : squid replies with 407)

The above loop running locally can rack up a meg of data transfer in just
seconds.

I remember dealing with this issue some time back in some other work and
just don't recall what I did about it.

I'm running a custom auth helper, log daemon, and url rewrite helper.



Re: [squid-users] Authentication/Authorization Challenge

2011-07-06 Thread Amos Jeffries

On Wed, 06 Jul 2011 15:42:18 +0200, Robert Velter wrote:

Hi Amos,

thanks for your clarification and the link. So i try now the 
following:


1) Add a working basic auth to auth_param (probably ldap_auth).
2) Modify the access list from
  http_access allow ldapgroup-access
  http_access deny all
   to
  http_access deny !ldapgroup-access
  http_access allow all



It's not clear from your original post if you need the group checking on 
Basic auth'ed users. You might want something like this to require *a* 
login, but not block basic auth user with the group-check:



  acl authed proxy_auth REQUIRED
  # the client's credentials arrive in the request header Proxy-Authorization
  # (Proxy-Authenticate is the challenge header the proxy sends back in a 407)
  acl authBasic req_header Proxy-Authorization ^Basic

  # if NOT logged in as basic do the group check. re-auth if that fails.
  http_access deny !authBasic !ldapgroup-access

  # only gets here if (a) auth via Basic, or (b) auth via NTLM/Negotiate with group checked OK.
  http_access allow authed

  # for config clarity. Should not actually be reachable.
  http_access deny all


Amos



Re: [squid-users] Authentication/Authorization Challenge

2011-07-06 Thread Robert Velter
Hi Amos,

thanks for your clarification and the link. So i try now the following:

1) Add a working basic auth to auth_param (probably ldap_auth).
2) Modify the access list from
  http_access allow ldapgroup-access
  http_access deny all
   to
  http_access deny !ldapgroup-access
  http_access allow all

This should then trigger the authentication loop mentioned in the FAQ,
and I hope that at least the browsers in use behave sanely...

I don't care about update agents (adobe, java, ...), they should be
disabled in this environment anyway.

Robert

Am Donnerstag, den 07.07.2011, 00:39 +1200 schrieb Amos Jeffries:
> 
> That will probably die horribly. NTLM & Negotiate both hijack HTTP to 
> try and authenticate the TCP-level. Once credentials are accepted a 
> change in auth requires the TCP link itself to be terminated.
> 
> You can cause a re-auth challenge, but Squid will still offer the same 
> set of Negotiate,NTLM,Basic as available. The sane browsers should move 
> on to the next available choice they have not tried (most agents are not 
> that sane though).
> 
> Details of how to re-auth are in the FAQ:
>  
> http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F
> 
> Amos

-- 
Robert Velter 



Re: [squid-users] Authentication/Authorization Challenge

2011-07-06 Thread Amos Jeffries

On 06/07/11 23:19, Robert Velter wrote:

Hi all,

I have a (nice?) squid authentication/authorization challenge.

I already have a working authentication configuration using negotiate
with squid_kerb_auth and ntlm using ntlm_auth. Authorization is done
using an external_acl_type with squid_ldap_group.

Now I want users to be able to authenticate/authorize using basic auth when
the squid_ldap_group check fails. Resulting in the following logic:

grant access if ((logged in windowsuser is in group internet) or
  (given credentials authenticate for group internet))

As far as I understand I can't solve this with auth_param modifications
because the external_acl ldap_group already gets a validated username
from kerberos/ntlm (all clients are microsoft windows). I think I need
an additional external_acl helper with integrated basic auth. Right?

Is there any external_acl helper out there with the needed
functionality?

Regards, Robert



That will probably die horribly. NTLM & Negotiate both hijack HTTP to 
try and authenticate the TCP-level. Once credentials are accepted a 
change in auth requires the TCP link itself to be terminated.


You can cause a re-auth challenge, but Squid will still offer the same 
set of Negotiate,NTLM,Basic as available. The sane browsers should move 
on to the next available choice they have not tried (most agents are not 
that sane though).


Details of how to re-auth are in the FAQ:

http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.9


[squid-users] Authentication/Authorization Challenge

2011-07-06 Thread Robert Velter
Hi all,

I have a (nice?) squid authentication/authorization challenge.

I already have a working authentication configuration using negotiate
with squid_kerb_auth and ntlm using ntlm_auth. Authorization is done
using an external_acl_type with squid_ldap_group.

Now I want users to be able to authenticate/authorize using basic auth when
the squid_ldap_group check fails. Resulting in the following logic:

grant access if ((logged in windowsuser is in group internet) or
 (given credentials authenticate for group internet))

As far as I understand I can't solve this with auth_param modifications
because the external_acl ldap_group already gets a validated username
from kerberos/ntlm (all clients are microsoft windows). I think I need
an additional external_acl helper with integrated basic auth. Right?

Is there any external_acl helper out there with the needed
functionality?

Regards, Robert

-- 
Robert Velter 



RE: [squid-users] Authentication to Sharepoint not happening

2011-02-02 Thread Saurabh Agarwal
I used "pipeline_prefetch off" setting in squid.conf and it works.

Regards,
Saurabh

-Original Message-
From: Senthilkumar [mailto:senthilkumaar2...@gmail.com] 
Sent: Wednesday, February 02, 2011 12:48 PM
To: Saurabh Agarwal
Subject: Re: [squid-users] Authentication to Sharepoint not happening

Hi Saurabh Agarwal,

We also have the same issue. Could you please share with us the steps to 
be followed to make it work.

Thanks
Senthil

Saurabh Agarwal wrote:
> It works now! I followed the code and then turned "off pipeline_prefetch". In 
> code there was this check which was setting no_connection_auth flag to 1.
>
> if (Config.onoff.pipeline_prefetch)
> request->flags.no_connection_auth = 1;
>
> I don't understand it completely but I can move forward. Thank You Amos!
>
> Regards,
> Saurabh
> 
> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
> Sent: Tuesday, February 01, 2011 6:30 PM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Authentication to Sharepoint not happening
>
> On 02/02/11 00:43, Saurabh Agarwal wrote:
>   
>> Looks like we are making progress. Yeah there is a condition in the code 
>> client_side.c that relates to when "WWW-Authenticate" header is being 
>> deleted. Condition checks for no_connection_auth flag in the request.
>>
>> This is the code. It checks if there is no_connection_auth in incoming 
>> request then that header is being deleted. I think it relates to pinning 
>> connections as you said earlier.
>>
>>  if (request->flags.no_connection_auth) {
>>  httpHeaderDelAt(hdr, pos);
>>  connection_auth_blocked = 1;
>>  continue;
>>  }
>>
>> But in Squid-2.7.Stable7 there is support only for specifying 
>> no-connection-auth in http_port directive. In Squid 3.1 we can turn it 
>> on|off using connection-auth=[on|off].
>>
>> How to not set the no_connection_auth flag in Squid-2.7.Stable.7?
>> 
>
> It is supposed to be on by default in both versions and the 
> configuration option there to turn it off and turn on stripping of the 
> header.
>
> Amos
>   



Re: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Senthilkumar

Hi Amos,

We are also having trouble accessing a SharePoint site which uses NTLM 
authentication.
We have configured squid with the NTLM scheme. Does the fix below 
(pipeline_prefetch on) work for a squid which is configured with 
NTLM proxy authentication?



Thanks
Senthil

Amos Jeffries wrote:

On Tue, 1 Feb 2011 20:25:42 +0530, Saurabh Agarwal
 wrote:

It works now! I followed the code and then turned "off pipeline_prefetch".
In code there was this check which was setting no_connection_auth flag to 1.

if (Config.onoff.pipeline_prefetch)
request->flags.no_connection_auth = 1;

I don't understand it completely but I can move forward. Thank You Amos!



Aha, Thank you!  This has led me to find a bug.

Squid-3 checks and overrides pipelining when auth_param are set to prevent
request race conditions. But I see that if the pipeline is manually
configured after the auth_param it will be turned back on. Fixing now.

Amos


  




RE: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Amos Jeffries
On Tue, 1 Feb 2011 20:25:42 +0530, Saurabh Agarwal
 wrote:
> It works now! I followed the code and then turned "off pipeline_prefetch".
> In code there was this check which was setting no_connection_auth flag to 1.
> 
> if (Config.onoff.pipeline_prefetch)
> request->flags.no_connection_auth = 1;
> 
> I don't understand it completely but I can move forward. Thank You Amos!

Aha, Thank you!  This has led me to find a bug.

Squid-3 checks and overrides pipelining when auth_param are set to prevent
request race conditions. But I see that if the pipeline is manually
configured after the auth_param it will be turned back on. Fixing now.

Amos
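A configuration check for the ordering Amos describes, as an added example (written for this thread, not Squid code): it reports a `pipeline_prefetch on` that appears after `auth_param`, which is the case where the automatic override was lost, and names the connection-oriented schemes (NTLM, Negotiate) whose credentials are bound to the TCP connection and therefore cannot tolerate pipelined requests racing ahead of the handshake. The sample configs, including the ntlm_auth helper line, are constructed.

```python
from typing import List, Optional

# Config lint written for this thread (not Squid code). It flags the ordering
# Amos reports as broken: "pipeline_prefetch on" placed after auth_param, which
# re-enabled pipelining after Squid-3 had switched it off for authenticated
# traffic. A "pipeline_prefetch on" before auth_param is not flagged, because
# the auth_param override then still applies.

CONNECTION_ORIENTED = {"ntlm", "negotiate"}   # schemes that bind credentials to the TCP connection


def check_pipeline_order(conf: str) -> List[str]:
    """Return one warning per offending pipeline_prefetch line; an empty list means clean."""
    warnings: List[str] = []
    first_auth_line: Optional[int] = None
    schemes = set()
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # ignore comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "auth_param" and len(tokens) >= 2:
            if first_auth_line is None:
                first_auth_line = lineno
            schemes.add(tokens[1].lower())
        elif tokens[0] == "pipeline_prefetch" and len(tokens) >= 2:
            if tokens[1].lower() == "on" and first_auth_line is not None:
                msg = (f"line {lineno}: 'pipeline_prefetch on' after auth_param "
                       f"(line {first_auth_line}) turns pipelining back on for authenticated clients")
                hit = sorted(schemes & CONNECTION_ORIENTED)
                if hit:
                    msg += (f"; {', '.join(hit)} binds credentials to the connection, "
                            "so set it off or move it before auth_param")
                warnings.append(msg)
    return warnings


# Constructed samples: the ordering the thread found to be broken, and the fix.
BAD_CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
acl authed proxy_auth REQUIRED
pipeline_prefetch on
http_access allow authed
http_access deny all
"""

GOOD_CONF = BAD_CONF.replace("pipeline_prefetch on", "pipeline_prefetch off")

if __name__ == "__main__":
    for name, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(name, check_pipeline_order(conf) or ["clean"])
```

The check is intentionally order-sensitive, because the bug Amos found was about order: the same directive placed before auth_param would have been overridden.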



RE: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Saurabh Agarwal
It works now! I followed the code and then turned "off pipeline_prefetch". In 
code there was this check which was setting no_connection_auth flag to 1.

if (Config.onoff.pipeline_prefetch)
request->flags.no_connection_auth = 1;

I don't understand it completely but I can move forward. Thank You Amos!

Regards,
Saurabh

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Tuesday, February 01, 2011 6:30 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Authentication to Sharepoint not happening

On 02/02/11 00:43, Saurabh Agarwal wrote:
> Looks like we are making progress. Yeah there is a condition in the code 
> client_side.c that relates to when "WWW-Authenticate" header is being 
> deleted. Condition checks for no_connection_auth flag in the request.
>
> This is the code. It checks if there is no_connection_auth in incoming 
> request then that header is being deleted. I think it relates to pinning 
> connections as you said earlier.
>
>   if (request->flags.no_connection_auth) {
>  httpHeaderDelAt(hdr, pos);
>  connection_auth_blocked = 1;
>  continue;
>  }
>
> But in Squid-2.7.Stable7 there is support only for specifying 
> no-connection-auth in http_port directive. In Squid 3.1 we can turn it on|off 
> using connection-auth=[on|off].
>
> How to not set the no_connection_auth flag in Squid-2.7.Stable.7?

It is supposed to be on by default in both versions and the 
configuration option there to turn it off and turn on stripping of the 
header.

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4


Re: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Amos Jeffries

On 02/02/11 00:43, Saurabh Agarwal wrote:

Looks like we are making progress. Yeah there is a condition in the code client_side.c 
that relates to when "WWW-Authenticate" header is being deleted. Condition 
checks for no_connection_auth flag in the request.

This is the code. It checks if there is no_connection_auth in incoming request 
then that header is being deleted. I think it relates to pinning connections as 
you said earlier.

if (request->flags.no_connection_auth) {
 httpHeaderDelAt(hdr, pos);
 connection_auth_blocked = 1;
 continue;
 }

But in Squid-2.7.Stable7 there is support only for specifying 
no-connection-auth in http_port directive. In Squid 3.1 we can turn it on|off 
using connection-auth=[on|off].

How to not set the no_connection_auth flag in Squid-2.7.Stable.7?


It is supposed to be on by default in both versions and the 
configuration option there to turn it off and turn on stripping of the 
header.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4


RE: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Saurabh Agarwal
Looks like we are making progress. Yeah there is a condition in the code 
client_side.c that relates to when "WWW-Authenticate" header is being deleted. 
Condition checks for no_connection_auth flag in the request.

This is the code. It checks if there is no_connection_auth in incoming request 
then that header is being deleted. I think it relates to pinning connections as 
you said earlier.

if (request->flags.no_connection_auth) {
httpHeaderDelAt(hdr, pos);
connection_auth_blocked = 1;
continue;
}

But in Squid-2.7.Stable7 there is support only for specifying 
no-connection-auth in http_port directive. In Squid 3.1 we can turn it on|off 
using connection-auth=[on|off].

How to not set the no_connection_auth flag in Squid-2.7.Stable.7?

Regards,
Saurabh

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Tuesday, February 01, 2011 4:39 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Authentication to Sharepoint not happening

On 01/02/11 23:57, Saurabh Agarwal wrote:
> Thanks Amos. Yeah they were cut and paste errors. Other than that I have 
> tried using http11 with http_port and ignore_expect and it still doesn't work.
>
> I think this is by design in Squid. Following code in "client_side.c" 
> suggests that it will always filter the "WWW-Authenticate" header from HTTP 
> Headers by treating it as unproxyable auth type.
>
> /* Filter unproxyable authentication types */
>  if (http->log_type != LOG_TCP_DENIED&&
>  (httpHeaderHas(hdr, HDR_WWW_AUTHENTICATE))) {
>  HttpHeaderPos pos = HttpHeaderInitPos;
>  
>  
>  ...code here removes the "WWW-Authenticate" from HTTP Header.

There should be some conditions skipping removal on "must_keepalive" or 
"proxy_keepalive" flags in there.

I would expect pinning to be in effect at this point. If not that is a 
problem someone might find worth fixing one day. For Negotiate auth type 
at minimum.

>
> Also the following link 
> "http://www.visolve.com/squid/Squid_tutorial.php#Authentication_";  suggests 
> that Proxy Auth can't work in transparent mode.
>
> Can you please comment on this?

Yes "Proxy-Authenticate:" will not work in transparent mode. There is no 
reason why "WWW-Authenticate:" with the origin cannot.


Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4


Re: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Amos Jeffries

On 01/02/11 23:57, Saurabh Agarwal wrote:

Thanks Amos. Yeah they were cut and paste errors. Other than that I have tried 
using http11 with http_port and ignore_expect and it still doesn't work.

I think this is by design in Squid. Following code in "client_side.c" suggests that it 
will always filter the "WWW-Authenticate" header from HTTP Headers by treating it as 
unproxyable auth type.

/* Filter unproxyable authentication types */
 if (http->log_type != LOG_TCP_DENIED&&
 (httpHeaderHas(hdr, HDR_WWW_AUTHENTICATE))) {
 HttpHeaderPos pos = HttpHeaderInitPos;
 
 
 ...code here removes the "WWW-Authenticate" from HTTP Header.


There should be some conditions skipping removal on "must_keepalive" or 
"proxy_keepalive" flags in there.


I would expect pinning to be in effect at this point. If not that is a 
problem someone might find worth fixing one day. For Negotiate auth type 
at minimum.




Also the following link 
"http://www.visolve.com/squid/Squid_tutorial.php#Authentication_";  suggests 
that Proxy Auth can't work in transparent mode.

Can you please comment on this?


Yes "Proxy-Authenticate:" will not work in transparent mode. There is no 
reason why "WWW-Authenticate:" with the origin cannot.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4


RE: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Saurabh Agarwal
Thanks Amos. Yeah they were cut and paste errors. Other than that I have tried 
using http11 with http_port and ignore_expect and it still doesn't work.

I think this is by design in Squid. Following code in "client_side.c" suggests 
that it will always filter the "WWW-Authenticate" header from HTTP Headers by 
treating it as unproxyable auth type.

   /* Filter unproxyable authentication types */
if (http->log_type != LOG_TCP_DENIED &&
(httpHeaderHas(hdr, HDR_WWW_AUTHENTICATE))) {
HttpHeaderPos pos = HttpHeaderInitPos;


...code here removes the "WWW-Authenticate" from HTTP Header.

Also the following link 
"http://www.visolve.com/squid/Squid_tutorial.php#Authentication_";  suggests 
that Proxy Auth can't work in transparent mode.

Can you please comment on this?

Regards,
Saurabh

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Tuesday, February 01, 2011 3:34 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Authentication to Sharepoint not happening

On 01/02/11 21:29, Saurabh Agarwal wrote:
> Hi Amos
>
> I am using squid.2.7.STABLE7. Following is my configuration. I want to allow 
> everything.
>
> http_port 192.168.11.35:3128 transparent
> acl from_localhost src 192.168.11.35

> http_port 10.102.79.82:3128 transparent
> acl from_localhost src 10.102.79.82
> http_port 10.102.79.82:3128 transparent
> acl from_localhost src 10.102.79.82

cut-n-paste error? http_port and ACL are defined twice.

> visible_hostname hostname
> acl foreign_networksAux1 dst
> acl foreign_networksapA dst 0.0.0.0/0

above ACL collapses to "acl foreign_networksapA dst all"

> tcp_outgoing_address 192.168.11.35 foreign_networksAux1
> tcp_outgoing_address 10.102.79.82 foreign_networksapA

May as well drop "foreign_networksapA" off that tcp_outgoing. It has no 
meaning.

> access_log none
> cache_log /dev/null

cache_log is not optional for very good reasons. If you are that worried 
about stuff being logged set "debug_options ALL,0" to receive only the 
critical failure events.


> debug_options ALL,1
>

> debug_options ALL,1
>
> acl manager proto cache_object
> acl all src 0.0.0.0/0.0.0.0
> acl all_dst dst 0.0.0.0/0.0.0.0

Easier to read and forward-portable:
   acl all src all
   acl all_dst dst all

Note that "dst all" means all domains with DNS-resolvable 
destinations. "src all" means coming from a machine via the IP protocol.

> http_access allow manager from_localhost
> http_access deny manager
> http_access allow all all_dst

Translation:
   allow a request if it arrives from a machine with an IP address and 
is destined to a machine which has an IP address.

Nice...  Open proxy with no logging and transparent hijacking on a 
standard port 3128 :).
Good thing your public IP is a little bit obscured.


This looks like a slightly confused configuration based on a loose 
explanation of the tcp_outgoing_address "dst" hack.

The real hack is to place this above any "http_access allow" lines:
   http_access deny all_dst !all

meaning: perform DNS lookup on the destination (thus caching the result 
for tcp_outgoing_address to use) then skip to the next http_access line 
due to an impossible test.

After doing that hack you *still* have to setup permissions as to who is 
allowed to access the proxy.


>
> hierarchy_stoplist cgi-bin ?
> acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback.*id)
> acl store_rewrite_list1 dstdomain .youtube.com .video.google.com \/(get_video\?|videodownload\?|videoplayback.*id)

cut-n-paste error? " \/(get_video\?|vi..." is not a valid domain name.

>
> client_persistent_connections on
> server_persistent_connections on

Good.


>
> # Shorten timeouts
> negative_ttl 5 minutes

Bad. This means: DoS all clients of a URL whenever a 4xx or 5xx happens 
on it.

This may be related to the 401 followup not working well.

Recommended value:
   negative_ttl 0 seconds


> connect_timeout 1 minute
> peer_connect_timeout 30 seconds
> read_timeout 15 minutes
> request_timeout 5 minutes
> half_closed_clients off
> pconn_timeout 1 minute

NTLM and Negotiate require two pconn pinned together to operate. This 
timeout will directly affect how often those paired TCP links are 
discarded and require new auth handshakes.


So in summary, other than negative_ttl and a small pconn_timeout 
possibly affecting things this config looks like it should pass the auth 
headers just fine.


One other possibility you could try since this is 2.7 is the HTTP/1.1 
options.
   http_port ... http11

and these two:
http://www.squid-cache.org/Versions/v2/2.7/cfgman/server_http11.html
http://www.squid-cache.org/Versions/v2/2.7/cfgman/ignore_expect_10

Re: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Amos Jeffries

On 01/02/11 21:29, Saurabh Agarwal wrote:

Hi Amos

I am using squid.2.7.STABLE7. Following is my configuration. I want to allow 
everything.

http_port 192.168.11.35:3128 transparent
acl from_localhost src 192.168.11.35



http_port 10.102.79.82:3128 transparent
acl from_localhost src 10.102.79.82
http_port 10.102.79.82:3128 transparent
acl from_localhost src 10.102.79.82


cut-n-paste error? http_port and ACL are defined twice.


visible_hostname hostname
acl foreign_networksAux1 dst
acl foreign_networksapA dst 0.0.0.0/0


above ACL collapses to "acl foreign_networksapA dst all"


tcp_outgoing_address 192.168.11.35 foreign_networksAux1
tcp_outgoing_address 10.102.79.82 foreign_networksapA


May as well drop "foreign_networksapA" off that tcp_outgoing. It has no 
meaning.



access_log none
cache_log /dev/null


cache_log is not optional for very good reasons. If you are that worried 
about stuff being logged set "debug_options ALL,0" to receive only the 
critical failure events.




debug_options ALL,1




debug_options ALL,1

acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl all_dst dst 0.0.0.0/0.0.0.0


Easier to read and forward-portable:
  acl all src all
  acl all_dst dst all

Note that "dst all" means all domains with DNS-resolvable 
destinations. "src all" means coming from a machine via the IP protocol.



http_access allow manager from_localhost
http_access deny manager
http_access allow all all_dst


Translation:
  allow a request if it arrives from a machine with an IP address and 
is destined to a machine which has an IP address.


Nice...  Open proxy with no logging and transparent hijacking on a 
standard port 3128 :).

Good thing your public IP is a little bit obscured.


This looks like a slightly confused configuration based on a loose 
explanation of the tcp_outgoing_address "dst" hack.


The real hack is to place this above any "http_access allow" lines:
  http_access deny all_dst !all

meaning: perform DNS lookup on the destination (thus caching the result 
for tcp_outgoing_address to use) then skip to the next http_access line 
due to an impossible test.


After doing that hack you *still* have to setup permissions as to who is 
allowed to access the proxy.





hierarchy_stoplist cgi-bin ?
acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback.*id)
acl store_rewrite_list1 dstdomain .youtube.com .video.google.com \/(get_video\?|videodownload\?|videoplayback.*id)


cut-n-paste error? " \/(get_video\?|vi..." is not a valid domain name.



client_persistent_connections on
server_persistent_connections on


Good.




# Shorten timeouts
negative_ttl 5 minutes


Bad. This means: DoS all clients of a URL whenever a 4xx or 5xx happens 
on it.


This may be related to the 401 followup not working well.

Recommended value:
  negative_ttl 0 seconds



connect_timeout 1 minute
peer_connect_timeout 30 seconds
read_timeout 15 minutes
request_timeout 5 minutes
half_closed_clients off
pconn_timeout 1 minute


NTLM and Negotiate require two pconn pinned together to operate. This 
timeout will directly affect how often those paired TCP links are 
discarded and require new auth handshakes.



So in summary, other than negative_ttl and a small pconn_timeout 
possibly affecting things this config looks like it should pass the auth 
headers just fine.



One other possibility you could try since this is 2.7 is the HTTP/1.1 
options.

  http_port ... http11

and these two:
http://www.squid-cache.org/Versions/v2/2.7/cfgman/server_http11.html
http://www.squid-cache.org/Versions/v2/2.7/cfgman/ignore_expect_100.html

The server_http11 is safest with no known problem side effects. The 
http_port change may require ignore_expect_100 to fix broken clients. 
Though such broken client apps are slowly disappearing now.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4
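
Amos's review above, together with the pipeline_prefetch finding earlier in this thread (the `if (Config.onoff.pipeline_prefetch) request->flags.no_connection_auth = 1;` check that makes Squid strip the origin's WWW-Authenticate headers) and the note that NTLM and Negotiate need persistent, pinned connections, can be turned into a mechanical squid.conf check. The script below is an added example written for this archive page; it is not Squid project code and was not posted in the thread. It embeds a constructed sample built from the posted directives and a corrected counterpart (the 10.102.0.0/16 client range and the 120-second pconn_timeout warning threshold are assumptions), warns on each pattern the review called out, and recognises the `http_access deny all_dst !all` DNS-prewarm idiom as a no-op rather than a restriction.

```python
"""Lint a squid.conf for the issues raised in this thread: a catch-all http_access
allow (open proxy), no logs, negative_ttl > 0, pipeline_prefetch on (sets
no_connection_auth and strips origin NTLM/Negotiate challenges), persistent
connections off, a short pconn_timeout, a duplicated http_port.  Added example."""

CATCH_ALL = {"all", "0.0.0.0/0", "0.0.0.0/0.0.0.0", "0/0", "::/0"}
UNITS = {"second": 1, "seconds": 1, "minute": 60, "minutes": 60,
         "hour": 3600, "hours": 3600, "day": 86400, "days": 86400}

# Constructed sample: the directives the review commented on, from the posted config.
WEAK_CONF = """\
http_port 10.102.79.82:3128 transparent
http_port 10.102.79.82:3128 transparent
acl all src 0.0.0.0/0.0.0.0
acl all_dst dst 0.0.0.0/0.0.0.0
http_access allow all all_dst
access_log none
cache_log /dev/null
pipeline_prefetch on
negative_ttl 5 minutes
pconn_timeout 1 minute
"""

# Constructed corrected version; the 10.102.0.0/16 client range is an assumption.
FIXED_CONF = """\
http_port 10.102.79.82:3128 transparent
acl localnet src 10.102.0.0/16
acl all_dst dst all
http_access deny all_dst !all
http_access allow localnet
http_access deny all
access_log /squid/logs/access.log
cache_log /squid/logs/cache.log
debug_options ALL,0
pipeline_prefetch off
negative_ttl 0 seconds
pconn_timeout 2 minutes
"""

def parse_conf(text):
    """Return ({acl name: (type, values)}, [(directive, args)] in file order)."""
    acls, directives = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 3:
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        directives.append((parts[0], parts[1:]))
    return acls, directives

def seconds(args):
    """Squid time value '<number> [unit]'; a bare number is seconds."""
    return float(args[0]) * UNITS[args[1] if len(args) > 1 else "seconds"]

def always_matches(acls, token):
    """True if an http_access token can only ever match: the builtin 'all', or a
    src/dst ACL listing a catch-all address.  A negated catch-all never matches."""
    negated, name = token.startswith("!"), token.lstrip("!")
    typ, values = acls.get(name, ("builtin" if name == "all" else None, []))
    catch_all = typ == "builtin" or (
        typ in ("src", "dst") and any(v in CATCH_ALL for v in values))
    return catch_all and not negated

def lint(text):
    """Return a list of warning strings for the config text."""
    acls, directives = parse_conf(text)
    findings, ports, guarded = [], set(), False
    for name, args in directives:
        if name == "http_port" and args:
            if args[0] in ports:
                findings.append(f"duplicate http_port {args[0]}")
            ports.add(args[0])
        elif name == "http_access" and args:
            verb, tokens = args[0], args[1:]
            # A negated catch-all never matches: 'deny all_dst !all' is the
            # DNS-prewarm hack from the review, a no-op rather than a restriction.
            if any(t.startswith("!") and always_matches(acls, t[1:]) for t in tokens):
                continue
            if verb == "deny" and any(t.startswith("!") and
                                      acls.get(t[1:], (None,))[0] == "src" for t in tokens):
                guarded = True  # e.g. 'deny !localnet' already fences off outsiders
            elif verb == "allow" and tokens and not guarded and all(
                    always_matches(acls, t) for t in tokens):
                findings.append(f"open proxy: 'http_access allow {' '.join(tokens)}' "
                                "admits every client to every destination")
        elif name == "access_log" and args and args[0] == "none":
            findings.append("access_log none: no request log for incident response")
        elif name == "cache_log" and args and args[0] == "/dev/null":
            findings.append("cache_log /dev/null: keep the log, use 'debug_options ALL,0'")
        elif name == "negative_ttl" and args and seconds(args) > 0:
            findings.append(f"negative_ttl {' '.join(args)}: 4xx/5xx (incl. 401) are cached and replayed")
        elif name == "pconn_timeout" and args and seconds(args) < 120:  # assumed threshold
            findings.append(f"pconn_timeout {' '.join(args)}: pinned NTLM/Negotiate pairs drop and re-handshake")
        elif name == "pipeline_prefetch" and args and args[0] == "on":
            findings.append("pipeline_prefetch on: sets no_connection_auth, strips origin NTLM/Negotiate challenges")
        elif name.endswith("_persistent_connections") and args and args[0] == "off":
            findings.append(f"{name} off: NTLM/Negotiate need persistent connections")
    return findings
```

Calling lint(WEAK_CONF) returns seven warnings, lint(FIXED_CONF) none. The guarded flag exists because Squid stops at the first matching http_access line: an `allow all` placed after `deny !localnet` is not an open proxy, whereas the posted config has no such fence in front of its catch-all allow.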


RE: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Saurabh Agarwal
Hi Amos

I am using squid.2.7.STABLE7. Following is my configuration. I want to allow 
everything.

http_port 192.168.11.35:3128 transparent
acl from_localhost src 192.168.11.35
http_port 10.102.79.82:3128 transparent
acl from_localhost src 10.102.79.82
http_port 10.102.79.82:3128 transparent
acl from_localhost src 10.102.79.82
visible_hostname hostname
acl foreign_networksAux1 dst
acl foreign_networksapA dst 0.0.0.0/0
tcp_outgoing_address 192.168.11.35 foreign_networksAux1
tcp_outgoing_address 10.102.79.82 foreign_networksapA
access_log none
cache_log /dev/null

cache_mem 8 MB
cache_dir aufs /squid/var/cache/small 1500 9 256 max-size=1
cache_dir aufs /squid/var/cache/medium 4500 6 256 max-size=100
cache_dir aufs /squid/var/cache/large 4000 3 256
maximum_object_size 1000 MB
log_mime_hdrs off
max_open_disk_fds 400
maximum_object_size_in_memory 16 KB
debug_options ALL,1

cache_store_log none
pid_filename /squid/logs/squid.pid
debug_options ALL,1

acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl all_dst dst 0.0.0.0/0.0.0.0
http_access allow manager from_localhost
http_access deny manager
http_access allow all all_dst
icp_access deny all

icp_port 0
htcp_port 0

#this is the directory where core-dump from squid will be kept
coredump_dir /squid/var

log_fqdn off
fqdncache_size 8192
ipcache_size 8192

minimum_object_size 512 bytes
quick_abort_min -1 KB

hierarchy_stoplist cgi-bin ?
acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback.*id)
acl store_rewrite_list1 dstdomain .youtube.com .video.google.com \/(get_video\?|videodownload\?|videoplayback.*id)
storeurl_access allow store_rewrite_list store_rewrite_list1
storeurl_rewrite_program /orbital/current/squid/storeurl.pl
storeurl_rewrite_children 1
storeurl_rewrite_concurrency 10

redirector_bypass on

#this refresh_pattern is for caching youtube videos
refresh_pattern (get_video\?|videoplayback\?|videodownload\?) 5259487 % 5259487 ignore-private ignore-no-cache override-expire

refresh_pattern ^ftp:   1   50% 10080
refresh_pattern ^gopher:1   0%  1440
refresh_pattern -i \.(gif|jpg|jpeg|tif|png|ico|bmp)$  0 50% 6000 ignore-no-cache
refresh_pattern -i \.(wma|wmv|avi|mpeg|ram|mp3|mpg|flv)$ 60 200% 10080 
ignore-no-cache override-expire ignore-private
refresh_pattern -i \.(3gp|mp4|rm|ram|mov|m4v|qt)$ 60 200% 10080 ignore-no-cache 
override-expire ignore-private
refresh_pattern -i \.(cab|exe|gzip|gz|zip|rpm|bin|dat|psf|bz2)$ 0 20% 14400
refresh_pattern -i \.(swf|css|js)$ 0 50% 1
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll)  1 20% 1440
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 1 20% 1440
refresh_pattern -i \.(htm|html|asp|jsp|shtml|dhtml|php)$ 0 0% 0

refresh_pattern -i (/cgi-bin/|\?)  0 0% 0
refresh_pattern .  0 20% 4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

#extension_methods dddxxx

cache_effective_user squid
cache_effective_group squid

client_persistent_connections on
server_persistent_connections on

logfile_rotate 0
ie_refresh on
request_entities on
pipeline_prefetch on
strip_query_terms off
minimum_direct_hops 0
minimum_direct_rtt 0
log_icp_queries off

# Shorten timeouts
negative_ttl 5 minutes
connect_timeout 1 minute
peer_connect_timeout 30 seconds
read_timeout 15 minutes
request_timeout 5 minutes
half_closed_clients off
pconn_timeout 1 minute

Regards,
Saurabh

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Tuesday, February 01, 2011 12:12 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Authentication to Sharepoint not happening

On 01/02/11 19:27, Saurabh Agarwal wrote:
> Hi All
>
> I am running Squid as a transparent proxy and can't authenticate to 
> sharepoint server. If I bypass squid then everything works fine.
>
> I have not compiled Squid with any of the authentication related configurables
>
> --enable-auth="basic,digest,ntlm,negotiate" 
> --enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL"
>  --enable-negotiate-auth-helpers="squid_kerb_auth" --enable-cache-digests 
> --enable-ntlm-auth-helpers="SMB,fakeauth" 
> --enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group".
>
> I see that sharepoint sends squid the following http headers in HTTP 401 
> response
>
> WWW-Authenticate: Negotiate\r\n
> WWW-Authenticate: NTLM\r\n
>
> But squid is not forwarding these headers to the client? If I bypass squid 
> then everything works fine.
>
> Can someone please help here?

Negotiate and NTLM both require HTTP/1.1 persistent connections and also 
some major hacks called connection pinning. Not all Squid support these 
equally.

What version of Squid are you using? and with what configuration?

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4


Re: [squid-users] Authentication to Sharepoint not happening

2011-01-31 Thread Amos Jeffries

On 01/02/11 19:27, Saurabh Agarwal wrote:

Hi All

I am running Squid as a transparent proxy and can't authenticate to sharepoint 
server. If I bypass squid then everything works fine.

I have not compiled Squid with any of the authentication related configurables

--enable-auth="basic,digest,ntlm,negotiate" 
--enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL" 
--enable-negotiate-auth-helpers="squid_kerb_auth" --enable-cache-digests 
--enable-ntlm-auth-helpers="SMB,fakeauth" 
--enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group".

I see that sharepoint sends squid the following http headers in HTTP 401 
response

WWW-Authenticate: Negotiate\r\n
WWW-Authenticate: NTLM\r\n

But squid is not forwarding these headers to the client? If I bypass squid then 
everything works fine.

Can someone please help here?


Negotiate and NTLM both require HTTP/1.1 persistent connections and also 
some major hacks called connection pinning. Not all Squid support these 
equally.


What version of Squid are you using? and with what configuration?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4


[squid-users] Authentication to Sharepoint not happening

2011-01-31 Thread Saurabh Agarwal
Hi All

I am running Squid as a transparent proxy and can't authenticate to sharepoint 
server. If I bypass squid then everything works fine.

I have not compiled Squid with any of the authentication related configurables

--enable-auth="basic,digest,ntlm,negotiate" 
--enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL"
 --enable-negotiate-auth-helpers="squid_kerb_auth" --enable-cache-digests 
--enable-ntlm-auth-helpers="SMB,fakeauth" 
--enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group".

I see that sharepoint sends squid the following http headers in HTTP 401 
response

WWW-Authenticate: Negotiate\r\n 
WWW-Authenticate: NTLM\r\n

But squid is not forwarding these headers to the client? If I bypass squid then 
everything works fine.

Can someone please help here?

Regards,
Saurabh


Re: [squid-users] authentication problems

2010-12-04 Thread Amos Jeffries

On 05/12/10 09:45, ant2ne wrote:


I want to use squid and dansguardian to filter by groups. It is working, sort
of.

Problem 1, after launching the web browser it takes a very long time (a
minute or 2) before the authentication dialog pops up. This needs to be
instant. What am I doing wrong? Once it does finally pop up, I can
authenticate and dansguardian does assign the proper filtering groups.


The config below does not contain any reason for this slowness. Unless 
you have an abnormally large NCSA users file to be checked the problem 
is outside of Squid.




Problem 2, I would like anyone who fails to authenticate to be assigned
user credentials: default-user. How would I do this?


No reasonably secure browser sends credentials by default. Anyone who 
fails to authenticate is requested to send credentials.




Problem 3, Can I edit the text of the authentication dialog box?



Only the realm string. There are security attacks which can be done by 
sending dialog box text and modern browsers are closing even that 
limited ability down.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3


[squid-users] authentication problems

2010-12-04 Thread ant2ne

I want to use squid and dansguardian to filter by groups. It is working, sort
of.

Problem 1, after launching the web browser it takes a very long time (a
minute or 2) before the authentication dialog pops up. This needs to be
instant. What am I doing wrong? Once it does finally pop up, I can
authenticate and dansguardian does assign the proper filtering groups.

Problem 2, I would like anyone who fails to authenticate to be assigned
user credentials: default-user. How would I do this?

Problem 3, Can I edit the text of the authentication dialog box?


Below this point is my squid.conf file...
http_port 3128
# acl QUERY urlpath_regex cgi-bin \? #Removed by Amos, suggested to speed up web sites using media
#cache_mem 512 MB# May need to set lower if I run low on RAM
#maximum_object_size_in_memory 4096 KB #Increased by Amos, suggested to speed up web sites using media
#maximum_object_size 1 GB
#cache_dir aufs /cache 50 256 256
redirect_rewrites_host_header off
cache_replacement_policy lru

#auth_param basic program /usr/lib/squid/getpwnam_auth /etc/passwd
# above may require this at the end -> /etc/passwd
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm blocker
auth_param basic credentialsttl 12 hours
auth_param basic casesensitive off
#auth_param basic max_challenge_lifetime 2 minutes
# above line fails

acl ncsa_users proxy_auth REQUIRED
acl all src all
acl localnet src 192.168.0.0/255.255.0.0
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/8
acl Safe_ports port 80 81 443 210 119 70 21 1025-65535
acl SSL_Ports port 443
acl AUTH_users proxy_auth ant2ne xbox mandi


#acl internalSite1 dstdomain eaplus.altonschools.org
#acl internalSite2 dstdomain reports.altonschools.org
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access allow ncsa_users
http_access allow AUTH_users
#http_access allow reports_Printing
#http_access allow internalSite1
#http_access allow internalSite2
http_access allow localnet
http_access allow localhost
http_access deny all

icp_port 0
refresh_pattern \.jpg$ 3600 50% 60
refresh_pattern \.gif$ 3600 50% 60
refresh_pattern \.css$ 3600 50% 60
refresh_pattern \.js$ 3600 50% 60
refresh_pattern \.html$ 300 50% 10
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#access_log /var/log/squid/access.log squid
visible_hostname BLOCKER


-- 
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/authentication-problems-tp3072735p3072735.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] authentication switching

2010-11-18 Thread Amos Jeffries

On 18/11/10 22:49, Mikio Kishi wrote:

Hi, Amos


Squid can offer both types. Configure two sets of auth_param in the
order you would prefer them to be used.


I know that.


auth_param ntlm program .
auth_param basic program .


The above parameters return the following http reply.


HTTP/1.0 407 Proxy Authentication Required
.
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="XXX"



It looks ok. But Internet Explorer 8 never tries Basic
authentication...
How can I make IE try Basic auth after NTLM auth fails?


At the moment you can't, sorry.  We don't have any patches of the 
feature needed to workaround the bugs in IE8 for this.


If you (or anyone) feels up to coding that feature I can spec out the 
requirements and audit the code produced, but don't have time myself yet 
to dedicate to it.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3


Re: [squid-users] authentication switching

2010-11-18 Thread Mikio Kishi
Hi, Amos

> Squid can offer both types. Configure two sets of auth_param in the
> order you would prefer them to be used.

I know that.

> auth_param ntlm program .
> auth_param basic program .

The above parameters return the following http reply.

> HTTP/1.0 407 Proxy Authentication Required
> .
> Proxy-Authenticate: NTLM
> Proxy-Authenticate: Basic realm="XXX"
> 

It looks ok. But Internet Explorer 8 never tries Basic
authentication...
How can I make IE try Basic auth after NTLM auth fails?

Squid version: 3.1.9

Sincerely,

--
Mikio Kishi

On Thu, Nov 18, 2010 at 6:01 PM, Amos Jeffries  wrote:
> On 18/11/10 18:48, Mikio Kishi wrote:
>>
>> Hi, all
>>
>> Now, I'm using NTLM authentication (auth_param ntlm ..).
>> However, we can not browse some sites (windows update or adobe's one)
>> because ActiveX controls do not support NTLM authentication.
>>
>> So, I'd like to browse via "Basic auth" when "NTLM auth" is failed.
>> Is it possible to configure such an authentication switching ?
>>
>
> Squid can offer both types. Configure two sets of auth_param in the order
> you would prefer them to be used.
>
> It is completely up to the agent to pick the one it wants reply with. Some
> agents use the order offered as a hint. Others pick the strongest encryption
> they support.
>
> This is as good as it gets at present. In all Squid 2.6+.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.9
>  Beta testers wanted for 3.2.0.3
>


Re: [squid-users] authentication switching

2010-11-18 Thread Amos Jeffries

On 18/11/10 18:48, Mikio Kishi wrote:

Hi, all

Now, I'm using NTLM authentication (auth_param ntlm ..).
However, we cannot browse some sites (Windows Update or Adobe's)
because ActiveX controls do not support NTLM authentication.

So, I'd like to browse via "Basic auth" when "NTLM auth" is failed.
Is it possible to configure such an authentication switching ?



Squid can offer both types. Configure two sets of auth_param in the 
order you would prefer them to be used.


It is completely up to the agent to pick the one it wants reply with. 
Some agents use the order offered as a hint. Others pick the strongest 
encryption they support.


This is as good as it gets at present. In all Squid 2.6+.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
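
The exchange Amos describes above (Squid offering both schemes in auth_param order, the agent choosing, and the follow-up in this thread that IE8 never falls back to Basic) is easier to reason about with the 407 in hand. The script below is an added example for this archive page, not Squid or browser code; the response is constructed from the one quoted in the thread, the `Server` header and the STRENGTH ranking are assumptions, and the alice/s3cret credentials are made up. It parses every Proxy-Authenticate challenge, shows the order a client would try under the "offered order" and "strongest first" policies, what the next attempt is after one scheme fails, and what a Basic fallback actually puts on the wire.

```python
"""Parse the 407 challenge set Squid sends when an NTLM and a Basic auth_param
block are both configured, and walk the scheme fallback a client could take.
Added example, not Squid or browser code; the response is constructed from the
one quoted in the thread."""
import base64

RESPONSE_407 = (
    "HTTP/1.0 407 Proxy Authentication Required\r\n"
    "Server: squid/3.1.9\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="XXX"\r\n'
    "\r\n"
)
# Assumed ranking, weakest to strongest; Basic and Digest are password schemes.
STRENGTH = {"Basic": 0, "Digest": 1, "NTLM": 2, "Negotiate": 3}

def _split_outside_quotes(value):
    """Split a header value on commas that are not inside a quoted-string."""
    parts, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def parse_challenges(raw):
    """Return (status line, [(scheme, params)]) for every Proxy-Authenticate
    header, in the order offered.  One header may carry several challenges
    separated by commas (RFC 7235); a comma item with no scheme token (e.g.
    nonce="...") belongs to the preceding challenge's parameter list."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    challenges = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authenticate":
            continue
        for item in _split_outside_quotes(value):
            first, _, rest = item.partition(" ")
            if "=" in first and challenges:          # continuation of params
                scheme, params = challenges[-1]
                challenges[-1] = (scheme, (params + ", " + item).strip(", "))
            else:
                challenges.append((first, rest.strip()))
    return head[0], challenges

def attempt_order(challenges, supported, policy="offered"):
    """Schemes a client will try.  'offered' follows the proxy's order, which is
    the hint Squid's auth_param ordering gives; 'strongest' sorts by STRENGTH,
    which is what clients that ignore the order do."""
    schemes = [s for s, _ in challenges if s in supported]
    if policy == "strongest":
        schemes.sort(key=lambda s: STRENGTH.get(s, -1), reverse=True)
    return schemes

def scheme_after_failure(challenges, supported, failed, policy="offered"):
    """Next scheme for a client that falls back after one scheme fails; None when
    nothing is left.  A client that stops after its first attempt (the IE8
    behaviour in the thread) never gets here, so Basic is never tried."""
    order = attempt_order(challenges, supported, policy)
    rest = order[order.index(failed) + 1:] if failed in order else order
    return rest[0] if rest else None

def basic_credentials(user, password):
    """Proxy-Authorization value a client sends once it falls back to Basic: plain
    base64, so the password crosses the wire readable unless the hop is TLS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The last function is the caveat behind the original question: adding a Basic auth_param as the fallback means any client that does fall back hands the proxy a reversible copy of the domain password, so offer it only on a hop you trust and scope it to the clients that actually need it.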


[squid-users] authentication switching

2010-11-17 Thread Mikio Kishi
Hi, all

Now, I'm using NTLM authentication (auth_param ntlm ..).
However, we cannot browse some sites (Windows Update or Adobe's)
because ActiveX controls do not support NTLM authentication.

So, I'd like to browse via "Basic auth" when "NTLM auth" is failed.
Is it possible to configure such an authentication switching ?

Sincerely,

--
Mikio Kishi


RE: [squid-users] Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

2010-10-26 Thread Paul Freeman
Sorry to reply to my own email but I realised I have not properly described
the encryption type problem I had with https which may mean my theory about
it being similar to the Kerberos problem is incorrect.

The certificate encryption problem I had on Ubuntu 10.04 LTS was due to the
Windows Root CA issuing the web server certificate with the sha256RSA
signature algorithm.  Apparently OpenSSL on Ubuntu cannot manage this.

Sorry for any confusion.

Regards

Paul


RE: [squid-users] Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

2010-10-26 Thread Paul Freeman
Hi Nick
Thanks for looking at this.  I appreciate your help.

My answers to your questions are in line below

> -Original Message-
> From: Nick Cairncross [mailto:nick.cairncr...@condenast.co.uk]
> Sent: Tuesday, 26 October 2010 8:36 PM
> To: Paul Freeman; Squid Users
> Subject: Re: [squid-users] Authentication using squid_kerb_auth with
> Internet Explorer 8 on Windows Server 2008 R2
> 
> 
> On 26/10/2010 03:56, "Paul Freeman"  wrote:
> 
> 
> >Hi.
> >I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled
> >Kerberos/NTLM authentication using the squid_kerb_auth helper.  This setup is
> >working well and successfully authenticates Windows domain users when they
> >are logged in using their domain credentials on Windows XP workstations using
> >Internet Explorer (v6,7 and 8) and Firefox.
> >
> >Squid is configured with two helpers, the first, squid_kerb_auth and the
> >second, the Samba ntlm helper.
> >
> >However, today I came across a problem when using Internet Explorer 8 on a
> >server running Windows Server 2008 R2.  The IE8 enhanced security mode is
> >disabled and the logged in user is a standard domain user.  The Windows
> >server is joined to the domain and is not a domain controller.  The Windows
> >server is up to date with Microsoft patches and updates.
> >
> >Authentication is failing for some reason.  Instead of authenticating
> >silently, the user is prompted for a username and password 6 times before
> >receiving the Cache Access Denied message.
> >
> >If I disable the squid_kerb_auth helper in squid.conf and restart squid,
> >leaving only the Samba NTLM helper, authentication works successfully.
> >
> >In cache.log I find:
> >squid_kerb_auth: DEBUG: Got 'YR YII...
> >squid_kerb_auth: DEBUG: Decode 'YII...
> >squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS
> >failure.  Minor code may provide more information.
> >squid_kerb_auth: INFO: User not authenticated
> >authenticateNegotiateHandleReply: Error validating user via Negotiate.  Error
> >returned 'BH gss_accept_sec_contect() failed:  Unspecified GSS failure.
> >Minor code may provide more information. '
> >
> >Has anyone else found this with IE8 on Windows Server 2008 R2?  Is it due to
> >the 64-bit version of IE8 or some unusual interaction between the IE8 version
> >shipped with Windows Server 2008 R2 and the squid_kerb_auth module?
> >
> >I have a Wireshark capture of the traffic between the browser session on
> >Windows Server 2008 R2 and the proxy server during authentication and would
> >like to assist with investigating the problem further if someone can provide
> >some advice as to where to look.
> >
> >Regards
> >
> >Paul
> 
> 
> Hi Paul,
> Just my thoughts (which are minor in relation to the power of other
> listers..!): Are you specifically running the 64-bit version of IE? How
> does your DNS look? A/PTR records all in order? What does kerbtray show?
> What encoding for kerberos are you using? What does klist -ekt 
> show? Correct FQDN in your browser?
> Cheers
> Nick
> 
I presumed IE8 was the 64-bit version but on further checking I have found it
is the 32-bit version.  The 64-bit version is also installed and I have tried
that with the same result.

As far as I know (I set DNS up :-) ), DNS is configured correctly with
forward and reverse records.

I checked the Kerberos tickets on a Windows XP workstation that authenticates
correctly to squid using IE8 (32-bit) and the Windows 2008 R2 server using
IE8 (32-bit and 64-bit) and found tickets for the proxy server as follows:

Win XP Workstation:
Server: HTTP/my-proxy-server.my.dom...@my.domain
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 10/27/2010 17:37:35
Renew Time: 11/3/2010 7:37:35

Win 2008 R2 server:
Client: my.login @ MY.DOMAIN
Server: HTTP/my-proxy-server.my.domain @ MY.DOMAIN
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a0 -> forwardable renewable pre_authent
Start Time: 10/27/2010 7:30:13 (local)
End Time: 10/27/2010 17:17:38 (local)
Renew Time: 11/3/2010 7:17:38 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96

The key difference is the ticket encryption type: RC4-HMAC for Win XP vs
AES-256-HMAC-SHA1 for Win 2008 R2.

On the proxy server, klist -ekt ticket_file shows:
KVNO  Timestamp          Principal
2     09/24/10 12:54:16  HTTP/my-proxy-server.my.dom...@my.domain
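Paul's comparison above points at the ticket encryption type. As an added diagnostic (not from the thread and not Squid's code), the script below parses Windows `klist` output and MIT `klist -ekt` output and reports service tickets whose encryption type has no matching key in the proxy keytab; the GSS acceptor can only decrypt a ticket for which the keytab holds a key of that type. The sample outputs are constructed after the ones quoted above, the keytab path is a placeholder, and the Windows-to-MIT enctype name table is an assumption to verify against your own tools.

```python
"""Report HTTP/ service tickets whose enctype the proxy keytab cannot decrypt.

Added example, not from the squid-users thread or the Squid project.
"""
import re

# Windows klist enctype names -> MIT Kerberos enctype names as shown by
# `klist -ekt`. Assumption written from memory; verify against your tools.
WINDOWS_TO_MIT = {
    "RSADSI RC4-HMAC(NT)": {"arcfour-hmac", "arcfour-hmac-md5"},
    "AES-128-CTS-HMAC-SHA1-96": {"aes128-cts-hmac-sha1-96"},
    "AES-256-CTS-HMAC-SHA1-96": {"aes256-cts-hmac-sha1-96"},
}

# Constructed samples modelled on the outputs quoted in the thread.
XP_KLIST = """\
Server: HTTP/my-proxy-server.my.domain@MY.DOMAIN
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 10/27/2010 17:37:35
"""
R2_KLIST = """\
Client: my.login @ MY.DOMAIN
Server: HTTP/my-proxy-server.my.domain @ MY.DOMAIN
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Session Key Type: AES-256-CTS-HMAC-SHA1-96
"""
PROXY_KEYTAB = """\
Keytab name: FILE:/path/to/PLACEHOLDER.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   2 09/24/10 12:54:16 HTTP/my-proxy-server.my.domain@MY.DOMAIN (arcfour-hmac)
"""

# One keytab entry: KVNO, date, time, principal, "(enctype)".
_KEYTAB_LINE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\(([^)]+)\)\s*$")


def client_ticket_enctypes(klist_text, principal_prefix="HTTP/"):
    """Map service principal -> Windows enctype name for matching tickets."""
    tickets, server = {}, None
    for raw in klist_text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            # 2008 R2 prints "HTTP/host @ REALM"; normalise to "HTTP/host@REALM".
            server = line.split(":", 1)[1].strip().replace(" @ ", "@")
        elif (line.startswith("KerbTicket Encryption Type:")
              and server and server.startswith(principal_prefix)):
            tickets[server] = line.split(":", 1)[1].strip()
    return tickets


def keytab_enctypes(klist_ekt_text, principal_prefix="HTTP/"):
    """Map lower-cased principal -> set of MIT enctype names held in the keytab."""
    keys = {}
    for raw in klist_ekt_text.splitlines():
        m = _KEYTAB_LINE.match(raw)
        if m and m.group(1).startswith(principal_prefix):
            keys.setdefault(m.group(1).lower(), set()).add(m.group(2).lower())
    return keys


def missing_keys(client_klist_text, keytab_text, principal_prefix="HTTP/"):
    """Return (principal, windows_enctype) pairs the keytab has no key for."""
    keys = keytab_enctypes(keytab_text, principal_prefix)
    missing = []
    tickets = client_ticket_enctypes(client_klist_text, principal_prefix)
    for principal, win_name in tickets.items():
        wanted = WINDOWS_TO_MIT.get(win_name, set())
        # Unknown Windows names map to an empty set and are reported as missing.
        if not (keys.get(principal.lower(), set()) & wanted):
            missing.append((principal, win_name))
    return missing


if __name__ == "__main__":
    for label, text in (("Windows XP", XP_KLIST), ("Windows 2008 R2", R2_KLIST)):
        gaps = missing_keys(text, PROXY_KEYTAB)
        if gaps:
            print(label + ": keytab lacks a key for " +
                  ", ".join(f"{p} ({e})" for p, e in gaps))
        else:
            print(label + ": every ticket enctype has a keytab key")
```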

Re: [squid-users] Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

2010-10-26 Thread Nick Cairncross

On 26/10/2010 03:56, "Paul Freeman"  wrote:


>Hi.
>I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled
>Kerberos/NTLM authentication using the squid_kerb_auth helper.  This setup is
>working well and successfully authenticates Windows domain users when they
>are logged in using their domain credentials on Windows XP workstations using
>Internet Explorer (v6,7 and 8) and Firefox.
>
>Squid is configured with two helpers, the first, squid_kerb_auth and the
>second, the Samba ntlm helper.
>
>However, today I came across a problem when using Internet Explorer 8 on a
>server running Windows Server 2008 R2.  The IE8 enhanced security mode is
>disabled and the logged in user is a standard domain user.  The Windows
>server is joined to the domain and is not a domain controller.  The Windows
>server is up to date with Microsoft patches and updates.
>
>Authentication is failing for some reason.  Instead of authenticating
>silently, the user is prompted for a username and password 6 times before
>receiving the Cache Access Denied message.
>
>If I disable the squid_kerb_auth helper in squid.conf and restart squid,
>leaving only the Samba NTLM helper, authentication works successfully.
>
>In cache.log I find:
>squid_kerb_auth: DEBUG: Got 'YR YII...
>squid_kerb_auth: DEBUG: Decode 'YII...
>squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS
>failure.  Minor code may provide more information.
>squid_kerb_auth: INFO: User not authenticated
>authenticateNegotiateHandleReply: Error validating user via Negotiate.  Error
>returned 'BH gss_accept_sec_contect() failed:  Unspecified GSS failure.
>Minor code may provide more information. '
>
>Has anyone else found this with IE8 on Windows Server 2008 R2?  Is it due to
>the 64-bit version of IE8 or some unusual interaction between the IE8 version
>shipped with Windows Server 2008 R2 and the squid_kerb_auth module?
>
>I have a Wireshark capture of the traffic between the browser session on
>Windows Server 2008 R2 and the proxy server during authentication and would
>like to assist with investigating the problem further if someone can provide
>some advice as to where to look.
>
>Regards
>
>Paul


Hi Paul, 
Just my thoughts (which are minor in relation to the power of other
listers..!): Are you specifically running the 64-bit version of IE? How
does your DNS look? A/PTR records all in order? What does kerbtray show?
What encoding for kerberos are you using? What does klist -ekt 
show? Correct FQDN in your browser?
Cheers
Nick




The information contained in this e-mail is of a confidential nature and is 
intended only for the addressee.  If you are not the intended addressee, any 
disclosure, copying or distribution by you is prohibited and may be unlawful.  
Disclosure to any party other than the addressee, whether inadvertent or 
otherwise, is not intended to waive privilege or confidentiality.  Internet 
communications are not secure and therefore Conde Nast does not accept legal 
responsibility for the contents of this message.  Any views or opinions 
expressed are those of the author.

The Conde Nast Publications Ltd (No. 226900), Vogue House, Hanover Square, 
London W1S 1JU


[squid-users] Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

2010-10-25 Thread Paul Freeman
Hi.
I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled
Kerberos/NTLM authentication using the squid_kerb_auth helper.  This setup is
working well and successfully authenticates Windows domain users when they
are logged in using their domain credentials on Windows XP workstations using
Internet Explorer (v6,7 and 8) and Firefox.

Squid is configured with two helpers, the first, squid_kerb_auth and the
second, the Samba ntlm helper.

However, today I came across a problem when using Internet Explorer 8 on a
server running Windows Server 2008 R2.  The IE8 enhanced security mode is
disabled and the logged in user is a standard domain user.  The Windows
server is joined to the domain and is not a domain controller.  The Windows
server is up to date with Microsoft patches and updates.

Authentication is failing for some reason.  Instead of authenticating
silently, the user is prompted for a username and password 6 times before
receiving the Cache Access Denied message.

If I disable the squid_kerb_auth helper in squid.conf and restart squid,
leaving only the Samba NTLM helper, authentication works successfully.

In cache.log I find:
squid_kerb_auth: DEBUG: Got 'YR YII...
squid_kerb_auth: DEBUG: Decode 'YII...
squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS
failure.  Minor code may provide more information.
squid_kerb_auth: INFO: User not authenticated
authenticateNegotiateHandleReply: Error validating user via Negotiate.  Error
returned 'BH gss_accept_sec_contect() failed:  Unspecified GSS failure.
Minor code may provide more information. '

Has anyone else found this with IE8 on Windows Server 2008 R2?  Is it due to
the 64-bit version of IE8 or some unusual interaction between the IE8 version
shipped with Windows Server 2008 R2 and the squid_kerb_auth module?

I have a Wireshark capture of the traffic between the browser session on
Windows Server 2008 R2 and the proxy server during authentication and would
like to assist with investigating the problem further if someone can provide
some advice as to where to look.

Regards

Paul 


Re: [squid-users] Authentication Reverse Proxy

2010-05-03 Thread Amos Jeffries

GIGO . wrote:

> Hi,
>
> What is the behaviour/mechanism of authentication if using squid
> proxy for both as forward proxy and reverse proxy.
>
> I have successfully set it up for a forward proxy using the Helper
> files by Markus and the following tutorial;
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
> Now two scenarios come to my mind. One is that squid is being used
> for authentication and the second one is that the web server is providing
> the authentication/authorization and squid is just forwarding the
> requests to the web server? Please guide/suggest/comment about it.



Requests arriving on the reverse-proxy port use WWW-Auth identically to an
origin web server, ignoring any Proxy-Auth headers.


Requests arriving on the forward-proxy port use Proxy-Auth like a proper
proxy, passing WWW-Auth headers through untouched.


These are separate mechanisms and can exist side by side in HTTP headers
for separate use by middle proxies and the origin server.




> However, what my plan is that I want the web server (Outlook Web Access)
> to be the one taking care of the authentication part and squid should
> simply be given the role of forwarder. However I am not sure which
> approach to adopt and what special configurations are
> required? What are the implications of each approach?



The cache_peer login=PASS logic is smart enough to pass
WWW-Auth/Proxy-Auth on in the right way relative to the originserver
setting.


Note that OWA is quite sensitive to the traffic sent to it. Deviating
from the recommended config example leads to trouble most of the time:

http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3


[squid-users] Authentication Reverse Proxy

2010-05-02 Thread GIGO .

Hi,
 
What is the behaviour/mechanism of authentication if using squid proxy for both 
as forward proxy and reverse proxy.
 
I have successfully set it up for a forward proxy using the Helper files by 
Markus and the following tutorial;
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos


Now two scenarios come to my mind. One is that squid is being used for 
authentication and the second one is that the web server is providing the 
authentication/authorization and squid is just forwarding the requests to the 
web server? Please guide/suggest/comment about it.


However, what my plan is that I want the web server (Outlook Web Access) to be 
the one taking care of the authentication part and squid should simply be given 
the role of forwarder. However I am not sure which approach to adopt and what 
special configurations are required? What are the implications of 
each approach?
 
 
 
regards,
 
Bilal 

[squid-users] Authentication in squid windows

2010-04-15 Thread ondemandemails
Dear friends,

I am looking forward to deploying Squid on Windows Server 2003 for my wireless 
users. Can someone help me in this case, as I don't want to make a domain because 
this will render the users unable to work on laptops out of the premises. The other 
option is to make a username & password file, which can be more effective in my 
case.
Also I want to apply the ACL of max download per day of 200 MB.

Help needed.

Bye




Re: [squid-users] Authentication logging

2010-04-08 Thread John Horne
On Thu, 2010-04-08 at 21:43 +0100, John Horne wrote:
> Hello,
> 
> Using squid 2.7 stable 9, I have set the debug_options to 29,2 which
> logs authenticated users, e.g:
> 
>     user 'xxx' has been seen at a new IP address (11.22.33.44)
> 
> However, is there a way I can log unsuccessful authentication attempts?
> I have increased the debug level to 6, but it still doesn't log
> authentication failures. Is this possible in the squid 3.x series?
> 
Ha! I have just seen that someone else asked the same question a couple
of days ago! I see that failures are logged as a 407 response (which I
can see in our log files).

Apologies for the list noise.



John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001



[squid-users] Authentication logging

2010-04-08 Thread John Horne
Hello,

Using squid 2.7 stable 9, I have set the debug_options to 29,2 which
logs authenticated users, e.g:

    user 'xxx' has been seen at a new IP address (11.22.33.44)

However, is there a way I can log unsuccessful authentication attempts?
I have increased the debug level to 6, but it still doesn't log
authentication failures. Is this possible in the squid 3.x series?



Thanks,

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001



Re: [squid-users] Authentication helpers not shut down

2010-04-06 Thread Henrik Nordström
On Tue 2010-04-06 at 13:49 -0700, David Parks wrote:
> I noticed that running "squid -k reconfigure" starts a new authentication 
> helper, but does not shut down the old one.

It does.

> Is this normal behavior? Do I just need to monitor for the closing of the 
> input stream and shut down on that cue?

Correct. All Squid helpers need to monitor their input and shut down on
EOF.

> p.s. if there are any good guides on the various types of helpers, and the 
> protocol used with them I haven't come across it yet and would love a link.

The helpers and their protocols are documented in the squid.conf notes.

- url rewriters, url_rewrite_program
- basic auth helpers, auth_param basic program
- digest auth helpers, auth_param digest program
- negotiate auth helpers, auth_param negotiate program
- external acl helpers, external_acl_type

Other helpers not so well documented outside the source:

- log daemon helper, logfile_daemon, access_log
- dns helper, cache_dns_program (deprecated in favor of the internal dns
client)


Regards
Henrik
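The helper contract Henrik describes, as an added example that is neither Squid's own helper code nor from this thread: a basic-auth helper reads one "username password" request per line on stdin, answers "OK" or "ERR" on stdout, and exits when stdin reaches EOF, which is the cue David asked about. It assumes (beyond what the thread states) that Squid sends both fields URL-encoded, as the squid.conf helper notes describe for the basic scheme, and it uses a constructed in-memory credential table in place of a real password file.

```python
"""Minimal Squid basic-auth helper illustrating the helper protocol.

Added example, not Squid's own helper code. Assumes Squid URL-encodes the
username and password fields (so "free user" arrives as "free%20user").
"""
import hashlib
import hmac
import io
import sys
import urllib.parse


def _digest(salt: str, password: str) -> str:
    """Salted SHA-256 hex digest; stand-in for a real password-file format."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed sample credential store: username -> (salt, digest).
# A real helper would load this from a file readable only by the squid user.
USERS = {
    "alice": ("s1", _digest("s1", "correct horse")),
    "bob": ("s2", _digest("s2", "hunter2")),
}


def parse_request(line: str):
    """Split one request line into (user, password), or None if malformed.

    Squid sends exactly two whitespace-separated fields; anything else is
    rejected rather than guessed at.
    """
    parts = line.rstrip("\r\n").split()
    if len(parts) != 2:
        return None
    return urllib.parse.unquote(parts[0]), urllib.parse.unquote(parts[1])


def check_credentials(user: str, password: str) -> bool:
    """Constant-time comparison against the stored digest."""
    entry = USERS.get(user)
    if entry is None:
        _digest("dummy", password)  # keep timing similar for unknown users
        return False
    salt, expected = entry
    return hmac.compare_digest(_digest(salt, password), expected)


def handle_line(line: str) -> str:
    """Reply for one request line: "OK" or "ERR"."""
    parsed = parse_request(line)
    if parsed is None:
        return "ERR"
    user, password = parsed
    return "OK" if check_credentials(user, password) else "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout) -> int:
    """Main loop: one request per line, one reply per line, return at EOF.

    Iteration ends when Squid closes the helper's input, which is how an old
    helper set is retired after "squid -k reconfigure". Returns the number
    of requests handled.
    """
    handled = 0
    for line in stdin:
        stdout.write(handle_line(line) + "\n")
        stdout.flush()  # Squid blocks on the reply; never leave it buffered
        handled += 1
    return handled


def serve_text(transcript: str) -> str:
    """Run the loop over an in-memory transcript (for offline checks)."""
    out = io.StringIO()
    serve(io.StringIO(transcript), out)
    return out.getvalue()


if __name__ == "__main__":
    serve()  # returns only when Squid closes stdin
    sys.exit(0)
```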



[squid-users] Authentication helpers not shut down

2010-04-06 Thread David Parks
I noticed that running "squid -k reconfigure" starts a new authentication 
helper, but does not shut down the old one.
Is this normal behavior? Do I just need to monitor for the closing of the input 
stream and shut down on that cue?

Just wanna make sure I'm on track. 

Dave

p.s. if there are any good guides on the various types of helpers, and the 
protocol used with them I haven't come across it yet and would love a link.


Re: [squid-users] Authentication caching

2010-04-03 Thread Henrik Nordström
On Sat 2010-03-27 at 18:42 +0100, Khaled Blah wrote:
> Hi all,
> 
> I'm developing an authentication helper (Negotiate/NTLM) for squid and
> I am trying to understand more how squid handles this process
> internally. Most of all I'd like to know how and how long squid caches
> authentication results. I have looked at the debug logs and they show
> that squid seems to do "less caching" for Negotiate/NTLM than it does
> for Basic/Digest authentication.

Due to the nature of NTLM & Negotiate authentication it's the helper
performing the Negotiate/NTLM handshake, and because of this there is no
cache in Squid for these schemes as there is nothing to use as cache
key.

basic & digest auth is handled internally by Squid, and enables Squid to
cache the credentials validity.

In theory we could implement NTLM in similar manner, but it would then
not be possible to integrate with Windows domain controllers / active
directory.

Don't know enough of Kerberos to tell what possibilities there may be to
cache in Negotiate auth.

> I am wondering whether I can do
> something about this so that a once verified user will only get his
> credentials re-verified after a certain time and not all during. I am
> grateful to any insight the list can give me. Thanks in advance!

In 2.7 there is a generic auth cache based on source IP, useful when the
clients are single-user workstations.

Regards
Henrik



[squid-users] Authentication caching

2010-03-27 Thread Khaled Blah
Hi all,

I'm developing an authentication helper (Negotiate/NTLM) for squid and
I am trying to understand more how squid handles this process
internally. Most of all I'd like to know how and how long squid caches
authentication results. I have looked at the debug logs and they show
that squid seems to do "less caching" for Negotiate/NTLM than it does
for Basic/Digest authentication. I am wondering whether I can do
something about this so that a once verified user will only get his
credentials re-verified after a certain time and not all during. I am
grateful to any insight the list can give me. Thanks in advance!

Khaled



Re: [squid-users] authentication pass through upstream server

2010-02-23 Thread Amos Jeffries

Mark Engels wrote:

Mark Engels wrote:

Hello all,

I'm hoping this is the place to come when seeking some assistance with a squid 
proxy configuration issue that's giving me a little grief, and I certainly 
hope nothing like this has been asked before.

The general idea of what I'm trying to accomplish is to have an end user enter 
their username and password credentials as they normally would do (there is 
quota enforcement and site blocking higher up that I have limited control over) 
and have it so that when a user, say, goes to www.educationalmaterial.com the 
local squid proxy uses a pre-defined username and password to access the 
material, thus not charging the user quota download costs for accessing the 
material.

The proxy server was supplied to us from head office with pre-configured rules 
to work as a local cache. I hope to leave all the existing rules in place. Also, 
all our internet service must filter through this one provided proxy; we cannot 
source external internet or alternate proxies.

A portion of the configuration file is as below.

#

cache_peer proxy.site.com parent 8080 3130 no-query default login=PASS
auth_param digest children 5
auth_param digest realm Squid proxy-caching web server
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl block url_regex -i "d:/squid/var/logs/block.conf"
acl unblock url_regex -i "d:/squid/var/logs/unblock.conf"
acl nocache url_regex -i "d:/squid/var/logs/nocache.conf"
no_cache deny nocache
http_access deny block !unblock
http_access allow all
http_access deny all
http_reply_access allow all


#
I thought it would be a simple thing to make the required changes and started 
to approach it by adding the following
#

cache_peer proxy.site.com parent 8080 3130 no-query login="free user":pa$$word name=free
cache_peer_access free allow free_sites
cache_peer_access free deny all
acl free_sites url_regex -i "d:/squid/var/logs/freesites.conf"

#

Unfortunately this seemed to break the local cache and I'm not too sure where 
I've gone wrong. Any help with this or even an alternate solution would be greatly 
appreciated.



You have the right idea. That's how it's done.
But whitespace is not permitted in the parameter.

What you have there is no password, with username "free .



note: changed proxy name and user credentials for privacy reasons, and running 
squid 2.5 on local and upstream server.



Please see my sig... :)

Your HQ provider may need to be made aware that there is no longer any
official support for 2.5. The oldest fully supported version is now 2.7.

Amos


Thank you for your help Amos :)

Unfortunately I doubt HQ will even consider changing this system under the 
current management as it affects tens of thousands of users... education ;-)

Perhaps you might be able to help again: all of our users must have a space in 
their account name. It is mandatory in account creation. Would there be a way 
around this? (perhaps %20 like in html?) I hope the solution isn't in the 3.0 
version of squid or that a work-around for 2.5 might be available?


Um. I don't have a copy of 2.5 code to check, but 2.6 will accept %20 
with no " quotes. So your chances of that are good.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
  Current Beta Squid 3.1.0.16
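The whitespace problem Amos describes, as an added example (not from the thread and not Squid code): a small builder that emits the corrected cache_peer line with the space in the username written as %20, refuses any login value that still contains whitespace or quotes, and assembles the three directives from Mark's attempt. It assumes, beyond Amos's statement that 2.6 accepts an unquoted %20, that Squid URL-decodes the whole login= value, so a literal '%' in a credential must be written as %25; check this against the squid.conf notes for the version in use.

```python
"""Build a Squid cache_peer line whose login= credentials contain a space.

Added example, not Squid project code. Assumes Squid URL-decodes the
login= value (hence '%' -> '%25'), which must be verified per version.
"""
import re

# Anything that would break squid.conf tokenising or quoting.
_FORBIDDEN = re.compile(r'[\s"]')


def encode_login_field(value: str) -> str:
    """Percent-encode only what the login= parameter cannot carry verbatim.

    '%' is encoded first so an existing "%20" in a password is not misread;
    whitespace becomes %20/%09 etc.; other characters such as '$' are left
    alone so "pa$$word" stays as written.
    """
    out = value.replace("%", "%25")
    out = re.sub(r"\s", lambda m: "%%%02X" % ord(m.group(0)), out)
    return out.replace('"', "%22")


def cache_peer_line(host: str, port: int, icp_port: int, name: str,
                    user: str, password: str) -> str:
    """Return the corrected cache_peer line for a fixed-credential parent."""
    if ":" in user:
        raise ValueError("username must not contain ':' (user:password separator)")
    login = f"{encode_login_field(user)}:{encode_login_field(password)}"
    if _FORBIDDEN.search(login):
        raise ValueError("login parameter still contains whitespace or quotes")
    # Note: squid.conf now holds a cleartext credential; restrict its permissions.
    return f"cache_peer {host} parent {port} {icp_port} no-query login={login} name={name}"


def free_sites_peer_config(host: str, port: int, icp_port: int, name: str,
                           user: str, password: str, acl_file: str) -> str:
    """The directives from the thread, with the peer limited to free_sites."""
    return "\n".join([
        cache_peer_line(host, port, icp_port, name, user, password),
        f"cache_peer_access {name} allow free_sites",
        f"cache_peer_access {name} deny all",
        f'acl free_sites url_regex -i "{acl_file}"',
    ])


if __name__ == "__main__":
    # Values from the thread; the credentials are the ones Mark already altered.
    print(free_sites_peer_config("proxy.site.com", 8080, 3130, "free",
                                 "free user", "pa$$word",
                                 "d:/squid/var/logs/freesites.conf"))
```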


RE: [squid-users] authentication pass through upstream server

2010-02-22 Thread Mark Engels
Mark Engels wrote:
> Hello all,
>
> I'm hoping this is the place to come when seeking some assistance with a 
> squid proxy configuration issue that's giving me a little grief, and I 
> certainly hope nothing like this has been asked before.
>
> The general idea of what I'm trying to accomplish is to have an end user enter 
> their username and password credentials as they normally would do (there is 
> quota enforcement and site blocking higher up that I have limited control 
> over) and have it so that when a user, say, goes to www.educationalmaterial.com 
> the local squid proxy uses a pre-defined username and password to access the 
> material, thus not charging the user quota download costs for accessing the 
> material.
>
> The proxy server was supplied to us from head office with pre-configured 
> rules to work as a local cache. I hope to leave all the existing rules in 
> place. Also, all our internet service must filter through this one provided 
> proxy; we cannot source external internet or alternate proxies.
>
> A portion of the configuration file is as below.
>
> #
>
> cache_peer proxy.site.com parent 8080 3130 no-query default login=PASS
> auth_param digest children 5
> auth_param digest realm Squid proxy-caching web server
> auth_param digest nonce_garbage_interval 5 minutes
> auth_param digest nonce_max_duration 30 minutes
> auth_param digest nonce_max_count 50
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210  # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280  # http-mgmt
> acl Safe_ports port 488  # gss-http
> acl Safe_ports port 591  # filemaker
> acl Safe_ports port 777  # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl block url_regex -i "d:/squid/var/logs/block.conf"
> acl unblock url_regex -i "d:/squid/var/logs/unblock.conf"
> acl nocache url_regex -i "d:/squid/var/logs/nocache.conf"
> no_cache deny nocache
> http_access deny block !unblock
> http_access allow all
> http_access deny all
> http_reply_access allow all
>
>
> #
> I thought it would be a simple thing to make the required changes and started 
> to approach it by adding the following
> #
>
> cache_peer proxy.site.com parent 8080 3130 no-query login="free user":pa$$word name=free
> cache_peer_access free allow free_sites
> cache_peer_access free deny all
> acl free_sites url_regex -i "d:/squid/var/logs/freesites.conf"
>
> #
>
> Unfortunately this seemed to break the local cache and I'm not too sure where 
> I've gone wrong. Any help with this or even an alternate solution would be 
> greatly appreciated.
>

You have the right idea. That's how it's done.
But whitespace is not permitted in the parameter.

What you have there is no password, with username "free .


> note: changed proxy name and user credentials for privacy reasons, and 
> running squid 2.5 on local and upstream server.
>

Please see my sig... :)

Your HQ provider may need to be made aware that there is no longer any
official support for 2.5. The oldest fully supported version is now 2.7.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
   Current Beta Squid 3.1.0.16


Thank you for your help Amos :)

Unfortunately I doubt HQ will even consider changing this system under the 
current management as it affects tens of thousands of users... education ;-)

Perhaps you might be able to help again: all of our users must have a space in 
their account name. It is mandatory in account creation. Would there be a way 
around this? (perhaps %20 like in html?) I hope the solution isn't in the 3.0 
version of squid or that a work-around for 2.5 might be available?

Re: [squid-users] authentication pass through upstream server

2010-02-22 Thread Amos Jeffries

Mark Engels wrote:

Hello all,

I'm hoping this is the place to come when seeking some assistance with a squid 
proxy configuration issue that's giving me a little grief, and I certainly 
hope nothing like this has been asked before.

The general idea of what I'm trying to accomplish is to have an end user enter 
their username and password credentials as they normally would do (there is 
quota enforcement and site blocking higher up that I have limited control over) 
and have it so that when a user, say, goes to www.educationalmaterial.com the 
local squid proxy uses a pre-defined username and password to access the 
material, thus not charging the user quota download costs for accessing the 
material.

The proxy server was supplied to us from head office with pre-configured rules 
to work as a local cache. I hope to leave all the existing rules in place. Also, 
all our internet service must filter through this one provided proxy; we cannot 
source external internet or alternate proxies.

A portion of the configuration file is as below.

#

cache_peer proxy.site.com parent 8080 3130 no-query default login=PASS
auth_param digest children 5
auth_param digest realm Squid proxy-caching web server
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl block url_regex -i "d:/squid/var/logs/block.conf"
acl unblock url_regex -i "d:/squid/var/logs/unblock.conf"
acl nocache url_regex -i "d:/squid/var/logs/nocache.conf"
no_cache deny nocache
http_access deny block !unblock
http_access allow all
http_access deny all
http_reply_access allow all


#
I thought it would be a simple thing to make the required changes and started 
to approach it by adding the following
#

cache_peer proxy.site.com parent 8080 3130 no-query login="free user":pa$$word name=free
cache_peer_access free allow free_sites
cache_peer_access free deny all
acl free_sites url_regex -i "d:/squid/var/logs/freesites.conf"

#

Unfortunately this seemed to break the local cache and I'm not too sure where 
I've gone wrong. Any help with this, or even an alternate solution, would be greatly 
appreciated.



You have the right idea. That's how it's done.
But whitespace is not permitted in the parameter.

What you have there is no password with username  "free .



note: changed proxy name and user credentials for privacy reasons, and running 
squid 2.5 on local and upstream server.



Please see my sig... :)

Your HQ provider may need to be made aware that there is no longer any 
official support for 2.5. The oldest fully supported version is now 2.7.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
  Current Beta Squid 3.1.0.16


[squid-users] authentication pass through upstream server

2010-02-22 Thread Mark Engels
Hello all,

I'm hoping this is the place to come when seeking some assistance with a squid 
proxy configuration issue that's giving me a little grief, and I certainly 
hope nothing like this has been asked before.

The general idea of what I'm trying to accomplish is to have an end user enter 
their username and password credentials as they normally would do (there is 
quota enforcement and site blocking higher up that I have limited control over), 
and have it so that when a user, say, goes to www.educationalmaterial.com the 
local squid proxy uses a pre-defined username and password to access the 
material, thus not charging the user quota download costs for accessing the 
material.

The proxy server was supplied to us from head office with pre-configured rules 
to work as a local cache. I hope to leave all the existing rules in place. Also, 
all our internet service must filter through this 1 provided proxy; we cannot 
source external internet or alternate proxies.

A portion of the configuration file is as below.

#

cache_peer proxy.site.com parent 8080 3130 no-query default login=PASS
auth_param digest children 5
auth_param digest realm Squid proxy-caching web server
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl block url_regex -i "d:/squid/var/logs/block.conf"
acl unblock url_regex -i "d:/squid/var/logs/unblock.conf"
acl nocache url_regex -i "d:/squid/var/logs/nocache.conf"
no_cache deny nocache
http_access deny block !unblock
http_access allow all
http_access deny all
http_reply_access allow all


#
I thought it would be a simple thing to make the required changes and started 
to approach it by adding the following
#

cache_peer proxy.site.com parent 8080 3130 no-query login="free user":pa$$word name=free
cache_peer_access free allow free_sites
cache_peer_access free deny all
acl free_sites url_regex -i "d:/squid/var/logs/freesites.conf"

#

Unfortunately this seemed to break the local cache and I'm not too sure where 
I've gone wrong. Any help with this, or even an alternate solution, would be greatly 
appreciated.

note: changed proxy name and user credentials for privacy reasons, and running 
squid 2.5 on local and upstream server.



Mark Engels
ICT Support

Mark Oliphant College
e: mark.eng...@moc.sa.edu.au 

Re: [squid-users] Authentication Browser Dialog

2010-02-09 Thread Chris Robertson

Christian Weiligmann wrote:

On Tuesday, 09.02.2010, 17:10 +1300, Amos Jeffries wrote:
  

Christian Weiligmann wrote:


Hello,

I have used the squid proxy for over 10 years, and I am very happy to have this
program for internet access; the users may see this differently.
But I have a demand concerning the authentication dialogs.

I want to authenticate the internet access for my users with a MySQL
backend, but not with a browser dialog, rather with a web page. 


Similar to the question "Re: [squid-users] Proxy subscription on-line",
where is the error page I can modify? 


Thanks a lot for viewing and please give me an answer...

  
So ... what error page? in response to what action? in which squid 
version? under what circumstances? with what information?


Amos



Hello,

I'm using Squid 2.6.18-1ubuntu3, non-transparent, on Ubuntu LTS
8.04.04.
I want to use a website for my authentication process and I don't want
to use the authentication dialog in the browser. Is this possible? 


My "Similar to the question" was written because I understood it as
the same question as mine, sorry.

Thank you for your answer!


Using external_acl_type 
(http://www.squid-cache.org/Doc/config/external_acl_type/) and deny_info 
(http://www.squid-cache.org/Doc/config/deny_info/) you can redirect 
those clients that are not authenticated to the page that performs the 
authentication.  Your external_acl_type can return a username which will 
be used in the logs.


Perhaps my response to a similar query at 
http://www.squid-cache.org/mail-archive/squid-users/201001/0331.html 
will give you a good starting point.


Chris
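An added example (not from this thread and not Squid's own code) of the helper side of what Chris describes: a Python external ACL helper that answers Squid's per-request lookup by checking whether the client IP has a live session recorded by the login page, so that `deny_info` can send everyone else to that page. The one-line-in, `OK`/`ERR`-out protocol and the `external_acl_type`/`deny_info` directives are Squid's; the in-memory session store, its TTL, the `websession` name and the login URL in the comments are assumptions.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: maps a client IP to a web-login session.

Assumed squid.conf fragment (not from the thread):
  external_acl_type websession ttl=60 negative_ttl=5 %SRC /usr/local/bin/websession.py
  acl have_session external websession
  deny_info http://login.example.internal/ have_session
  http_access allow have_session
  http_access deny all

Squid writes one line per lookup in the format of the external_acl_type line
(here just "%SRC", the client IP) and reads back "OK user=<name>" or "ERR".
The user= tag is what makes the name show up in access.log.
"""
import ipaddress
import sys
import time

SESSION_TTL = 8 * 3600  # seconds a login stays valid; assumed site policy

# Session store: client IP -> (username, login time). Constructed sample data;
# a real login page would write these to a DB or file the helper queries.
# Note the inherent weakness Amos describes: the key is the client IP, so
# anything sharing that IP (NAT, terminal servers) shares the session.
SESSIONS = {
    "192.0.2.10": ("alice", 1_700_000_000.0),
    "192.0.2.11": ("bob", 1_700_000_000.0 - 9 * 3600),  # logged in too long ago
}


def parse_request(line):
    """Return the client IP from one helper request line, or None if malformed."""
    parts = line.strip().split()
    if len(parts) != 1:
        return None  # wrong field count: squid.conf format does not match ours
    try:
        return str(ipaddress.ip_address(parts[0]))  # canonical v4/v6 text
    except ValueError:
        return None


def lookup(ip, sessions=SESSIONS, now=None):
    """Helper verdict for one client IP: 'OK user=<name>' or 'ERR'."""
    now = time.time() if now is None else now
    entry = sessions.get(ip)
    if entry is None:
        return "ERR"
    user, started = entry
    if now - started > SESSION_TTL:
        return "ERR"  # expired: force a fresh login through deny_info
    # The helper protocol is whitespace-delimited key=value pairs, so a
    # username containing spaces or '=' could be misread as extra tags.
    if any(c.isspace() for c in user) or "=" in user:
        return "ERR"
    return "OK user=%s" % user


def handle_line(line, sessions=SESSIONS, now=None):
    """Full request-to-response step for one line from Squid."""
    ip = parse_request(line)
    return "ERR" if ip is None else lookup(ip, sessions, now)


def main():
    # Line-oriented loop; flush after every answer or Squid stalls waiting.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Squid caches each verdict for `ttl` seconds per key, so a logout only takes effect after the positive TTL expires unless the entry is purged on the Squid side as well.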



Re: [squid-users] Authentication Browser Dialog

2010-02-09 Thread Christian Weiligmann
On Tuesday, 09.02.2010, 17:10 +1300, Amos Jeffries wrote:
> Christian Weiligmann wrote:
> > Hello,
> > 
> > I have used the squid proxy for over 10 years, and I am very happy to have this
> > program for internet access; the users may see this differently.
> > But I have a demand concerning the authentication dialogs.
> > 
> > I want to authenticate the internet access for my users with a MySQL
> > backend, but not with a browser dialog, rather with a web page. 
> > 
> > Similar to the question "Re: [squid-users] Proxy subscription on-line",
> > where is the error page I can modify? 
> > 
> > Thanks a lot for viewing and please give me an answer...
> > 
> 
> So ... what error page? in response to what action? in which squid 
> version? under what circumstances? with what information?
> 
> Amos

Hello,

I'm using Squid 2.6.18-1ubuntu3, non-transparent, on Ubuntu LTS
8.04.04.
I want to use a website for my authentication process and I don't want
to use the authentication dialog in the browser. Is this possible? 

My "Similar to the question" was written because I understood it as
the same question as mine, sorry.

Thank you for your answer!


Re: [squid-users] Authentication Browser Dialog

2010-02-08 Thread Amos Jeffries

Christian Weiligmann wrote:

Hello,

I have used the squid proxy for over 10 years, and I am very happy to have this
program for internet access; the users may see this differently.
But I have a demand concerning the authentication dialogs.

I want to authenticate the internet access for my users with a MySQL
backend, but not with a browser dialog, rather with a web page. 


Similar to the question "Re: [squid-users] Proxy subscription on-line",
where is the error page I can modify? 


Thanks a lot for viewing and please give me an answer...



So ... what error page? in response to what action? in which squid 
version? under what circumstances? with what information?


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
  Current Beta Squid 3.1.0.16


[squid-users] Authentication Browser Dialog

2010-02-08 Thread Christian Weiligmann
Hello,

I have used the squid proxy for over 10 years, and I am very happy to have this
program for internet access; the users may see this differently.
But I have a demand concerning the authentication dialogs.

I want to authenticate the internet access for my users with a MySQL
backend, but not with a browser dialog, rather with a web page. 

Similar to the question "Re: [squid-users] Proxy subscription on-line",
where is the error page I can modify? 

Thanks a lot for viewing and please give me an answer...



Re: [squid-users] Authentication Question

2010-01-09 Thread Amos Jeffries

michael_gra...@cadc.uscourts.gov wrote:

I set up two reverse proxy sites with LDAP authentication. Authentication
works fine when I access either site. The problem I'm having is after I
authenticate to either site, I try to access a URL on the other site and I'm
prompted to authenticate again. How can I tell squid to check the
authenticated user and stop prompting me for another login?


I guess that depends on your auth_param settings or LDAP configuration, 
which you omitted.

It's not part of the domain routing config you show below.



Below is my squid.conf setup of both sites. Thanks

acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth

http_port x.x.x.x:80 accel defaultsite=intranet.cadc.circdc.dcn
cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet1 round-robin
cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet2 round-robin
acl sites_intranet dstdomain intranet.cadc.circdc.dcn
http_access allow sites_intranet
cache_peer_access intranet1 allow sites_intranet
cache_peer_access intranet2 allow sites_intranet

http_port x.x.x.x:80 accel defaultsite=www.cadc.circdc.dcn
cache_peer x.x.x.x parent 80 0 no-query originserver name=iis
acl sites_iis dstdomain www.cadc.circdc.dcn
http_access allow sites_iis
cache_peer_access iis allow sites_iis

http_access deny all



Just a note, personally I'd add the ldap-auth ACL to the end of each of 
the "http_access allow sitesX" lines instead of globally at the top.
That would prevent wasting auth resources on people requesting 
unacceptable domains.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
  Current Beta Squid 3.1.0.15


Re: [squid-users] Authentication on server side instead of client? is that possible?

2010-01-06 Thread Kinkie
On Wed, Jan 6, 2010 at 5:22 PM, Roland Roland  wrote:
> Hello,
>
> hope this is possible to implement..
>
> I've read squid.conf.default over and over again with no luck, or simply no
> understanding of what I'm looking for.
>
> Is there a way that squid can authenticate with a certain website instead of
> having every client on the network doing so?
>
> In other words, I have a site that 20 users use daily, though having a shared
> password is not favorable.
> So is there a way to do so on the server and then all clients get served
> an already authenticated session to that site?
> Is that feasible?

yes. See http://www.squid-cache.org/Doc/config/cache_peer/ (in
particular the login= option to cache_peer)

-- 
/kinkie


[squid-users] Authentication on server side instead of client? is that possible?

2010-01-06 Thread Roland Roland

Hello,

Hope this is possible to implement.

I've read squid.conf.default over and over again with no luck, or simply 
no understanding of what I'm looking for.


Is there a way that squid can authenticate with a certain website 
instead of having every client on the network doing so?


In other words, I have a site that 20 users use daily, though having a 
shared password is not favorable.
So is there a way to do so on the server and then all clients get 
served an already authenticated session to that site?

Is that feasible?





[squid-users] Authentication Question

2010-01-02 Thread Michael_Grasso

I set up two reverse proxy sites with LDAP authentication. Authentication
works fine when I access either site. The problem I'm having is after I
authenticate to either site, I try to access a URL on the other site and I'm
prompted to authenticate again. How can I tell squid to check the
authenticated user and stop prompting me for another login?

Below is my squid.conf setup of both sites. Thanks

acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth

http_port x.x.x.x:80 accel defaultsite=intranet.cadc.circdc.dcn
cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet1 round-robin
cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet2 round-robin
acl sites_intranet dstdomain intranet.cadc.circdc.dcn
http_access allow sites_intranet
cache_peer_access intranet1 allow sites_intranet
cache_peer_access intranet2 allow sites_intranet

http_port x.x.x.x:80 accel defaultsite=www.cadc.circdc.dcn
cache_peer x.x.x.x parent 80 0 no-query originserver name=iis
acl sites_iis dstdomain www.cadc.circdc.dcn
http_access allow sites_iis
cache_peer_access iis allow sites_iis

http_access deny all


Mike Grasso
DC Circuit Court of Appeals



Re: [squid-users] Authentication fall through

2009-10-23 Thread Henrik Nordstrom
Fri 2009-10-23 at 14:27 +0100, Matt Richards wrote:

> Is it possible to try this authentication and if it fails then don't
> popup a login box but either try another type of authentication or continue.

No, but if you can identify these machines by IP then excluding them
from authentication entirely is an option.

Regards
Henrik



[squid-users] Authentication fall through

2009-10-23 Thread Matt Richards
Hello,

I have currently got squid setup so it authenticates (against ntlm)
users and uses squidGuard to do the blocking.

At the moment if a machine is not part of the domain I get a popup box
asking for authentication.

Is it possible to try this authentication and if it fails then don't
popup a login box but either try another type of authentication or continue.

I have tried allowing everything as well as having the authentication
lines but then squid just doesn't seem to pass the username on.

What I would like ideally is have squid try the authentication and if it
succeeds then supply the login of the user to the url_rewrite_program.
If it fails then continue as normal without a login. In this case
squidGuard will redirect everything to a login page which will add
values to a database.
When they submit the login information another request will be made and
this time squid will check the database and allow the user through
depending on the IP address of the remote machine.

So squid will try NTLM again, fail this, check the database, as the user
authenticated before see their IP in the database, get the login from
the database and use this as the authenticated user login from there on.
The user can then continue to browse as normal.
Basically like web based authentication with NTLM (AD SSO) support.

Is this possible?

I realise that it might be the browser that is asking for authentication
if it can't supply the authentication information to squid.

If this is the case, is there a helper application that attempts to
connect to the IP of the requesting machine to verify authentication?
Like Novell BorderManager does?

Thanks for your time,

Matt.






RE: [squid-users] Authentication through Squid3

2009-09-04 Thread Henrik Nordstrom
Fri 2009-09-04 at 11:37 +0200, Pierre Thomas wrote:

> 2009/09/04 11:31:36| Processing Configuration File: /etc/squid/squid.conf 
> (depth 0)
> 2009/09/04 11:31:36| Can't use proxy auth because no authentication schemes 
> are fully configured.
> FATAL: ERROR: Invalid ACL: acl SSO proxy_auth REQUIRED

Are you sure there is no "acl SSO proxy_auth REQUIRED" before your
auth_param rules? Maybe you have it duplicated up there..

Regards
Henrik



RE: [squid-users] Authentication through Squid3

2009-09-04 Thread Pierre Thomas
Hi Amos,

I tried your auth method:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 10
auth_param ntlm realm Authentification Squid

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic credentialsttl 1 hours
auth_param basic children 5
auth_param basic realm Authentification Squid

But I still have the same error message while starting Squid: 

2009/09/04 11:31:36| Processing Configuration File: /etc/squid/squid.conf 
(depth 0)
2009/09/04 11:31:36| Can't use proxy auth because no authentication schemes are 
fully configured.
FATAL: ERROR: Invalid ACL: acl SSO proxy_auth REQUIRED

Squid Cache (Version 3.0.STABLE16): Terminated abnormally.
CPU Usage: 0.023 seconds = 0.005 user + 0.018 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0


-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Friday 4 September 2009 10:18
To: Pierre Thomas
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Authentication through Squid3

Pierre Thomas wrote:
> Hi,
> 
> I set up a Squid3 Proxy on my Centos 5.3 box, and it works properly since I 
> try to setup authentication on my Active Directory.
> 
> Here is an extract of my squid.conf, inspired of my old squid 2.7 
> configuration :
> __
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm children 10
> auth_param ntlm realm Authentification Squid
> 
> auth_param basic program /usr/bin/ntlm_auth 
> --helper-protocol=squid-2.5-ntlmssp

I would expect that to use a different parameter. Basic being a 
different method of auth.
   --helper-protocol=squid-2.5-basic   is probably what you wanted there.


> auth_param basic credentialsttl 1 hours
> auth_param basic children 5
> auth_param basic realm Authentification Squid
> 
> acl SSO proxy_auth REQUIRED
> http_access allow SSO
> ___
> 
> When I try to start the proxy service, I obtain this error message :
> 
> 
> [r...@localhost mnt]# service squid start
> 2009/09/04 09:17:51| Processing Configuration File: /etc/squid/squid.conf 
> (depth 0)
> 2009/09/04 09:17:51| Can't use proxy auth because no authentication schemes 
> are fully configured.
> FATAL: ERROR: Invalid ACL: acl SSO proxy_auth REQUIRED
> 
> Squid Cache (Version 3.0.STABLE16): Terminated abnormally.
> CPU Usage: 0.011 seconds = 0.003 user + 0.008 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 0
> 
> Any idea to help ?
> 
> Regards
> 

Strange.
Is that the entire exact squid.conf?

And what does "squid -v" produce?

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13


Re: [squid-users] Authentication through Squid3

2009-09-04 Thread Amos Jeffries

Pierre Thomas wrote:

Hi,

I set up a Squid3 Proxy on my Centos 5.3 box, and it works properly since I try 
to setup authentication on my Active Directory.

Here is an extract of my squid.conf, inspired of my old squid 2.7 configuration 
:
__
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 10
auth_param ntlm realm Authentification Squid

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp


I would expect that to use a different parameter. Basic being a 
different method of auth.

  --helper-protocol=squid-2.5-basic   is probably what you wanted there.



auth_param basic credentialsttl 1 hours
auth_param basic children 5
auth_param basic realm Authentification Squid

acl SSO proxy_auth REQUIRED
http_access allow SSO
___

When I try to start the proxy service, I obtain this error message :


[r...@localhost mnt]# service squid start
2009/09/04 09:17:51| Processing Configuration File: /etc/squid/squid.conf 
(depth 0)
2009/09/04 09:17:51| Can't use proxy auth because no authentication schemes are 
fully configured.
FATAL: ERROR: Invalid ACL: acl SSO proxy_auth REQUIRED

Squid Cache (Version 3.0.STABLE16): Terminated abnormally.
CPU Usage: 0.011 seconds = 0.003 user + 0.008 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0

Any idea to help ?

Regards



Strange.
Is that the entire exact squid.conf?

And what does "squid -v" produce?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13


[squid-users] Authentication through Squid3

2009-09-04 Thread Pierre Thomas
Hi,

I set up a Squid3 Proxy on my Centos 5.3 box, and it works properly since I try 
to setup authentication on my Active Directory.

Here is an extract of my squid.conf, inspired of my old squid 2.7 configuration 
:
__
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 10
auth_param ntlm realm Authentification Squid

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic credentialsttl 1 hours
auth_param basic children 5
auth_param basic realm Authentification Squid

acl SSO proxy_auth REQUIRED
http_access allow SSO
___

When I try to start the proxy service, I obtain this error message :


[r...@localhost mnt]# service squid start
2009/09/04 09:17:51| Processing Configuration File: /etc/squid/squid.conf 
(depth 0)
2009/09/04 09:17:51| Can't use proxy auth because no authentication schemes are 
fully configured.
FATAL: ERROR: Invalid ACL: acl SSO proxy_auth REQUIRED

Squid Cache (Version 3.0.STABLE16): Terminated abnormally.
CPU Usage: 0.011 seconds = 0.003 user + 0.008 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0

Any idea to help ?

Regards



Re: [squid-users] Authentication with Squid 3.0 forwarding the authentication to external web content filter - Edirectory

2009-07-21 Thread Amos Jeffries
On Tue, 21 Jul 2009 14:41:38 -0400, "Schuetz, Charles"
 wrote:
> We are currently using Squid 3.0 Stable 13.  We are currently sending
> everyone through the proxy/cache.  We are implementing a user based
> web content filtering solution (not a linux based solution) that
> authenticates users against edirectory.  The current solution sends
> all users who use the proxy server as a guest account as the Squid
> box does not hit against edirectory.  My question is this, if I set
> up the squid caching server to use the external authentication
> (LDAP), will it pass the edirectory credentials onto the web filter
> or will it not pass them at all.  So if a client computer logs into
> novell with the username jsmith will it pass jsmith to the web
> filter or will it not pass any username?

Try the Squid eDirectory auth helper.

It depends on how the other system is plugged into Squid as to how and what
gets passed along.

If the filtering solution is an HTTP peer hop the cache_peer option
"login=PASS" (with exact text 'PASS' meaning pass-thru) will cause Squid to
relay the credentials it gets given to the peer. AFAIK this only works for
basic auth credentials in 3.0.

If the filtering solution is ICAP capable, then everything received from
the client goes through to the ICAP server AFAIK.

If the filtering solution is a redirector the login is not passed, only the
username if known.

If the filtering solution is an external ACL the username/pass combo
(%LOGIN) or the full raw auth headers ( %{Proxy-Authentication} and
%{WWW-Authentication}) can be passed.

Amos

> 
> Thank you,
> 
> The information contained in this email may be confidential and/or
> privileged. It has been sent for the sole use of the intended
recipient(s).
> If the reader of this message is not an intended recipient, you are
hereby
> notified that any unauthorized review, use, disclosure, dissemination,
> distribution, or copying of this communication, or any of its contents,
is
> strictly prohibited. If you have received this communication in error,
> please contact the sender by reply email and destroy all copies of the
> original message.


[squid-users] Authentication with Squid 3.0 forwarding the authentication to external web content filter - Edirectory

2009-07-21 Thread Schuetz, Charles
We are currently using Squid 3.0 Stable 13.  We are currently sending everyone 
through the proxy/cache.  We are implementing a user based web content 
filtering solution (not a linux based solution) that authenticates users 
against edirectory.  The current solution sends all users who use the proxy 
server as a guest account as the Squid box does not hit against edirectory.  
My question is this, if I set up the squid caching server to use the external 
authentication (LDAP), will it pass the edirectory credentials onto the web 
filter or will it not pass them at all.  So if a client computer logs into 
novell with the username jsmith will it pass jsmith to the web filter or will 
it not pass any username?


Thank you,



Re: [squid-users] Authentication problem. Squid3+ntlm_auth+Firefox.

2009-05-18 Thread Amos Jeffries

xor wrote:

Hello,
I have installed squid3 with authorisation against a Windows 2003 domain, with 
the kerberos5 libraries and samba + winbind. OS: Debian Lenny 5.0.1.
Packages squid3, samba, krb and winbind are taken from the official repositories 
(http://ftp.ru.debian.org/debian/).

The proxy clients running under WinXP with the IE6 or IE7 browser pass 
authorisation normally, without superfluous login/password requests.

But those who use the Mozilla Firefox browser, when visiting sites, especially ones 
containing JavaScript, often receive a request for login, password and domain for 
authorisation to the proxy. If this request is rejected (by pressing "cancel"), the 
client receives the standard cache access denied page. But if after that they press 
"refresh", the page is loaded without a login/password request, and all works normally 
until the next authorisation request occurs.
This effect is observed on the Firefox browsers only.
Increasing or decreasing the auth_param ntlm children parameter didn't help.


Please define what you mean by "containing JavaScript scenaries"? how is 
this relevant to the HTTP requests?


Check that firefox has not saved previous passwords for the user or 
another. This can cause issues as the known passwords are used first 
every time.


With "debug_options ALL,1 29,6 28,6" cache.log gets a trace of the auth 
and ACL actions. Check that to see what is going on.
 You can expect to see some holdup while auth details are requested 
from the browser, whether or not the popup appears. From those checks you 
can see whether it is right for them to be needed or not, though.



Some unrelated notes inline to the config...



Configs:

###squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on
authenticate_cache_garbage_interval 1 minute
authenticate_ttl 2 minutes
authenticate_ip_ttl 2 minutes
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 81 8080 8081 # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 5222
acl Safe_ports port 443 # https
acl PURGE method PURGE
acl CONNECT method CONNECT
acl bad_pat_servers_ip src "/etc/squid3/acl/bad_pat_servers_ip"


I find it rather confusing that you call this a "servers_ip" and indeed 
a pattern list yet use src which tests _client_ IP.


The name of the ACL sounds like you mean it to be a destination check of 
some sort.



acl microsoft_activation dstdomain "/etc/squid3/acl/microsoft_activation"
acl ip_symantec_ftp src 192.168.2.11
acl ftp_symantec dstdomain ftp.symantec.com liveupdate.symantec.com 
liveupdate.symantecliveupdate.com
acl good_sites dstdomain "/etc/squid3/acl/good_sites"
acl bad_pattern url_regex "/etc/squid3/acl/bad_pattern"
acl bad_sites dstdomain "/etc/squid3/acl/bad_sites"
acl odvk url_regex "/etc/squid3/acl/odvk"
acl odnokl_sites dstdomain "/etc/squid3/acl/odnokl_sites"
acl odnokl_users proxy_auth "/etc/squid3/acl/odnokl_users"
acl ip_users src "/etc/squid3/acl/ip_users"
acl AuthUsers proxy_auth "/etc/squid3/acl/users"
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow microsoft_activation
http_access deny bad_pat_servers_ip
http_access allow ip_symantec_ftp ftp_symantec
http_access allow good_sites ip_users
http_access allow good_sites AuthUsers
http_access allow odnokl_sites odnokl_users
http_access deny bad_pattern
http_access deny bad_sites
http_access deny odvk
http_access allow ip_users
http_access allow AuthUsers
http_access allow localhost
http_access deny all
htcp_access deny all
http_port 192.168.60.60:3128
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_dir ufs /var/spool/squid3 1024 16 256
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320



icp_access deny all
icp_port 3130


Combined with the "icp_access deny all" I find this really weird.

The default action in Squid-3 is not to listen for ICP at all and to 
deny all as well. I think you want to remove the icp_* configuration 
entirely.


Same for the htcp_access line further up.


forwarded_for off
coredump_dir /var/spool/squid3

###smb.conf
[global]
   workgroup = PATERSON
   realm = PATERSON.RU
   password server = SRV-MSK11 SRV-MSK12
   server string = %h server
   wins support = yes
   wins server = 192.168.2.11
   dns proxy = no
   interfaces = 192.168.60.60 eth0
   log file = /var/log/samba/log.%m
   log level = 3
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ads
   encrypt passwords = true
   passdb backend = tdbsam
   obey 

[squid-users] Authentication problem. Squid3+ntlm_auth+Firefox.

2009-05-18 Thread xor
Hello,
I have installed squid3 with authorisation against a Windows 2003 domain, using 
the kerberos5 libraries and samba + winbind. OS: Debian Lenny 5.0.1.
The squid3, samba, krb and winbind packages are taken from the official 
repositories (http://ftp.ru.debian.org/debian/).

The proxy clients running WinXP with IE6 or IE7 pass authorisation normally, 
without superfluous login/password requests.

But those who use the Mozilla Firefox browser, when visiting sites, especially 
ones containing JavaScript, often receive a request for a login, password and 
domain for authorisation in the proxy. If this request is rejected (by pressing 
"cancel"), the client receives the standard cache access denied page. But if 
"refresh" is pressed after that, the page loads without a login/password 
request, and everything works normally until the next authorisation request 
appears.
This effect is observed on Firefox browsers only.
Increasing or decreasing the auth_param ntlm children parameter didn't help.

Configs:

###squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --debug-level=10 
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on
authenticate_cache_garbage_interval 1 minute
authenticate_ttl 2 minutes
authenticate_ip_ttl 2 minutes
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 81 8080 8081 # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 5222
acl Safe_ports port 443 # https
acl PURGE method PURGE
acl CONNECT method CONNECT
acl bad_pat_servers_ip src "/etc/squid3/acl/bad_pat_servers_ip"
acl microsoft_activation dstdomain "/etc/squid3/acl/microsoft_activation"
acl ip_symantec_ftp src 192.168.2.11
acl ftp_symantec dstdomain ftp.symantec.com liveupdate.symantec.com 
liveupdate.symantecliveupdate.com
acl good_sites dstdomain "/etc/squid3/acl/good_sites"
acl bad_pattern url_regex "/etc/squid3/acl/bad_pattern"
acl bad_sites dstdomain "/etc/squid3/acl/bad_sites"
acl odvk url_regex "/etc/squid3/acl/odvk"
acl odnokl_sites dstdomain "/etc/squid3/acl/odnokl_sites"
acl odnokl_users proxy_auth "/etc/squid3/acl/odnokl_users"
acl ip_users src "/etc/squid3/acl/ip_users"
acl AuthUsers proxy_auth "/etc/squid3/acl/users"
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow microsoft_activation
http_access deny bad_pat_servers_ip
http_access allow ip_symantec_ftp ftp_symantec
http_access allow good_sites ip_users
http_access allow good_sites AuthUsers
http_access allow odnokl_sites odnokl_users
http_access deny bad_pattern
http_access deny bad_sites
http_access deny odvk
http_access allow ip_users
http_access allow AuthUsers
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all
http_port 192.168.60.60:3128
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_dir ufs /var/spool/squid3 1024 16 256
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
forwarded_for off
coredump_dir /var/spool/squid3

###smb.conf
[global]
   workgroup = PATERSON
   realm = PATERSON.RU
   password server = SRV-MSK11 SRV-MSK12
   server string = %h server
   wins support = yes
   wins server = 192.168.2.11
   dns proxy = no
   interfaces = 192.168.60.60 eth0
   log file = /var/log/samba/log.%m
   log level = 3
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ads
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   invalid users = root
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* 
%n\n *password\supdated\ssuccessfully* .
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   case sensitive = No
   idmap uid = 1-2
   idmap gid = 1-2
   winbind enum groups = yes
   winbind enum users = yes
   winbind separator = +
   winbind use default domain = No
[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S
[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

Best regards, Ehenov Roman.


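The http_access section of the squid.conf posted above is evaluated first-match, one line at a time, with every ACL on a line having to match. The following Python model is an added example (not part of this thread, and not Squid's own code) that parses a constructed subset of those rules, with the file-based ACL lists replaced by made-up inline values, and walks them the way Squid does: first matching line wins, `!` negates a term, and when nothing matches the opposite of the last line's action applies. It only models the ACL types used here and treats a request without credentials as not matching `proxy_auth` (real Squid would send a 407 challenge). Running it shows why line order is a security property of this config: because `allow microsoft_activation` sits ahead of `deny bad_pat_servers_ip`, a source listed in the blocked set still reaches the activation domains, and because `allow good_sites ip_users` precedes `deny bad_pattern`, the `.exe` pattern is never consulted for good sites.

```python
import ipaddress
import re

# Constructed subset of the http_access section posted above.  ACLs that
# the real config reads from files under /etc/squid3/acl/ are given
# inline sample values here; hostnames and addresses are made up.
SQUID_CONF = r"""
acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80 81 8080 8081
acl Safe_ports port 21
acl Safe_ports port 443
acl CONNECT method CONNECT
acl bad_pat_servers_ip src 192.168.60.99
acl microsoft_activation dstdomain activation.example.com
acl good_sites dstdomain .example.org
acl bad_pattern url_regex \.exe$
acl bad_sites dstdomain .badsite.test
acl ip_users src 192.168.60.0/24
acl AuthUsers proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow microsoft_activation
http_access deny bad_pat_servers_ip
http_access allow good_sites ip_users
http_access deny bad_pattern
http_access deny bad_sites
http_access allow ip_users
http_access allow AuthUsers
http_access allow localhost
http_access deny all
"""


def parse_conf(text):
    """Collect acl definitions (same name => values are appended) and http_access lines."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            entry = acls.setdefault(name, (kind, []))
            if entry[0] != kind:
                raise ValueError(f"acl {name} redefined with type {kind}")
            entry[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    acls.setdefault("all", ("src", ["0.0.0.0/0"]))  # Squid-3 predefines 'all'
    return acls, rules


def acl_matches(kind, values, req):
    """Match one ACL against a request; only the types used above are modelled."""
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = req["host"].lower()
        for v in values:
            v = v.lower()
            if v.startswith("."):          # leading dot: the domain and its subdomains
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:                # no dot: exact host only
                return True
        return False
    if kind == "port":
        return str(req["port"]) in values
    if kind == "method":
        return req["method"].upper() in [v.upper() for v in values]
    if kind == "proxy_auth":
        user = req.get("user")
        if user is None:                   # real Squid would send a 407 challenge here
            return False
        return "REQUIRED" in values or user in values
    if kind == "url_regex":
        return any(re.search(v, req["url"]) for v in values)
    raise ValueError(f"unsupported acl type {kind}")


def evaluate(acls, rules, req):
    """First http_access line whose ACLs all match wins; '!' negates a term."""
    for action, terms in rules:
        if all(acl_matches(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    # nothing matched: Squid applies the opposite of the last line's action
    last = rules[-1][0] if rules else "deny"
    return "deny" if last == "allow" else "allow"


def decide(req, conf=SQUID_CONF):
    acls, rules = parse_conf(conf)
    return evaluate(acls, rules, req)


if __name__ == "__main__":
    blocked_src = {"src": "192.168.60.99", "port": 80, "method": "GET"}
    for host in ("activation.example.com", "www.example.org"):
        req = dict(blocked_src, host=host, url=f"http://{host}/")
        print(host, "->", decide(req))
```

Feed it a request dict with `src`, `host`, `port`, `method`, `url` and optionally `user`; the return value is the action of the first matching line. Moving a single line, for example the `deny bad_pat_servers_ip` line above the activation allow, changes the answers, which is the check worth running before trusting an http_access list.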
Re: [squid-users] authentication mechanism selected based on ip-address

2009-02-23 Thread Amos Jeffries
> Amos Jeffries wrote:
>> Joseph Spadavecchia wrote:
>>> Hi all,
>>>
>>> We have a requirement to use different authentication mechanisms
>>> based on the subnet/ip-address of the client.
>>>
>>> For example, a client from one subnet would authenticate against ntlm
>>> while a client from another subnet would authenticate against an LDAP
>>> server.
>>>
>>> AFAIK, this is normally done by running multiple instances of squid;
>>> but we have the requirement to do it with a single instance.  One way
>>> of achieving this would be to modify squid to pass the client's
>>> ip-address along with the authentication information.  However, I'd
>>> like to do it cleanly without modifying squid.
>>>
>>> Can anyone offer suggestions for doing this cleanly, without
>>> modifications to squid.
>>>
>>> Thanks in advance.
>>> Joseph
>>
>> External ACL taking client IP and Proxy-authentication header contents.
>> Then doing whatever you like and returning "OK user=XX\n" or "ERR\n"
>>
>> Amos
> Thanks Amos--- your suggestion seems to work.
>
> I created a custom authenticator that always returns "OK" and linked it
> to the external acl.
>
>  squid.conf 
>
> auth_param basic program /usr/local/bin/my-auth.pl
>
> external_acl_type myAclType %SRC %LOGIN %{Proxy-Authorization}
> /usr/local/bin/my-acl.pl
>
> acl MyAcl external myAclType
>
> http_access allow MyAcl
>
> * Note myAclType's dependence on %LOGIN is required for triggering
> authentication and, thus, setting %{Proxy-Authorization}.
>
>
>  my-auth.pl 
>
> #!/usr/bin/perl -Wl
> # accepts every credential; the real check happens in my-acl.pl
>
> $|=1;
>
> while (<>) {
>    print "OK";
> }
>
>
>  my-acl.pl 
>
> #!/usr/bin/perl -Wl
>
> use URI::Escape;
> use MIME::Base64;
>
> $|=1;
>
> while (<>) {
>    # Squid hands over "%SRC %LOGIN %{Proxy-Authorization}", URL-encoded
>    my ($ip,$user,$auth) = split();
>    $auth = uri_unescape($auth);
>    my ($type,$authData) = split(/ /, $auth, 2);
>    my $authString = decode_base64($authData);
>    # limit to two fields so a password containing ':' is not truncated
>    my ($username,$password) = split(/:/, $authString, 2);
>
>    # my_awsome_auth() is the site's own check; it must return "OK" or "ERR"
>    # (-l appends the newline Squid expects)
>    print my_awsome_auth($ip, $username, $password);
> }
>
> Thanks.
> Joseph
>

Excellent thank you for this wonderful write-up.
I've added it to the wiki
http://wiki.squid-cache.org/ConfigExamples/Authenticate/MultipleSources

Amos



Re: [squid-users] authentication mechanism selected based on ip-address

2009-02-23 Thread Joseph Spadavecchia

Amos Jeffries wrote:

Joseph Spadavecchia wrote:

Hi all,

We have a requirement to use different authentication mechanisms 
based on the subnet/ip-address of the client.


For example, a client from one subnet would authenticate against ntlm 
while a client from another subnet would authenticate against an LDAP 
server.


AFAIK, this is normally done by running multiple instances of squid; 
but we have the requirement to do it with a single instance.  One way 
of achieving this would be to modify squid to pass the client's 
ip-address along with the authentication information.  However, I'd 
like to do it cleanly without modifying squid.


Can anyone offer suggestions for doing this cleanly, without 
modifications to squid.


Thanks in advance.
Joseph


External ACL taking client IP and Proxy-authentication header contents.
Then doing whatever you like and returning "OK user=XX\n" or "ERR\n"

Amos

Thanks Amos--- your suggestion seems to work.

I created a custom authenticator that always returns "OK" and linked it 
to the external acl.


 squid.conf 

auth_param basic program /usr/local/bin/my-auth.pl

external_acl_type myAclType %SRC %LOGIN %{Proxy-Authorization} 
/usr/local/bin/my-acl.pl


acl MyAcl external myAclType

http_access allow MyAcl

* Note myAclType's dependence on %LOGIN is required for triggering 
authentication and, thus, setting %{Proxy-Authorization}.



 my-auth.pl 

#!/usr/bin/perl -Wl
# accepts every credential; the real check happens in my-acl.pl

$|=1;

while (<>) {
   print "OK";
}


 my-acl.pl 

#!/usr/bin/perl -Wl

use URI::Escape;
use MIME::Base64;

$|=1;

while (<>) {
   # Squid hands over "%SRC %LOGIN %{Proxy-Authorization}", URL-encoded
   my ($ip,$user,$auth) = split();
   $auth = uri_unescape($auth);
   my ($type,$authData) = split(/ /, $auth, 2);
   my $authString = decode_base64($authData);
   # limit to two fields so a password containing ':' is not truncated
   my ($username,$password) = split(/:/, $authString, 2);

   # my_awsome_auth() is the site's own check; it must return "OK" or "ERR"
   # (-l appends the newline Squid expects)
   print my_awsome_auth($ip, $username, $password);
}

Thanks.
Joseph

--
Joseph Spadavecchia



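As an added example (not Joseph's script and not part of the Squid project), here is the external ACL half of the scheme above in Python: it reads the `%SRC %LOGIN %{Proxy-Authorization}` line Squid sends, URL-decodes the fields as the Perl version does, extracts the Basic credentials, picks a backend from the client subnet, and answers `OK user=...` or `ERR`. The subnets, the user store and the two backend names are constructed stand-ins for the real NTLM and LDAP lookups. Two points the Perl version glosses over are handled: the credential string is split on the first colon only, so a password containing `:` survives, and the comparison is constant-time. `make_squid_line()` is a helper that builds the input line as Squid would, so the exchange can be exercised offline.

```python
import base64
import hmac
import ipaddress
import sys
import urllib.parse

# Constructed sample data: which backend each client subnet authenticates
# against, and a toy credential store standing in for the real NTLM/LDAP
# lookups (addresses, users and passwords are made up for this example).
BACKEND_BY_SUBNET = {
    ipaddress.ip_network("10.1.0.0/16"): "ntlm",
    ipaddress.ip_network("10.2.0.0/16"): "ldap",
}
CONSTRUCTED_USERS = {
    "ntlm": {"alice": "s3cret"},
    "ldap": {"bob": "pa:ss"},
}


def make_squid_line(src, login, user, password):
    """Build the line Squid would send for '%SRC %LOGIN %{Proxy-Authorization}'."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"{src} {login} {urllib.parse.quote('Basic ' + token)}"


def parse_request_line(line):
    """Return (src, user, password) from a helper input line, or None if unusable."""
    fields = line.strip().split()
    if len(fields) != 3:
        return None
    src, _login, auth = (urllib.parse.unquote(f) for f in fields)
    scheme, _, data = auth.partition(" ")
    if scheme.lower() != "basic":        # '-' (no header) or a non-Basic scheme
        return None
    try:
        creds = base64.b64decode(data, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = creds.partition(":")   # first ':' only; password may contain ':'
    if not sep or not user:
        return None
    return src, user, password


def select_backend(src):
    """Pick the backend from the client address; None if no subnet is configured."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    for net, backend in BACKEND_BY_SUBNET.items():
        if ip in net:
            return backend
    return None


def check_credentials(backend, user, password):
    """Stand-in for the real backend call; compared in constant time."""
    stored = CONSTRUCTED_USERS.get(backend, {}).get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def decide(line):
    """One helper input line -> one Squid reply ('OK user=...' or 'ERR')."""
    parsed = parse_request_line(line)
    if parsed is None:
        return "ERR"
    src, user, password = parsed
    backend = select_backend(src)
    if backend is None or not check_credentials(backend, user, password):
        return "ERR"
    return f"OK user={user}"


def main():
    # Squid keeps the helper running and writes one request per line
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()                 # unbuffered, like $|=1 in the Perl helper


if __name__ == "__main__":
    main()
```

Because the Basic helper in this scheme accepts everything, the `ERR` from this helper is the only thing standing between an unknown client and `http_access allow MyAcl`; the `user=` value it returns is what ends up in access.log, so keep it the verified name, not the one the client claimed in `%LOGIN`.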


Re: [squid-users] authentication mechanism selected based on ip-address

2009-02-13 Thread Amos Jeffries

Joseph Spadavecchia wrote:

Hi all,

We have a requirement to use different authentication mechanisms based 
on the subnet/ip-address of the client.


For example, a client from one subnet would authenticate against ntlm 
while a client from another subnet would authenticate against an LDAP 
server.


AFAIK, this is normally done by running multiple instances of squid; but 
we have the requirement to do it with a single instance.  One way of 
achieving this would be to modify squid to pass the client's ip-address 
along with the authentication information.  However, I'd like to do it 
cleanly without modifying squid.


Can anyone offer suggestions for doing this cleanly, without 
modifications to squid.


Thanks in advance.
Joseph


External ACL taking client IP and Proxy-authentication header contents.
Then doing whatever you like and returning "OK user=XX\n" or "ERR\n"

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5


[squid-users] authentication mechanism selected based on ip-address

2009-02-12 Thread Joseph Spadavecchia

Hi all,

We have a requirement to use different authentication mechanisms based 
on the subnet/ip-address of the client.


For example, a client from one subnet would authenticate against ntlm 
while a client from another subnet would authenticate against an LDAP 
server.


AFAIK, this is normally done by running multiple instances of squid; but 
we have the requirement to do it with a single instance.  One way of 
achieving this would be to modify squid to pass the client's ip-address 
along with the authentication information.  However, I'd like to do it 
cleanly without modifying squid.


Can anyone offer suggestions for doing this cleanly, without 
modifications to squid.


Thanks in advance.
Joseph


Re: [squid-users] Authentication Over-ride

2009-01-27 Thread Amos Jeffries
> I am working on an application for my senior project at school. I am
> wondering if anyone might possibly know a way to pass a username and
> password to the pop-up authentication box in squid when auth_param is
> set. Something I can use with my PHP to keep the interface slick and
> be able to my PHP login to do many other things.
>
> This is what I have been trying but doesn't seem to work
>
>  header("Location: http://$user:$passw...@www.google.com";);
>
> Were $user and $password are already variables I have defined in my
> createuser/login application
>
> Any help or ideas would be greatly appreciated.
>

Squid does not do popup boxes. Web browsers do popup boxes.

Look at URL syntax for sending username/password and HTTP syntax for
sending Authentication: headers.

Amos


