Re: [squid-users] Squid authentication objects by source ip

2023-04-12 Thread Amos Jeffries

On 12/04/2023 11:14 pm, hans.peter.wurst2000 wrote:

Hello,

I have currently a problem to setup squid authentication with 
kerberos. The problem is not the authentication itself. It works fine, 
but only for one AD-Domain. I have 6 AD Domains that have to 
authenticate through this squid-proxy. In the documentation 
"https://wiki.squid-cache.org/Features/Authentication" I have seen 
that my problem could be solved by using full plain authentication 
with ldap. And that is the current way I will solve this. But for 
future squid releases would it be possible to change the Proxy 
authentication function to filter authentication methods by source ip?




I am afraid you have misunderstood how HTTP authentication works in Squid.

Squid is just middleware between the client and the authenticator 
system. All it does is tell the client which **types** (aka "scheme") of 
authentication are acceptable, and passes the clients credentials to a 
helper that can handle how that scheme encodes and validates credentials.


Deciding which auth database to check credentials against is the role of 
external helpers




Example:

auth_param 1 negotiate program /usr/sbin/squid_kerb_auth -k /etc/squid/HTTP_Domain1.keytab
auth_param 1 negotiate children 10
auth_param 1 negotiate keep_alive on

auth_param 2 negotiate program /usr/sbin/squid_kerb_auth -k /etc/squid/HTTP_Domain2.keytab
auth_param 2 negotiate children 10
auth_param 2 negotiate keep_alive on


To use completely separate keytabs you should write a wrapper script 
that takes the credentials + IP from Squid and selects which 
squid_kerb_auth (or better negotiate_kerberos_auth) helper to pass them to.


squid.conf looks like this:

auth_param negotiate program /path/to/script
auth_param negotiate key_extras %>a
auth_param negotiate children 10



What the script receives is documented here:


It needs to decide which kerberos helper to pass the request to, then 
relay the actual helpers response back to Squid.




Filter by LDAP Groups should also be possible like before.



Check how your LDAP helper is configured. Likely it also needs to 
distinguish which keytab to use to find details about the user such as 
group(s).



Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
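
One way to write the wrapper script described in the reply above, as an added example that is not code from the thread or from the Squid project. It assumes Squid sends `<YR|KK> <token> <client IP>` per line (the effect of `key_extras %>a`, without helper concurrency) and that the real helper lives at the path shown; `Dispatcher`, `KEYTABS` and `kerberos_command` are hypothetical names.

```python
#!/usr/bin/env python3
"""Route Squid Negotiate requests to one Kerberos helper per AD domain.

Assumed request line (auth_param negotiate key_extras %>a, no concurrency):
    <YR|KK> <base64 token> <client IP>
The chosen child's reply line is relayed to Squid unchanged.
"""
import ipaddress
import subprocess
import sys

# Assumed helper path; the subnets and keytab names follow the thread's example.
HELPER = "/usr/lib/squid/negotiate_kerberos_auth"
KEYTABS = {
    "10.15.0.0/24": "/etc/squid/HTTP_Domain1.keytab",
    "10.16.0.0/24": "/etc/squid/HTTP_Domain2.keytab",
}


def kerberos_command(keytab):
    """argv for the real helper bound to one domain's keytab."""
    return [HELPER, "-k", keytab]


class Dispatcher:
    def __init__(self, routes, make_command):
        # Most specific prefix first, so overlapping subnets resolve predictably.
        self.routes = sorted(
            ((ipaddress.ip_network(net), key) for net, key in routes.items()),
            key=lambda route: route[0].prefixlen,
            reverse=True,
        )
        self.make_command = make_command
        self.children = {}

    def select(self, client_ip):
        """Return the route key for client_ip, or None if no subnet matches."""
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return None
        for net, key in self.routes:
            if addr in net:  # False when the IP versions differ
                return key
        return None

    def child(self, key):
        """Start the helper for this key on first use, or restart it if it died."""
        proc = self.children.get(key)
        if proc is None or proc.poll() is not None:
            proc = subprocess.Popen(
                self.make_command(key),
                stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                text=True, bufsize=1,
            )
            self.children[key] = proc
        return proc

    def handle(self, line):
        fields = line.split()
        if len(fields) != 3 or fields[0] not in ("YR", "KK"):
            return "BH malformed request"
        code, token, client_ip = fields
        key = self.select(client_ip)
        if key is None:
            # Fail closed: an unmapped source never reaches any keytab.
            return "NA no Kerberos domain for this client address"
        try:
            proc = self.child(key)
            # The child is not configured with key_extras, so strip the IP.
            proc.stdin.write(f"{code} {token}\n")
            proc.stdin.flush()
            reply = proc.stdout.readline()
        except OSError:
            reply = ""
        if not reply:
            self.children.pop(key, None)
            return "BH helper unavailable"
        return reply.rstrip("\r\n")

    def close(self):
        for proc in self.children.values():
            proc.stdin.close()
            proc.wait()
        self.children.clear()


def main():
    dispatcher = Dispatcher(KEYTABS, kerberos_command)
    try:
        for line in sys.stdin:
            # Squid waits for exactly one reply line per request, so flush each.
            print(dispatcher.handle(line), flush=True)
    finally:
        dispatcher.close()


if __name__ == "__main__":
    main()
```

Routing on the client address only chooses which keytab validates the ticket; the ticket itself is still checked by the real Kerberos helper, so a client in the wrong subnet fails authentication rather than bypassing it.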


[squid-users] Squid authentication objects by source ip

2023-04-12 Thread hans.peter.wurst2000
Hello,

I have currently a problem to setup squid authentication with kerberos. The 
problem is not the authentication itself. It works fine, but only for one 
AD-Domain. I have 6 AD Domains that have to authenticate through this 
squid-proxy. In the documentation 
"https://wiki.squid-cache.org/Features/Authentication" I have seen that my 
problem could be solved by using full plain authentication with ldap. And that 
is the current way I will solve this. But for future squid releases would it be 
possible to change the Proxy authentication function to filter authentication 
methods by source ip?

Example:

auth_param 1 negotiate program /usr/sbin/squid_kerb_auth -k /etc/squid/HTTP_Domain1.keytab
auth_param 1 negotiate children 10
auth_param 1 negotiate keep_alive on

auth_param 2 negotiate program /usr/sbin/squid_kerb_auth -k /etc/squid/HTTP_Domain2.keytab
auth_param 2 negotiate children 10
auth_param 2 negotiate keep_alive on

acl dom1-auth src 10.15.0.0/255.255.255.0 proxy_auth 1 REQUIRED
acl dom2-auth src 10.16.0.0/255.255.255.0 proxy_auth 2 REQUIRED

http_access allow dom1-auth
http_access allow dom2-auth
http_access deny all

I have shown an example here by separating the authenticators by numbers, but it 
could also be an ASCII word.

Filter by LDAP Groups should also be possible like before.

Thank you for your help,
Hans-Peter


Re: [squid-users] Squid authentication issues

2020-07-31 Thread L . P . H . van Belle
I use this : 

You need this in smb.conf 
# Added for freeradius or squid proxy support
# Obligated to set on both AD-DC and Member server.
ntlm auth = mschapv2-and-ntlmv2-only 

And this or something like that, I have more working auth setups for squid, 
but I use this primarily. 

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab \
-s HTTP/proxy1.internal.domain.tld@REALM \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Still not working try/change above line to : 
--ntlm /usr/bin/ntlm_auth --allow-mschapv2 --helper-protocol=gss-spnego --domain=NTDOM

But should not be needed. 

And don't forget to add the HTTP spn on the member server.
net ads keytab add_update_ads HTTP/proxy1.internal.domain.tld -UAdministrator

Also, A+PTR records are a must for the proxy with kerberos auth.


And do remove from smb.conf : 
> winbind enum users = yes
> winbind enum groups = yes
Or set these to no. 

I use that on Debian 10 with now squid 4.12. (ssl enabled)
(since debian 8 and squid 3.x ) 
There are more options here, but start with above.

My setup does, in this order. 
Negotiated Kerberos/NTLM auth with LDAP auth as fall back.

Besides these few small points, your setup looks great to me. 


Greetz, 

Louis




From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] 
On behalf of Marcio Demetrio Bacci
Sent: Thursday 30 July 2020 19:37
To: Squid Users
Subject: [squid-users] Squid authentication issues


Hi,

I set up Squid 4.6 on Debian 10 and I'm having problems with browser 
authentication on a Windows station.

I did the tests on the command line and apparently it's OK.

root@proxy:/etc/squid/acls# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
EMPRESA+mane X
NT_STATUS_OK: The operation completed successfully. (0x0)
OK

Here are my configuration files:

#/ETC/SAMBA/SMB.CONF
[global]
netbios name = PROXY
workgroup = EMPRESA
security = ADS
realm = EMPRESA.COM.BR
encrypt passwords = yes
username map = /etc/samba/user.map

log file = /var/log/samba/%m.log
log level = 3 passdb:5 auth:5

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 1-99
idmap config EMPRESA:unix_nss_info = yes
idmap config EMPRESA:unix_primary_group = yes

winbind refresh tickets = Yes
winbind use default domain = yes
winbind separator = +
winbind enum users = yes
winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

template shell = /bin/bash
template homedir = /home/%U

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

#ETC/NSSWITCH.CONF
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

#/ETC/KRB5.CONF
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = EMPRESA.COM.BR

#/ETC/SQUID/SQUID.CONF

http_port 3128

cache_mem 512 MB
cache_swap_low 80
cache_swap_high 90

maximum_object_size 512 MB
minimum_object_size 0 KB

maximum_obj

[squid-users] Squid authentication issues

2020-07-30 Thread Marcio Demetrio Bacci
Hi,

I set up Squid 4.6 on Debian 10 and I'm having problems with browser
authentication on a Windows station.

I did the tests on the command line and apparently it's OK.

root@proxy:/etc/squid/acls# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
EMPRESA+mane X
NT_STATUS_OK: The operation completed successfully. (0x0)
OK

Here are my configuration files:

#/ETC/SAMBA/SMB.CONF
[global]
netbios name = PROXY
workgroup = EMPRESA
security = ADS
realm = EMPRESA.COM.BR
encrypt passwords = yes
username map = /etc/samba/user.map

log file = /var/log/samba/%m.log
log level = 3 passdb:5 auth:5

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 1-99
idmap config EMPRESA:unix_nss_info = yes
idmap config EMPRESA:unix_primary_group = yes

winbind refresh tickets = Yes
winbind use default domain = yes
winbind separator = +
winbind enum users = yes
winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

template shell = /bin/bash
template homedir = /home/%U

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

#ETC/NSSWITCH.CONF
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

#/ETC/KRB5.CONF
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = EMPRESA.COM.BR

#/ETC/SQUID/SQUID.CONF

http_port 3128

cache_mem 512 MB
cache_swap_low 80
cache_swap_high 90

maximum_object_size 512 MB
minimum_object_size 0 KB

maximum_object_size_in_memory 4096 KB

cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA

quick_abort_min -1 KB

detect_broken_pconn on

fqdncache_size 1024

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

cache_dir aufs /var/spool/squid 600 16 256

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param ntlm children 20 startup=0 idle=1
auth_param ntlm keep_alive on

visible_hostname "Monitoramento de Acesso à Internet"
### acls
#acl manager proto cache_object
acl localhost src 192.168.1.17/32
acl to_localhost dst 192.168.1.17/32
acl SSL_ports port 22 80 3456 443 563 587 993 2811 3001 3322 7071 8443 9191
1 23000
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 88 # kerberos
acl Safe_ports port 123 # ntp
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 3456 # Siafi
acl Safe_ports port 389 # ldap
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 563 # snews
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3001 # imprenssa nacional
acl Safe_ports port 8080 # http
acl Safe_ports port 8443 # http
acl Safe_ports port 1025-65535 # unregistered ports

acl purge method PURGE
acl CONNECT method CONNECT

#  Windows Update 
acl microsoft url_regex "/etc/squid/acls/ms-update"
acl atualizacoes dstdomain microsoft.com
http_access allow microsoft
http_access allow atualizacoes

http_access allow localhost
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

acl autenticados proxy_auth REQUIRED
http_access deny !autenticados

acl sites_liberados url_regex -i "/etc/squid/acls/sites-permitidos"
http_access allow sites_liberados

acl extensoes_bloqueadas url_regex -i "/etc/squid/acls/extensoes-proibidas"
http_access deny extensoes_bloqueadas

### Block sites by URL
acl sites_bloqueados url_regex -i "/etc/squid/acls/sites-proibidos"
http_access deny sites_bloqueados

### LAN network #
acl rede_usuarios src 192.168.0.0/24

### Deny access to anyone not on the local network
http_access allow rede_usuarios
acl extensoes_bloqueadas url_regex -i "/etc/squid/acls/extensoes-proibidas"
acl sites_liberados 

Re: [squid-users] Squid authentication problem (Amos Jeffries)

2017-06-20 Thread Sonya Roy
Thanks for all the help. I just checked the /etc/squid/passwords file,
turns out I mistakenly used htpasswd -c when saving the last username,
password and all the previous ones got overwritten.

After fixing that, the config file I wrote earlier worked fine.

With regards,
Sonya Roy

On Tue, Jun 20, 2017 at 4:18 PM, Amos Jeffries  wrote:

>
> On 20/06/17 10:50, Sonya Roy wrote:
>
>> Hi,
>>
>> Thanks for the links. So I tried what you suggested and for testing, I
>> was using this simple config:-
>>
>> http_port 8080
>> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
>> auth_param basic realm proxy
>> external_acl_type checkclient children-max=20 %MYADDR %LOGIN /usr/local/squidauth.py
>> acl authenticated external checkclient
>> http_access allow authenticated
>> cache deny all
>> forwarded_for delete
>> request_header_access Via deny all
>>
>> I made sure that the squidauth.py file was executable and when
>> debugging, I found that the helper processes were running. But nothing
>> was getting passed to the helper processes. In the python code, I was
>> running a loop which reads lines from the stdin and parses them and
>> writes output to the stdout. I checked and it wasn't getting anything
>> from stdin. (I added a line which reads the input line from stdin and
>> sends it to another server through a http request to make sure if it was
>> getting anything from stdin at all)
>>
>> But, when I tried to use the proxy(and of course I was using a username
>> and password that was stored in /etc/squid/passwords), I kept getting
>> the error that authentication required, i.e. the server was sending back
>> the header Proxy-Authenticate: Basic realm="proxy". I am not sure what I
>> am doing wrong here.
>>
>
> Sounds to me like the auth_param helper is not accepting the credentials
> you are testing with. The %LOGIN parameter needs auth to be completed
> successfully before the ACL helper is called with the resulting username.
>
> Note that the NCSA helper uses a database file (/etc/squid/passwords) of
> hashes encoded by the Apache htpasswd tool. It is not a plain-text nor Unix
> passwd file, that difference catches some people out.
>
>
> To simplify what is going on I would use the following config sequence:
>
>  acl login proxy_auth REQUIRED
>  http_access deny !login
>
>  acl userip_check external checkclient
>  http_access allow userip_check
>
>  http_access deny all
>
>
>
> Amos


Re: [squid-users] Squid authentication problem (Amos Jeffries)

2017-06-20 Thread Amos Jeffries


On 20/06/17 10:50, Sonya Roy wrote:

Hi,

Thanks for the links. So I tried what you suggested and for testing, I
was using this simple config:-

http_port 8080
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
external_acl_type checkclient children-max=20 %MYADDR %LOGIN /usr/local/squidauth.py
acl authenticated external checkclient
http_access allow authenticated
cache deny all
forwarded_for delete
request_header_access Via deny all

I made sure that the squidauth.py file was executable and when
debugging, I found that the helper processes were running. But nothing
was getting passed to the helper processes. In the python code, I was
running a loop which reads lines from the stdin and parses them and
writes output to the stdout. I checked and it wasn't getting anything
from stdin. (I added a line which reads the input line from stdin and
sends it to another server through a http request to make sure if it was
getting anything from stdin at all)

But, when I tried to use the proxy(and of course I was using a username
and password that was stored in /etc/squid/passwords), I kept getting
the error that authentication required, i.e. the server was sending back
the header Proxy-Authenticate: Basic realm="proxy". I am not sure what I
am doing wrong here.


Sounds to me like the auth_param helper is not accepting the credentials 
you are testing with. The %LOGIN parameter needs auth to be completed 
successfully before the ACL helper is called with the resulting username.


Note that the NCSA helper uses a database file (/etc/squid/passwords) of 
hashes encoded by the Apache htpasswd tool. It is not a plain-text nor 
Unix passwd file, that difference catches some people out.



To simplify what is going on I would use the following config sequence:

 acl login proxy_auth REQUIRED
 http_access deny !login

 acl userip_check external checkclient
 http_access allow userip_check

 http_access deny all


Amos
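
A sketch of the username-to-IP check that an external ACL helper such as the `checkclient` one in this thread could perform, added here as an example and not taken from the thread or from Squid. It assumes the request line is `<local IP> <username>` (from `%MYADDR %LOGIN`, no concurrency) with URL-escaped values; the policy format, the addresses in `SAMPLE_POLICY` and the function names are constructed for illustration.

```python
#!/usr/bin/env python3
"""External ACL helper: may this authenticated user use this local proxy IP?

Assumed request line (external_acl_type ... %MYADDR %LOGIN, no concurrency):
    <local IP> <username>
Replies OK when the ACL should match and ERR otherwise.
"""
import ipaddress
import sys
from urllib.parse import unquote

# Constructed policy: "<username> <ip-or-cidr> [<ip-or-cidr> ...]" per line.
SAMPLE_POLICY = """
# user      proxy addresses the user may connect to
user1       192.0.2.0/28
user2       192.0.2.16/28 2001:db8::/64
user3@example.test 198.51.100.7
"""


def parse_policy(text):
    """Parse the policy text; reject bad entries at startup instead of guessing."""
    policy = {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        user, *nets = line.split()
        if not nets:
            raise ValueError(f"line {number}: no address for {user!r}")
        # ip_network() raises ValueError on typos such as 10.0.0.1/8.
        policy.setdefault(user, []).extend(ipaddress.ip_network(n) for n in nets)
    return policy


def check(line, policy):
    """Return the helper reply for one request line. Anything unexpected is ERR."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"
    local_ip, login = fields
    login = unquote(login)  # Squid URL-escapes the values it sends
    if login in ("", "-"):
        # No username: authentication has not completed for this request.
        return "ERR"
    try:
        addr = ipaddress.ip_address(local_ip)
    except ValueError:
        return "ERR"
    allowed = policy.get(login, ())
    return "OK" if any(addr in net for net in allowed) else "ERR"


def main():
    policy = parse_policy(SAMPLE_POLICY)
    for line in sys.stdin:
        # One reply line per request, flushed, or Squid keeps waiting on the pipe.
        print(check(line, policy), flush=True)


if __name__ == "__main__":
    main()
```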


Re: [squid-users] Squid authentication problem (Amos Jeffries)

2017-06-19 Thread Amos Jeffries

On 20/06/17 09:15, Amos Jeffries wrote:

On 20/06/17 03:20, Sonya Roy wrote:

Since you are saying the IP that can be passed to the helpers is
configurable, how would I pass the local IP of the server that the
client connected to?

I checked out the helpers you mentioned, there they check which IP the
connection is coming from. Not the local IP of the server that the
client is connected to and they are using %SRC for that.


The external ACL helpers don't know one IP from any other. They simply
check what is given to them against some form of username+ip mapping.



[ with the correct links ]


In Squid-3.5 that would be %MYADDR.

In Squid-4+ it would be %>la




Amos


Re: [squid-users] Squid authentication problem (Amos Jeffries)

2017-06-19 Thread Amos Jeffries

On 20/06/17 03:20, Sonya Roy wrote:

Since you are saying the IP that can be passed to the helpers is
configurable, how would I pass the local IP of the server that the
client connected to?

I checked out the helpers you mentioned, there they check which IP the
connection is coming from. Not the local IP of the server that the
client is connected to and they are using %SRC for that.


The external ACL helpers don't know one IP from any other. They simply 
check what is given to them against some form of username+ip mapping.



In Squid-3.5 that would be %MYADDR.


In Squid-4+ it would be %>la 



Amos


Re: [squid-users] Squid authentication problem (Amos Jeffries)

2017-06-19 Thread Sonya Roy
Since you are saying the IP that can be passed to the helpers is
configurable, how would I pass the local IP of the server that the client
connected to?

I checked out the helpers you mentioned, there they check which IP the
connection is coming from. Not the local IP of the server that the client
is connected to and they are using %SRC for that.

With regards,
Sonya Roy.

On Mon, Jun 19, 2017 at 6:43 PM, Amos Jeffries  wrote:

> On 20/06/17 00:09, Sonya Roy wrote:
>
>> Hi,
>>
>> From what I saw with using IP as part of the authentication, it checks
>> which IP the user is connecting to the server from. What I want to check
>> is which public IP of the server the user is connecting to.
>>
>
> The IP is whichever one you pass to the various helpers. That is
> configurable.
>
>
>> If someone connects to the server's IP address x.x.x.x, I want the
>> outgoing traffic to go through the same IP address x.x.x.x. That's why I
>> put an acl rule for each public IP of the server and specified the
>> tcp_outgoing_address for each of them.
>>
>> So, for example, if the server has say 50 public IP address, I want to
>> create an user who will be able to connect to 25 of them and another to
>> another 25.
>>
>
> That is _what_ you are wanting.
>
> My question was _why_ you wanted to do that?
>
>
>> I hope this clarifies my original question.
>>
>
> Your original question was whether there was any workaround for
> authentication requiring credentials. I believe my previous post answered
> that already.
>
>
> Cheers
> Amos
>


Re: [squid-users] Squid authentication problem (Amos Jeffries)

2017-06-19 Thread Amos Jeffries

On 20/06/17 00:09, Sonya Roy wrote:

Hi,

From what I saw with using IP as part of the authentication, it checks
which IP the user is connecting to the server from. What I want to check
is which public IP of the server the user is connecting to.


The IP is whichever one you pass to the various helpers. That is 
configurable.




If someone connects to the server's IP address x.x.x.x, I want the
outgoing traffic to go through the same IP address x.x.x.x. That's why I
put an acl rule for each public IP of the server and specified the
tcp_outgoing_address for each of them.

So, for example, if the server has say 50 public IP address, I want to
create an user who will be able to connect to 25 of them and another to
another 25.


That is _what_ you are wanting.

My question was _why_ you wanted to do that?



I hope this clarifies my original question.


Your original question was whether there was any workaround for 
authentication requiring credentials. I believe my previous post 
answered that already.



Cheers
Amos


Re: [squid-users] Squid authentication problem (Amos Jeffries)

2017-06-19 Thread Sonya Roy
Hi,

From what I saw with using IP as part of the authentication, it checks
which IP the user is connecting to the server from. What I want to check is
which public IP of the server the user is connecting to.

If someone connects to the server's IP address x.x.x.x, I want the outgoing
traffic to go through the same IP address x.x.x.x. That's why I put an acl
rule for each public IP of the server and specified the
tcp_outgoing_address for each of them.

So, for example, if the server has say 50 public IP address, I want to
create an user who will be able to connect to 25 of them and another to
another 25.

I hope this clarifies my original question.

With regards,
Sonya Roy.

On Mon, Jun 19, 2017 at 5:30 PM, <squid-users-requ...@lists.squid-cache.org>
wrote:

> Today's Topics:
>
>1. Re: Squid authentication problem (Amos Jeffries)
>2. Re: squid 4.0.20 does not recognize ssl-bump option.
>   (Alex Rousskov)
>3. Re: squid 4.0.20 does not recognize ssl-bump option.
>   (Amos Jeffries)
>
>
> --
>
> Message: 1
> Date: Mon, 19 Jun 2017 00:56:31 +1200
> From: Amos Jeffries <squ...@treenet.co.nz>
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid authentication problem
> Message-ID: <343154ec-dbd6-aa55-f867-216d3c261...@treenet.co.nz>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
>
> On 18/06/17 17:50, Sonya Roy wrote:
> > Hi,
> >
> > I am running squid on a server with multiple public IPs and I want
> > some users to be able to access the proxy through some of the IPs and
> > other users through other IPs.
> >
> > At the moment I have acl rules of the form:-
> > acl abcd myip x.x.x.x
> >
>
> What you need is an ACL that compares the username to the IP.
>
> <http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_file_userip_acl.html>
> <http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_edirectory_userip_acl.html>
> <http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_sql_session_acl.html>
>
> or the new 'extras' feature for authenticators in Squid-3.5 that lets
> them use the IP as part of the auth approval. Though with this the thing
> to be aware of is that the IP becomes like a scope for the user login -
> the wrong IP being used to login from results in re-auth challenge just
> as would be seen if the password was wrong. So use carefully.
>   <http://www.squid-cache.org/Doc/config/auth_param/>
>   <http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html#ss2.2>
>
> > and for these acl rules I have these tcp_outgoing_address:-
> > tcp_outgoing_address x.x.x.x abcd
> >
>
> Why limit the outgoing? in HTTP that is independent to the incoming
> connection and restricting it will lower performance.
>
> > And earlier I had proxy_auth acl rules separately, but that allowed
> > any authenticated users to be able to access the proxy through any of
> > those IPs. Since I wanted some users to be able to use the server
> > through some IPs and others through different IPs, I tried this in
> > those acl rules:-
> >
> > acl abcd myip x.x.x.x proxy_auth user1
>
> FTR: that will match the IP address x.x.x.x and the IP address(es) of
> the servers with hostnames "proxy_auth" and "user1" in your local DNS.
>
> Also, the myip ACL is deprecated because it matched different things
> based on the traffic type. myportname or localip ACLs are better if you
> need to do this at all. Your "squid -k parse" config checks should warn
> you about that.
>
> Amos
>
>
> --
>
> Message: 2
> Date: Sun, 18 Jun 2017 16:53:15 -0600
> From: Alex Rousskov <rouss...@measurement-factory.com>
> To: meym <m...@nym.mixmin.net>, Squid Users
> <squid-users@lists.squid-cache.org>
> Subject: Re: [squid-users] squid 4.0.20 does not recognize ssl-bump
> option.
> Message-ID:
> <9e834f7b-b20b-2cb5-e439-3fa0eaf12...@measurement-factory.com>
> Content-Type: te

Re: [squid-users] Squid authentication problem

2017-06-18 Thread Amos Jeffries


On 18/06/17 17:50, Sonya Roy wrote:

Hi,

I am running squid on a server with multiple public IPs and I want 
some users to be able to access the proxy through some of the IPs and 
other users through other IPs.


At the moment I have acl rules of the form:-
acl abcd myip x.x.x.x



What you need is an ACL that compares the username to the IP.





or the new 'extras' feature for authenticators in Squid-3.5 that lets 
them use the IP as part of the auth approval. Though with this the thing 
to be aware of is that the IP becomes like a scope for the user login - 
the wrong IP being used to login from results in re-auth challenge just 
as would be seen if the password was wrong. So use carefully.

 
 


and for these acl rules I have these tcp_outgoing_address:-
tcp_outgoing_address x.x.x.x abcd



Why limit the outgoing? in HTTP that is independent to the incoming 
connection and restricting it will lower performance.


And earlier I had proxy_auth acl rules separately, but that allowed 
any authenticated users to be able to access the proxy through any of 
those IPs. Since I wanted some users to be able to use the server 
through some IPs and others through different IPs, I tried this in 
those acl rules:-


acl abcd myip x.x.x.x proxy_auth user1


FTR: that will match the IP address x.x.x.x and the IP address(es) of 
the servers with hostnames "proxy_auth" and "user1" in your local DNS.


Also, the myip ACL is deprecated because it matched different things 
based on the traffic type. myportname or localip ACLs are better if you 
need to do this at all. Your "squid -k parse" config checks should warn 
you about that.


Amos


[squid-users] Squid authentication problem

2017-06-17 Thread Sonya Roy
Hi,

I am running squid on a server with multiple public IPs and I want some
users to be able to access the proxy through some of the IPs and other
users through other IPs.

At the moment I have acl rules of the form:-
acl abcd myip x.x.x.x

and for these acl rules I have these tcp_outgoing_address:-
tcp_outgoing_address x.x.x.x abcd

And earlier I had proxy_auth acl rules separately, but that allowed any
authenticated users to be able to access the proxy through any of those
IPs. Since I wanted some users to be able to use the server through some
IPs and others through different IPs, I tried this in those acl rules:-

acl abcd myip x.x.x.x proxy_auth user1

and so on. But this doesn't seem to work and I realized that the proxy_auth
acl rules need to be separate than these. Is there any workaround for this?

With regards,
Sonya Roy


Re: [squid-users] Squid Authentication if URL is on a Blacklist from SquidGuard

2017-04-06 Thread Amos Jeffries
On 5/04/2017 7:48 p.m., CrossfireAUT wrote:
> /If you have such a thing as AD and the ability to push Group Policy to
> the users there is no need to avoid authentication./
> 
> I have a running AD on Ubuntu 16.04 with samba4.
> 
> 
> /Perhaps the client is actually asking to get away from lots of annoying
> popups the browsers are forcing on them? if that is happening it is a
> strong sign that the authentication system needs fixing. When it works
> there should be zero popups./
> 
> The client gets asked for his username/password everytime he closes & opens
> the browser, while surfing, there are no PopUps so the client can surf
> undisturbed.
> At first, my client wanted to authenticate everytime someone opens & closes
> the browser, now he wants to authenticate ONLY if someone calls up "a bad
> Website".
> 
> 
> 
> /Er, credentials are valid for 2 hours, but the "users" are jumping
> around between IPs every second?
> NP: the authenticate_ip_* stuff is irrelevant unless a maxuserip type
> ACL is being used.
> /
> 
> Thanks, the thing with "authenticate_ip_ttl 1 second" was my fallacy.
> 
> 
> 
> /Funky.
> Have you checked that it is not simply the browser "Password Manager"
> feature requesting access to their machine or AD "Domain login" details?/
> 
> Browsers with "Password-Manager"-Features can save the password, but only
> fill in the saved username and password.
> So you would have to press Enter in order to continue. If you don't use this
> Feature, you will get asked everytime you close & open the browser and have
> to enter it yourself.
> 
> 
> /
> To use SG as requested you need to make an external_acl_type helper that
> receives the same things SG needs and passes them on to it, mapping the
> result back to an OK/ERR result for Squid ACL use.
>  [ IIRC Eliezer has posted a helper that does that to the list . ]
> 
> Then you can do something like:
>   external_acl_type sgMapper ...
>   acl testWithSg external sgMapper
> 
>   http_access allow testWithSG
>   http_access deny !auth
>   ...
> 
> Note that this does not involve the url_rewrite_* API. You can drop that
> entirely. Unless you want some traffic to still be redirected/rewritten
> by SG. In which case you need url_rewrite_access to define which traffic
> SG applies to./
> 
> I have to excuse myself, I'm still a beginner in the world of Squid.
> Thanks for understanding.
> You are right, I don't need to redirect to Blockpages anymore.
> If the user authenticates because he called up a bad url, he should be
> allowed to pass.
> 
> I don't understand that solution, why do I need to make that
> external_acl_type helper?

You need external_acl_type because of that requirement that SG be
used. It is too late to authenticate by the time url_rewrite_helper API
gets consulted. So a complex ACL is needed that does a lookup with SG.
 The external_acl_type helper interface exists for that type of purpose.

You need the special mapping helper only because SG is very outdated
software and no longer maintained. It does not understand the generic
helper syntax Squid uses these days, and only responds with the old
redirect_helper syntax.

The wrapper helper is needed to map that old SG syntax to new OK/ERR
responses that the ACL interface expects.

My answer went that way because you said using SG was a client
requirement. I assumed you could not change that.

FWIW: Any helper which responds using the generic helper syntax
(produces OK/ERR codes) can be used directly in an external_acl_type
directive without the special wrapper SG needs. ufdbGuard is one I
expect could be used like that as a replacement for SG.


> Isn't it the same as my external_acl_type?
> 
> /external_acl_type webusers %LOGIN /usr/lib/squid/ext_ldap_group_acl -b
> "dc=,dc=local" -D testuser@.local -W /etc/squid/squid.secrets -f
> "(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=,dc=local))" -h
> 172.30.0.36

This external_acl_type is a lookup to check the already logged-in users
group membership.

It does not check what SG thinks about the URL (good or bad), or
anything else. Just the group check.


You can have multiple external_acl_type lines. Having one for SG does
not affect the above group one in any way. They are named in that first
parameter so your "acl ... external" lines can reference which helper is
to be sent the lookup by that ACL.


> 
> acl ldapgroup_webusers external webusers webusers
> 
> http_access allow ldapgroup_webusers
> /
> 
> My helpers are working well:
> @-testproxy01:~# /usr/lib/squid/basic_ldap_auth -R -b
> "dc=,dc=local" -D testuser@.local -W /etc/squid/squid.secrets -f
> sAMAccountName=%s -h 172.30.0.36
> testuser 
> OK
> 
> @-testproxy01:~# /usr/lib/squid/ext_ldap_group_acl -b
> "dc=,dc=local" -D testuser@.local -W /etc/squid/squid.secrets -f
> "(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=,dc=local))" -h
> 172.30.0.36
> testuser webusers
> OK
> 
> How can I match the requested URL against the 

Re: [squid-users] Squid Authentication if URL is on a Blacklist from SquidGuard

2017-04-05 Thread CrossfireAUT
/If you have such a thing as AD and the ability to push Group Policy to
the users there is no need to avoid authentication./

I have a running AD on Ubuntu 16.04 with samba4.


/Perhaps the client is actually asking to get away from lots of annoying
popups the browsers are forcing on them? If that is happening it is a
strong sign that the authentication system needs fixing. When it works
there should be zero popups./

The client gets asked for his username/password every time he closes & opens
the browser, while surfing, there are no PopUps so the client can surf
undisturbed.
At first, my client wanted to authenticate every time someone opens & closes
the browser, now he wants to authenticate ONLY if someone calls up "a bad
Website".



/Er, credentials are valid for 2 hours, but the "users" are jumping
around between IPs every second?
NP: the authenticate_ip_* stuff is irrelevant unless a maxuserip type
ACL is being used.
/

Thanks, the thing with "authenticate_ip_ttl 1 second" was my fallacy.



/Funky.
Have you checked that it is not simply the browser "Password Manager"
feature requesting access to their machine or AD "Domain login" details?/

Browsers with "Password-Manager"-Features can save the password, but only
fill in the saved username and password.
So you would have to press Enter in order to continue. If you don't use this
Feature, you will get asked every time you close & open the browser and have
to enter it yourself.


/
To use SG as requested you need to make an external_acl_type helper that
receives the same things SG needs and passes them on to it, mapping the
result back to an OK/ERR result for Squid ACL use.
 [ IIRC Eliezer has posted a helper that does that to the list . ]

Then you can do something like:
  external_acl_type sgMapper ...
  acl testWithSg external sgMapper

  http_access allow testWithSG
  http_access deny !auth
  ...

Note that this does not involve the url_rewrite_* API. You can drop that
entirely. Unless you want some traffic to still be redirected/rewritten
by SG. In which case you need url_rewrite_access to define which traffic
SG applies to./

I have to excuse myself, I'm still a beginner in the world of Squid.
Thanks for understanding.
You are right, I don't need to redirect to Blockpages anymore.
If the user authenticates because he called up a bad url, he should be
allowed to pass.

I don't understand that solution, why do I need to make that
external_acl_type helper?
Isn't it the same as my external_acl_type?

/external_acl_type webusers %LOGIN /usr/lib/squid/ext_ldap_group_acl -b
"dc=,dc=local" -D testuser@.local -W /etc/squid/squid.secrets -f
"(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=,dc=local))" -h
172.30.0.36

acl ldapgroup_webusers external webusers webusers

http_access allow ldapgroup_webusers
/

My helpers are working well:
@-testproxy01:~# /usr/lib/squid/basic_ldap_auth -R -b
"dc=,dc=local" -D testuser@.local -W /etc/squid/squid.secrets -f
sAMAccountName=%s -h 172.30.0.36
testuser 
OK

@-testproxy01:~# /usr/lib/squid/ext_ldap_group_acl -b
"dc=,dc=local" -D testuser@.local -W /etc/squid/squid.secrets -f
"(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=,dc=local))" -h
172.30.0.36
testuser webusers
OK

How can I match the requested URL against the Blacklists without SquidGuard?
I still need to match it against the Blacklist, and then it has to get
decided if he needs to authenticate or not.

Thanks for answering!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Authentication-if-URL-is-on-a-Blacklist-from-SquidGuard-tp4681950p4681995.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid Authentication if URL is on a Blacklist from SquidGuard

2017-04-04 Thread Amos Jeffries
On 31/03/2017 9:22 p.m., CrossfireAUT wrote:
> Hello Squid-Community!
> 
> I need your help with a rather non-standard config.
> My aim is as following:
> -> Users that use my proxy (will deploy it via group policy in AD) should be
> able to use my proxy without authentication

If you have such a thing as AD and the ability to push Group Policy to
the users there is no need to avoid authentication.

Perhaps the client is actually asking to get away from lots of annoying
popups the browsers are forcing on them? If that is happening it is a
strong sign that the authentication system needs fixing. When it works
there should be zero popups.


> -> if a user invokes SquidGuard (he wants to call up a URL on my
> blacklists), he should get prompted for his username and password
> -> only users of the AD-group webusers should be able to continue and go to
> this site on the blacklist
> I know, it isn't the best way to use SquidGuard, but a customer wants it
> that way.

Ewww. Okay. See below


> 
> My current config is as following:
> auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b
> "dc=,dc=local" -D testuser@.local -W /etc/squid/squid.secrets -f
> sAMAccountName=%s -h 172.30.0.36
> auth_param basic children 10
> auth_param basic realm 
> auth_param basic credentialsttl 2 hours
> 
> external_acl_type webusers %LOGIN /usr/lib/squid/ext_ldap_group_acl -b
> "dc=,dc=local" -D testuser@.local -W /etc/squid/squid.secrets -f
> "(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=,dc=local))" -h
> 172.30.0.36
> 
> authenticate_ip_ttl 1 second
> 

Er, credentials are valid for 2 hours, but the "users" are jumping
around between IPs every second?

NP: the authenticate_ip_* stuff is irrelevant unless a maxuserip type
ACL is being used.

> 
> acl auth proxy_auth REQUIRED
> acl no_webusers dstdomain ..at
> acl ldapgroup_webusers external webusers webusers
> 
> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> 
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> 
> http_access deny !auth
> http_access allow no_webusers
> 
> http_access allow ldapgroup_webuser
> 
> http_access deny all
> 
> http_port 3128
> 
> 
> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> url_rewrite_children 4
> 
> 
> 
> 
> So my users get prompted for their username/passwords every time they restart
> their browser.

Funky.
 Have you checked that it is not simply the browser "Password Manager"
feature requesting access to their machine or AD "Domain login" details?

I have seen a few computer-illiterate people confuse their browser
"master password" as some form of password associated with their default
homepage website. This can be particularly bad when the homepage is set
to some popular social media site or search engine.


> If they call up a domain on my blacklists, they get ACCESS DENIED.
> 
> Does anyone know how you can achieve this?
> Until now, I tried really hard, thought it would be a good idea to ask the
> user-list!

So ignoring SG for now the problem is a matter of access control. That
means the right way to do it is with ACLs in http_access.


To use SG as requested you need to make an external_acl_type helper that
receives the same things SG needs and passes them on to it, mapping the
result back to an OK/ERR result for Squid ACL use.
 [ IIRC Eliezer has posted a helper that does that to the list . ]

Then you can do something like:
  external_acl_type sgMapper ...
  acl testWithSg external sgMapper

  http_access allow testWithSG
  http_access deny !auth
  ...

Note that this does not involve the url_rewrite_* API. You can drop that
entirely. Unless you want some traffic to still be redirected/rewritten
by SG. In which case you need url_rewrite_access to define which traffic
SG applies to.

Amos
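
The wrapper helper described in this reply, sketched as an added example (not code from the thread, nor the helper Eliezer posted). It assumes the lookup is configured as `%URI %SRC %METHOD` without concurrency channel IDs and that the redirector answers a blank line when it leaves the URL alone; the script path, the format codes chosen and `ConstructedRedirector` are hypothetical.

```python
#!/usr/bin/env python3
# Added example (not from the thread): an external_acl_type wrapper that
# relays each lookup to an old-style redirector and answers Squid with OK/ERR.
#
# Assumed squid.conf wiring, written on one line in the real file:
#   external_acl_type sgMapper concurrency=0 %URI %SRC %METHOD
#       /path/to/sg_wrapper.py /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
#   acl testWithSg external sgMapper
import subprocess
import sys
from urllib.parse import urlsplit


def to_redirector_line(acl_line):
    """Map Squid's '%URI %SRC %METHOD' lookup to 'URL ip/fqdn ident method'."""
    fields = acl_line.split()
    if len(fields) != 3:
        raise ValueError("expected URI, SRC and METHOD, got %r" % acl_line)
    url, src, method = fields
    # fqdn and ident are unknown to this wrapper, so both are sent as "-".
    return "%s %s/- - %s" % (url, src, method)


def map_reply(reply):
    """A blank reply means the redirector left the URL alone (not listed)."""
    return "OK" if reply.strip() == "" else "ERR"


class SubprocessRedirector:
    """Keeps one redirector child running and does line-at-a-time lookups."""

    def __init__(self, argv):
        self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True, bufsize=1)

    def ask(self, line):
        self.proc.stdin.write(line + "\n")
        self.proc.stdin.flush()
        reply = self.proc.stdout.readline()
        if reply == "":                      # EOF: the child has exited
            raise EOFError("redirector closed its output")
        return reply.rstrip("\r\n")


class ConstructedRedirector:
    """Constructed stand-in for the redirector so the demo runs offline."""

    def __init__(self, blocked_hosts):
        self.blocked = set(blocked_hosts)

    def ask(self, line):
        url, rest = line.split(" ", 1)
        if urlsplit(url).hostname in self.blocked:
            return "http://blockpage.invalid/ " + rest   # old-style rewrite reply
        return ""                                        # blank line: no change


def answer(acl_line, redirector):
    """One Squid lookup in, one OK/ERR out.

    Any failure (malformed lookup, dead redirector) answers ERR, so the
    request falls through to the 'http_access deny !auth' rule instead of
    being allowed without authentication.
    """
    try:
        return map_reply(redirector.ask(to_redirector_line(acl_line)))
    except (ValueError, OSError, EOFError):
        return "ERR"


def serve(redirector, stdin=sys.stdin, stdout=sys.stdout):
    """Helper main loop: Squid writes one lookup per line and waits."""
    for line in stdin:
        stdout.write(answer(line, redirector) + "\n")
        stdout.flush()       # never leave a reply sitting in a buffer


def demo():
    """Run three constructed lookups against the stand-in redirector."""
    sg = ConstructedRedirector({"bad.example"})
    lookups = ["http://good.example/ 172.30.0.50 GET",
               "http://bad.example/x 172.30.0.50 GET",
               "truncated-line"]
    return [answer(lookup, sg) for lookup in lookups]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        serve(SubprocessRedirector(sys.argv[1:]))   # argv = redirector command
    else:
        print(demo())
```

With this mapping, `http_access allow testWithSg` lets unlisted URLs through unauthenticated, and everything answered ERR reaches the authentication rule that follows it.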



[squid-users] Squid Authentication if URL is on a Blacklist from SquidGuard

2017-03-31 Thread CrossfireAUT
Hello Squid-Community!

I need your help with a rather non-standard config.
My aim is as following:
-> Users that use my proxy (will deploy it via group policy in AD) should be
able to use my proxy without authentication
-> if a user invokes SquidGuard (he wants to call up a URL on my
blacklists), he should get prompted for his username and password
-> only users of the AD-group webusers should be able to continue and go to
this site on the blacklist
I know, it isn't the best way to use SquidGuard, but a customer wants it
that way.

My current config is as following:
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b
"dc=,dc=local" -D testuser@.local -W /etc/squid/squid.secrets -f
sAMAccountName=%s -h 172.30.0.36
auth_param basic children 10
auth_param basic realm 
auth_param basic credentialsttl 2 hours

external_acl_type webusers %LOGIN /usr/lib/squid/ext_ldap_group_acl -b
"dc=,dc=local" -D testuser@.local -W /etc/squid/squid.secrets -f
"(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=,dc=local))" -h
172.30.0.36

authenticate_ip_ttl 1 second




acl auth proxy_auth REQUIRED
acl no_webusers dstdomain ..at
acl ldapgroup_webusers external webusers webusers

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

http_access deny !auth
http_access allow no_webusers

http_access allow ldapgroup_webuser

http_access deny all

http_port 3128


url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 4




So my users get prompted for their username/passwords every time they restart
their browser.
If they call up a domain on my blacklists, they get ACCESS DENIED.

Does anyone know how you can achieve this?
Until now, I tried really hard, thought it would be a good idea to ask the
user-list!

Regards,
Kevin



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Authentication-if-URL-is-on-a-Blacklist-from-SquidGuard-tp4681950.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] Squid Authentication with HTTP REST API

2017-03-21 Thread Amos Jeffries
On 20/03/2017 7:49 p.m., Serhat Koroglu wrote:
> Sorry for late reply.
> 
> I have find a suitable solution for validation through a http web
> service. Here tells developing custom helper even using php:
> http://freesoftwaremagazine.com/articles/authentication_with_squid/
> That's nice.
> 
> 
> Then I know there is  authentication with oauth2 for squid-server.
> But you may be know, in oauth2 authentication, you must authorize the
> app using user's credentials e.g. facebook username and password.
> When this oauth2 method is used, your app must redirect to the oauth2
> service to authorize your app.
> 
> 
> You may had used many web sites like that with facebook login. So my
> question is how may squid server do this redirect  and authorization
> process using a third party oauth2 service? Squid asks username and
> password with web browser popup. Is there any example to this?

No, this is absolutely *not* how Squid asks for authentication.

Squid "asks" by telling the client that authentication credentials are
needed and listing the schemes that it will accept credentials for.
*Some* clients (eg Browsers) decide all on their own to use a popup to
annoy the user if they cannot supply any of those credential types
automatically. How they try to get them (or not) is way outside and
irrelevant to Squid.

For OAuth2 Squid just needs to support the Bearer authentication scheme,
and a helper to verify the credentials token which the client/browser
sends back.

Amos



Re: [squid-users] Squid Authentication with HTTP REST API

2017-03-21 Thread Amos Jeffries
On 20/03/2017 9:27 p.m., Eliezer  Croitoru wrote:
> Hey Serhat,
> 
> The right way to support OAUTH2 or any similar idea would be using an ICAP
> service or ECAP module(to my knowledge).

Sigh. Another perfect example of how giving us incorrect information
results in bad answers.

OAuth2 is an actual standard authentication scheme with defined HTTP
features, not "a custom XML Web Service or HTTP REST API" which Serhat
was asking for earlier.

The proper way to implement OAuth2 is with the Bearer authentication
scheme. I did that implementation years ago right after Oauth2 Bearer
was standardized, but it did not get merged because nobody was using it
with proxies at the time and the final polish was going to be hard.

The patch (for an early 3.5) can be found at
 and
 the
documentation for using it in a patched squid. If you want to sponsor
the work Serhat I would be happy to update it to current releases.

HTH
Amos



Re: [squid-users] Squid Authentication with HTTP REST API

2017-03-20 Thread Eliezer Croitoru
Hey Serhat,

The right way to support OAUTH2 or any similar idea would be using an ICAP
service or ECAP module(to my knowledge).
There might be a way to do it using an external_acl helper but I do not know
how and if it would be possible.

To my understanding OAUTH2 will use some redirection when a cookie is not
present and if present and valid then it will let you pass.
Also it will have a special token "portal" api which the OAUTH2 will redirect
towards in order to get the cookie from the origin service.
In the backend when the request from the client to the api with the key will
be done the client token will be revalidated in the background
against the facebook or google or another OAUTH2 provider using the
developer API key.

Eliezer


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: Serhat Koroglu [mailto:serhatkoro...@outlook.com] 
Sent: Monday, March 20, 2017 8:49 AM
To: Eliezer Croitoru <elie...@ngtech.co.il>;
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid Authentication with HTTP REST API

Sorry for late reply.
I have find a suitable solution for validation through a http web service.
Here tells developing custom helper even using
php: http://freesoftwaremagazine.com/articles/authentication_with_squid/
That's nice.

Then I know there is  authentication with oauth2 for squid-server. But you
may be know, in oauth2 authentication, you must authorize the app using
user's credentials e.g. facebook username and password. When this oauth2
method is used, your app must redirect to the oauth2 service to authorize
your app. 

You may had used many web sites like that with facebook login. So my
question is how may squid server do this redirect  and authorization process
using a third party oauth2 service? Squid asks username and password with
web browser popup. Is there any example to this? 

Regards,
Serhat.

From: Eliezer Croitoru <mailto:elie...@ngtech.co.il>
Sent: Wednesday, March 15, 2017 12:01:15 PM
To: 'Serhat Koroglu'
Cc: mailto:squid-users@lists.squid-cache.org
Subject: RE: [squid-users] Squid Authentication with HTTP REST API 
 
Hey Serhat,(first name right?)

From what I understand you have a specific case.
Today the squid project doesn't have an example on how to implement such a
solution.
I am willing to write an example for such a use case.
If you are willing to give me some of the details privately I would be able
to put up together an ICAP server as an example.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: mailto:elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
Behalf Of Amos Jeffries
Sent: Wednesday, March 15, 2017 4:04 AM
To: mailto:squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid Authentication with HTTP REST API

On 14/03/2017 8:15 p.m., Serhat Koroglu wrote:
> Hello,
> 
> Is there any possibility implementing an authentication through a custom
> XML Web Service or HTTP REST API? What should I check?
> 

Squid supports the HTTP authentication framework (RFC 7235
<https://tools.ietf.org/html/rfc7235>). Squid is intentionally designed
not to touch the message payloads.

If the API uses custom headers then you can possibly do it with an
external_acl_type helper that takes those headers and returns
credentials to Squid.

But, if the API uses message payloads you will likely need something
like an ICAP service or eCAP module to do the payload processing.


Amos



Re: [squid-users] Squid Authentication with HTTP REST API

2017-03-20 Thread Serhat Koroglu
Sorry for late reply.

I have find a suitable solution for validation through a http web service. Here 
tells developing custom helper even using php: 
http://freesoftwaremagazine.com/articles/authentication_with_squid/ That's nice.


Then I know there is  authentication with oauth2 for squid-server. But you may 
be know, in oauth2 authentication, you must authorize the app using user's 
credentials e.g. facebook username and password. When this oauth2 method is 
used, your app must redirect to the oauth2 service to authorize your app.


You may had used many web sites like that with facebook login. So my question 
is how may squid server do this redirect  and authorization process using a 
third party oauth2 service? Squid asks username and password with web browser 
popup. Is there any example to this?


Regards,

Serhat.


From: Eliezer Croitoru <elie...@ngtech.co.il>
Sent: Wednesday, March 15, 2017 12:01:15 PM
To: 'Serhat Koroglu'
Cc: squid-users@lists.squid-cache.org
Subject: RE: [squid-users] Squid Authentication with HTTP REST API

Hey Serhat,(first name right?)

From what I understand you have a specific case.
Today the squid project doesn't have an example on how to implement such a 
solution.
I am willing to write an example for such a use case.
If you are willing to give me some of the details privately I would be able to 
put up together an ICAP server as an example.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Wednesday, March 15, 2017 4:04 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid Authentication with HTTP REST API

On 14/03/2017 8:15 p.m., Serhat Koroglu wrote:
> Hello,
>
> Is there any possibility implementing an authentication through a custom XML 
> Web Service or HTTP REST API? What should I check?
>

Squid supports the HTTP authentication framework (RFC 7235
<https://tools.ietf.org/html/rfc7235>). Squid is intentionally designed
not to touch the message payloads.

If the API uses custom headers then you can possibly do it with an
external_acl_type helper that takes those headers and returns
credentials to Squid.

But, if the API uses message payloads you will likely need something
like an ICAP service or eCAP module to do the payload processing.


Amos



Re: [squid-users] Squid Authentication with HTTP REST API

2017-03-15 Thread Eliezer Croitoru
Hey Serhat,(first name right?)

From what I understand you have a specific case.
Today the squid project doesn't have an example on how to implement such a 
solution.
I am willing to write an example for such a use case.
If you are willing to give me some of the details privately I would be able to 
put up together an ICAP server as an example.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Wednesday, March 15, 2017 4:04 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid Authentication with HTTP REST API

On 14/03/2017 8:15 p.m., Serhat Koroglu wrote:
> Hello,
> 
> Is there any possibility implementing an authentication through a custom XML 
> Web Service or HTTP REST API? What should I check?
> 

Squid supports the HTTP authentication framework (RFC 7235
<https://tools.ietf.org/html/rfc7235>). Squid is intentionally designed
not to touch the message payloads.

If the API uses custom headers then you can possibly do it with an
external_acl_type helper that takes those headers and returns
credentials to Squid.

But, if the API uses message payloads you will likely need something
like an ICAP service or eCAP module to do the payload processing.


Amos



Re: [squid-users] Squid Authentication with HTTP REST API

2017-03-14 Thread Amos Jeffries
On 14/03/2017 8:15 p.m., Serhat Koroglu wrote:
> Hello,
> 
> Is there any possibility implementing an authentication through a custom XML 
> Web Service or HTTP REST API? What should I check?
> 

Squid supports the HTTP authentication framework (RFC 7235
<https://tools.ietf.org/html/rfc7235>). Squid is intentionally designed
not to touch the message payloads.

If the API uses custom headers then you can possibly do it with an
external_acl_type helper that takes those headers and returns
credentials to Squid.

But, if the API uses message payloads you will likely need something
like an ICAP service or eCAP module to do the payload processing.


Amos



[squid-users] Squid Authentication with HTTP REST API

2017-03-14 Thread Serhat Koroglu
Hello,

Is there any possibility implementing an authentication through a custom XML Web 
Service or HTTP REST API? What should I check?




[squid-users] Squid Authentication - Problems

2016-09-04 Thread Marcio Demetrio Bacci
Hi

I have tried to use only Kerberos authentication, but it didn't work! I have
already used the 3 ways below:

1) auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth
2) auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s
GSS_C_NO_NAME -i
3) auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s
HTTP/proxy.cms.ensino...@cms.ensino.br

Now, kerberos and NTLM together is OK with Windows workstations, but with
Linux the message appears in my Browser: "cache denied access".
Thus, I have used the basic_ldap_auth to Linux machines.

The following is the authentication block of my squid.conf:

### Kerberos and NTLM ###
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d
--ntlm /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=CMS --kerberos
/usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

### LDAP ###
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b
DC=cms,DC=ensino,DC=br -D CN=proxy,CN=Users,DC=cms,DC=ensino,DC=br -w
passwd -h 192.168.200.25 -p 389 -s sub -v 3 -f "sAMAccountName=%s"
auth_param basic children 50
auth_param basic realm "Acesso Monitorado - CMS"
auth_param basic credentialsttl 8 hours
auth_param basic casesensitive off

Now I would like to identify groups of the users (admins, managers and
domain users) to create access profiles. How can I do this?
ext_ldap_group_acl or ext_kerberos_ldap_group_acl ?

Regards,
Márcio


Re: [squid-users] Squid Authentication

2016-08-15 Thread Amos Jeffries
On 15/08/2016 10:19 p.m., Marcio Demetrio Bacci wrote:
> In my network I have Windows and Linux computers.
> I tried the NTLM authentication method, but am experiencing many problems.

FYI, Microsoft deprecated NTLM in 2006 and all software produced by them
since has been migrating towards Kerberos-only support. Since that is a
decade ago you can expect a lot of trouble with recent Windows machines
doing NTLM-only auth.

Try Negotiate/Kerberos authentication instead. It does all the things
NTLM claimed to provide, faster and in a more secure way.


> So I wonder if the authentication method "squid_ldap_auth" is designed for
> Windows and Linux stations?
> 

The auth helper is just a way of connecting Squid to the auth backend
system. In your case probably AD, right?

Any of the helpers that run on the Squid machine OS and connect to AD
will "work" as they are designed to - but that says nothing about
whether they suit your setup needs.

The LDAP helper you mention runs on Linux or BSD and connects to AD
using the LDAP database protocol. That is all. AFAIK, unless things have
changed recently AD itself restricts the LDAP interface to only
servicing Basic authentication credentials or group checks.


PS. if that is the helper installed with your Squid then you need to
upgrade. That has not been the official helper name since Squid-3.1
which is long ago deprecated.

Amos



[squid-users] Squid Authentication

2016-08-15 Thread Marcio Demetrio Bacci
In my network I have Windows and Linux computers.
I tried the NTLM authentication method, but am experiencing many problems.
So I wonder if the authentication method "squid_ldap_auth" is designed for
Windows and Linux stations?

Regards,

Márcio


Re: [squid-users] Squid Authentication with Window AD

2016-03-18 Thread Amos Jeffries
On 16/03/2016 10:25 p.m., vibhorsaraswat wrote:
> Hello All,
> 
> I am getting the below error during authentication, can any one helo me
> 

EHLO.

> 
> wbinfo -a auth_squi
> Enter auth_squid's password:
> plaintext password authentication failed
> Could not authenticate user auth_squid with plaintext password
> Enter auth_squid's password:
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind separator!

That seems pretty clear. wbinfo cannot understand the credentials you
gave it.

Since this is a Windows auth system you need to pass it Windows format
credentials.

NTLM:  DOMAIN\user
Negotiate:  user@DOMAIN


> challenge/response password authentication failed
> Could not authenticate user auth_squid with challenge/response
> 


Amos



Re: [squid-users] Squid Authentication with Window AD

2016-03-16 Thread vibhorsaraswat
Hello,

Can anyone help me.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Authentication-with-Window-AD-tp4676708p4676709.html
Sent from the Squid - Users mailing list archive at Nabble.com.


[squid-users] Squid Authentication with Window AD

2016-03-16 Thread vibhorsaraswat
Hello All,

I am getting the below error during authentication, can any one helo me


wbinfo -a auth_squi
Enter auth_squid's password:
plaintext password authentication failed
Could not authenticate user auth_squid with plaintext password
Enter auth_squid's password:
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind separator!
challenge/response password authentication failed
Could not authenticate user auth_squid with challenge/response





Re: [squid-users] squid authentication mechs

2015-12-16 Thread Amos Jeffries
On 17/12/2015 5:35 a.m., Eugene M. Zheganin wrote:
> Hi.
> 
> Is there a way to limit the number of available authentication
> mechanisms (for a client browser) basing on certain squid IP which this
> browser connects to, like, using http_port configuration directive ? For
> example this is needed when one needs to allow the non-domain machines to
> pass through authentication/authorization checks using squid with
> full-fledged AD integration (or Kerberos/NTLM, anyway), otherwise they
> are unable to do it. Once they were, for example using Chrome < 41, but
> since >41 Chrome has removed all the options to exclude certain
> authentication methods from its CLI sequence (I still wonder what a
> genius proposed this).

Theoretically the client browser is fully aware of what credentials it
can use for what schemes (Kerberos, Basic, NTLM, Digest [in that order of
security]). And also for remembering which credentials worked or failed
on previous attempts with the offered schemes.

So there is no need to filter them at the proxy. *It* is perfectly able
to authenticate any credentials it gets given using any of the schemes
it is offering. You just happen to not like the outcome when validation
prevents login.


> 
> If not (and I believe there isn't) could this message be treated as a
> feature request ?

It has been a feature request for years to allow ACL control of auth
schemes offered. I even have a design plan laid out for implementing it.
But nobody seems to want it enough to sponsor the addition (if you do
please contact me directly to discuss).

I am specifically waiting for sponsorship on this one because it needs
someone with an actual use-case and implementation to test that it works
properly with Negotiate and NTLM.

Otherwise please open a feature request bug to track the status and get
notification when somebody does get around to adding it.

Amos



[squid-users] squid authentication mechs

2015-12-16 Thread Eugene M. Zheganin

Hi.

Is there a way to limit the number of available authentication 
mechanisms (for a client browser) basing on certain squid IP which this 
browser connects to, like, using http_port configuration directive ? For 
example this is needed when one needs to allow the non-domain machines to 
pass through authentication/authorization checks using squid with 
full-fledged AD integration (or Kerberos/NTLM, anyway), otherwise they 
are unable to do it. Once they were, for example using Chrome < 41, but 
since >41 Chrome has removed all the options to exclude certain 
authentication methods from its CLI sequence (I still wonder what a 
genius proposed this).


If not (and I believe there isn't) could this message be treated as a 
feature request ?


Thanks.
Eugene.


Re: [squid-users] squid authentication to remote sql server

2015-02-12 Thread snakeeyes
:16.301 kid1| AsyncCallQueue.cc(55) fireNext: entering 
MaintainSwapSpace()
2015/02/12 22:46:16.301 kid1| AsyncCall.cc(38) make: make call 
MaintainSwapSpace [call156]
2015/02/12 22:46:16.302 kid1| event.cc(322) schedule: schedule: Adding 
'MaintainSwapSpace', in 1.00 seconds
2015/02/12 22:46:16.302 kid1| AsyncCallQueue.cc(57) fireNext: leaving 
MaintainSwapSpace()




Again I put the user/pwd in my browser with no luck , each time it refuses my 
connection .

Here is access.log :
1423799039.114   1072 192.168.1.6 TCP_DENIED/407 4197 CONNECT developer.mozilla.org:443 nikesh HIER_NONE/- text/html
1423799152.251    117 192.168.1.6 TCP_DENIED/407 4097 GET http://yahoo.com/ - HIER_NONE/- text/html
1423799173.404   1143 192.168.1.6 TCP_DENIED/407 4200 GET http://yahoo.com/ nikesh HIER_NONE/- text/html
1423799270.459   1556 192.168.1.6 TCP_DENIED/407 4194 GET http://yahoo.com/ nikesh HIER_NONE/- text/html

Any help ??

Should I try more ?






-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Tuesday, February 10, 2015 1:58 PM
To: snakeeyes; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid authentication to remote sql server

On 11/02/2015 8:40 p.m., snakeeyes wrote:
> Hi amos
> I added squid/squid in the table
> 
> mysql> show tables
>     -> ;
> +-----------------+
> | Tables_in_squid |
> +-----------------+
> | passwd          |
> +-----------------+
> 1 row in set (0.00 sec)
> 
> mysql> select * from passwd;
> +--------+----------+---------+-----------+---------------------+
> | user   | password | enabled | fullname  | comment             |
> +--------+----------+---------+-----------+---------------------+
> | Nikesh | test     |       1 | Test User | for testing purpose |
> | squid  | squid    |       1 | Test User | for testing purpose |
> +--------+----------+---------+-----------+---------------------+
> 2 rows in set (0.00 sec)
> 
> mysql>
> 
> still has same error ?
> 
> how can u help me ?
> login with md5 or wt ??
> 

Try renaming the password column.
 - rename it in the DB, change the squid.conf helper parameter, then reload 
squid config.


Perhaps show us what you are entering on the command line test for username 
and password?

Perhaps try using the --debug option? to get the helper to record in cache log 
(or on screen for the manual tests).

Amos



Re: [squid-users] squid authentication , ACL select from databse SQL , is that possible ?

2015-02-11 Thread squid-list

Hi,

You can authenticate user and password from sql database using the 
helper squid_db_auth.


But, allowing website for corresponding user by storing in db is not 
possible. You can use various ACLs to control the site access for the 
individual users.


Instead of storing website in particular column in db, you can store it 
in separate txt file and can control the site access of the users.


Squid will support user defined helper. If it is necessary to verify site 
from db, you can create your own helper as per your requirement and you 
can use it. If you need any customization assistance, you can contact 
us (sq...@visolve.com).


Regards,
Siva Prakash
ViSolve Squid Team

On 02/12/2015 06:25 AM, snakeeyes wrote:


Hi

I need to do many operations :

I need squid with sql with the following needs :

1-Squid authenticate user/pwd from sql database.

2-Then if authentication was okay  , then I need to see that username 
logged in and go to sql database and select from there a column with the 
websites correspond to that user


3-Then I will do access list that permit the websites domain name only 
for that user based on info from sql.


Is that possible with squid ?

I'm using last squid stable version 3.5.1 and hope it be okay .

cheers





Re: [squid-users] squid authentication to remote sql server

2015-02-10 Thread Ahmad
Thank you amos , I fixed the table thing , but I have new error now :

/lib/squid/basic_db_auth --dsn 
DBI:mysql:host=x.xx..189.177;port=3306;database=squid --user squid 
--password squid --table passwd --usercol user --passwdcol password 
--cond  --plaintext

ERR unknown login
ERR unknown login
ERR unknown login
ERR unknown login
ERR unknown login


Wt do u think ??
Mysql issue ?


-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Tuesday, February 10, 2015 12:42 PM
To: Ahmad; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid authentication to remote sql server

Replying again because I missed the --table parameter value earlier.


On 11/02/2015 7:24 p.m., Ahmad wrote:
> Thank you amos , but I have an issue with connection :
> 
> 
> mysql> select * from  passwd;


=== notice the TABLE NAME.

> +--------+----------+---------+-----------+---------------------+
> | user   | password | enabled | fullname  | comment             |
> +--------+----------+---------+-----------+---------------------+
> | Nikesh | test     |       1 | Test User | for testing purpose |
> +--------+----------+---------+-----------+---------------------+
> 1 row in set (0.00 sec)
> 
> now on the squid box , I do the connection below :
> 
> here is the connection from remote squid:
> /lib/squid/basic_db_auth --dsn DBI:mysql:database=squid:host=x.x189.177 \

blah. blah about semi-colons from both of my earlier posts..


> --user squid --password squid --table user

==  notice the TABLE NAME

> --usercol user --passwdcol password 


> --cond  --plaintext
> 

You have an enabled column in the table for disabling peoples accounts. The 
default --cond is fine.

> 
> DBD::mysql::st execute failed: Table 'squid.user' doesn't exist at 
> /lib/squid/basic_db_auth line 215,  line 1.
> DBD::mysql::st execute failed: MySQL server has gone away at 
> /lib/squid/basic_db_auth line 218,  line 1.
> ERR database error

Because TABLE NAME.

Amos



Re: [squid-users] squid authentication to remote sql server

2015-02-10 Thread Amos Jeffries
On 11/02/2015 8:17 p.m., Ahmad wrote:
> Thank you amos , I fixed the table thing , but I have new error now :
> 
> /lib/squid/basic_db_auth --dsn 
> DBI:mysql:host=x.xx..189.177;port=3306;database=squid --user squid 
> --password squid --table passwd --usercol user --passwdcol password 
> --cond  --plaintext
> 
> ERR unknown login
> ERR unknown login
> ERR unknown login
> ERR unknown login
> ERR unknown login
> 
> 
> Wt do u think ??
> Mysql issue ?

Input issue. That's a user:password combination being presented that does
not exist in the table.

Though it might be mysql interpreting the password in queries as the
built-in password() function. I renamed that column to token in my
auth DB.

And like Yuri pointed out a DB of passwords in clear-text is not the
greatest of security. At minimum use salted MD5 for the final setup.

Amos
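
The points made in this thread about clear-text passwords, salted hashes and SQL injection, as an added example (not part of any post here and not Squid's basic_db_auth code): a Basic-auth helper check in Python that stores a per-user salt plus a derived token and looks users up with a bound parameter. Assumptions: sqlite3 stands in for MySQL, the `salt` column and the function names are hypothetical, PBKDF2-HMAC-SHA256 is used in place of a single salted hash, and the rows and request lines are constructed test data.

```python
import hashlib
import hmac
import os
import sqlite3
from urllib.parse import unquote

ITERATIONS = 100_000   # assumption: tune to the helper host's CPU budget
SALT_BYTES = 16


def derive(password, salt):
    """Salted, deliberately slow hash of the password (PBKDF2-HMAC-SHA256), hex encoded."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS).hex()


def add_user(db, user, password, enabled=1):
    """Store a random salt and the derived token; the clear-text password is never written."""
    salt = os.urandom(SALT_BYTES)
    db.execute(
        "INSERT INTO passwd (user, salt, token, enabled) VALUES (?, ?, ?, ?)",
        (user, salt.hex(), derive(password, salt), enabled),
    )


def make_db():
    """In-memory stand-in for the thread's `passwd` table, with `token` replacing `password`."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE passwd (user TEXT PRIMARY KEY, salt TEXT NOT NULL,"
        " token TEXT NOT NULL, enabled INTEGER NOT NULL DEFAULT 1)"
    )
    add_user(db, "Nikesh", "test")               # constructed test rows
    add_user(db, "squid", "squid")
    add_user(db, "olduser", "secret", enabled=0)
    return db


def check(db, user, password):
    """True only for an enabled user whose password derives to the stored token."""
    # The username is bound as a parameter, so quotes in it are data, never SQL.
    row = db.execute(
        "SELECT salt, token FROM passwd WHERE user = ? AND enabled = 1", (user,)
    ).fetchone()
    if row is None:
        derive(password, b"\x00" * SALT_BYTES)   # spend similar time for unknown users
        return False
    salt_hex, token = row
    candidate = derive(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, token)  # constant-time comparison


def handle_line(db, line):
    """One request in Squid's Basic helper format: 'user password', both URL-escaped."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR"
    user, password = unquote(parts[0]), unquote(parts[1])
    return "OK" if check(db, user, password) else "ERR"


# Constructed request lines, as Squid would write them to the helper's stdin.
SAMPLE_REQUESTS = [
    "Nikesh test",
    "Nikesh wrong",
    "olduser secret",                 # disabled account
    "%27%20OR%20%271%27%3D%271 x",    # username containing quote characters
]

if __name__ == "__main__":
    database = make_db()
    for request in SAMPLE_REQUESTS:
        print(f"{request!r:35} -> {handle_line(database, request)}")
```

A real helper would loop over `sys.stdin`, write one reply per line and flush after each, and connect to the production database instead of building a table in memory.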


Re: [squid-users] squid authentication to remote sql server

2015-02-10 Thread snakeeyes
Hi amos
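I added squid/squid in the table

mysql> show tables
    -> ;
+-----------------+
| Tables_in_squid |
+-----------------+
| passwd          |
+-----------------+
1 row in set (0.00 sec)

mysql> select * from passwd;
+--------+----------+---------+-----------+---------------------+
| user   | password | enabled | fullname  | comment             |
+--------+----------+---------+-----------+---------------------+
| Nikesh | test     |       1 | Test User | for testing purpose |
| squid  | squid    |       1 | Test User | for testing purpose |
+--------+----------+---------+-----------+---------------------+
2 rows in set (0.00 sec)

mysql>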



still has same error ?



how can u help me ?
login with md5 or wt ??


-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Tuesday, February 10, 2015 1:29 PM
To: Ahmad; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid authentication to remote sql server

On 11/02/2015 8:17 p.m., Ahmad wrote:
> Thank you amos , I fixed the table thing , but I have new error now :
> 
> /lib/squid/basic_db_auth --dsn 
> DBI:mysql:host=x.xx..189.177;port=3306;database=squid --user squid 
> --password squid --table passwd --usercol user --passwdcol 
> password --cond  --plaintext
> 
> ERR unknown login
> ERR unknown login
> ERR unknown login
> ERR unknown login
> ERR unknown login
> 
> 
> Wt do u think ??
> Mysql issue ?

Input issue. That's a user:password combination being presented that does not 
exist in the table.

Though it might be mysql interpreting the password in queries as the built-in 
password() function. I renamed that column to token in my auth DB.

And like Yuri pointed out a DB of passwords in clear-text is not the greatest 
of security. At minimum use salted MD5 for the final setup.

Amos



Re: [squid-users] squid authentication to remote sql server

2015-02-10 Thread Yuri Voinov

Amos, MD5 is insufficient. At minimum, SHA256 with salt. New Oracle RDBMS
uses SHA to store user's password.

And don't forget about SQL Injection and password cracking farms..

11.02.15 3:28, Amos Jeffries wrote:
 On 11/02/2015 8:17 p.m., Ahmad wrote:
 Thank you amos , I fixed the table thing , but I have new error
 now :
 
 /lib/squid/basic_db_auth --dsn
 DBI:mysql:host=x.xx..189.177;port=3306;database=squid --user
 squid --password squid --table passwd --usercol user
 --passwdcol password --cond  --plaintext
 
 ERR unknown login ERR unknown login ERR unknown login ERR unknown
 login ERR unknown login
 
 
 Wt do u think ?? Mysql issue ?
 
 Input issue. Thats a user:password combination being presented that
 does not exist in the table.
 
 Though it might be mysql interpreting the password in queries as
 the built-in password() function. I renamed that column to token
 in my auth DB.
 
 And like Yuri pointed out a DB of passwords in clear-text is not
 the greatest of security. At minimum use salted MD5 for the final
 setup.
 
 Amos ___ squid-users
 mailing list squid-users@lists.squid-cache.org 
 http://lists.squid-cache.org/listinfo/squid-users
 


Re: [squid-users] squid authentication to remote sql server

2015-02-10 Thread Yuri Voinov

(facepalm)


11.02.15 13:40, snakeeyes wrote:
 Hi amos I hadded squi/squid in the table
 
 mysql show tables - ; +-+ | Tables_in_squid | 
 +-+ | passwd  | +-+ 1 row
 in set (0.00 sec)
 
 mysql select * from passwd; 
 ++--+-+---+-+ |
 user   | password | enabled | fullname  | comment | 
 ++--+-+---+-+ |
 Nikesh | test |   1 | Test User | for testing purpose | |
 squid  | squid|   1 | Test User | for testing purpose | 
 ++--+-+---+-+ 2
 rows in set (0.00 sec)
 
 mysql
 
 
 
 still has same error ?
 
 
 
 how can u help me ? login with md5 or wt ??

Of course, no.

 
 
 -Original Message- From: Amos Jeffries
 [mailto:squ...@treenet.co.nz] Sent: Tuesday, February 10, 2015 1:29
 PM To: Ahmad; squid-users@lists.squid-cache.org Subject: Re:
 [squid-users] squid authentication to remote sql server
 
 On 11/02/2015 8:17 p.m., Ahmad wrote:
 Thank you amos , I fixed the table thing , but I have new error
 now :
 
 /lib/squid/basic_db_auth --dsn 
 DBI:mysql:host=x.xx..189.177;port=3306;database=squid --user
 squid --password squid --table passwd --usercol user
 --passwdcol password --cond  --plaintext
 
 ERR unknown login ERR unknown login ERR unknown login ERR unknown
 login ERR unknown login
 
 
 Wt do u think ?? Mysql issue ?
 
 Input issue. Thats a user:password combination being presented that
 does not exist in the table.
 
 Though it might be mysql interpreting the password in queries as
 the built-in password() function. I renamed that column to token
 in my auth DB.
 
 And like Yuri pointed out a DB of passwords in clear-text is not
 the greatest of security. At minimum use salted MD5 for the final
 setup.
 
 Amos
 
 ___ squid-users mailing
 list squid-users@lists.squid-cache.org 
 http://lists.squid-cache.org/listinfo/squid-users
 


Re: [squid-users] squid authentication to remote sql server

2015-02-10 Thread Amos Jeffries

On 11/02/2015 9:35 a.m., Yuri Voinov wrote:
> Wow, it just cannot connect with DB?!
> 

Maybe, maybe not, maybe it's connecting to the localhost instead of
remote (he had a localhost test earlier). I just spotted table names
were different too.

Amos


Re: [squid-users] squid authentication to remote sql server

2015-02-10 Thread Ahmad
Thank you amos , but I have an issue with connection :
Here is my mysql info :

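grant select on squid.* to 'squid'@'%' identified by 'squid';
=
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| squid              |
+--------------------+
3 rows in set (0.00 sec)

mysql> use squid
Database changed
mysql> ;
ERROR: 
No query specified

mysql> show tables;
+-----------------+
| Tables_in_squid |
+-----------------+
| passwd          |
+-----------------+
1 row in set (0.00 sec)

mysql> select from * passwd;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 'from 
* passwd' at line 1
mysql> select * from  passwd;
+--------+----------+---------+-----------+---------------------+
| user   | password | enabled | fullname  | comment             |
+--------+----------+---------+-----------+---------------------+
| Nikesh | test     |       1 | Test User | for testing purpose |
+--------+----------+---------+-----------+---------------------+
1 row in set (0.00 sec)

mysql> show GRANTS FOR 'squid'
    -> ;
+------------------------------------------------------------------------------------------------------+
| Grants for squid@%                                                                                   |
+------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'squid'@'%' IDENTIFIED BY PASSWORD '*AFD42D37182BDB40880BEF624CC64B0F4A1E35B4' |
| GRANT SELECT ON `squid`.* TO 'squid'@'%'                                                             |
+------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql>
===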

now on the squid box , I do the connection below :

here is the connection from remote squid:
/lib/squid/basic_db_auth --dsn DBI:mysql:database=squid:host=x.x189.177 
--user squid --password squid --table user --usercol user --passwdcol 
password --cond  --plaintext





DBD::mysql::st execute failed: Table 'squid.user' doesn't exist at 
/lib/squid/basic_db_auth line 215,  line 1.
DBD::mysql::st execute failed: MySQL server has gone away at 
/lib/squid/basic_db_auth line 218,  line 1.
ERR database error
DBD::mysql::st execute failed: Table 'squid.user' doesn't exist at 
/lib/squid/basic_db_auth line 215,  line 2.
DBD::mysql::st execute failed: MySQL server has gone away at 
/lib/squid/basic_db_auth line 218,  line 2.
ERR database error
DBD::mysql::st execute failed: Table 'squid.user' doesn't exist at 
/lib/squid/basic_db_auth line 215,  line 3.
DBD::mysql::st execute failed: MySQL server has gone away at 
/lib/squid/basic_db_auth line 218,  line 3.
ERR database error
DBD::mysql::st execute failed: Table 'squid.user' doesn't exist at 
/lib/squid/basic_db_auth line 215,  line 4.
DBD::mysql::st execute failed: MySQL server has gone away at 
/lib/squid/basic_db_auth line 218,  line 4.
ERR database error
^C


Selinux , iptables are down on both machines .


Any other things we need to look @  ??

The question is being asked , is it squid or mysql issue??

Wt other thing need to check ?


==
squid -v
Squid Cache: Version 3.5.1
Service Name: squid
configure options:  '--prefix=/usr' '--includedir=/include' 
'--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc' 
'--enable-cachemgr-hostname=drx' '--localstatedir=/var' 
'--libexecdir=/lib/squid' '--disable-maintainer-mode' 
'--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' 
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' 
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' 
'--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth' 
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
 '--enable-ntlm-auth-helpers=smb_lm' 
'--enable-digest-auth-helpers=ldap,password' 
'--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-esi' 
'--disable-translation' '--with-logdir=/var/log/squid' 
'--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=131072' 
'--with-large-files' '--with-default-user=squid' '--enable-linux-netfilter' 
'--enable-ltdl-convenience' '--enable-ssl' '--enable-ssl-crtd' 
'--enable-arp-acl' 'CXXFLAGS=-DMAXTCPLISTENPORTS=2' '--with-openssl' 
'--enable-snmp'
[root@squid ~]#
==

Thanks again for help
-----Original Message-----
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Monday, February 9, 2015 4:15 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid

Re: [squid-users] squid authentication to remote sql server

2015-02-10 Thread Amos Jeffries
On 11/02/2015 7:24 p.m., Ahmad wrote:
> Thank you amos , but I have an issue with connection :
> Here is my mysql info :
> 
> grant select on squid.* to 'squid'@'%' identified by 'squid';
> =
> mysql> show databases;
> +--------------------+
> | Database           |
> +--------------------+
> | information_schema |
> | mysql              |
> | squid              |
> +--------------------+
> 3 rows in set (0.00 sec)
> 
> mysql> use squid
> Database changed
> mysql> ;
> ERROR: 
> No query specified
> 
> mysql> show tables;
> +-----------------+
> | Tables_in_squid |
> +-----------------+
> | passwd          |
> +-----------------+
> 1 row in set (0.00 sec)
> 
> mysql> select from * passwd;
> ERROR 1064 (42000): You have an error in your SQL syntax; check the manual 
> that corresponds to your MySQL server version for the right syntax to use 
> near 'from * passwd' at line 1
> mysql> select * from  passwd;
> +--------+----------+---------+-----------+---------------------+
> | user   | password | enabled | fullname  | comment             |
> +--------+----------+---------+-----------+---------------------+
> | Nikesh | test     |       1 | Test User | for testing purpose |
> +--------+----------+---------+-----------+---------------------+
> 1 row in set (0.00 sec)
> 
<snip>

> mysql>
> ===
> 
> now on the squid box , I do the connection below :
> 
> here is the connection from remote squid:
> /lib/squid/basic_db_auth --dsn DBI:mysql:database=squid:host=x.x189.177

No *semi-colons* in the driver parameters bit.

 --dsn DBI:mysql:host=x.x189.177;port=3306;database=squid


NP: I also like to order them by significance just in case they are
processed in-order.

Amos


Re: [squid-users] squid authentication to remote sql server

2015-02-10 Thread Yuri Voinov

As I think, this is around DB. Not squid. :) Just misconfiguration.

11.02.15 2:44, Amos Jeffries wrote:
 On 11/02/2015 9:35 a.m., Yuri Voinov wrote:
 Wow, it just cannot connect with DB?!
 
 
 Maybe, maybe not, maybe its connecting to the localhost instead of 
 remote (he had a localhost test earlier). I just spotted table
 names were different too.
 
 Amos ___ squid-users
 mailing list squid-users@lists.squid-cache.org 
 http://lists.squid-cache.org/listinfo/squid-users
 


Re: [squid-users] squid authentication to remote sql server

2015-02-10 Thread Yuri Voinov
- From: squid-users
 [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of
 Amos Jeffries Sent: Monday, February 9, 2015 4:15 PM To:
 squid-users@lists.squid-cache.org Subject: Re: [squid-users] squid
 authentication to remote sql server
 
 On 10/02/2015 5:01 p.m., Ahmad wrote:
 Hi ,
 
 I followed the article in  :
 
 http://wiki.squid-cache.org/ConfigExamples/Authenticate/Mysql
 
 
 
 
 
 I need to connect  squid to external sql server  , what do I need
 to modify in the helper command ?
 
 
 
 I think that the command below :
 
 auth_param basic program /usr/local/squid/libexec/squid_db_auth
  --user someuser --password  --plaintext --persist
 
 
 
 Shoud include the ip   port of the sql server .
 
 
 The Data Source Name (--dsn) parameter is the option string passed
 to the Perl DBI module for locating the database to use.
 
 It takes the syntax:
 
 DSN: driver : params
 
 The params bit depends on what database driver (type) is. The
 mysql driver uses semi-colon separated key=value pairs.
 
 So you can write something like:
 
 --dsn DSN:mysql:host=example.com;port=3306;database=squid
 
 
 Amos ___ squid-users
 mailing list squid-users@lists.squid-cache.org 
 http://lists.squid-cache.org/listinfo/squid-users
 
 ___ squid-users mailing
 list squid-users@lists.squid-cache.org 
 http://lists.squid-cache.org/listinfo/squid-users
 


Re: [squid-users] squid authentication to remote sql server

2015-02-10 Thread Yuri Voinov

Wow, it just cannot connect with DB?!

11.02.15 2:32, Amos Jeffries wrote:
 On 11/02/2015 7:24 p.m., Ahmad wrote:
 Thank you amos , but I have an issue with connection : Here is my
 mysql info :  grant select on squid.* to 'squid'@'%'
 identified by 'squid'; = mysql show
 databases; ++ | Database   | 
 ++ | information_schema | | mysql
 | | squid  | ++ 3 rows in set
 (0.00 sec)
 
 mysql use squid Database changed mysql ; ERROR: No query
 specified
 
 mysql show tables; +-+ | Tables_in_squid | 
 +-+ | passwd  | +-+ 1 row
 in set (0.00 sec)
 
 mysql select from * passwd; ERROR 1064 (42000): You have an
 error in your SQL syntax; check the manual that corresponds to
 your MySQL server version for the right syntax to use near 'from
 * passwd' at line 1 mysql select * from  passwd; 
 ++--+-+---+-+

 
| user   | password | enabled | fullname  | comment |
 ++--+-+---+-+

 
| Nikesh | test |   1 | Test User | for testing purpose |
 ++--+-+---+-+

 
1 row in set (0.00 sec)
 
 snip
 
 mysql ===
 
 now on the squid box , I do the conection below :
 
 here is the connection from remote squid: 
 /lib/squid/basic_db_auth --dsn
 DBI:mysql:database=squid:host=x.x189.177
 
 No *semi-colons* in the driver parameters bit.
 
 --dsn DBI:mysql:host=x.x189.177;port=3306;database=squid
 
 
 NP: I also like to order them by significance just in case they
 are processed in-order.
 
 Amos ___ squid-users
 mailing list squid-users@lists.squid-cache.org 
 http://lists.squid-cache.org/listinfo/squid-users
 


Re: [squid-users] squid authentication to remote sql server

2015-02-10 Thread Amos Jeffries
Replying again because I missed the --table parameter value earlier.


On 11/02/2015 7:24 p.m., Ahmad wrote:
> Thank you amos , but I have an issue with connection :
> 
> 
> mysql> select * from  passwd;


=== notice the TABLE NAME.

> +--------+----------+---------+-----------+---------------------+
> | user   | password | enabled | fullname  | comment             |
> +--------+----------+---------+-----------+---------------------+
> | Nikesh | test     |       1 | Test User | for testing purpose |
> +--------+----------+---------+-----------+---------------------+
> 1 row in set (0.00 sec)
> 
> now on the squid box , I do the connection below :
> 
> here is the connection from remote squid:
> /lib/squid/basic_db_auth --dsn DBI:mysql:database=squid:host=x.x189.177 \

blah. blah about semi-colons from both of my earlier posts..


> --user squid --password squid --table user

==  notice the TABLE NAME

> --usercol user --passwdcol password 


> --cond  --plaintext
> 

You have an enabled column in the table for disabling peoples
accounts. The default --cond is fine.

> 
> DBD::mysql::st execute failed: Table 'squid.user' doesn't exist at 
> /lib/squid/basic_db_auth line 215,  line 1.
> DBD::mysql::st execute failed: MySQL server has gone away at 
> /lib/squid/basic_db_auth line 218,  line 1.
> ERR database error

Because TABLE NAME.

Amos


Re: [squid-users] squid authentication to remote sql server

2015-02-10 Thread Yuri Voinov

Heh. Pure SQL database is VERY bad idea to store any security
credentials or ACL's. They are too easy to hack.

11.02.15 2:32, Amos Jeffries wrote:
 On 11/02/2015 7:24 p.m., Ahmad wrote:
 Thank you amos , but I have an issue with connection : Here is my
 mysql info :  grant select on squid.* to 'squid'@'%'
 identified by 'squid'; = mysql show
 databases; ++ | Database   | 
 ++ | information_schema | | mysql
 | | squid  | ++ 3 rows in set
 (0.00 sec)
 
 mysql use squid Database changed mysql ; ERROR: No query
 specified
 
 mysql show tables; +-+ | Tables_in_squid | 
 +-+ | passwd  | +-+ 1 row
 in set (0.00 sec)
 
 mysql select from * passwd; ERROR 1064 (42000): You have an
 error in your SQL syntax; check the manual that corresponds to
 your MySQL server version for the right syntax to use near 'from
 * passwd' at line 1 mysql select * from  passwd; 
 ++--+-+---+-+

 
| user   | password | enabled | fullname  | comment |
 ++--+-+---+-+

 
| Nikesh | test |   1 | Test User | for testing purpose |
 ++--+-+---+-+

 
1 row in set (0.00 sec)
 
 snip
 
 mysql ===
 
 now on the squid box , I do the conection below :
 
 here is the connection from remote squid: 
 /lib/squid/basic_db_auth --dsn
 DBI:mysql:database=squid:host=x.x189.177
 
 No *semi-colons* in the driver parameters bit.
 
 --dsn DBI:mysql:host=x.x189.177;port=3306;database=squid
 
 
 NP: I also like to order them by significance just in case they
 are processed in-order.
 
 Amos ___ squid-users
 mailing list squid-users@lists.squid-cache.org 
 http://lists.squid-cache.org/listinfo/squid-users
 


Re: [squid-users] squid authentication to remote sql server

2015-02-10 Thread Amos Jeffries
On 11/02/2015 8:40 p.m., snakeeyes wrote:
 Hi amos
 I added squid/squid in the table

 mysql> show tables
     -> ;
 +-----------------+
 | Tables_in_squid |
 +-----------------+
 | passwd          |
 +-----------------+
 1 row in set (0.00 sec)

 mysql> select * from passwd;
 +--------+----------+---------+-----------+---------------------+
 | user   | password | enabled | fullname  | comment             |
 +--------+----------+---------+-----------+---------------------+
 | Nikesh | test     |       1 | Test User | for testing purpose |
 | squid  | squid    |       1 | Test User | for testing purpose |
 +--------+----------+---------+-----------+---------------------+
 2 rows in set (0.00 sec)

 mysql>

 still has same error ?

 how can u help me ?
 login with md5 or wt ??
 

Try renaming the password column.
 - rename it in the DB, change the squid.conf helper parameter, then
reload squid config.


Perhaps show us what you are entering on the command line test for
username and password?

Perhaps try using the --debug option? to get the helper to record in
cache log (or on screen for the manual tests).

Amos



[squid-users] squid authentication to remote sql server

2015-02-09 Thread Ahmad
Hi ,

I followed the article in :

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Mysql

I need to connect squid to external sql server , what do I need to modify
in the helper command ?

I think that the command below :

auth_param basic program /usr/local/squid/libexec/squid_db_auth --user someuser --password  --plaintext --persist

Should include the ip   port of the sql server .

cheers



Re: [squid-users] squid authentication to remote sql server

2015-02-09 Thread Amos Jeffries
On 10/02/2015 5:01 p.m., Ahmad wrote:
 Hi ,

 I followed the article in :

 http://wiki.squid-cache.org/ConfigExamples/Authenticate/Mysql

 I need to connect squid to external sql server , what do I need to modify
 in the helper command ?

 I think that the command below :

 auth_param basic program /usr/local/squid/libexec/squid_db_auth --user someuser --password  --plaintext --persist

 Should include the ip   port of the sql server .
 

The Data Source Name (--dsn) parameter is the option string passed to
the Perl DBI module for locating the database to use.

It takes the syntax:

  DBI: driver : params

The params bit depends on what database driver (type) is. The mysql
driver uses semi-colon separated key=value pairs.

So you can write something like:

  --dsn DBI:mysql:host=example.com;port=3306;database=squid


Amos


Re: [squid-users] Squid Authentication

2015-02-02 Thread Amos Jeffries
On 2/02/2015 5:27 p.m., Raju M K wrote:
 Need squid Authentication syntax for local users in Windows 7/8 workgroup
 Presently using squid 2.7 stable 8

2.7 was end-of-lifed *5 years ago*. Please upgrade.
http://www.squid-cache.org/Versions/

PS. I know we don't have a native windows version available of anything
newer (though Cygwin does provide 3.2/3.3 builds). But there is no
reason for Squid being tied down onto a Windows server while servicing
Windows users, and many reasons for it to *not* be.

Amos



Re: [squid-users] Squid Authentication

2015-02-02 Thread Rafael Akchurin
Hello Amos,

We will soon be able to have latest 3.5 built for Cygwin x64 (hopefully).

Rafael




Re: [squid-users] Squid Authentication

2015-02-02 Thread Yuri Voinov

Hurry up, Raf :)

I'm waiting for 3.5 Win64 for my notebook :)

And don't forget SSL Bump ! :)

02.02.2015 20:47, Rafael Akchurin wrote:
 Eldar will send soon as we finish some initial testing.
 Raf


 
 From: Amos Jeffries squ...@treenet.co.nz
 Sent: Monday, February 2, 2015 3:32 PM
 To: Rafael Akchurin; squid-users@lists.squid-cache.org
 Subject: Re: [squid-users] Squid Authentication

 On 3/02/2015 3:04 a.m., Rafael Akchurin wrote:
 Hello Amos,

 We will soon be able to have latest 3.5 built for Cygwin x64 (hopefully).


 Yay! Are there any patches I can merge that will help minimize the
 tracking work for future releases?

 Amos


 Rafael

 


Re: [squid-users] Squid Authentication

2015-02-02 Thread Eliezer Croitoru

Hey Raju,

For how many users?

Eliezer

On 02/02/2015 06:27, Raju M K wrote:

Need squid Authentication syntax for local users in Windows 7/8 workgroup
Presently using squid 2.7 stable 8
-- Regards, M K Raju.





[squid-users] Squid Authentication

2015-02-01 Thread Raju M K
Need squid Authentication syntax for local users in Windows 7/8 workgroup
Presently using squid 2.7 stable 8
-- 
Regards,
M K Raju.


Re: [squid-users] squid authentication failing

2014-08-12 Thread Kinkie
On Mon, Aug 11, 2014 at 7:59 PM, Sarah Baker sba...@brightedge.com wrote:
 Background:
 Squid: squid-3.1.23-2.el6.x86_64
 OS: CentOS 6.5 - Linux 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

 Issue:
 I have two boxes, same OS, same squid binary, same config file, same squid-passwd file.
 Configuration is setup for ncsa_auth.  Squid runs as user squid.

 Both systems return OK to use of command line of ncsa_auth as squid user to
 the login and password in the squid-passwd file.

 Using squid however via a curl thru one of the proxy ips/port of the system:
 one system gives 403 forbidden, the other works just fine.
 Tried removing authentication entirely, a fully open squid.  It fails - same
 message.

403 forbidden means that the authenticator doesn't even get to kick
in; it's a final deny.
Are you really sure that the 403 is generated by Squid, and not by the
origin server? you can tell by looking at the error page.

 Also looked at thus far:
 rpm -q query_options --requires squid-3.1.23-2.el6.x86_64
 the same on both boxes.
 Ran yum update on both to insure everything was up to latest - no change.

The issue is either not in squid or it's related to the http_access
configuration.
Would you mind sharing an excerpt of your squid.conf including that part?

 Any ideas what I should look for?


-- 
Francesco


Re: [squid-users] squid authentication failing

2014-08-12 Thread nicolas



Maybe some SELinux/Apparmor/Similar application blocking some context of 
Squid and therefore throwing a 403 code?


[squid-users] squid authentication failing

2014-08-11 Thread Sarah Baker
Background:
Squid: squid-3.1.23-2.el6.x86_64
OS: CentOS 6.5 - Linux 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Issue:
I have two boxes, same OS, same squid binary, same config file, same squid-passwd file.
Configuration is setup for ncsa_auth.  Squid runs as user squid.

Both systems return OK to use of command line of ncsa_auth as squid user to
the login and password in the squid-passwd file.

Using squid however via a curl thru one of the proxy ips/port of the system:
one system gives 403 forbidden, the other works just fine.

Tried removing authentication entirely, a fully open squid.  It fails - same
message.

Also looked at thus far:
rpm -q query_options --requires squid-3.1.23-2.el6.x86_64
the same on both boxes.
Ran yum update on both to insure everything was up to latest - no change.

Any ideas what I should look for?
-
S. Baker
Manager of Technical Operations, BrightEdge




[squid-users] squid authentication not working with mysql

2013-09-30 Thread Tshooter
I am using ubuntu 12.04 and centos 6 as virtual machine on it. I've
configured squid on centos and I'm trying to access it from browsers in
ubuntu. I checked using browsers in Centos also.

It worked fine when I used ncsa authentication, but it is not working with
mysql db authentication. 
I used this page to configure squid authentication using mysql
(http://wiki.squid-cache.org/ConfigExamples/Authenticate/Mysql?)

Here is the cache.log file

[root@centos ~]# tail /var/log/squid/cache.log


My squid.conf file is 



It worked fine with ncsa authentication. Am I doing something wrong?


Regards,
Tshooter



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-authentication-not-working-with-mysql-tp4662355.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] squid authentication not working with mysql

2013-09-30 Thread Amos Jeffries

Can Nabble users please post directly to the squid-users mailing list.

The Nabble forum is supposed to only be a mirror of our mailing list. 
Their interface for posting often removes critical information, 
re-formats submissions, and sometimes even does not deliver posts to the 
mailing list.


Thank You
Amos Jeffries
Squid Project






Re: [squid-users] Squid authentication stopped working

2013-09-26 Thread Eric Vanderveer
Looks like I got it working.  Not sure exactly why all of a sudden it
stopped but with Kinkie's help we cleaned up my squid.conf file and
(I'm not sure if this helped) reconnected to the domain.  I think I
was already connected but redid to be on the safe side.
Eric

On Wed, Sep 25, 2013 at 1:59 PM, Kinkie gkin...@gmail.com wrote:
 That's the way NTLM is supposed to work. It requires 2x 407 DENIED for
 each new tcp connection.

 On Wed, Sep 25, 2013 at 7:36 PM, Eric Vanderveer
 e...@ericvanderveer.com wrote:
 I see The reply for POST http://somedomain.com is DENIED because it
 matched 'ntlm_auth' but then right after I see the same thing but it
 says is ALLOWED.

 On Wed, Sep 25, 2013 at 1:30 PM, Eric Vanderveer
 e...@ericvanderveer.com wrote:
 Still at a loss on this.  If anyone has an idea let me know.


 On Wed, Sep 25, 2013 at 12:57 PM, Eric Vanderveer
 e...@ericvanderveer.com wrote:
 I am assuming you mean -V and its Version 3.6.3

 On Wed, Sep 25, 2013 at 12:56 PM, Kinkie gkin...@gmail.com wrote:
 can you do a ntlm_auth -v?

 On Wed, Sep 25, 2013 at 6:54 PM, Eric Vanderveer
 e...@ericvanderveer.com wrote:
 I am using /usr/bin/ntlm_auth with squid.

 On Wed, Sep 25, 2013 at 12:53 PM, Kinkie gkin...@gmail.com wrote:
 so it's kerberos, not ntlm, is it?

 On Wed, Sep 25, 2013 at 6:52 PM, Eric Vanderveer
 e...@ericvanderveer.com wrote:
 I already rejoined to the domain.  I checked to make sure and I can
 see the certificate when i do a klist.

 On Wed, Sep 25, 2013 at 12:45 PM, Kinkie gkin...@gmail.com wrote:
 What kind of ntlm auth helper are you using? Samba's?

 If so, the simplest reason I can think of without additional info is
 that your machine account in AD went stale for some reason.. can you
 try rejoining the domain?

 On Wed, Sep 25, 2013 at 6:27 PM, Eric Vanderveer
 e...@ericvanderveer.com wrote:
 Hi,
    I have been running squid, dansguardian and ntlm_authentication for
 about 2 months now with no problem.  This morning it stopped working.
 I can no longer surf and I get login pop ups on my window clients.  On
 the squid server I can see the domain and its users so I am connected.
  My cache.log is showing a lot of stuff but most of it is greek to me.
  Here is a snippet

 http://pastebin.com/YryKkC0J

 Any ideas?

 Thanks
 Eric Vanderveer



 --
 /kinkie



 --
 /kinkie



 --
 /kinkie



 --
 /kinkie


[squid-users] Squid authentication stopped working

2013-09-25 Thread Eric Vanderveer
Hi,
   I have been running squid, dansguardian and ntlm_authentication for
about 2 months now with no problem.  This morning it stopped working.
I can no longer surf and I get login pop ups on my window clients.  On
the squid server I can see the domain and its users so I am connected.
 My cache.log is showing a lot of stuff but most of it is greek to me.
 Here is a snippet

http://pastebin.com/YryKkC0J

Any ideas?

Thanks
Eric Vanderveer


Re: [squid-users] Squid authentication stopped working

2013-09-25 Thread Kinkie
What kind of ntlm auth helper are you using? Samba's?

If so, the simplest reason I can think of without additional info is
that your machine account in AD went stale for some reason.. can you
try rejoining the domain?




-- 
/kinkie


Re: [squid-users] Squid authentication stopped working

2013-09-25 Thread Eric Vanderveer
I already rejoined to the domain.  I checked to make sure and I can
see the certificate when i do a klist.



Re: [squid-users] Squid authentication stopped working

2013-09-25 Thread Kinkie
so it's kerberos, not ntlm, is it?




-- 
/kinkie


Re: [squid-users] Squid authentication stopped working

2013-09-25 Thread Eric Vanderveer
I am using /usr/bin/ntlm_auth with squid.



Re: [squid-users] Squid authentication stopped working

2013-09-25 Thread Kinkie
can you do a ntlm_auth -v?




-- 
/kinkie


Re: [squid-users] Squid authentication stopped working

2013-09-25 Thread Eric Vanderveer
I am assuming you mean -V and its Version 3.6.3



Re: [squid-users] Squid authentication stopped working

2013-09-25 Thread Eric Vanderveer
Still at a loss on this.  If anyone has an idea let me know.




Re: [squid-users] Squid authentication stopped working

2013-09-25 Thread Eric Vanderveer
I see The reply for POST http://somedomain.com is DENIED because it
matched 'ntlm_auth' but then right after I see the same thing but it
says is ALLOWED.



Re: [squid-users] Squid authentication stopped working

2013-09-25 Thread Kinkie
That's the way NTLM is supposed to work. It requires 2x 407 DENIED for
each new tcp connection.




-- 
/kinkie
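
The point made in the reply above, that an NTLM handshake produces two 407 denials before the authenticated request, can be used to separate normal handshakes from clients that never get through. The following is an added example, not part of the thread or of Squid: the log lines are constructed, and `parse_line`, `classify_clients` and the `handshake_denials` threshold are hypothetical names chosen for illustration.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1380130020.101 1 10.0.0.21 TCP_DENIED/407 3790 GET http://somedomain.com/ - NONE/- text/html
1380130020.140 2 10.0.0.21 TCP_DENIED/407 4012 GET http://somedomain.com/ - NONE/- text/html
1380130020.395 231 10.0.0.21 TCP_MISS/200 5120 GET http://somedomain.com/ alice DIRECT/192.0.2.10 text/html
1380130031.007 1 10.0.0.35 TCP_DENIED/407 3790 GET http://somedomain.com/ - NONE/- text/html
1380130031.050 2 10.0.0.35 TCP_DENIED/407 4012 GET http://somedomain.com/ - NONE/- text/html
1380130036.412 1 10.0.0.35 TCP_DENIED/407 3790 GET http://somedomain.com/ - NONE/- text/html
1380130036.455 2 10.0.0.35 TCP_DENIED/407 4012 GET http://somedomain.com/ - NONE/- text/html
1380130041.903 1 10.0.0.35 TCP_DENIED/407 3790 GET http://somedomain.com/ - NONE/- text/html
1380130050.220 1 10.0.0.40 TCP_DENIED/407 3790 POST http://somedomain.com/form - NONE/- text/html
"""


def parse_line(line):
    """Return (client, http_status, user) or None for lines that do not parse."""
    fields = line.split()
    if len(fields) < 10:
        return None
    _, _, status = fields[3].partition("/")
    if not status.isdigit():
        return None
    user = None if fields[7] == "-" else fields[7]
    return fields[2], int(status), user


def classify_clients(log_text, handshake_denials=2):
    """Label each client 'ok', 'failing' or 'incomplete'.

    The native log carries no connection identifier, so denials are counted
    per client (an assumption of this sketch). A client with several parallel
    connections can legitimately show more than two 407s in a row, so raise
    handshake_denials for busy clients.
    """
    pending = defaultdict(int)        # 407s since the last authenticated request
    authenticated = defaultdict(int)  # requests logged with a user name
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        client, status, user = entry
        if status == 407:
            pending[client] += 1
        elif user is not None:
            authenticated[client] += 1
            pending[client] = 0       # the handshake completed

    verdicts = {}
    for client in sorted(set(pending) | set(authenticated)):
        if pending[client] > handshake_denials:
            verdicts[client] = "failing"      # denials keep coming, no login follows
        elif authenticated[client]:
            verdicts[client] = "ok"           # 407s were only the normal handshake
        else:
            verdicts[client] = "incomplete"   # too few lines to tell yet
    return verdicts


if __name__ == "__main__":
    for client, verdict in classify_clients(SAMPLE_LOG).items():
        print(client, verdict)
```
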


Re: [squid-users] squid authentication with sqlite

2011-09-11 Thread Amos Jeffries

On 11/09/11 21:41, abderrahmane abdmeziane wrote:

i don't understand it detect that the driver is available isn't ?
vbash-4.1# ./squid_db_auth


snip

Perhaps the DBD::sqlite perl module hasn't been fully installed,
or perhaps the capitalisation of 'sqlite' isn't right.
Available drivers: DBM, ExampleP, File, Gofer, Proxy, SQLite, Sponge.



sqlite is not the same as SQLite. Some letters are different.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.15
  Beta testers wanted for 3.2.0.11


[squid-users] squid authentication with sqlite

2011-09-07 Thread abderrahmane abdmeziane
hey,did squid work with sqlite authentication ?,i see in squid_db_auth
file :my $dsn = DBI:mysql:database=squid;
so i change it my $dsn = DBI:sqlite:database=squid; i create the
squid database and passwd table,it doesn't work i put the squid
database file with squid_db_auth ,not working ! can someone help
please.thanks


Re: [squid-users] squid authentication with sqlite

2011-09-07 Thread Amos Jeffries

On Wed, 7 Sep 2011 23:12:46 +0200, abderrahmane abdmeziane wrote:
hey,did squid work with sqlite authentication ?,i see in squid_db_auth
file :my $dsn = DBI:mysql:database=squid;
so i change it my $dsn = DBI:sqlite:database=squid; i create the
squid database and passwd table,it doesn't work i put the squid
database file with squid_db_auth ,not working ! can someone help
please.thanks


You need the DBI::* perl driver installed, and apparently the DSN 
driver names are case sensitive. The tutorials all use SQLite. It 
could be either of these problems or a problem locating the file. The 
helper will dump details to cache.log when run under Squid or to the 
terminal when run manually.
 NP: it only connects on first lookup, so when testing via command line 
press enter at least once.



I've added a bit of extra help to the error message to display the 
available drivers in future. It can be applied to the basic_db_auth 
helper script already installed to gain that ability immediately: (just 
waiting on the mirrors to pick it up)
  
http://www.squid-cache.org/Versions/v3/3.HEAD/changesets/squid-3-11714.patch



When using it, run the helper on command line and pressing enter will 
fail and show you what drivers are available. If SQLite is missing you 
need to install that Perl module.


Amos
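
The DSN rules given in the replies on this page (a `DBI:driver:params` layout, semicolon-separated key=value pairs for the mysql driver, case-sensitive driver names) can be checked before the value is put into `--dsn`. This is an added example, not part of the thread or of Squid's helper; `lint_dsn`, `AVAILABLE_DRIVERS` and `GLUED_PAIR` are hypothetical names, and the driver list is assumed from the helper output quoted above.

```python
import re

# Driver names as listed in the helper's "Available drivers" output quoted in
# the thread, plus "mysql" from the MySQL DSNs shown there. On a real host the
# list depends on which Perl database driver modules are installed (assumed set).
AVAILABLE_DRIVERS = ("DBM", "ExampleP", "File", "Gofer", "Proxy",
                     "SQLite", "Sponge", "mysql")

# A second key=value pair attached to a value with ':' instead of ';'.
GLUED_PAIR = re.compile(r":[A-Za-z_]\w*=")


def lint_dsn(dsn, drivers=AVAILABLE_DRIVERS):
    """Check a --dsn value against the layout described in the thread.

    Returns (parsed, problems): parsed is None when the three-field layout
    is missing, otherwise {"driver": ..., "params": {...}}.
    """
    parts = dsn.split(":", 2)
    if len(parts) != 3:
        return None, ["expected three fields: DBI:driver:params"]
    scheme, driver, params = parts
    problems = []

    if scheme.lower() != "dbi":
        problems.append(f"DSN must start with 'DBI:', found '{scheme}:'")

    if driver not in drivers:
        same_letters = sorted(d for d in drivers if d.lower() == driver.lower())
        if same_letters:
            problems.append(
                f"driver names are case sensitive: use '{same_letters[0]}', "
                f"not '{driver}'")
        else:
            problems.append(f"driver '{driver}' is not in the available list")

    pairs = {}
    for field in params.split(";"):
        key, sep, value = field.partition("=")
        if not (sep and key and value):
            problems.append(f"'{field}' is not a key=value pair")
            continue
        if GLUED_PAIR.search(value):
            problems.append(
                f"'{field}' joins two parameters with ':'; the form given "
                f"in the thread separates them with ';'")
            continue
        pairs[key] = value
    return {"driver": driver, "params": pairs}, problems


if __name__ == "__main__":
    for candidate in (
        "DBI:mysql:host=example.com;port=3306;database=squid",
        "DBI:mysql:database=squid:host=x.x189.177",
        "DBI:sqlite:database=squid",
    ):
        _, found = lint_dsn(candidate)
        print(candidate, "->", found or "ok")
```

When testing the helper by hand from a shell, quote the DSN so the semicolons are not read as command separators.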



[squid-users] Squid Authentication Problem

2010-01-05 Thread Michael_Grasso

I'm running Squid 3.0 Stable 21. I have two reverse proxy sites setup with
LDAP authentication enabled. When I access either site, authentication
works fine. My problem is when I'm authenticated to one site and access
something on the other site, I get prompted to authenticate again. I can't
figure out why. Any help is appreciated. Below are my squid.conf settings.

acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth

http_port x.x.x.x:80 accel defaultsite=intranet.cadc.circdc.dcn
cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet1 round-robin
cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet2 round-robin
acl sites_intranet dstdomain intranet.cadc.circdc.dcn
http_access allow sites_intranet
cache_peer_access intranet1 allow sites_intranet
cache_peer_access intranet2 allow sites_intranet

http_port x.x.x.x:80 accel defaultsite=www.cadc.circdc.dcn
cache_peer x.x.x.x parent 80 0 no-query originserver name=iis
acl sites_iis dstdomain www.cadc.circdc.dcn
http_access allow sites_iis
cache_peer_access iis allow sites_iis

http_access deny all

Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443



Re: [squid-users] Squid Authentication Problem

2010-01-05 Thread Chris Robertson

michael_gra...@cadc.uscourts.gov wrote:

I'm running Squid 3.0 Stable 21. I have two reverse proxy sites setup with
LDAP authentication enabled.


How is the authentication prompted for (is it using HTTP auth, or a form)?


 When I access either site, authentication
works fine. My problem is when I'm authenticated to one site and access
something on the other site, I get prompted to authenticate again. I can't
figure out why. 


If you are using basic HTTP authentication, it's because the browser has 
not been configured such that intranet.cadc.circdc.dcn is in any way 
related to www.cadc.circdc.dcn.  If you are using form based 
authentication, you'll have to talk with the person who set that up.



Any help is appreciated. Below are my squid.conf settings.

acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth

http_port x.x.x.x:80 accel defaultsite=intranet.cadc.circdc.dcn
cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet1 round-robin
cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet2 round-robin
acl sites_intranet dstdomain intranet.cadc.circdc.dcn
http_access allow sites_intranet
cache_peer_access intranet1 allow sites_intranet
cache_peer_access intranet2 allow sites_intranet

http_port x.x.x.x:80 accel defaultsite=www.cadc.circdc.dcn
cache_peer x.x.x.x parent 80 0 no-query originserver name=iis
acl sites_iis dstdomain www.cadc.circdc.dcn
http_access allow sites_iis
cache_peer_access iis allow sites_iis

http_access deny all
  


One workaround to the functionality of basic HTTP auth would be to put 
all of your data under one domain and let Squid pass the data to the 
peers based on URL 
http://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers#Other_Criteria_than_Domain



Mike Grasso
Data Network Administrator
DC Circuit Court of Appeals
(202) 216-7443
  


Chris




[squid-users] squid authentication and redirection

2009-04-08 Thread Rudy Gevaert
Dear Squid users,

I was wondering if the following can be accomplished in squid:

Say, a user starts using the proxy
1 he is not logged, so he gets redirected to a webpage over https
2 the webpage authenticates him, and sets a cookie in his browser
3 he is then redirected to the original url he was surfing to
4 squid checks if the cookie is valid and authenticates the user
5 the user can surf till he closes his browser 

In step 4 we never go to the authentication webpage unless the cookie is
not valid.  

In the back ground  we would then run a script that parses the log file
and updates a database.  So the next time a user logs in we can deny him
access.

The current solutions I have found have the following problems:
- they use basic authentication, so password is sent in clear text of
  the wire
- they redirect all requests to a redirect url


Can it be done with squid?

Thanks in advance,
-- 
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Rudy Gevaert  rudy.geva...@ugent.be  tel:+32 9 264 4734
Directie ICT, afd. Infrastructuur  Direction ICT, Infrastructure dept.
Groep Systemen Systems group
Universiteit Gent  Ghent University
Krijgslaan 281, gebouw S9, 9000 Gent, Belgie   www.UGent.be
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 


Re: [squid-users] squid authentication and redirection

2009-04-08 Thread Amos Jeffries
 Dear Squid users,

 I was wondering if the following can be accomplished in squid:

 Say, a user starts using the proxy
 1 he is not logged, so he gets redirected to a webpage over https
 2 the webpage authenticates him, and sets a cookie in his browser
 3 he is then redirected to the original url he was surfing to
 4 squid checks if the cookie is valid and authenticates the user
 5 the user can surf till he closes his browser

 In step 4 we never go to the authentication webpage unless the cookie is
 not valid.

 In the back ground  we would then run a script that parses the log file
 and updates a database.  So the next time a user logs in we can deny him
 access.

 The current solutions I have found have the following problems:
 - they use basic authentication, so password is sent in clear text of
   the wire
 - they redirect all requests to a redirect url


 Can it be done with squid?

Yes. But it's very complicated.

Since you are calculating your database of 'not okay' users based on IPs
you can drop the whole cookie thing and simply create an external_acl_type
helper that checks the current database records directly for each request.

Using an external helper lets you do:
 .. define external helper and ACL 'LoggedIn'

 deny_info https://example.com/login_page LoggedIn
 http_access deny !LoggedIn
 http_access allow LoggedIn

Amos


 Thanks in advance,
 --
 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
 Rudy Gevaert  rudy.geva...@ugent.be  tel:+32 9 264 4734
 Directie ICT, afd. Infrastructuur  Direction ICT, Infrastructure dept.
 Groep Systemen Systems group
 Universiteit Gent  Ghent University
 Krijgslaan 281, gebouw S9, 9000 Gent, Belgie   www.UGent.be
 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
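
The per-request lookup suggested in the reply above, written as an external ACL helper in Python. This is an added example, not code from the thread or from the Squid project; the table layout, the file paths and the `logged_in` type name are assumptions, and it answers one lookup per line without Squid's concurrency channel IDs.

```python
#!/usr/bin/env python3
"""External ACL helper: is this client IP currently logged in and not blocked?

Assumed squid.conf wiring (helper path, database path and type name are
hypothetical). Squid caches each answer for ttl seconds, so a newly blocked
user is cut off only once the cached entry expires:

    external_acl_type logged_in ttl=60 negative_ttl=5 %SRC /usr/local/bin/check_login.py /var/lib/squid/sessions.db
    acl LoggedIn external logged_in
"""
import ipaddress
import re
import sqlite3
import sys

# Hypothetical schema, maintained by the login page and the log-parsing job.
SCHEMA = """
CREATE TABLE IF NOT EXISTS sessions (
    ip       TEXT PRIMARY KEY,   -- canonical text form of the client address
    username TEXT NOT NULL,
    blocked  INTEGER NOT NULL DEFAULT 0
)
"""

# Only names matching this are echoed back to Squid; anything else would need
# escaping in the reply line, so it is left out of the reply.
SAFE_USER = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def open_db(path):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def build_sample_db():
    """In-memory database with constructed rows, for trying the helper out."""
    conn = open_db(":memory:")
    conn.executemany(
        "INSERT INTO sessions (ip, username, blocked) VALUES (?, ?, ?)",
        [
            ("192.0.2.10", "alice", 0),   # logged in
            ("192.0.2.11", "bob", 1),     # logged in, then blocked
            ("2001:db8::5", "carol", 0),  # IPv6 client
        ],
    )
    conn.commit()
    return conn


def check_ip(conn, ip):
    """Return the reply line for one canonical client address."""
    try:
        row = conn.execute(
            "SELECT username, blocked FROM sessions WHERE ip = ?", (ip,)
        ).fetchone()
    except sqlite3.Error:
        return "ERR"  # fail closed: a broken database must not grant access
    if row is None or row[1]:
        return "ERR"  # unknown address or blocked user
    username = row[0]
    if SAFE_USER.fullmatch(username):
        return "OK user=" + username  # user= lets Squid log the name
    return "OK"


def handle_line(conn, line):
    """Parse one request line from Squid (a single %SRC token) and answer it."""
    tokens = line.split()
    if len(tokens) != 1:
        return "ERR"
    try:
        # Normalise so that equivalent spellings of an address hit the same row.
        ip = str(ipaddress.ip_address(tokens[0]))
    except ValueError:
        return "ERR"
    return check_ip(conn, ip)


def main(argv):
    # Without a database path the helper runs against the constructed sample.
    conn = open_db(argv[1]) if len(argv) > 1 else build_sample_db()
    for line in sys.stdin:
        sys.stdout.write(handle_line(conn, line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never buffer
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keying access on the source address alone means every user behind one NAT address or on a shared host inherits the same session, so the lookup is only as strong as the IP-to-user mapping.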





Re: [squid-users] squid authentication against windows Active Directory 2008 ??

2008-09-16 Thread Gregory Machin
then I would have to install samba from what I understand, and our
policy is no file sharing services allowed on the firewalls. Is
there a way to get a single sign on without installing samba?

On Mon, Sep 15, 2008 at 5:56 PM, Kevin Blackwell [EMAIL PROTECTED] wrote:
 Gregory,

 I was running into the same problems. I finally got it working.

 Couple of questions

 1. What OS
 2. Why not use ntlm_auth? Works better.

 Kevin

 On Mon, Sep 15, 2008 at 9:06 AM, Gregory Machin [EMAIL PROTECTED] wrote:
 Hi
 I'm battling to get squid_ldap_auth to authenticate against M$
 windows Active Directory 2008 with my config below

 /usr/lib64/squid/squid_ldap_auth -b OU=Organizational
 Structure,DC=example,DC=co,DC=za -h 10.*.*.250 -D
 CN=squid,OU=Other,OU=TC JHB,OU=Company,OU=Organizational
 Structure,DC=example,DC=co,DC=za -w Password1 -f
 ((uid=%s)(objectclass=user))

 I have used a similar config on windows Active Directory 2003 and it
 worked perfectly fine. Is there a catch to authenticating against the
 2008 version of AD ? or have I missed some thing ..

 How is the best way to debug this as squid does not log or output any
 errors even when in debugging mode ..

 when is run
 [EMAIL PROTECTED] ~]# /usr/lib64/squid/squid_ldap_auth -b
 OU=Organizational Structure,DC=techconcepts,DC=co,DC=za -h
 10.0.1.250 -D CN=squid,OU=Other,OU=TC
 JHB,OU=Company,OU=Organizational
 Structure,DC=techconcepts,DC=co,DC=za -w Password1 -f
 ((uid=%s)(objectclass=user)) -v3
 gregory.machin Password1
 ERR Success

 I get ERR Success
 I believe I should get OK
 How can I get more info out of this interface ?

 Thanks in advance .




Re: [squid-users] squid authentication against windows Active Directory 2008 ??

2008-09-16 Thread Amos Jeffries

Gregory Machin wrote:

then I would have to install samba from what I understand, and our
policy is no file sharing services allowed on the firewalls. Is
there a way to get a single sign on without installing samba?


Correct me if I'm wrong, but I don't think the NTLM helper for squid 
requires that samba be installed on the same machine. Just at an 
available source over the network.


Amos



On Mon, Sep 15, 2008 at 5:56 PM, Kevin Blackwell [EMAIL PROTECTED] wrote:

Gregory,

I was running into the same problems. I finally got it working.

Couple of questions

1. What OS
2. Why not use ntlm_auth? Works better.

Kevin

On Mon, Sep 15, 2008 at 9:06 AM, Gregory Machin [EMAIL PROTECTED] wrote:

Hi
I'm battling to get squid_ldap_auth to authenticate against M$
windows Active Directory 2008 with my config below

/usr/lib64/squid/squid_ldap_auth -b OU=Organizational
Structure,DC=example,DC=co,DC=za -h 10.*.*.250 -D
CN=squid,OU=Other,OU=TC JHB,OU=Company,OU=Organizational
Structure,DC=example,DC=co,DC=za -w Password1 -f
((uid=%s)(objectclass=user))

I have used a similar config on windows Active Directory 2003 and it
worked perfectly fine. Is there a catch to authenticating against the
2008 version of AD ? or have I missed some thing ..

How is the best way to debug this as squid does not log or output any
errors even when in debugging mode ..

when is run
[EMAIL PROTECTED] ~]# /usr/lib64/squid/squid_ldap_auth -b
OU=Organizational Structure,DC=techconcepts,DC=co,DC=za -h
10.0.1.250 -D CN=squid,OU=Other,OU=TC
JHB,OU=Company,OU=Organizational
Structure,DC=techconcepts,DC=co,DC=za -w Password1 -f
((uid=%s)(objectclass=user)) -v3
gregory.machin Password1
ERR Success

I get ERR Success
I believe I should get OK
How can I get more info out of this interface ?

Thanks in advance .




--
Please use Squid 2.7.STABLE4 or 3.0.STABLE9


Re: [squid-users] squid authentication against windows Active Directory 2008 ??

2008-09-16 Thread Kevin Blackwell
No you wouldn't. I guess the squid one works too, everyone just
recommends that you use the samba one. In my experience, both work
fine. Have you tried the squid one?

Kevin

On Tue, Sep 16, 2008 at 3:56 AM, Gregory Machin [EMAIL PROTECTED] wrote:
 then I would have to install samba from what I understand, and our
 policy is no file sharing services allowed on the firewalls. Is
 there a way to get a single sign on without installing samba?

 On Mon, Sep 15, 2008 at 5:56 PM, Kevin Blackwell [EMAIL PROTECTED] wrote:
 Gregory,

 I was running into the same problems. I finally got it working.

 Couple of questions

 1. What OS
 2. Why not use ntlm_auth? Works better.

 Kevin

 On Mon, Sep 15, 2008 at 9:06 AM, Gregory Machin [EMAIL PROTECTED] wrote:
 Hi
 I'm battling to get squid_ldap_auth to authenticate against M$
 windows Active Directory 2008 with my config below

 /usr/lib64/squid/squid_ldap_auth -b OU=Organizational
 Structure,DC=example,DC=co,DC=za -h 10.*.*.250 -D
 CN=squid,OU=Other,OU=TC JHB,OU=Company,OU=Organizational
 Structure,DC=example,DC=co,DC=za -w Password1 -f
 ((uid=%s)(objectclass=user))

 I have used a similar config on windows Active Directory 2003 and it
 worked perfectly fine. Is there a catch to authenticating against the
 2008 version of AD ? or have I missed some thing ..

 How is the best way to debug this as squid does not log or output any
 errors even when in debugging mode ..

 when is run
 [EMAIL PROTECTED] ~]# /usr/lib64/squid/squid_ldap_auth -b
 OU=Organizational Structure,DC=techconcepts,DC=co,DC=za -h
 10.0.1.250 -D CN=squid,OU=Other,OU=TC
 JHB,OU=Company,OU=Organizational
 Structure,DC=techconcepts,DC=co,DC=za -w Password1 -f
 ((uid=%s)(objectclass=user)) -v3
 gregory.machin Password1
 ERR Success

 I get ERR Success
 I believe I should get OK
 How can I get more info out of this interface ?

 Thanks in advance .





Re: [squid-users] squid authentication against windows Active Directory 2008 ??

2008-09-15 Thread Kevin Blackwell
Gregory,

I was running into the same problems. I finally got it working.

Couple of questions

1. What OS
2. Why not use ntlm_auth? Works better.

Kevin

On Mon, Sep 15, 2008 at 9:06 AM, Gregory Machin [EMAIL PROTECTED] wrote:
 Hi
 I'm battling to get squid_ldap_auth to authenticate against M$
 windows Active Directory 2008 with my config below

 /usr/lib64/squid/squid_ldap_auth -b OU=Organizational
 Structure,DC=example,DC=co,DC=za -h 10.*.*.250 -D
 CN=squid,OU=Other,OU=TC JHB,OU=Company,OU=Organizational
 Structure,DC=example,DC=co,DC=za -w Password1 -f
 ((uid=%s)(objectclass=user))

 I have used a similar config on windows Active Directory 2003 and it
 worked perfectly fine. Is there a catch to authenticating against the
 2008 version of AD ? or have I missed some thing ..

 How is the best way to debug this as squid does not log or output any
 errors even when in debugging mode ..

 when is run
 [EMAIL PROTECTED] ~]# /usr/lib64/squid/squid_ldap_auth -b
 OU=Organizational Structure,DC=techconcepts,DC=co,DC=za -h
 10.0.1.250 -D CN=squid,OU=Other,OU=TC
 JHB,OU=Company,OU=Organizational
 Structure,DC=techconcepts,DC=co,DC=za -w Password1 -f
 ((uid=%s)(objectclass=user)) -v3
 gregory.machin Password1
 ERR Success

 I get ERR Success
 I believe I should get OK
 How can I get more info out of this interface ?

 Thanks in advance .



[squid-users] Squid authentication problem

2007-12-14 Thread Monah Baki
Hi All,

I have squid running, but for users to access the web they must
authenticate. Thing is, since it's a Windows platform (XP Professional and
Vista, all running IE 7), Instant Messenger also requires the username and
password in (Options - Connections) and some user is saying an application
called Vongo also requires authentication. Is there a way to have users
authenticate JUST to access the web and every other app to bypass the
proxy?


Thanks



[squid-users] Squid Authentication

2007-10-18 Thread Paulo
Hi all,

How can I migrate a user database NCSA (Squid authentication) to LDAP?

Thanks. Regards,

Paulo


[squid-users] Squid authentication and authorisation helper programs

2007-06-12 Thread Markus Moeller
Hi,

I wrote two squid helper programs which are available at 
http://squidkerbauth.sourceforge.net/

The first program is a Kerberos based authentication helper program and uses 
the Proxy Negotiate header with SPNEGO/Kerberos tokens. It will be part of 
future squid-2 releases.

The second helper is an authorisation helper program using ldap against Active 
Directory with SASL/GSSAPI authentication. This is in a beta state.

Both programs work in a multi domain Kerberos environment with Firefox and 
IE7 on Linux and Solaris. For more details see the readme in Sourceforge's 
CVS at http://squidkerbauth.cvs.sourceforge.net/squidkerbauth

Regards
Markus 





Re: [squid-users] Squid authentication and authorisation helper programs

2007-06-12 Thread Henrik Nordstrom
On Tue 2007-06-12 at 19:47 +0100, Markus Moeller wrote:

 I wrote two squid helper programs which are available at 
 http://squidkerbauth.sourceforge.net/
 
 The first program is a Kerberos based authentication helper program and uses 
 the Proxy Negotiate header with SPNEGO/Kerberos tokens. It will be part of 
 future squid-2 releases.

To be exact the kerberos helper will be in 2.6.STABLE14 and later, due
for release in a few weeks.

Regards
Henrik




Re: [squid-users] Squid Authentication + ldap/samba

2007-05-11 Thread Henrik Nordstrom
On Fri 2007-05-11 at 11:30 +0100, Duarte Lázaro wrote:

 But in NTLM i cannot ( i think ) restrict a user by an attribute, if  
 the user gets authenticated he has net.

You can. But it's two different things. Don't mix up authentication and
authorization.

The purpose of authentication is solely to verify the identity of the
user. You then use this identity in authorization to grant or deny
access.

authentication is done by auth_param settings, and triggered by acls
based on the user name.

authorization is done by http_access, by using acls matching users and
what they are allowed to do.


 Basic/Digest (squid_ldap_auth/group) are more flexible, because you can 
 use a filter and restrict by attribute. The problem is that browsers are 
 always prompting for password although the password can be stored.

You can still use squid_ldap_group with NTLM if you run a Windows Active
Directory.

Digest is a bit troublesome in that you can not use a user directory
backend, and must have a local digest password file on the proxy.

Regards
Henrik




[squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Duarte Lázaro

Hi there

I'm trying to set up squid with authentication, but I would need it 
asking the user the credentials.


Already set up a squid_ldap_auth but a login prompt comes, every time.

Trying now with squid_ldap_group, but still nothing; from the Unix 
prompt I can authenticate a user with some filter. Here is some info:


Squid.conf
---
*external_acl_type InetGroup %LOGIN 
/usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f 
((uid=%u)(gidNumber=%g)(homePhone=1)) -v 3


acl InetAccess external InetGroup 513
http_access allow InetAccess
---
*Ldap info
-
ldapsearch -vLx -b dc=pnp,dc=com (uid=duarte)

result :
# duarte, Users, pnp.com
dn: uid=duarte,ou=Users,dc=pnp,dc=com
objectClass: top
objectClass: person
...

sn: duarte
givenName: duarte
uid: duarte
uidNumber: 1002
gidNumber: 513
...

# numResponses: 2
# numEntries: 1
--
From the prompt on Unix :
/usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f 
((uid=%u)(gidNumber=%g)) -v 3

duarte 513
OK


so my question is.. whit the browser not authenticating whit squid ?

Thanks in advance.








Re: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Sergey A. Kobzar
Hello Duarte,

If you want to authenticate users from LDAP only, this configuration is
enough:

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b 
ou=People,dc=test,dc=com ldap.test.com
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
[skipped]
acl ldap_users proxy_auth REQUIRED
[skipped]
http_access allow ldap_users


Thursday, May 10, 2007, 1:17:34 PM, you wrote:

 Hi there

 I'm trying to set up squid with authentication, but I would need it 
 asking the user the credentials.

 Already set up a squid_ldap_auth but a login prompt comes, every time.

 Trying now with squid_ldap_group, but still nothing; from the Unix 
 prompt I can authenticate a user with some filter. Here is some info:

 Squid.conf
 ---
 *external_acl_type InetGroup %LOGIN 
 /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f 
 ((uid=%u)(gidNumber=%g)(homePhone=1)) -v 3

 acl InetAccess external InetGroup 513
 http_access allow InetAccess
 ---
 *Ldap info
 -
 ldapsearch -vLx -b dc=pnp,dc=com (uid=duarte)

 result :
 # duarte, Users, pnp.com
 dn: uid=duarte,ou=Users,dc=pnp,dc=com
 objectClass: top
 objectClass: person
 ...

 sn: duarte
 givenName: duarte
 uid: duarte
 uidNumber: 1002
 gidNumber: 513
 ...

 # numResponses: 2
 # numEntries: 1
 --
  From the prompt on Unix :
 /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f 
 ((uid=%u)(gidNumber=%g)) -v 3
 duarte 513
 OK


 so my question is.. whit the browser not authenticating whit squid ?

 Thanks in advance.








-- 
Best regards,
 Sergey



Re: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Duarte Lázaro


Hi,

What I really want is to authenticate on ldap, but the browser not to show 
a pop-up.

Is it possible? samba (maybe ntlm?)

What does the [skipped] do?

thanks

Sergey A. Kobzar wrote:

Hello Duarte,

If you want to authenticate users from LDAP only, this configuration is
enough:

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b 
ou=People,dc=test,dc=com ldap.test.com
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
[skipped]
acl ldap_users proxy_auth REQUIRED
[skipped]
http_access allow ldap_users


Thursday, May 10, 2007, 1:17:34 PM, you wrote:

  

Hi there

I'm trying to set up squid with authentication, but I would need it 
asking the user the credentials.

Already set up a squid_ldap_auth but a login prompt comes, every time.

Trying now with squid_ldap_group, but still nothing; from the Unix 
prompt I can authenticate a user with some filter. Here is some info:

Squid.conf
---
*external_acl_type InetGroup %LOGIN 
/usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f 
((uid=%u)(gidNumber=%g)(homePhone=1)) -v 3

acl InetAccess external InetGroup 513
http_access allow InetAccess
---
*Ldap info
-
ldapsearch -vLx -b dc=pnp,dc=com (uid=duarte)

result :
# duarte, Users, pnp.com
dn: uid=duarte,ou=Users,dc=pnp,dc=com
objectClass: top
objectClass: person
...

sn: duarte
givenName: duarte
uid: duarte
uidNumber: 1002
gidNumber: 513
...

# numResponses: 2
# numEntries: 1
--
From the prompt on Unix :
/usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f 
((uid=%u)(gidNumber=%g)) -v 3

duarte 513
OK

so my question is.. whit the browser not authenticating whit squid ?

Thanks in advance.










  




Re[2]: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Sergey A. Kobzar
Hello Duarte,

Thursday, May 10, 2007, 2:09:05 PM, you wrote:

 Hi,

 What I really want is to authenticate on ldap, but the browser not to show
 a pop-up.
 Is it possible? samba (maybe ntlm?)

I gave you working configuration. Just forgot about -v 3 option. :)

 What does the [skipped] do?

Line from standard Squid's config.

Show
tail -f /path/to/squid.conf
tail -f /path/to/slapd.conf

?

 thanks

 Sergey A. Kobzar wrote:
 Hello Duarte,

 If you want to authenticate users from LDAP only, this configuration is
 enough:

 auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b 
 ou=People,dc=test,dc=com ldap.test.com
 auth_param basic children 5
 auth_param basic realm Squid proxy-caching web server
 [skipped]
 acl ldap_users proxy_auth REQUIRED
 [skipped]
 http_access allow ldap_users


 Thursday, May 10, 2007, 1:17:34 PM, you wrote:

   
 Hi there

 I'm trying to set up squid with authentication, but I would need it 
 asking the user the credentials.

 Already set up a squid_ldap_auth but a login prompt comes, every time.

 Trying now with squid_ldap_group, but still nothing; from the Unix 
 prompt I can authenticate a user with some filter. Here is some info:
 

   
 Squid.conf
 ---
 *external_acl_type InetGroup %LOGIN 
 /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f 
 ((uid=%u)(gidNumber=%g)(homePhone=1)) -v 3
 

   
 acl InetAccess external InetGroup 513
 http_access allow InetAccess
 ---
 *Ldap info
 -
 ldapsearch -vLx -b dc=pnp,dc=com (uid=duarte)
 

   
 result :
 # duarte, Users, pnp.com
 dn: uid=duarte,ou=Users,dc=pnp,dc=com
 objectClass: top
 objectClass: person
 ...
 

   
 sn: duarte
 givenName: duarte
 uid: duarte
 uidNumber: 1002
 gidNumber: 513
 ...
 

   
 # numResponses: 2
 # numEntries: 1
 --
  From the prompt on Unix :
 /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f 
 ((uid=%u)(gidNumber=%g)) -v 3
 duarte 513
 OK
 


   
 so my question is.. whit the browser not authenticating whit squid ?
 

   
 Thanks in advance.
 








   



-- 
Best regards,
 Sergey



Re: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Duarte Lázaro

Ok, I think I'm not explaining so good.

I already have squid authentication; what I need is that the browser 
does not show the prompt, just gets the credentials without prompting the 
user. For example, my user is part of a domain, so they get the user from 
the computer and the user would not have the need to type it. Is there 
any way?


Sergey A. Kobzar wrote:

Hello Duarte,

Thursday, May 10, 2007, 2:09:05 PM, you wrote:

  

Hi,



  

i really wanna is to authenticated on ldap, but the browser not to show
a pop-up,
 it's possible? samba ( maybe ntlm ?)



I gave you working configuration. Just forgot about -v 3 option. :)

  

what does the [skipped], does ?



Line from standard Squid's config.

Show
tail -f /path/to/squid.conf
tail -f /path/to/slapd.conf

?

  

thanks



  

Sergey A. Kobzar wrote:


Hello Duarte,

If you want to authenticate users from LDAP only, this configuration is
enough:

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b 
ou=People,dc=test,dc=com ldap.test.com
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
[skipped]
acl ldap_users proxy_auth REQUIRED
[skipped]
http_access allow ldap_users


Thursday, May 10, 2007, 1:17:34 PM, you wrote:

  
  

Hi there

I'm trying to set up squid with authentication, but I would need it 
asking the user the credentials.

Already set up a squid_ldap_auth but a login prompt comes, every time.

Trying now with squid_ldap_group, but still nothing; from the Unix 
prompt I can authenticate a user with some filter. Here is some info:

Squid.conf
---
*external_acl_type InetGroup %LOGIN 
/usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f 
((uid=%u)(gidNumber=%g)(homePhone=1)) -v 3

acl InetAccess external InetGroup 513
http_access allow InetAccess
---
*Ldap info
-
ldapsearch -vLx -b dc=pnp,dc=com (uid=duarte)

result :
# duarte, Users, pnp.com
dn: uid=duarte,ou=Users,dc=pnp,dc=com
objectClass: top
objectClass: person
...

sn: duarte
givenName: duarte
uid: duarte
uidNumber: 1002
gidNumber: 513
...

# numResponses: 2
# numEntries: 1
--
From the prompt on Unix :
/usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f 
((uid=%u)(gidNumber=%g)) -v 3

duarte 513
OK

so my question is.. whit the browser not authenticating whit squid ?

Thanks in advance.









  
  




  




Re[2]: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Sergey A. Kobzar
Hello Duarte,

Many browsers have option to save username and passwd ;)

Thursday, May 10, 2007, 2:30:40 PM, you wrote:

 Ok, I think I'm not explaining so good.

 I already have squid authentication; what I need is that the browser 
 does not show the prompt, just gets the credentials without prompting the
 user. For example, my user is part of a domain, so they get the user from
 the computer and the user would not have the need to type it. Is there
 any way?

 Sergey A. Kobzar wrote:
 Hello Duarte,

 Thursday, May 10, 2007, 2:09:05 PM, you wrote:

   
 Hi,
 

   
 i really wanna is to authenticated on ldap, but the browser not to show
 a pop-up,
  it's possible? samba ( maybe ntlm ?)
 

 I gave you working configuration. Just forgot about -v 3 option. :)

   
 what does the [skipped], does ?
 

 Line from standard Squid's config.

 Show
 tail -f /path/to/squid.conf
 tail -f /path/to/slapd.conf

 ?

   
 thanks
 

   
 Sergey A. Kobzar wrote:
 
 Hello Duarte,

 If you want authenticate users from LDAP only, this configuration is
 enough:

 auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b 
 ou=People,dc=test,dc=com ldap.test.com
 auth_param basic children 5
 auth_param basic realm Squid proxy-caching web server
 [skipped]
 acl ldap_users proxy_auth REQUIRED
 [skipped]
 http_access allow ldap_users


 Thursday, May 10, 2007, 1:17:34 PM, you wrote:

   
   
 Hi there

 I'm trying to set up squid with authentication, but I would need it 
 asking the user the credentials.

 Already set up a squid_ldap_auth but a login prompt comes, every time.

 Trying now with squid_ldap_group, but still nothing; from the Unix 
 prompt I can authenticate a user with some filter. Here is some info:
 
 
   
   
 Squid.conf
 ---
 *external_acl_type InetGroup %LOGIN 
 /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f 
 ((uid=%u)(gidNumber=%g)(homePhone=1)) -v 3
 
 
   
   
 acl InetAccess external InetGroup 513
 http_access allow InetAccess
 ---
 *Ldap info
 -
 ldapsearch -vLx -b dc=pnp,dc=com (uid=duarte)
 
 
   
   
 result :
 # duarte, Users, pnp.com
 dn: uid=duarte,ou=Users,dc=pnp,dc=com
 objectClass: top
 objectClass: person
 ...
 
 
   
   
 sn: duarte
 givenName: duarte
 uid: duarte
 uidNumber: 1002
 gidNumber: 513
 ...
 
 
   
   
 # numResponses: 2
 # numEntries: 1
 --
  From the prompt on Unix :
 /usr/local/libexec/squid/squid_ldap_group -R -b dc=pnp,dc=com -f 
 ((uid=%u)(gidNumber=%g)) -v 3
 duarte 513
 OK
 
 
   
   
 so my question is.. whit the browser not authenticating whit squid ?
 
 
   
   
 Thanks in advance.

-- 
Best regards,
 Sergey



Re: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Duarte Lázaro

Hi, Sergey

I know that, but for example in IE or Firefox the prompt still opens, 
although the password is saved. My question is if there is some way that 
the prompt (although the password is saved) is not shown.


Anyway, thanks for the tips.

Sergey A. Kobzar wrote:

Hello Duarte,

Many browsers have option to save username and passwd ;)

Thursday, May 10, 2007, 2:30:40 PM, you wrote:

Ok, I think I'm not explaining so well.

I already have squid authentication; what I need is that the browser
does not show the prompt, just gets the credentials without prompting the
user. For example, my user is part of a domain, so they get the user from
the computer and the user would not have the need to type it. Is there
any way?

Sergey A. Kobzar wrote:

Hello Duarte,

Thursday, May 10, 2007, 2:09:05 PM, you wrote:

Hi,

I really want to authenticate on ldap, but the browser not to show
a pop-up; is it possible? samba (maybe ntlm?)

I gave you working configuration. Just forgot about -v 3 option. :)

What does the [skipped] do?

Line from standard Squid's config.

Show
tail -f /path/to/squid.conf
tail -f /path/to/slapd.conf

?

thanks


  
  




  




Re: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Felipe Augusto van de Wiel

On 05/10/2007 08:44 AM, Duarte Lázaro wrote:
 Hi, Sergey
 
 I know that, but for example in IE or Firefox the prompt
 still opens, although the password is saved. My question
 is if there is some way that the prompt (although the
 password is saved) is not shown.

Yes, there is. A single sign-on solution, like
Kerberos, *but*, not sure about how squid will integrate
that, AFAIK thru ntlm auth.

Searching for Single Sign-On (also known as SSO)
you will find some good information and posts on the mail
list about the subject. Good luck and don't forget to
add more information on this thread if you find something
interesting. :-)

Kind regards,
- --
Felipe Augusto van de Wiel [EMAIL PROTECTED]
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)


Re: [squid-users] Squid Authentication + ldap/samba

2007-05-10 Thread Henrik Nordstrom
On Thu 2007-05-10 at 12:09 +0100, Duarte Lázaro wrote:

 I really want to authenticate on ldap, but the browser not to show
 a pop-up; is it possible? samba (maybe ntlm?)

This depends entirely on browser support and which scheme you are using.

Few if any browsers support fully saved proxy passwords when using the Basic
or Digest authentication schemes. Most ask the user once before sending
the password to the proxy.

Most browsers supporting NTLM authentication do this automatically on
Windows stations logged on to a domain, but using NTLM requires a NTLM
capable authentication backend such as Samba connected to the Windows
domain, LDAP can not be used.

But you can use LDAP to check group membership using squid_ldap_group
even if using NTLM via Samba for authentication.

Regards
Henrik
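
The combination described in this reply (NTLM through Samba for authentication, squid_ldap_group for the group check), as an added squid.conf example that is not from any poster in this thread. It reuses the base DN, filter and group id 513 from the original question; the ntlm_auth path, the children count and the ACL name ntlm_users are assumptions, and the Squid host must already be joined to the domain with winbindd running.

```conf
# Added example, not from the thread. Paths and ACL names are assumptions.

# Authentication: NTLM handled by Samba's ntlm_auth helper.
# Browsers on domain-joined Windows stations answer this without a prompt.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

# Authorization: group membership looked up in LDAP.
# With NTLM the login arrives as DOMAIN\user; -S strips the NT domain
# part so that %u matches the plain uid attribute in the directory.
external_acl_type InetGroup %LOGIN /usr/local/libexec/squid/squid_ldap_group -R -S -b "dc=pnp,dc=com" -f "(&(uid=%u)(gidNumber=%g))" -v 3

acl ntlm_users proxy_auth REQUIRED
acl InetAccess external InetGroup 513

# Require a successful NTLM login first, then allow only members of 513.
http_access deny !ntlm_users
http_access allow InetAccess
http_access deny all
```

The group helper can be checked on its own, as in the original question, by running it from a shell and typing `duarte 513`; it answers OK or ERR.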




RE: [squid-users] Squid authentication to a Samba domain controller

2007-03-18 Thread Paul Matthews
Glad to hear you have figured out your problem, but just in case anyone
else tries to get Squid working with NTLM authentication I've written a
how-to for it on my website.

Squid With NTLM authentication
http://www.opensourcehowto.org/how-to/squid/squid-with-ntlm-authentication.html


 From: Kinkie [mailto:[EMAIL PROTECTED]
 Sent: Saturday, March 17, 2007 9:11 AM

 On Sat, 2007-03-17 at 07:56 +0100, Lux wrote:
  Hi all

  I'd like Squid to authenticate, possibly transparently with ntlm, to a
  Samba Domain Controller.
  I found, and used in other cases, plenty of documentation about doing
  this but with a Windows domain, via winbindd and ntlm_auth. But this
  approach seems not to be usable when the Squid box is also a Samba
  domain controller.
  Any ideas? Pointers to docs are appreciated.

 It should work just the same.
 In what ways is your attempt failing?

 You're right. I simply forgot to join the Samba machine to the domain with
 net rpc join, so ntlm_auth was failing.
 I noticed that the command wbinfo -u gives Error looking up domain users
 on a Samba DC, whereas it returns the list of usernames when it is issued
 on a member server. I tried this on different Samba domain controllers too.
 This led me to think that the Samba domain controller setup was going to
 be different at all.
 Now I joined the machine to the domain, and ntlm_auth --username
 xxx --password xxx is working good. Unfortunately I'm not able to try the
 whole squid functionality with a real browser at the moment, but I think
 it's likely to be ok now.

 Thank you.
 Luigi




-- 
OpenSourceHowTo.org
http://www.opensourcehowto.org/

Wiki.OpenSourceHowTo.org
http://wiki.opensourcehowto.org/

My ServerSetup Scripts
http://evilperson85.110mb.com

Please Support OpenSourceHowTo.org
http://www.opensourcehowto.org/how-to/welcome/support-opensourcehowto.org.html


Re: [squid-users] Squid authentication to a Samba domain controller

2007-03-18 Thread Adrian Chadd
On Sun, Mar 18, 2007, Paul Matthews wrote:
 Glad to hear you have figured out your problem, but just in case anyone
 else tries to get Squid working with NTLM authentication I've written a
 how-to for it on my website.
 
 Squid With NTLM authentication
 http://www.opensourcehowto.org/how-to/squid/squid-with-ntlm-authentication.html

Would you mind if i added this in as a link from the Squid Wiki?
http://wiki.squid-cache.org/ConfigExamples/ (has a couple new ones too involving
Outlook Web Access..)



Adrian



Re: [squid-users] Squid authentication to a Samba domain controller

2007-03-18 Thread Guido Serassio

Hi Adrian,

At 09.13 18/03/2007, Adrian Chadd wrote:

On Sun, Mar 18, 2007, Paul Matthews wrote:
 Glad to hear you have figured out your problem, but just in case anyone
 else tries to get Squid working with NTLM authentication I've written a
 how-to for it on my website.

 Squid With NTLM authentication
 http://www.opensourcehowto.org/how-to/squid/squid-with-ntlm-authentication.html

Would you mind if i added this in as a link from the Squid Wiki?
http://wiki.squid-cache.org/ConfigExamples/ (has a couple new ones too
involving Outlook Web Access..)


I don't agree because the content is still outdated to 2.5 squid.conf 
syntax and the Kerberos config often is not needed (as in Samba documentation).


It could be better to link the official Samba HOWTO:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member

Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/


