Hi Amos;

OK, we can discuss the issue in two parts: 1. For Windows AD Authentication & SSO and 2. Linux server unable to access via squid proxy.

For the first point - the requirement is to have SSO for accessing the internet via squid proxy and, based on the user's AD group membership, allow access to specific sites only. I believe the current configuration of squid is working as expected.

For the second point - the point I would like to highlight here is that the Linux server IWCCP01 is not part of the domain at all. Hence the below error, as squid is configured for AD_auth. So how can we allow a Linux server or non-domain machine to access specific sites?

> Error 407 is "proxy auth required", so the proxy is expecting authentication
> for some reason.

====================================

> Can you confirm that the hostname vseries-test.bottomline.com is contained in
> your site file /etc/squid/sitelist/dbs_allowed_site ?

YES, we have an entry as .bottomline.com, which works fine when accessed via a Windows machine having proxy enabled for that user.

==============================

> Can you temporarily change the line "http_access allow IWCCP01 allowedsite" to
> "http_access allow IWCCP01" and see whether the machine then gets access?

I made the changes as suggested but it is still giving the same Error 407.

========================================

If that works, please list the output of the command:

grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site

The output of the above command is as below -

[root@Proxy02 ~]# grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site
.bottomline.com
[root@Proxy02 ~]#

=======================================

Thanks & Regards
Nilesh Suresh Gavali

Message: 2
Date: Wed, 5 Oct 2016 00:11:08 +1300
From: Amos Jeffries <squ...@treenet.co.nz>
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid - AD kerberos auth and Linux Server proxy access not working
Message-ID: <d35ad0ca-761d-60e3-c594-04697110a...@treenet.co.nz>
Content-Type: text/plain; charset=utf-8

On 4/10/2016 11:36 p.m., Antony Stone wrote:
> On Tuesday 04 October 2016 at 12:28:44, Nilesh Gavali wrote:
>
>> Hello Antony;
>> I have double checked the current working configuration of my squid.conf
>> and it has same settings which I posted earlier. somehow it is working for
>> us.
>
> I'm not saying the whole thing won't work; I'm saying there is no point in
> having a line "http_access allow ad_auth" following the line "http_access deny
> all". The ad_auth line can never be invoked.

Not knowing why authentication works is dangerous. You might have been allowing non-authenticated traffic and invalid user accounts through.

The only reason it does "work" is that the ACL called "USERS" is _not_ actually checking user logins. It is a group checking ACL which requires authentication to happen before it can be checked.

In this specific case invalid logins cannot be a member of the group. So they will not get through the proxy.

However, people who accidentally type the user/password wrong, or whose machines automatically login with an account not a member of the group will not be allowed any way to try again short of shutting down their browser or maybe even logging out of the machine and trying from another one.

That may or may not be a problem for you.

>
>> below is the error from access.log file.
>>
>> 1475518342.279 0 10.xx.15.103 TCP_DENIED/407 3589 CONNECT
>> vseries-test.bottomline.com:443 - NONE/- text/html
>
> Error 407 is "proxy auth required", so the proxy is expecting authentication
> for some reason.
>
> Can you confirm that the hostname vseries-test.bottomline.com is contained in
> your site file /etc/squid/sitelist/dbs_allowed_site ?
>
> Can you temporarily change the line "http_access allow IWCCP01 allowedsite" to
> "http_access allow IWCCP01" and see whether the machine then gets access?
>

If that works, please list the output of the command:

grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site

Amos
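
Added example, not part of the original thread and not the poster's squid.conf: a simplified Python model of the http_access behaviour discussed above (top-down, first match wins; an ACL that needs a login answers 407 when no credentials were sent; lines after "deny all" are never invoked). Only the ACL names come from the thread; the rule order, the AUTH_ACLS set and the helper names are assumptions, and negated ACLs are not modelled.

```python
# Added example: simplified model of Squid http_access evaluation.
# ACL names come from the thread; rule order and AUTH_ACLS are assumptions.
AUTH_ACLS = {"USERS", "ad_auth"}  # ACLs that cannot be tested without a login

AUTH_FIRST = """
http_access allow USERS allowedsite
http_access allow IWCCP01 allowedsite
http_access deny all
http_access allow ad_auth
"""

HOST_FIRST = """
http_access allow IWCCP01 allowedsite
http_access allow USERS allowedsite
http_access deny all
"""

def parse(conf):
    """Return [(action, [acl, ...])] for every http_access line."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def unreachable(rules):
    """Rules after a bare 'allow all' or 'deny all' can never be invoked."""
    for i, (_, acls) in enumerate(rules):
        if acls == ["all"]:
            return rules[i + 1:]
    return []

def decide(rules, matches, has_credentials):
    """Top-down, first match wins; ACLs on one line are ANDed left to right."""
    for action, acls in rules:
        for acl in acls:
            if acl in AUTH_ACLS and not has_credentials:
                return "407"  # proxy must ask for a login before testing this ACL
            if acl != "all" and acl not in matches:
                break  # this line does not match, try the next one
        else:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    linux_box = {"IWCCP01", "allowedsite"}  # constructed: non-domain host, no login
    print(unreachable(parse(AUTH_FIRST)))
    print(decide(parse(AUTH_FIRST), linux_box, False))
    print(decide(parse(HOST_FIRST), linux_box, False))
```

In the HOST_FIRST order the non-domain host is matched by its source-address rule before any login is requested, while every other client still reaches the USERS group check.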