hello list
I am using squid/2.6.STABLE5 on Debian etch. When I authenticate in order to browse through my proxy, I receive the error TCP_DENIED/407. When I remove the [-c] option from "auth_param digest program /usr/lib/squid/digest_pw_auth -c /etc/apache2/passwd" and put entries in username:passwd format in the passwd file, I can authenticate and browse without problems.

Before doing that, I made sure to create the passwords in the correct format using my realm (Linux-Squid-Proxy-Server), for example: htdigest /etc/apache2/passwd Linux-Squid-Proxy-Server username
The user and the password are stored correctly in the passwd file:
username:Linux-Squid-Proxy-Server:17ef92113012ce22813780e16d9fb7f1

What is the difference between storing the passwords in the format username:realm:password and in the format username:password?
I still don't understand this, even though it seems so simple.
Could somebody help me fix this error? I am using the script user_manage, thanks to Henrik Nordstrom, who recommended it to me. After many attempts I managed to make it work the way I want, but then I ran into this error, TCP_DENIED/407.
excuse my English


# Proxy listener: clients connect to this single address and port.
http_port 192.168.157.92:3128
#ssl_unclean_shutdown off
# ICP and HTCP are inter-cache (peer) protocols carried over UDP.
# NOTE(review): no cache peers are visible in this excerpt; if none are
# configured elsewhere, these listeners are unused attack surface and can be
# disabled by setting the port to 0 -- confirm before changing.
icp_port 3130
htcp_port 4827
udp_incoming_address 0.0.0.0
udp_outgoing_address 255.255.255.255
# -----------------------------------------------------------------------------
# Requests whose URL contains these strings are fetched directly rather than
# through a cache hierarchy.
hierarchy_stoplist cgi-bin ?
#   Objects that will not be stored in the cache.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# -----------------------------------------------------------------------------
#           OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------
#  TAG: cache_mem    (bytes)
cache_mem 20 MB
# Low/high water marks (percent of cache_dir) for object replacement.
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 20 KB
# -----------------------------------------------------------------------------
# Sizes and water marks of the in-memory DNS caches.
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy lru
memory_replacement_policy lru
# -----------------------------------------------------------------------------
#           LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------
cache_dir ufs /var/spool/squid 100 16 256
# access.log is where per-request results such as TCP_DENIED/407 are written;
# it is the first place to look when diagnosing authentication failures.
cache_access_log /var/log/squid/access.log
# cache.log carries Squid's own diagnostics, including helper start-up errors.
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log off
log_ip_on_direct on
mime_table /usr/share/squid/mime.conf
pid_filename /var/run/squid.pid
# Debug level 1 for all sections; raise the authentication section
# temporarily when investigating helper problems, then restore it.
debug_options ALL,1
log_fqdn off
# A full /32 mask means complete client IP addresses are kept in the logs.
client_netmask 255.255.255.255
# -----------------------------------------------------------------------------
#           OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------
# The value below was redacted by the mailing-list archive; the real file holds
# the address sent as the anonymous-FTP password.
ftp_user [EMAIL PROTECTED]
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol off
#------------------------------------------------------------------------------
#   AUTHENTICATION PROGRAMS
#------------------------------------------------------------------------------
#   IP addresses of the INFOCOM DNS servers
dns_nameservers 169.158.128.136 169.158.128.156

# Digest authentication helper and its credential file.
# With -c the helper is told the file holds hashed (HA1) values instead of
# plaintext passwords; without -c the file must hold username:password in
# clear text.
# NOTE(review): whether this Squid build's helper accepts the three-field
# htdigest layout (username:realm:hash) should be confirmed against the helper
# documentation for the installed version.
# Security: an HA1 value is MD5(username:realm:password) and is sufficient on
# its own to answer Digest challenges for that realm, so the file must be
# treated as a secret either way -- readable only by the account the helper
# runs as, and never shared (hashes included).
auth_param digest program /usr/lib/squid/digest_pw_auth -c /etc/apache2/passwd
# Number of helper processes started to answer lookups.
auth_param digest children 20
# Must match, character for character, the realm used when the entries in the
# credential file were created, because the realm is part of the HA1 hash.
auth_param digest realm Linux-Squid-Proxy-Server
# Nonce housekeeping: clean-up interval, maximum lifetime of a nonce, and the
# maximum number of requests that may reuse one nonce.
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50

#
# -----------------------------------------------------------------------------
#***********************OPTIONS FOR TUNING THE CACHE***************************
# -----------------------------------------------------------------------------
# Upper bound on the size of request headers accepted from clients.
request_header_max_size 20 KB
# 0 KB means request bodies (uploads/POSTs) are not size-limited.
request_body_max_size 0 KB
# Freshness rules: regex, minimum age (minutes), percent of object age,
# maximum age (minutes). The first matching pattern is used.
refresh_pattern ^ftp:  1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern .  0 20% 4320

# Controls whether an aborted client download is completed by the cache.
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95

# How long failed responses and DNS results are remembered.
negative_ttl 5 minutes
positive_dns_ttl 6 hours
negative_dns_ttl 1 minute
range_offset_limit 0 KB
# Connection and request timeouts.
forward_timeout 4 minutes
connect_timeout 1 minute
peer_connect_timeout 30 seconds
read_timeout 15 minutes
request_timeout 1 minutes
persistent_request_timeout 1 minute
client_lifetime 3 hours
half_closed_clients on
pconn_timeout 120 seconds
ident_timeout 10 seconds
shutdown_lifetime 30 seconds



# Base ACL definitions. An ACL only names a condition; nothing is allowed or
# denied until it is referenced by an *_access rule.
acl all src 0.0.0.0/0.0.0.0
# Matches any request that carries valid proxy credentials. Referencing it in
# http_access is what makes Squid answer 407 when credentials are missing or
# rejected by the helper.
acl Autenticados proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
#   Definition of the safe ports
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT

# http_access rules are evaluated top to bottom and the first match decides,
# so the order of the lines below is significant.
# Cache manager is reachable from the proxy host itself only.
http_access allow manager localhost
http_access deny manager
# Deny access to unknown ports
http_access deny !Safe_ports
# Deny the CONNECT method to anything other than SSL ports, so the proxy
# cannot be used to tunnel to arbitrary services.
http_access deny CONNECT !SSL_ports
# Stops clients from reaching services bound to the proxy's own loopback.
http_access deny to_localhost
# NOTE(review): ICP queries and miss forwarding are open to every source. If
# no peer caches are in use, restricting these to known peers (or denying
# them) is the tighter posture -- confirm against the peer setup.
icp_access allow all
miss_access allow all

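#-------------------------------------------------------------------------------------
# INSERT MY OWN RULE(S) HERE TO ALLOW ACCESS FOR USERS
#-------------------------------------------------------------------------------------

# Internal client networks that may use the proxy.
# The two ACL definitions below were run together on one line in the posted
# configuration; each directive has to start on its own line, otherwise the
# second one is read as more addresses for red_metro and "denegar" is never
# defined.
acl red_metro src 192.168.157.0/24 192.168.156.0/24 192.168.154.0/24 192.168.155.0/24 192.168.130.0/24
# File extensions (matched case-insensitively at the end of the URL path) that
# users may not download.
acl denegar urlpath_regex -i \.avi$ \.mov$ \.mpeg$ \.mpg$ \.wav$ \.mp3$ \.midi$ \.iso$ \.rm$ \.exe$ \.nrg$ \.afx$ \.asf$ \.asx$ \.au$ \.divx$ \.m3u$ \.mp2$ \.qt$ \.ra$ \.ram$ \.rm$ \.viv$ \.vivo$ \.vob$ \.vqf$ \.wav$ \.wma$ \.wmv$ \.wma$ \.wmv$ \.vbs$ \.shs$ \.pif$

# Destination given as a bare IPv4 address instead of a host name.
acl IPForHostname dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$

# MAXIMUM CONNECTIONS PER USER
# Matches once a single client IP has more than 4 connections open.
acl OverConnLimit maxconn 4
# USER CONNECTIONS PER IP ADDRESS
# Matches when one authenticated username is seen from more than 2 client IPs
# (a signal of shared or leaked credentials). Needs an authenticated user, so
# it is only meaningful after a proxy_auth ACL on the same rule.
acl ip_max max_user_ip 2

# Block streaming video and audio
# NOTE(review): "useragent" is defined here but not referenced by any access
# rule in this file as posted, so it currently has no effect.
acl useragent browser -i ^application/NSPlayer$
acl useragent browser -i ^application/Windows-Media-Player$
#acl useragent browser Mozilla

# DEFINITION OF REPLIES WITH UNWANTED MIME TYPES.
acl webRadioRep rep_mime_type -i ^video/x-ms-asf$
acl webRadioRep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl webRadioRep rep_mime_type -i ^application/x-mms-framed$
acl webRadioRep rep_mime_type -i ^audio/x-scpls$
acl webRadioRep rep_mime_type video/flv
acl webRadioRep rep_mime_type ^video
acl webRadioRep rep_mime_type ^audio
acl webRadioRep rep_mime_type -i ^application/octet-stream$
acl webRadioRep rep_mime_type video/mpeg
acl webRadioRep rep_mime_type audio/mpeg

# Because mp3 streaming usually has NO mime type,
# we also classify by User-Agent.
# The "browser" ACL type takes regular expressions, not shell globs, so the
# trailing "/*" means "zero or more slashes" and each entry effectively
# matches the product name anywhere in the User-Agent header. The header is
# client-controlled, so this is a convenience filter, not a security boundary.
acl Agente browser Windows-Media-Player/*
acl Agente browser xmms/*
acl Agente browser gator/*
acl Agente browser MPlayer/*
acl Agente browser NSPlayer/*
acl Agente browser QuickTime*/*
acl Agente browser Winamp/*

acl FTP url_regex -i ^ftp://.*\.mp3$
acl FTP url_regex -i ^ftp://.*\.exe$
acl FTP url_regex -i ^ftp://.*\.mpg$
acl FTP url_regex -i ^ftp://.*\.avi$
acl FTP url_regex -i ^ftp://.*\.pdf$
acl FTP url_regex -i ^ftp://.*\.jpg$

http_access deny Agente all

# NOTE(review): ACLs listed on one rule are ANDed, so this denies a reply only
# when the URL matches FTP *and* the reply type matches webRadioRep. If the
# intent is to block the listed media types on ordinary http:// replies too,
# webRadioRep needs a deny rule of its own -- confirm the intended policy.
http_reply_access deny FTP webRadioRep
# ACL name spelled as it is defined ("acl all ...").
http_reply_access allow all

http_access deny OverConnLimit
# The only rule that lets network users out: source network AND valid
# credentials AND none of the three exclusions. A request without credentials
# the helper accepts is answered with 407 at this point; the first,
# not-yet-authenticated request of a session is expected to log one.
http_access allow red_metro Autenticados !denegar !ip_max !IPForHostname
http_access allow localhost
# Explicit final deny. Without it Squid falls back to the opposite of the last
# rule, which is also "deny" here, but stating it keeps the policy from
# silently flipping if rules are later appended.
http_access deny all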
