[squid-users] squid 3.3.3 : deny_info with NTLM - remove popup auth -

[David Touzeau]

Dear,
i would like squid to not display authentication popup if the client is not 
authenticated trough NTLM
For this i have understood that if  deny_info is set then Squid redirect the 
error to the specified url.

I have set this:
auth_param ntlm program 
/usr/bin/ntlm_auth --domain=ABC.LAB --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20 startup=1 idle=1
auth_param ntlm keep_alive on
auth_param basic program 
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 3 startup=1 idle=1
auth_param basic realm Basic Identification
auth_param basic credentialsttl 2 hours


acl AUTHENTICATED proxy_auth REQUIRED
acl AllowedUrisTemplates dstdomain .domain.tld

http_access  allow AllowedUrisTemplates
http_access deny !AUTHENTICATED all
deny_info http://proxy-error.domain.tld AUTHENTICATED
http_access deny all

But it seems that squid did not care about the deny_info defined for 
AUTHENTICATED acl and force to use the ERR_CACHE_ACCESS_DENIED template.

Why ?

Best regards

2013/07/03 20:20:29.171 kid1| Acl.cc(339) matches: ACLList::matches: result 
is false
2013/07/03 20:20:29.171 kid1| Checklist.cc(275) matchNode: 0x135c238 
matched=0 async=0 finished=0
2013/07/03 20:20:29.171 kid1| Checklist.cc(299) matchNode: 0x135c238 simple 
mismatch
2013/07/03 20:20:29.172 kid1| Checklist.cc(160) checkAccessList: 0x135c238 
checking 'http_access deny !AUTHENTICATED'
2013/07/03 20:20:29.172 kid1| Acl.cc(336) matches: ACLList::matches: 
checking !AUTHENTICATED
2013/07/03 20:20:29.172 kid1| Acl.cc(319) checklistMatches: 
ACL::checklistMatches: checking 'AUTHENTICATED'
2013/07/03 20:20:29.172 kid1| Acl.cc(66) AuthenticateAcl: returning 3 
sending authentication challenge.
2013/07/03 20:20:29.172 kid1| Checklist.cc(146) markFinished: 0x135c238 
answer AUTH_REQUIRED for AuthenticateAcl exception
2013/07/03 20:20:29.172 kid1| Acl.cc(321) checklistMatches: 
ACL::ChecklistMatches: result for 'AUTHENTICATED' is -1
2013/07/03 20:20:29.172 kid1| Acl.cc(339) matches: ACLList::matches: result 
is false
2013/07/03 20:20:29.172 kid1| Checklist.cc(275) matchNode: 0x135c238 
matched=0 async=0 finished=1
2013/07/03 20:20:29.172 kid1| Checklist.cc(294) matchNode: 0x135c238 
exception: AUTH_REQUIRED
2013/07/03 20:20:29.172 kid1| Checklist.cc(88) matchNonBlocking: 
ACLChecklist::check: 0x135c238 match found, calling back with AUTH_REQUIRED
2013/07/03 20:20:29.172 kid1| Checklist.cc(182) checkCallback: 
ACLChecklist::checkCallback: 0x135c238 answer=AUTH_REQUIRED
2013/07/03 20:20:29.172 kid1| client_side_request.cc(778) 
clientAccessCheckDone: The request GET 
http://www.google.com/search?q=www&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a&channel=np&source=hp 
is AUTH_REQUIRED, because it matched 'AUTHENTICATED'
2013/07/03 20:20:29.172 kid1| client_side_request.cc(794) 
clientAccessCheckDone: Access Denied: 
http://www.google.com/search?q=www&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a&channel=np&source=hp
2013/07/03 20:20:29.172 kid1| client_side_request.cc(795) 
clientAccessCheckDone: AclMatchedName = AUTHENTICATED
2013/07/03 20:20:29.172 kid1| client_side_request.cc(798) 
clientAccessCheckDone: Proxy Auth Message = <null>
2013/07/03 20:20:29.172 kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7ffff93bb370
2013/07/03 20:20:29.172 kid1| Checklist.cc(334) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7ffff93bb370
2013/07/03 20:20:29.172 kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7ffff93bb250
2013/07/03 20:20:29.172 kid1| Checklist.cc(334) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7ffff93bb250
2013/07/03 20:20:29.172 kid1| client_side_request.cc(1314) 
sslBumpAccessCheck: cannot SslBump this request
2013/07/03 20:20:29.172 kid1| store.cc(825) storeCreateEntry: 
storeCreateEntry: 
'http://www.google.com/search?q=www&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a&channel=np&source=hp'
2013/07/03 20:20:29.172 kid1| store.cc(401) StoreEntry: new StoreEntry 
0x135c4f0
2013/07/03 20:20:29.172 kid1| MemObject.cc(88) MemObject: new MemObject 
0x135c570
2013/07/03 20:20:29.172 kid1| HttpHeader.cc(402) HttpHeader: init-ing hdr: 
0x135c688 owner: 3
2013/07/03 20:20:29.172 kid1| store_key_md5.cc(109) storeKeyPrivate: 
storeKeyPrivate: GET 
http://www.google.com/search?q=www&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a&channel=np&source=hp
2013/07/03 20:20:29.172 kid1| store.cc(487) hashInsert: 
StoreEntry::hashInsert: Inserting Entry 0x135c4f0 key 
'464E68CBC43B3990C6A6986641D292AB'
2013/07/03 20:20:29.172 kid1| store.cc(541) setReleaseFlag: 
StoreEntry::setReleaseFlag: '464E68CBC43B3990C6A6986641D292AB'
2013/07/03 20:20:29.172 kid1| store.cc(530) lock: StoreEntry::lock: key 
'464E68CBC43B3990C6A6986641D292AB' count=2
2013/07/03 20:20:29.172 kid1| Checklist.cc(153) preCheck: 0x7ffff93bafd0 
checking fast rules
2013/07/03 20:20:29.172 kid1| Checklist.cc(414) fastCheck: aclCheckFast: 
list: 0x13178e8
2013/07/03 20:20:29.172 kid1| Acl.cc(336) matches: ACLList::matches: 
checking all
2013/07/03 20:20:29.172 kid1| Acl.cc(319) checklistMatches: 
ACL::checklistMatches: checking 'all'
2013/07/03 20:20:29.172 kid1| Ip.cc(560) match: aclIpMatchIp: 
'192.168.1.225:53970' found
2013/07/03 20:20:29.172 kid1| Acl.cc(321) checklistMatches: 
ACL::ChecklistMatches: result for 'all' is 1
2013/07/03 20:20:29.172 kid1| Acl.cc(343) matches: ACLList::matches: result 
is true
2013/07/03 20:20:29.172 kid1| Checklist.cc(275) matchNode: 0x7ffff93bafd0 
matched=1 async=0 finished=0
2013/07/03 20:20:29.172 kid1| Checklist.cc(260) matchNodes: 0x7ffff93bafd0 
success: all ACLs matched
2013/07/03 20:20:29.172 kid1| Checklist.cc(146) markFinished: 0x7ffff93bafd0 
answer DENIED for first matching rule won
2013/07/03 20:20:29.172 kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7ffff93bafd0
2013/07/03 20:20:29.172 kid1| Checklist.cc(334) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7ffff93bafd0
2013/07/03 20:20:29.172 kid1| errorpage.cc(615) errorAppendEntry: Creating 
an error page for entry 0x135c4f0 with errorstate 0x135c408 page id 2

2013/07/03 20:20:29.172 kid1| Acl.cc(336) matches: ACLList::matches: 
checking all
2013/07/03 20:20:29.172 kid1| Acl.cc(319) checklistMatches: 
ACL::checklistMatches: checking 'all'
2013/07/03 20:20:29.172 kid1| Ip.cc(560) match: aclIpMatchIp: 
'192.168.1.225:53970' found
2013/07/03 20:20:29.172 kid1| Acl.cc(321) checklistMatches: 
ACL::ChecklistMatches: result for 'all' is 1
2013/07/03 20:20:29.172 kid1| Acl.cc(343) matches: ACLList::matches: result 
is true
2013/07/03 20:20:29.172 kid1| Checklist.cc(275) matchNode: 0x7ffff93bafd0 
matched=1 async=0 finished=0
2013/07/03 20:20:29.172 kid1| Checklist.cc(260) matchNodes: 0x7ffff93bafd0 
success: all ACLs matched
2013/07/03 20:20:29.172 kid1| Checklist.cc(146) markFinished: 0x7ffff93bafd0 
answer DENIED for first matching rule won
2013/07/03 20:20:29.172 kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7ffff93bafd0
2013/07/03 20:20:29.172 kid1| Checklist.cc(334) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7ffff93bafd0
2013/07/03 20:20:29.172 kid1| errorpage.cc(615) errorAppendEntry: Creating 
an error page for entry 0x135c4f0 with errorstate 0x135c408 page id 2
2013/07/03 20:20:29.172 kid1| store.cc(530) lock: StoreEntry::lock: key 
'464E68CBC43B3990C6A6986641D292AB' count=3
2013/07/03 20:20:29.172 kid1| HttpHeader.cc(402) HttpHeader: init-ing hdr: 
0x135c978 owner: 3
2013/07/03 20:20:29.172 kid1| HttpHeader.cc(968) getList: 0x135b2b8: joined 
for id 3: 0x7ffff93bb0c0
2013/07/03 20:20:29.172 kid1| errorpage.cc(448) loadFor: Testing Header: 
'fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3'
2013/07/03 20:20:29.172 kid1| errorpage.cc(458) loadFor: Found language 
'fr', testing for available template
2013/07/03 20:20:29.172 kid1| disk.cc(95) file_open: file_open: FD 12
2013/07/03 20:20:29.172 kid1| fd.cc(221) fd_open: fd_open() FD 12 
/usr/share/squid3/errors/fr/ERR_CACHE_ACCESS_DENIED
2013/07/03 20:20:29.173 kid1| disk.cc(150) file_close: file_close: FD 12 
really closing
2013/07/03 20:20:29.173 kid1| fd.cc(116) fd_close: fd_close FD 12 
/usr/share/squid3/errors/fr/ERR_CACHE_ACCESS_DENIED
2013/07/03 20:20:29.173 kid1| ModEpoll.cc(139) SetSelect: FD 12, type=1, 
handler=0, client_data=0, timeout=0
2013/07/03 20:20:29.173 kid1| ModEpoll.cc(139) SetSelect: FD 12, type=2, 
handler=0, client_data=0, timeout=0
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%} --> '%}'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%; --> '%;'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%; --> '%;'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%  --> '% '
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%} --> '%}'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%} --> '%}'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%} --> '%}'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%} --> '%}'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%} --> '%}'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%; --> '%;'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%U --> 
'http://www.google.com/search?q=www&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a&channel=np&source=hp'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%U --> 
'http://www.google.com/search?q=www&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a&channel=np&source=hp'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%U --> 
'http://www.google.com/search?q=www&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a&channel=np&source=hp'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%h --> 'squid32-64.localhost.localdomain'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%T --> 'Wed, 03 Jul 2013 18:20:29 GMT'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%h --> 'squid32-64.localhost.localdomain'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%s --> 'squid/3.3.3-20130414-r12525'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: 
%%c --> 'ERR_CACHE_ACCESS_DENIED'
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding 
entry: 50 at 0
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding 
entry: 36 at 1
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding 
entry: 21 at 2
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding 
entry: 18 at 3
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding 
entry: 14 at 4
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding 
entry: 70 at 5
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding 
entry: 61 at 6
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding 
entry: 13 at 7