[squid-users] Authentication pop-ups. Questions

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 9 21:56:04 UTC 2015

On 10/12/2015 3:25 a.m., VerĂ³nica Ovando wrote:
> Hi. I have Squid 3.5 running over Debian 8.
> I am using AD authentication. This is part of my squid.conf:
> #auth_param ntlm program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.com
> auth_param ntlm program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param ntlm keep_alive off
> auth_param basic program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Servidor proxy-cache de mi Dominio
> auth_param basic credentialsttl 2 hours
> external_acl_type AD_Grupos ttl=10 children=10 %LOGIN
> /usr/lib/squid3/ext_wbinfo_group_acl -d
> acl AD_Standard external Grupos_AD Standard
> acl AD_Exceptuados external Grupos_AD Exceptuados
> acl AD_Bloqueados external Grupos_AD Bloqueados
> acl face url_regex -i "/etc/squid3/facebook"
> acl gob url_regex -i "/etc/squid3/gubernamentales"
> http_access allow AD_Standard
> http_access allow AD_Exceptuados face
> http_access allow AD_Exceptuados gob
> http_access deny AD_Bloqueados
> http_access deny all
> When  a users that belongs to AD_Bloqueados is asked for the AD user and
> password (of course he/she needs one that belongs to AD_Standard or
> AD_Exceptuados). 

The first login check is for "AD_Standard". Users initial login is
checked for that group membership ... then a 407 *re-login* is requested
if they are part of AD_Bloqueados.

All users are logged in, just to check the group. So "deny all" at the
end never actually happens unless the user is part of some 5th or 6th
group (for example "Administrators" or "Domain Servers").

When you are authenticating based on *group* instead of the
user/password things get really weird.

> When I try to use one of those users I cannot
> authenticate correctly. the popup appears many times until I cancel it.
> But sometimes it works. I use all the browsers to do the tests (IE,
> Mozilla and the latest Chrome). With Chrome I get good results, but as I
> said, it works sometimes.
> Because sometimes I login with users not in the domain and I need to
> access to internet, I cannot use the 'all' directive in the end of the
> line of 'http_access deny AD_Bloqueados.'

Which means that whenever that group AD_Bloqueados matches the user will
have to *re-login*. Popups etc are expected in such events, because the
browser has what it thinks are fine credentials to use. But has just
been informed that its known set of credentials were invalid. They
almost all panic at that point and do a popup.

Note that the browser does not get told *why* the rejection (it might be
a random attacker, so that info is privileged). Just that the
credentials are not usable.

> I will appreciate a lot any help you can give me.

I highly recommend that you do it like this:

 acl auth proxy_auth REQUIRED
 http_access deny !auth
 http_access allow AD_Standard
 http_access allow face AD_Exceptuados
 http_access allow gob AD_Exceptuados
 http_access deny all

* that !auth will ensure that users are only authenticated once and the
407 request lookup cycles all happen predictably at that first line
instead of interleaved within the group checks.

* the line ordering change of face/gob ACLs will greatly reduce the time
and CPU spent on helper lookups for non-face and non-gob traffic. (up to
50% reduction in proxy caused latency).

Note that you dont even need to check group AD_Bloqueados. The "deny
all" at the end rejects that groups access along with all other
undefined groups.


More information about the squid-users mailing list