[squid-users] login expired

Amos Jeffries squid3 at treenet.co.nz
Sat Feb 7 08:14:21 UTC 2015


On 7/02/2015 7:32 p.m., Ignazio Raia wrote:
> Good morning Amos,
> here is my squid.conf, basic_db_auth script and the shell test. 
> thanks a lot for your interest and help.
> 
> TEST MADE VIA ssh CONNECTION TO MY LAMP & SQUID SERVER (ssh
> ignazio at 192.168.2.1)
> $ sudo /usr/lib/squid3/basic_db_auth --user root --password rootpasswd --md5
> --cond "1" --persis

NP: missing 't' on --persist, but that seems not to matter for your perl
version.


> 
> ignazio 12345678	(wrong password)
> ERR login failure
> 
> ignazio mypassword	(right password)
> OK
> 
> # MY SQUID.CONF
> # OPTIONS FOR AUTHENTICATION
> auth_param basic program /usr/lib/squid3/basic_db_auth --user root
> --password rootpasswd -md5 --cond "1" --persis 

Missing '-' on --md5 could be the problem.

If it remains after fixing that '-', try running your manual test again
but this time after "su squid" or "su proxy", whatever Squid is using.
The results may differ.

If that works, look around for things like SELinux or Apparmor
preventing the database connection being setup.


> #auth_param basic program /usr/lib/squid3/basic_ncsa_auth
> /etc/squid3/squid.pass
> 
> auth_param basic children 5
> auth_param basic realm Squid Proxy Web Server
> auth_param basic credentialsttl 60 seconds
> #authenticate_cache_garbage_interval 1 hour
> #authenticate_ttl 60 seconds
> 
> # MY ACCESS CONTROLS
> #
> -----------------------------------------------------------------------------
> acl localnet src 192.168.2.0/24 #my localnet
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher 
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl password proxy_auth REQUIRED
> 
> #  TAG: MY http_access
> http_access deny !password
> http_access deny !Safe_ports

I would swap the order of those two. So if someone nasty starts
hammering away at port 25 for example, the auth helper won't get the load.

Maybe even moving the CONNECT !SSL_Ports above the auth check too, but
that depends on whether you really want your localhost manager to have
unrestricted CONNECT tunnel abilities.

> http_access allow localhost manager
> http_access deny CONNECT !SSL_ports
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> 

Amos
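For reference, here is the same squid.conf fragment with the two typos
on the auth_param line corrected and the http_access rules reordered as
suggested above. This is an added example written for this page, not
config from the original post or from the Squid project; it assumes
Squid's effective user is "proxy" (Debian/Ubuntu, where the binary is
squid3), and keeps the helper flags exactly as the poster used them.

```conf
# squid.conf fragment (added example, not from the original post).
# Assumed: Squid runs as user "proxy" and the binary is "squid3".

# --md5 has two dashes, --persist has its trailing 't'.
auth_param basic program /usr/lib/squid3/basic_db_auth --user root --password rootpasswd --md5 --cond "1" --persist
auth_param basic children 5
auth_param basic realm Squid Proxy Web Server
auth_param basic credentialsttl 60 seconds

acl localnet src 192.168.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 280 488 591 777
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl password proxy_auth REQUIRED

# Cheap, credential-free checks first. A client hammering port 25 is
# refused here and never causes a lookup in the auth helper (and so
# never touches the database).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Cache manager from localhost without auth. Because the CONNECT rule
# sits above this line, the manager no longer gets arbitrary tunnels;
# drop the CONNECT line back below "allow localhost manager" if that
# unrestricted access is actually wanted.
http_access allow localhost manager
http_access deny manager

# Only now ask for credentials; Squid answers 407 when this matches.
http_access deny !password
http_access allow localnet
http_access allow localhost
http_access deny all

# Before reloading, repeat the manual helper test as Squid's own user,
# since a helper that works as root may fail under "proxy":
#   sudo -u proxy /usr/lib/squid3/basic_db_auth --user root --password rootpasswd --md5 --cond "1" --persist
# type "ignazio mypassword", expect "OK", then:
#   squid3 -k parse && squid3 -k reconfigure
```

The ordering matters because http_access is first-match: a request is
only forwarded to the proxy_auth check (and hence to the helper and the
database) once every deny rule above it has failed to match, so
putting the port rules first keeps junk traffic off the helper entirely.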


