[squid-users] Authentication Passthrough Failing

Curtis.M curtism at connect-up.co.uk
Thu Feb 26 18:38:13 UTC 2015


Hi all, 

I have squid 2.7 set up on a Win2012R2 DC, used for caching purposes. The main
use is for caching Apple iOS updates, but it is also starting to be used for
general web browsing. 

The issue I have is that there is a web filtering system being used in this
environment that relies on AD usernames to filter web traffic. When clients
are configured with squid, they are essentially unfiltered. The reason is that
the box squid runs off is excluded from filtering, and it seems all clients
using the configured proxy receive the same level of filtering as the host
squid is running from. 

I have already researched this and found that I may need to use Connection
Pinning, but when the option "connection-auth=on" is added to the conf, squid
refuses to start. 
(Full error below) 

So my questions are: 
     Am I right in trying to use Connection Pinning to resolve this issue? 
     Am I missing code needed from the conf I mentioned? 
      

Thanks for reading and I hope you can help! 

Kind Regards, 

Curtis. 


Squid.conf 
----------------------------------------------------------------------------------------------------------------------- 
http_port 3128 connection-auth=on 

acl all src all 
acl manager proto cache_object 
acl localhost src 127.0.0.1/32 
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network 
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network 
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network 
acl SSL_ports port 443 
acl Safe_ports port 80	# http 
acl Safe_ports port 21	# ftp 
acl Safe_ports port 443	# https 
acl Safe_ports port 70	# gopher 
acl Safe_ports port 210	# wais 
acl Safe_ports port 1025-65535	# unregistered ports 
acl Safe_ports port 280	# http-mgmt 
acl Safe_ports port 488	# gss-http 
acl Safe_ports port 591	# filemaker 
acl Safe_ports port 777	# multiling http 
acl CONNECT method CONNECT 

http_access allow manager localhost 
http_access deny manager 
http_access deny !Safe_ports 
http_access deny CONNECT !SSL_ports 

http_access allow localnet 

http_access deny all 



icp_access allow localnet 
icp_access deny all 



hierarchy_stoplist cgi-bin ? 

maximum_object_size 3072000000 bytes 
cache_dir aufs C:\squid\var\cache 256000 128 256 max-size=2048000000 

access_log c:/squid/var/logs/access.log squid 

Cache-Control: max-age=0, no-cache, no-store 
Pragma: no-cache 
refresh_pattern -i appldnld\.apple\.com 129600 100% 129600 ignore-reload ignore-no-store override-expire override-lastmod ignore-must-revalidate 
refresh_pattern -i phobos\.apple\.com 129600 100% 129600 ignore-reload ignore-no-store override-expire override-lastmod ignore-must-revalidate 
refresh_pattern ^ftp:	1440	20%	10080 
refresh_pattern ^gopher:	1440	0%	1440 
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0 
refresh_pattern .	0	20%	4320 

acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9] 
upgrade_http0.9 deny shoutcast 

acl apache rep_header Server ^Apache 
broken_vary_encoding allow apache 

coredump_dir c:/squid/var/cache 
----------------------------------------------------------------------------------------------------------------------- 
Full Error: 
FATAL: Bungled squid.conf line 1: http_port 3128 connection-auth=on 
Squid Cache (Version 2.7.STABLE8): Terminated abnormally.


