[squid-users] Authentication help

Amos Jeffries squid3 at treenet.co.nz
Wed Mar 11 09:01:25 UTC 2015


On 6/03/2015 9:49 a.m., Informatico Neurodesarrollo wrote:
> Hi list,
> I am new to the list and I want to solve a problem with the
> authentication process in the factory where I worked some years ago and
> where I began working with Linux.
> They use openSuSE 13.2 (64-bit) with squid 3.4.4; the specifications are:
> - the authentication is local, Unix users
> - two groups created: intranet (can only access the domain ".cu"), internet
> 
> What is the deal?:
> 
> When I try to access, in the surfer a window arises asking me for the user and
> password, but when I push the Enter key, this window arises again and I have
> to press the "ESC" key several times to be able to navigate.

The client software (browser?) is responsible for locating suitable
credentials that the authentication system will accept. The popup window
you are seeing is one of several options available to it and most modern
browsers use it as a last resort only if the automated alternatives fail.

If the proxy is offering multiple types of authentication and the client
browser sends the credentials for Type A when they should have been
labeled type B, then you can see the popup happen multiple times. There
is nothing we (the proxy people) can do about this type of problem in
the client browser.


It can also keep popping up if your rules say that the provided
credentials are not adequate for the access desired, but other
credentials might work. Your browser is given a chance to try those other
credentials.

So let's look at the specific config...

> 
> I attach below the squid.conf file.
> 
> My best regards.
> 
> PS: Apologies for my English, but if anybody else understands the Spanish
> language I can explain better.
> 
> 
> squid.conf:
> 
> # Squid normally listens to port 3128
> http_port 3128
>
<snip>
> 
> ########################################################
> # Authentication
> 
> auth_param basic program /usr/sbin/basic_getpwnam_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 20
> auth_param basic realm Servidor Proxy JVR
> auth_param basic credentialsttl 1 hours
> auth_param basic casesensitive off
> 

NOTE: The basic_getpwnam_auth helper does not take any command-line
parameter "--helper-protocol=squid-2.5-basic".

That should not have been causing any issue though. These settings
appear to be fine other than the garbage parameter.


> ############
> # Unix groups
> 
> external_acl_type groupo_linux %LOGIN /usr/sbin/ext_unix_group_acl -p
> 
> acl nav_nac external groupo_linux intranet
> acl nav_int external groupo_linux internet

The above two ACLs will match the groups.

> 
> acl nav_full proxy_auth nav_int
> acl nav_cuba proxy_auth nav_nac

The above two ACLs will match the *individual user login* name "nav_int"
or "nav_nac".

> 
> acl Auth_jvr proxy_auth REQUIRED
> 

<snip>
> cache_log /var/log/squid/cache.log
> access_log /var/log/squid/access.log
> cache_store_log /var/log/squid/store.log
> error_directory /usr/share/squid/errors/es

I recommend setting this instead:
 default_error_language es

Your Squid will then report errors your users can read (with Español as
the default), instead of forcing Español on all of them.

> 
> acl localnet src 10.44.1.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> 
> acl restricted_sites dstdomain "/etc/squid/listas/blocked_sites.acl"
> acl restricted_dst dst "/etc/squid/listas/blocked_src"
> acl nacional dstdomain .cu
> 
> # Rule to deny improper words
> acl palabras url_regex -i "/etc/squid/deneg"
> 
<snip>
> 
> http_access allow localnet !restricted_sites !restricted_dst !palabras
> http_access allow Auth_jvr nav_full !nav_nac

The above rule will require authentication for the single user name
"nav_int" in the group "internet". Otherwise it will request new
credentials that can pass the tests (the popup).

> http_access allow Auth_jvr nav_cuba nacional

The above will request authentication, and if it is provided and the other
check passes it will allow the request. Due to the "nacional" ACL being last
it will NOT request different credentials.


I suspect your use of individual username ACLs is a mistake. Your policy
description only mentioned restricting access by group.

Which means your custom ACL tests should be:

 # allow access *from* LAN machines unless requesting restricted URLs
 http_access allow localnet !restricted_sites !restricted_dst !palabras

 # require login for restricted URLs
 http_access deny !Auth_jvr

 # group "internet" users can access anywhere
 http_access allow nav_int all

 # group "intranet" users can access restricted .cu domains
 http_access allow nav_cuba nacional


Amos
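The evaluation rules the reply above relies on can be modelled in a few lines: http_access lines are tried in order and the first line whose ACLs all match decides; an authentication-type ACL (proxy_auth, or an external ACL fed %LOGIN) checked without valid credentials ends the check with a 407 challenge; and a final denial whose last-evaluated ACL is such an ACL is also sent as a 407, which is what makes the browser re-prompt, while a denial ending on an ordinary ACL is a plain 403. The Python below is an added illustration, not code from Squid or from this thread. The group memberships, blocked-site list, blocked destination IP, bad-word list and client addresses are constructed stand-ins for the files referenced in the posted squid.conf, the snipped parts of the file are not modelled, and the group-based rule set assumes the reply's final `allow nav_cuba nacional` line was meant to use the group ACL `nav_nac`.

```python
"""Simplified model of Squid http_access evaluation (added example, not Squid code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Request:
    src: str              # client IP
    host: str             # destination host name
    dst_ip: str           # resolved destination IP (constructed)
    url: str
    user: Optional[str]   # verified login name, or None when credentials are absent/invalid


@dataclass
class Acl:
    name: str
    kind: str             # src, dstdomain, dst, url_regex, proxy_auth, external, all
    match: Callable[[Request], bool]

    @property
    def is_auth(self) -> bool:
        # proxy_auth ACLs and external ACLs that receive %LOGIN need credentials
        return self.kind in ("proxy_auth", "external")


# Constructed sample data standing in for the Unix groups and list files on the proxy.
GROUPS = {"intranet": {"maria"}, "internet": {"pedro"}}
BLOCKED_SITES = [".ads.example", ".gambling.cu"]   # stand-in for blocked_sites.acl
BLOCKED_DST = {"203.0.113.9"}                     # stand-in for blocked_src
BAD_WORDS = ["casino"]                            # stand-in for /etc/squid/deneg


def dstdomain(domains: List[str]) -> Callable[[Request], bool]:
    def match(r: Request) -> bool:
        h = r.host.lower()
        for d in (d.lower() for d in domains):
            if d.startswith("."):               # ".cu" matches "cu" and every name under it
                if h == d[1:] or h.endswith(d):
                    return True
            elif h == d:                        # a bare name matches only itself
                return True
        return False
    return match


def in_group(group: str) -> Callable[[Request], bool]:
    return lambda r: r.user in GROUPS[group]


def proxy_auth(users: List[str]) -> Callable[[Request], bool]:
    # REQUIRED accepts any verified login; otherwise the login must be listed
    return lambda r: users == ["REQUIRED"] or r.user in users


LOCALNET = ipaddress.ip_network("10.44.1.0/24")
ACLS = {a.name: a for a in [
    Acl("localnet", "src", lambda r: ipaddress.ip_address(r.src) in LOCALNET),
    Acl("restricted_sites", "dstdomain", dstdomain(BLOCKED_SITES)),
    Acl("restricted_dst", "dst", lambda r: r.dst_ip in BLOCKED_DST),
    Acl("palabras", "url_regex", lambda r: any(re.search(w, r.url, re.I) for w in BAD_WORDS)),
    Acl("nacional", "dstdomain", dstdomain([".cu"])),
    Acl("nav_nac", "external", in_group("intranet")),        # group ACL
    Acl("nav_int", "external", in_group("internet")),        # group ACL
    Acl("nav_full", "proxy_auth", proxy_auth(["nav_int"])),  # the single login "nav_int"
    Acl("nav_cuba", "proxy_auth", proxy_auth(["nav_nac"])),  # the single login "nav_nac"
    Acl("Auth_jvr", "proxy_auth", proxy_auth(["REQUIRED"])),
    Acl("all", "all", lambda r: True),
]}

# http_access lines as posted (the snipped part of squid.conf is not modelled)
ORIGINAL_RULES = [
    ("allow", ["localnet", "!restricted_sites", "!restricted_dst", "!palabras"]),
    ("allow", ["Auth_jvr", "nav_full", "!nav_nac"]),
    ("allow", ["Auth_jvr", "nav_cuba", "nacional"]),
]
# the group-based rules from the reply, assuming the last line meant the group ACL nav_nac
FIXED_RULES = [
    ("allow", ["localnet", "!restricted_sites", "!restricted_dst", "!palabras"]),
    ("deny", ["!Auth_jvr"]),
    ("allow", ["nav_int", "all"]),
    ("allow", ["nav_nac", "nacional"]),
]


def http_access(rules, req: Request) -> str:
    """Return 'allow', 'deny' (403) or 'challenge' (407, i.e. the browser popup)."""
    last_checked = None
    decision = None
    for action, terms in rules:
        line_matches = True
        for term in terms:
            negated = term.startswith("!")
            acl = ACLS[term.lstrip("!")]
            last_checked = acl
            if acl.is_auth and req.user is None:
                return "challenge"            # no usable credentials: stop and ask for them
            if acl.match(req) == negated:     # the term did not hold
                line_matches = False
                break                         # the first failing ACL ends this line
        if line_matches:
            decision = action
            break
    if decision is None:                      # fell off the end: opposite of the last line
        decision = "deny" if rules[-1][0] == "allow" else "allow"
    if decision == "deny" and last_checked is not None and last_checked.is_auth:
        return "challenge"                    # denial ending on an auth ACL is sent as a 407
    return decision


if __name__ == "__main__":
    maria = Request("10.44.1.20", "www.gambling.cu", "198.51.100.5", "http://www.gambling.cu/", "maria")
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(name, http_access(rules, maria))   # original: challenge (popup), fixed: allow
```

Running it shows the effect Amos describes: with the posted rules an intranet user requesting a restricted .cu site never satisfies any line, the last ACL evaluated is the username ACL `nav_cuba`, and the denial goes out as a 407, so the browser keeps asking; with the group-based rules the same request is allowed, a non-.cu restricted site is refused with a plain 403 (the last ACL evaluated is `nacional`), and unrestricted sites are still allowed by the first line without any login at all.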

