[squid-users] nonce_garbage_interval problem?

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 22 14:29:48 UTC 2015


On 23/10/2015 3:08 a.m., Athos Fiolo wrote:
> Hi Amos.
> 
>> Please check if a helper lookup is being performed on each request as well as new nonce generated.
> 
> I guess you are right, but I don't know how to solve it.
> cache.log doesn’t show restarts for the helper, even if only 1/5 helper is started.
> The output log of the helper shows no caching of the result (see later).
> On the contrary, the external type helper shows the result is cached for 30s (correct).
> 

Okay, that would make it the side effect of the CVE-2014-9749 fix (aka.
bug 4066) that was included in the Debian package doing its job overly-well.

It's unfortunately verbose, but should not be a huge problem.

> 
> squid.conf
> auth_param digest program /usr/bin/php /etc/squid3/check_user.php
> auth_param digest children 5
> auth_param digest realm MySquidProxy
> auth_param digest nonce_garbage_interval 5 minutes
> auth_param digest nonce_max_duration 2 hours
> auth_param digest nonce_max_count 50
> 
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
> auth_param basic children 5
> auth_param basic realm MySquidProxy
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> 
> external_acl_type reqtype_filter ttl=30 children-max=20 %LOGIN %DST %PORT %METHOD %URI %PATH /usr/bin/php /etc/squid3/check_request.php
> 
> acl auth_users proxy_auth REQUIRED
> acl userx_auth proxy_auth userx
> acl auth_reqtype external reqtype_filter
> acl to_vpn dst 1.2.3.4/16
> 
> [...]
> http_access allow userx_auth to_vpn #maybe better post-pone this line to the following one?
> http_access allow auth_reqtype auth_users to_vpn
> 

I would put the "to_vpn" first on those lines, since the non-to_vpn
transactions don't seem to need authenticating.

Amos
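As an added illustration (not part of Amos's reply or of the squid.conf posted above), here are the two http_access lines with the destination test moved to the front. Squid evaluates the ACLs on an http_access line left to right and stops at the first one that does not match, so with "to_vpn" first, a request bound for any other destination falls through to the next http_access line without proxy_auth being consulted, and the digest helper and nonce generation are only exercised for traffic that actually needs authenticating. The ACL names and the 1.2.3.4/16 range are taken from the posted configuration; the relative order of the remaining ACLs is left as the original poster had it.

```conf
# Added example, not from the original thread.
# Cheap, local checks first; authentication ACLs last.
acl to_vpn dst 1.2.3.4/16
acl auth_users proxy_auth REQUIRED
acl userx_auth proxy_auth userx
acl auth_reqtype external reqtype_filter

# "to_vpn" is evaluated first. For a non-VPN destination the line
# does not match at that point, so no 407 challenge is sent and no
# helper lookup or nonce is generated for that request.
http_access allow to_vpn userx_auth
http_access allow to_vpn auth_reqtype auth_users
```

The reordering does not change which requests are ultimately allowed; it only changes how much work (and how many authentication challenges) the proxy spends on requests that were never going to match the VPN rule.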
