[squid-users] Problems with Squid3 Authentication

Amos Jeffries squid3 at treenet.co.nz
Wed Sep 30 01:04:31 UTC 2015


On 30/09/2015 12:35 p.m., Marcio Demetrio Bacci wrote:
> I have configured a Squid 3 proxy server on Debian 7, integrated with a
> Samba 4 domain.
> 
> For Windows machines joined to the domain, Squid uses the network user's
> credentials to allow browsing.
> 
> On Linux workstations, even those in the domain, the user's password is
> requested when the browser is opened. When the user types the correct
> password the first time, access is allowed. However, if the user gets the
> password wrong, a new authentication is required. This is where the
> problem starts. Even if the user then enters the correct password, a box
> asking for the username and password appears again. At this point it is
> no longer possible to authenticate to the proxy. It is as if the user had
> typed the wrong password. To get it working, the user needs to log out
> and log on again and enter the correct password the first time in the
> browser.
> 
> Does anyone have an idea what it can be?
> 

Try:
 auth_param ntlm keep_alive off

Squid has become HTTP/1.1 software with different keep-alive defaults.
An annoying amount of software cannot handle real HTTP behaviour when
doing NTLM.


> This is my squid.conf
> 
> ### Basic settings
> http_port 3128
> 
> #hierarchy_stoplist cgi-bin ?
> 
> ### Block caching of CGI output
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> 

You can remove the above in the current Squid. Your HIT ratio should go
up a few %.


> maximum_object_size 4096 KB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 64 KB
> cache_mem 60 MB
> 
> # So that downloads are not aborted
> quick_abort_min -1 KB
> 
> detect_broken_pconn on
> 
> pipeline_prefetch on
> 
> fqdncache_size 1024
> 
> ### Cache refresh parameters
> refresh_pattern ^ftp:    1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0%     0
> refresh_pattern .        0    20%    4320
> 
> ### RAM and disk cache parameters
> cache_swap_low 90
> cache_swap_high 95

These are defaults. You can remove these cache_swap_* lines from squid.conf

> 
> ### Log locations
> cache_access_log /var/log/squid3/access.log

The above directive should be called "access_log" since about squid-2.5.

> cache_log /var/log/squid3/cache.log
> cache_store_log /var/log/squid3/store.log
> 

Unless you are using it for something you can remove the cache_store_log
line completely.


> 
> ### disk cache location, size, number of parent directories and subdirectories
> cache_dir aufs /var/spool/squid3 600 16 256
> 
> # Log file control
> logfile_rotate 10

This should be removed on Debian. The logrotate.d service takes care of
log maintenance. Edit the /etc/logrotate.d/squid* file to change what it
does.

> 
> hosts_file /etc/hosts

This is default. You can remove it from squid.conf.

> 
> # Allow access to the Caixa site
> acl caixa dstdomain .caixa.gov.br
> always_direct allow caixa

You do not have cache_peer configured. This always_direct does nothing.

> cache deny caixa
> 
> 
> ### AD authentication via Winbind
> 
> # NTLM
> # for users logged on to Windows machines, reuse the logon credentials
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> 
> #auth_param ntlm keep_alive on
> 
> 
> # for non-Windows clients, user/password must be requested
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm "Acesso Monitorado"
> auth_param basic credentialsttl 2 hours
> 
> external_acl_type ad_group ipv4 ttl=600 children-max=35 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl
> 
> 
> ### ACLs
> 
> #acl manager proto cache_object
> acl localhost src 192.168.0.1/32
> acl SSL_ports port 22 443 563     # https, snews
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443 563    # https, snews
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl Safe_ports port 3001        # Imprensa Nacional
> 
> acl purge method PURGE
> acl CONNECT method CONNECT
> 
> 
> ### Initial Squid rules
> 

Best practice is now to place these two lines at the top of the list:

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

That prevents DoS attacks against the mgr interface of Squid.

> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> 

<snip>
> 
> ### Local network #####
> acl rede_local src 192.168.0.0/22
> 
> ### Deny access to anyone not on the local network
> http_access deny !rede_local

Followed by "deny all" this rede_local does nothing useful. You can
remove it.

> 
> # deny access to everyone not matched by the previous rules
> http_access deny all
> 
> visible_hostname proxy.empresa.com.br
> 
> 
> ### Errors in Portuguese
> error_directory /usr/share/squid3/errors/Portuguese
> 

errors/Portuguese no longer exists.

Use errors/pt, OR just remove this and Squid will answer users in the
language(s) their browser asks for.

Amos
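
A squid.conf excerpt with the points above applied, as an added example that is not Marcio's file and not configuration shipped by the Squid project. The paths, the realm string, the helper command lines and the 192.168.0.0/22 range are copied from the quoted config; the auth_users ACL name and the position of the authenticated-user allow rule are assumptions, because the middle of the original rule list (where the ad_group rules presumably live) was snipped from the reply.

```conf
http_port 3128
visible_hostname proxy.empresa.com.br

### Port ACLs are declared first so the rules that use them can sit at the top
acl SSL_ports port 22 443 563
acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 3001
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl purge method PURGE
acl rede_local src 192.168.0.0/22
# Squid 3.2 and later predefine the manager and localhost ACLs; on older
# releases declare them here (acl localhost src 127.0.0.1/32 etc.).

### Authentication via winbind
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
# Off: do not rely on the client holding the persistent connection through
# the NTLM handshake, which is what the reply above suggests for the re-prompt.
auth_param ntlm keep_alive off

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm "Acesso Monitorado"
auth_param basic credentialsttl 2 hours

external_acl_type ad_group ipv4 ttl=600 children-max=35 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl

# Assumed name: anyone who presents valid credentials
acl auth_users proxy_auth REQUIRED

### http_access: port sanity checks before anything can reach manager/purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost purge
http_access deny purge
# Only useful because an allow rule follows it; directly before "deny all" it
# would change nothing.
http_access deny !rede_local
# (the snipped ad_group rules would go here)
http_access allow auth_users
http_access deny all

### Cache (the QUERY/cgi-bin "cache deny", cache_swap_low/high and
### hosts_file lines are dropped: unnecessary or defaults in current Squid)
cache_mem 60 MB
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 64 KB
quick_abort_min -1 KB
cache_dir aufs /var/spool/squid3 600 16 256
refresh_pattern ^ftp:    1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%     0
refresh_pattern .        0    20%    4320

### Logs: access_log instead of cache_access_log, no store.log,
### rotation left to /etc/logrotate.d/squid* on Debian
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log

### Error pages: errors/pt, or drop the line and let the browser's
### Accept-Language pick the language
error_directory /usr/share/squid3/errors/pt
```

The always_direct/cache deny pair for caixa.gov.br is left out deliberately: without a cache_peer the always_direct rule does nothing, and the cache deny can be kept on its own if that site must not be cached.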

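The same review expressed as a check that can be run over a squid.conf before a reload. This is added example code, not from the thread or the Squid project. SAMPLE_CONF is constructed from the quoted configuration (directives only, with the snipped middle left out) and FIXED_CONF is an assumed minimal configuration that passes. It generalises the rule-order point slightly: any allow rule that precedes the two port checks is flagged, not only the manager and purge ones.

```python
"""Added example, not code from the original thread or the Squid project:
a small checker that applies the review points from the reply to a
squid.conf text.  SAMPLE_CONF is constructed from the quoted config and
FIXED_CONF is an assumed minimal config that passes every check."""

SAMPLE_CONF = r"""
http_port 3128
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_swap_low 90
cache_swap_high 95
cache_access_log /var/log/squid3/access.log
cache_store_log /var/log/squid3/store.log
logfile_rotate 10
hosts_file /etc/hosts
acl caixa dstdomain .caixa.gov.br
always_direct allow caixa
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm keep_alive on
acl SSL_ports port 22 443 563
acl Safe_ports port 80
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl rede_local src 192.168.0.0/22
http_access deny !rede_local
http_access deny all
error_directory /usr/share/squid3/errors/Portuguese
"""

FIXED_CONF = r"""
http_port 3128
acl SSL_ports port 443
acl Safe_ports port 80 443
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm keep_alive off
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access deny all
access_log /var/log/squid3/access.log
"""

# Directives the reply calls obsolete (with replacement) or default-valued.
OBSOLETE = {"cache_access_log": "access_log", "hierarchy_stoplist": None}
DEFAULTS = {"cache_swap_low": "90", "cache_swap_high": "95", "hosts_file": "/etc/hosts"}


def parse(text):
    """Yield (directive, args) for each non-empty line, comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # also drops commented-out directives
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def first_index(rules, pred):
    return next((i for i, a in enumerate(rules) if pred(a)), None)


def check(text):
    """Return a list of findings; an empty list means nothing to fix."""
    directives = list(parse(text))
    names = {d for d, _ in directives}
    access = [a for d, a in directives if d == "http_access"]
    findings = []

    # 1. Port sanity checks must precede every allow rule, otherwise a request
    #    to an odd port can match the manager/purge allow rules first.
    first_allow = first_index(access, lambda a: a[:1] == ["allow"])
    for label in (["deny", "!Safe_ports"], ["deny", "CONNECT", "!SSL_ports"]):
        pos = first_index(access, lambda a, l=label: a[:len(l)] == l)
        name = "http_access " + " ".join(label)
        if pos is None:
            findings.append(f"missing {name}")
        elif first_allow is not None and first_allow < pos:
            findings.append(f"{name} comes after an allow rule; move it to the top")

    # 2. A deny rule directly before 'deny all' never changes the outcome.
    if len(access) >= 2 and access[-1] == ["deny", "all"] and access[-2][:1] == ["deny"]:
        findings.append("http_access " + " ".join(access[-2]) + " directly before 'deny all' does nothing useful")

    # 3. NTLM keep-alive is on by default in HTTP/1.1 Squid; the reply suggests off.
    auth = [a for d, a in directives if d == "auth_param"]
    if any(a[:1] == ["ntlm"] for a in auth) and not any(a[:2] == ["ntlm", "keep_alive"] for a in auth):
        findings.append("auth_param ntlm keep_alive not set; try 'auth_param ntlm keep_alive off'")

    # 4. Obsolete, default-valued and dead directives, in file order.
    for d, a in directives:
        if d in OBSOLETE:
            repl = OBSOLETE[d]
            findings.append(f"{d} is obsolete; " + (f"use {repl}" if repl else "remove it"))
        elif d in DEFAULTS and a == [DEFAULTS[d]]:
            findings.append(f"{d} {a[0]} is the default; remove it")
        elif d == "logfile_rotate":
            findings.append("logfile_rotate: on Debian leave rotation to /etc/logrotate.d/squid*")
        elif d == "cache_store_log":
            findings.append("cache_store_log: remove unless something reads store.log")
        elif d == "cache" and a[:2] == ["deny", "QUERY"]:
            findings.append("cache deny QUERY: unnecessary in current Squid; removing it raises the HIT ratio")
        elif d == "error_directory" and a and a[0].endswith("/Portuguese"):
            findings.append("error_directory errors/Portuguese no longer exists; use errors/pt or remove")
    if "always_direct" in names and "cache_peer" not in names:
        findings.append("always_direct without any cache_peer does nothing")
    return findings


if __name__ == "__main__":
    for conf_name, conf in (("SAMPLE_CONF", SAMPLE_CONF), ("FIXED_CONF", FIXED_CONF)):
        result = check(conf)
        print(f"{conf_name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The parser is deliberately line-oriented: squid.conf is a flat list of directives, and order matters only within http_access, so the checker keeps the full directive list for the obsolete/default scan and a separate ordered list of http_access rules for the two order-sensitive checks.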
