[squid-users] Issues with authentication

Amos Jeffries squid3 at treenet.co.nz
Tue Oct 11 01:02:00 UTC 2016


On 11/10/2016 7:01 a.m., Joe O wrote:
> 
> 
> I have an issue with my browser and squid where they both seem to be stuck in an infinite loop of denied requests.
> I have a helper script that authenticates the user. The script works. Here is an example of the output of authentication 
> being successful and not successful.
> 
> [root at 1 ~]# /etc/squid/authenticate.php
> test1 test1
> OK
> test1 test2
> ERR login failure
> So, I am sending the right info back to squid. When I authenticate successfully then squid and my browser play nice and there is no power struggle.
> If the authentication fails then I get this:
> 
> 1476120287.143     24 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
> 1476120287.143     25 45.63.40.55 TCP_DENIED/407 4253 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
> 1476120287.143     25 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
> 1476120287.216     18 45.63.40.55 TCP_DENIED/407 4293 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
> 1476120287.216      9 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
> 1476120287.216     15 45.63.40.55 TCP_DENIED/407 4253 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
> 1476120287.216     15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
> 1476120287.216     15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
> 1476120287.216     15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
> 1476120287.216     15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
> 
> Here is my squid config:

<snip defaults>

>  
> http_access allow localnet
> http_access allow localhost
>  

Okay if you want LAN traffic and things going from the Squid machine not
to be authenticated. Otherwise these two lines should go below the auth
checks.


> auth_param basic program /usr/bin/php /etc/squid/authenticate.php
> auth_param basic children 5
> auth_param basic realm Web-Proxy
> auth_param basic credentialsttl 1 minute
> auth_param basic casesensitive off
>  
> acl db-auth proxy_auth REQUIRED
> http_access allow db-auth
> http_access allow localhost

localhost is already permitted on a line above the auth stuff. This one
will just waste CPU cycles checking an impossible requirement.

> http_access deny all
>  

<snip defaults>

> 
> 
> Everything I’ve read and tried always left me with the same result
> which was an infinite loop rather than squid returning an
> unauthorized result page.


Firstly; The 407 you see in access.log *is* the unauthorized being
returned by the proxy. That is accompanied by an error "page" from Squid.

Note that all these are parallel transactions (same ending timestamp,
different durations). Browsers open quite a few connections to proxies.
If it was trying the same bad credentials for all these you can expect
them to fail of course.


Secondly; Browsers refuse to display anything a proxy returns in
response to CONNECT method. That is a browser internal problem we cannot
do anything about. What you should see next is not a page, but a popup
from the browser trying to get working credentials since these ones failed.


Thirdly; If the popup is not appearing you may need to explicitly tell
Squid what to do when credentials are present but invalid.

You do that with a "deny" rule like this:

 http_access deny !db-auth
 http_access allow db-auth

Amos
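As an added example (not part of the thread), a small Python script that parses access.log lines in the native format quoted above and reports, per client and user name, how many 407 challenges were logged and how many of them overlapped in time, which is how to tell Amos's "parallel transactions" (same end timestamp, different durations) apart from a genuine serial retry loop. The log lines are constructed for the example, modelled on the ones in the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format, modelled on the thread
# (timestamps, addresses and user names are made up for this example).
SAMPLE_LOG = """\
1476120287.143     24 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
1476120287.143     25 45.63.40.55 TCP_DENIED/407 4253 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
1476120287.216      9 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
1476120287.216     15 45.63.40.55 TCP_DENIED/407 4253 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
1476120290.001     40 45.63.40.55 TCP_TUNNEL/200 5120 CONNECT www.google.com:443 test HIER_DIRECT/203.0.113.9 -
1476120291.500     12 10.0.0.7 TCP_MISS/200 812 GET http://example.com/ alice HIER_DIRECT/203.0.113.10 text/html
"""

# Native format: end-time elapsed(ms) client code/status bytes method URL user hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Parse one access.log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["end"] = float(rec["ts"])                          # Squid logs the time the request finished
    rec["start"] = rec["end"] - int(rec["ms"]) / 1000.0     # elapsed field is in milliseconds
    return rec

def auth_challenge_summary(log_text):
    """Per (client, user): count of 407 challenges and how many overlapped an earlier one in time."""
    challenges = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "407":
            challenges[(rec["client"], rec["user"])].append(rec)
    summary = {}
    for key, recs in challenges.items():
        recs.sort(key=lambda r: r["start"])
        # Sorted by start time, a transaction was in flight concurrently with the previous
        # one if it began before the previous one ended: parallel browser connections.
        overlapping = sum(1 for i in range(1, len(recs)) if recs[i]["start"] <= recs[i - 1]["end"])
        summary[key] = {"denied_407": len(recs), "overlapping": overlapping,
                        "destinations": sorted({r["url"] for r in recs})}
    return summary

if __name__ == "__main__":
    for (client, user), s in auth_challenge_summary(SAMPLE_LOG).items():
        print(f"{client} as {user!r}: {s['denied_407']} x 407, {s['overlapping']} overlapping, {s['destinations']}")
```

Reading the output for the quoted log, every 407 is a CONNECT that overlapped another for the same client and credentials, i.e. one set of bad credentials tried on several connections at once, not a page that was never returned.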


