[squid-users] Issues with authentication

Joe O notjoe at gmail.com
Tue Oct 11 05:18:10 UTC 2016


Thanks for the reply Amos! I started following another thread in which you were helping someone else with showing pages to / redirecting unauthenticated users
but still haven’t been able to get that to work either. The thread was this one http://squid-web-proxy-cache.1019090.n4.nabble.com/redirecting-unauthenticated-users-td1038146.html
I think this approach would work well for what I am doing if I could get it working :)


error_directory /usr/share/squid/errors/en
cache deny all
debug_options ALL,1 11,3 20,3
acl whitelist dstdomain .whitelist.com 127.0.0.1

acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 127.0.0.1      # RFC1918 possible internal network
acl localnet src 10.0.0.0/8
acl localhost src 127.0.0.1/32 ::1

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access allow localhost

http_port 3128

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

auth_param basic program /usr/bin/php /etc/squid/authenticate.php
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off

acl noAuth src all
acl AuthUsers proxy_auth REQUIRED

http_access allow whitelist
http_access allow AuthUsers
deny_info ERR_ACCESS_DENIED noAuth
http_access deny !AuthUsers noAuth
http_access deny all

> On Oct 11, 2016, at 3:02 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> 
> On 11/10/2016 7:01 a.m., Joe O wrote:
>> 
>> 
>> I have an issue with my browser and squid where they both seem to be stuck in an infinite loop of denied requests.
>> I have a helper script that authenticates the user. The script works. Here is an example of the output of authentication 
>> being successful and not successful.
>> 
>> [root at 1 ~]# /etc/squid/authenticate.php
>> test1 test1
>> OK
>> test1 test2
>> ERR login failure
>> So, I am sending the right info back to squid. When I authenticate successfully then squid and my browser play nice and there is no power struggle.
>> If the authentication fails then I get this:
>> 
>> 1476120287.143     24 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
>> 1476120287.143     25 45.63.40.55 TCP_DENIED/407 4253 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
>> 1476120287.143     25 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
>> 1476120287.216     18 45.63.40.55 TCP_DENIED/407 4293 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
>> 1476120287.216      9 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
>> 1476120287.216     15 45.63.40.55 TCP_DENIED/407 4253 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
>> 1476120287.216     15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
>> 1476120287.216     15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
>> 1476120287.216     15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
>> 1476120287.216     15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
>> 
>> Here is my squid config:
> 
> <snip defaults>
> 
>> 
>> http_access allow localnet
>> http_access allow localhost
>> 
> 
> Okay if you want LAN traffic and things going from the Squid machine not
> to be authenticated. Otherwise these two lines should go below the auth
> checks.
> 
> 
>> auth_param basic program /usr/bin/php /etc/squid/authenticate.php
>> auth_param basic children 5
>> auth_param basic realm Web-Proxy
>> auth_param basic credentialsttl 1 minute
>> auth_param basic casesensitive off
>> 
>> acl db-auth proxy_auth REQUIRED
>> http_access allow db-auth
>> http_access allow localhost
> 
> localhost is already permitted on a line above the auth stuff. This one
> will just waste CPU cycles checking an impossible requirement.
> 
>> http_access deny all
>> 
> 
> <snip defaults>
> 
>> 
>> 
>> Everything I’ve read and tried always left me with the same result
>> which was an infinite loop rather than squid returning an
>> unauthorized result page.
> 
> 
> Firstly; The 407 you see in access.log *is* the unauthorized being
> returned by the proxy. That is accompanied by a error "page" from Squid.
> 
> Note that all these are parallel transactions (same ending timestamp,
> different durations). Browsers open quite a few connections to proxies.
> If it was trying the same bad credentials for all these you can expect
> them to fail of course.
> 
> 
> Secondly; Browsers refuse to display anything a proxy returns in
> response to CONNECT method. That is a browser internal problem we cannot
> do anything about. What you should see next is not a page, but a popup
> from the browser trying to get working credentials since these ones failed.
> 
> 
> Thirdly; If the popup is not appearing you may need to explicitly tell
> Squid what to do when credentials are present but invalid.
> 
> You do that with a "deny" rule like this:
> 
> http_access deny !db-auth
> http_access allow db-auth
> 
> Amos
> 
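The helper exchange shown in the quoted message ("test1 test1" answered with OK, "test1 test2" answered with "ERR login failure") follows Squid's basic-auth helper protocol. The script below is an added example of such a helper in Python; it is not the poster's /etc/squid/authenticate.php, and its credential table is constructed for the demonstration.

```python
"""Minimal Squid basic-auth helper (added example, not the poster's PHP script).
Squid writes one line per login attempt to stdin, "username password", and
expects one reply line on stdout: "OK" or "ERR <message>". Newer Squid
versions %-encode spaces and '%' inside the two fields, so decode them first."""
import hashlib
import hmac
import sys
from urllib.parse import unquote

def _entry(salt: str, password: str) -> tuple:
    """Build a (salt, hex sha256(salt + password)) record for the table below."""
    return salt, hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed credential table for the example: username -> (salt, hash).
# A real helper would read this from a file or database, never hard-code it.
CREDENTIALS = {
    "test1": _entry("s1", "test1"),
}

def check(user: str, password: str) -> bool:
    """True only if the user exists and the password matches its stored hash."""
    # Use a dummy record for unknown users so the hash is always computed.
    salt, expected = CREDENTIALS.get(user, _entry("x", ""))
    actual = hashlib.sha256((salt + password).encode()).hexdigest()
    # hmac.compare_digest compares in constant time; unknown users are still rejected.
    return user in CREDENTIALS and hmac.compare_digest(actual, expected)

def handle_line(line: str) -> str:
    """Turn one helper-protocol request line into the reply Squid expects."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR malformed request"
    user, password = (unquote(p) for p in parts)
    return "OK" if check(user, password) else "ERR login failure"

def main() -> None:
    # Squid keeps the helper running and pipes many requests through it,
    # so every reply must be flushed immediately or Squid will hang waiting.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Point `auth_param basic program` at this script instead of the PHP one and run it by hand to confirm it produces the same OK / ERR lines as in the quoted session.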