[squid-users] Problems with Linux Workstations

Amos Jeffries squid3 at treenet.co.nz
Fri Sep 2 14:10:17 UTC 2016


On 2/09/2016 3:21 p.m., Marcio Demetrio Bacci wrote:
> In my Windows workstations the authentication works correctly, however in
> Ubuntu 14.04 the user and password are asked twice.
> 
> I am using the basic_ncsa_auth with Squid 3.4.8
> 
> Is there any setting that I do in Squid?
> 
> Below is my squid.conf
> 
...
> 
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
> auth_param basic children 5
> auth_param basic realm AUTENTICACAO
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> 
...
> 
> ### Initial Squid rules
> http_access allow localhost
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

Please re-order the above security rules to be:

  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localhost
  http_access deny purge

> 
> ### Require authentication
> acl autenticados proxy_auth REQUIRED
> http_access allow autenticados
> 
> ### Block file extensions
> acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"
> 
> ### Allow some sites
> acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
> 
> ### Block sites by URL
> acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"
> 
> #basic blocks
> http_access allow sites_liberados
> http_access deny extensoes_bloqueadas
> http_access deny sites_bloqueados
> 
> ### LAN #####
> acl rede_lan src 192.168.200.0/22
> 
> ### Deny access to anyone who is not on the CMB local network
> http_access allow rede_lan
> 
> #denying access to everyone who does not match the previous rules
> http_access deny all
>
...


With your config Squid will only challenge the browser to send some if
they are completely missing. It will not deny access when invalid
credentials are sent.

That means the browser probably does not have access to any Basic auth
credentials it can send.

The two popups are probably from two TCP connections being made with no
credentials (maybe the result of the "Happy Eyeballs" algorithm doing
its thing). You can check for that with "debug_options 11,2" and seeing
what HTTP messages are happening with what IP:port details.

Amos
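
Added example, not part of the original message or the poster's configuration: the posted http_access section with the rule order from the reply applied, and the authentication line shown as posted beside a stricter form. It assumes the localhost, purge, Safe_ports and SSL_ports ACLs are defined in the elided part of the posted squid.conf; all ACL names and file paths are the poster's.

```conf
# Assumption: localhost, purge, Safe_ports and SSL_ports are defined in the
# part of squid.conf that was elided from the post.

# Security rules first, in the order given in the reply
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny purge

acl autenticados proxy_auth REQUIRED

# As posted (weak): per the reply, this line only challenges when credentials
# are completely missing and does not deny a request that carries invalid
# ones. http_access is first-match, so a request this line does not allow is
# still evaluated against the rules below, including "allow rede_lan".
#   http_access allow autenticados

# Stricter form: every request without valid credentials stops here. With the
# auth ACL as the last ACL on a deny line, Squid replies with a
# 407 Proxy Authentication Required challenge.
http_access deny !autenticados

# Everything below is now reached only by authenticated requests.
acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"
acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"

http_access allow sites_liberados
http_access deny extensoes_bloqueadas
http_access deny sites_bloqueados

acl rede_lan src 192.168.200.0/22
http_access allow rede_lan

http_access deny all

# Temporary, while diagnosing the double prompt: log the HTTP messages with
# their IP:port details, as suggested in the reply.
debug_options 11,2
```

After editing, "squid -k parse" checks the file for syntax errors before the running proxy is reconfigured.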


