[squid-users] squid asking for authentication repeatedly

[Amos Jeffries]

On 14/12/17 11:32, Paul Hackmann wrote:
> Amos,
> 
> I will do an update to the most recent version and see if that helps.  
> It was one of those situations where if it ain't broke, don't fix it.  
> And up until now, it has worked very well.
> 
> You are right, I had brain fade about port 4120.  It should NOT ask for 
> authentication ever, and only connect to whitelisted sites, which is 
> what I want.
> 
> I've made the changes you recommended to the conf file.  So far, 
> everything seems to be working as I expect it to.  Thank you!
> 
> One more question if you don't mind.  I am trying to add some ip 
> addresses as whitelisted for port 4120.  I guess I can't add those to 
> the whitelist file, because it's formatting doesn't work with IP 
> addresses?

Sort of. dstdomain can accept IPs for matching against raw-IP text 
strings in URLs where domain should have been. But does not do ranges 
like you need there.

So yes dst is the one to use there.

However, be aware that it will match if *any* IPs for the domain being 
fetched is in your whitelist set. It has nothing to do with whether that 
matching dst-IP is actually used by Squid on the server connection.
To workaround that is where explicitly configuring "never_direct allow 
all" comes in handy.


>  I read that you can add them into the conf file.  I've 
> created the following acl line:
> 
> acl 8x8 dst 8.5.248.0/23 8.28.0.0/22 63.209.12.0/24 
> 162.221.236.0/23 162.221.238.0/23 192.84.16.0/22
> 
> and I tried to add 8x8 to the the http_access line:
> 
> http_access allow whitelist 8x8
> 
> but when I did that, the 4120 port started asking for authentication, 
> which is wrong. Can you tell me how to open those ip address ranges for 
> port 4120?
> 

Your use of http_access is not quite right.

see <https://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes>


Amos