[squid-users] Squid authentication problem (Amos Jeffries)

Sonya Roy sonyaroy75 at gmail.com
Tue Jun 20 11:32:07 UTC 2017


Thanks for all the help. I just checked the /etc/squid/passwords file. It
turns out I mistakenly used htpasswd -c when saving the last username and
password, and all the previous ones got overwritten.

After fixing that, the config file I wrote earlier worked fine.

With regards,
Sonya Roy

On Tue, Jun 20, 2017 at 4:18 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

>
> On 20/06/17 10:50, Sonya Roy wrote:
>
>> Hi,
>>
>> Thanks for the links. So I tried what you suggested and for testing, I
>> was using this simple config:-
>>
>> http_port 8080
>> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
>> auth_param basic realm proxy
>> external_acl_type checkclient children-max=20 %MYADDR %LOGIN /usr/local/squidauth.py
>> acl authenticated external checkclient
>> http_access allow authenticated
>> cache deny all
>> forwarded_for delete
>> request_header_access Via deny all
>>
>> I made sure that the squidauth.py file was executable and when
>> debugging, I found that the helper processes were running. But nothing
>> was getting passed to the helper processes. In the python code, I was
>> running a loop which reads lines from the stdin and parses them and
>> writes output to the stdout. I checked and it wasn't getting anything
>> from stdin. (I added a line which reads the input line from stdin and
>> sends it to another server through an HTTP request to make sure if it was
>> getting anything from stdin at all.)
>>
>> But, when I tried to use the proxy (and of course I was using a username
>> and password that was stored in /etc/squid/passwords), I kept getting
>> the error that authentication required, i.e. the server was sending back
>> the header Proxy-Authenticate: Basic realm="proxy". I am not sure what I
>> am doing wrong here.
>>
>
> Sounds to me like the auth_param helper is not accepting the credentials
> you are testing with. The %LOGIN parameter needs auth to be completed
> successfully before the ACL helper is called with the resulting username.
>
> Note that the NCSA helper uses a database file (/etc/squid/passwords) of
> hashes encoded by the Apache htpasswd tool. It is neither a plain-text nor a
> Unix passwd file; that difference catches some people out.
>
>
> To simplify what is going on I would use the following config sequence:
>
>  acl login proxy_auth REQUIRED
>  http_access deny !login
>
>  acl userip_check external checkclient
>  http_access allow userip_check
>
>  http_access deny all
>
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
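For reference, a sketch of the stdin/stdout loop that an external ACL helper such as the squidauth.py mentioned in this thread has to implement. It is an added example, not code posted by anyone in the thread. The policy table and addresses are constructed, and it assumes the external_acl_type line shown above (no concurrency= option, so no channel-ID prefix) with Squid's default URL-encoding of the %MYADDR and %LOGIN fields.

```python
#!/usr/bin/env python3
"""External ACL helper sketch for:
external_acl_type checkclient children-max=20 %MYADDR %LOGIN /usr/local/squidauth.py
"""
import sys
from urllib.parse import unquote

# Constructed policy (assumption): the proxy listening addresses each
# authenticated user is allowed to use. Replace with a real lookup.
ALLOWED = {
    "alice": {"192.0.2.10"},
    "bob": {"192.0.2.10", "192.0.2.11"},
}


def decide(line):
    """Return the reply for one request line of the form 'MYADDR LOGIN'."""
    fields = line.split()
    if len(fields) != 2:
        # BH reports a helper-side problem rather than a policy decision
        # (assumes a Squid version that understands BH, i.e. 3.4 or later).
        return "BH message=expected-two-fields"
    # Squid URL-encodes each field by default, so decode before comparing.
    myaddr, login = (unquote(f) for f in fields)
    # Fail closed: unknown users and unlisted addresses both get ERR.
    if myaddr in ALLOWED.get(login, ()):
        return "OK"
    return "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Answer one line per request until Squid closes stdin."""
    for line in stdin:
        stdout.write(decide(line) + "\n")
        # Without a flush the reply sits in the pipe buffer and Squid
        # keeps waiting for the helper to answer.
        stdout.flush()


if __name__ == "__main__":
    serve()
```

Because the format uses %LOGIN, Squid only writes a line to this helper after the auth_param helper has accepted the credentials, so a helper that never sees input points at the basic_ncsa_auth stage and the password file rather than at the script.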