[squid-users] squid time out

ANDRINANTENAINA Avo avo.andrinantenaina at gmail.com
Thu Jul 18 13:57:17 UTC 2019


Dear all,

I have the following setup:

# ../sbin/squid -v
/usr/local/squid/etc
Squid Cache: Version 5.0.0-VCS
Service Name: squid
configure options:  '--with-logdir=/var/log/squid' '--enable-auth-basic=LDAP,PAM,SMB,RADIUS' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-digest=LDAP,eDirectory' '--with-default-user=proxy'
#
/usr/local/squid/etc



I have a huge range in terms of network, but awkwardly, the
authentication/ACL and everything works well in one given subnet but not on
the others. The users in the other subnets are not able to surf the
internet, and this without any specific logs from the proxy side (the most
significant part of the config can be seen below). Any request from these
users just times out.



#debug_options 29,9
#dns_nameservers 192.168.0.9 192.168.0.4
#connect_timeout 1  minute
debug_options ALL,9 11,3 20,3

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/squid/libexec/negotiate_wrapper_auth -d --ntlm /usr/local/samba/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BCM --kerberos /usr/local/squid/libexec/ext_kerberos_sid_group_acl -d -s GSS_C_NO_NAME
auth_param negotiate children 60
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/local/samba/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=KATANA
auth_param ntlm children 60
auth_param ntlm keep_alive off

# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 60
auth_param basic credentialsttl 4 hours

##
auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -R -b "dc=KATANA,dc=LOCAL" -D simpleuser at katana.local -W /usr/local/squid/etc/pass.txt -f sAMAccountName=%s -h 192.168.111.4
auth_param basic children 60
auth_param basic realm Banky Foibe
auth_param basic credentialsttl 1 minute

acl local0 dst 172.16.0.0/12
acl local1 dst 192.168.0.0/16
http_access allow local0 all
http_access allow local1 all
cache deny local1
cache deny local0
redirector_access deny local0
redirector_access deny local1

http_access deny !auth
http_access allow auth
#http_access deny all
http_port 8080



I can't really understand the issue. From the affected networks:

- The user is able to ping the proxy and access its port 8080 (through telnet / netcat).

- The request is able to reach the proxy, but in the access_log the "user" is missing:

1563455060.396      1 192.168.230.195 TCP_DENIED/407 4714 GET http://api.bing.com/qsml.aspx? - HIER_NONE/- text/html

- TCP_DENIED/407, requesting the user to go through the authentication phase, is presented by the proxy to the user's browser, but nothing happens. I thought that if the timer set for Kerberos/NTLM expires a pop-up should appear, but nothing (from Wireshark):

GET http://www.bing.com/favicon.ico HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: www.bing.com
Proxy-Connection: Keep-Alive

HTTP/1.1 407 Proxy Authentication Required
Server: squid/5.0.0-VCS
Mime-Version: 1.0
Date: Thu, 18 Jul 2019 10:01:53 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3733
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: Negotiate
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="KATANA - PERIMETER"
X-Cache: MISS from katana_proxy
Via: 1.1 lichtquanta (squid/5.0.0-VCS)
Connection: close



- In cache.log there is nothing that could mean something, just a
bunch of ARP errors. Tried debugging section 29 for authentication ... but
nothing. Checked the IE internet options, just in case the Windows
authentication profile is not ticked ... but it is there.

I am lost, so any help would really be appreciated.
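As an added diagnostic (not part of this post, and not Squid's own tooling), the script below reads access.log lines in the native format quoted above and reports, per /24, how many 407 challenges were issued against how many requests that later carried a username; a subnet with challenges and no authenticated request is one whose clients never answer the challenge. The log lines are constructed for the example, with the first one copied from this post, and the subnet sizes and usernames are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
# (the first line is the one quoted in the post; the rest are made up).
SAMPLE_LOG = """\
1563455060.396      1 192.168.230.195 TCP_DENIED/407 4714 GET http://api.bing.com/qsml.aspx? - HIER_NONE/- text/html
1563455061.102      1 192.168.230.195 TCP_DENIED/407 4714 GET http://www.bing.com/favicon.ico - HIER_NONE/- text/html
1563455062.411      1 192.168.230.195 TCP_DENIED/407 4714 GET http://www.bing.com/favicon.ico - HIER_NONE/- text/html
1563455070.010      1 192.168.5.22 TCP_DENIED/407 4714 GET http://www.example.com/ - HIER_NONE/- text/html
1563455070.250    120 192.168.5.22 TCP_MISS/200 8821 GET http://www.example.com/ alice HIER_DIRECT/93.184.216.34 text/html
1563455075.000      1 192.168.5.23 TCP_DENIED/407 4714 GET http://www.example.com/ - HIER_NONE/- text/html
1563455075.300     98 192.168.5.23 TCP_MISS/200 512 GET http://www.example.com/ bob HIER_DIRECT/93.184.216.34 text/html
"""


def parse_line(line):
    """Pull the client IP, HTTP status and username out of one native-format line."""
    fields = line.split()
    if len(fields) < 10:
        return None  # truncated or non-native line; skip it
    return {"client": fields[2], "status": fields[3].split("/")[-1], "user": fields[7]}


def auth_outcome_by_subnet(log_text, prefix=24):
    """Per /prefix subnet (assumed size): count 407 challenges and requests that
    arrived with a username, i.e. challenges the client actually answered."""
    stats = defaultdict(lambda: {"challenged": 0, "authenticated": 0, "clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        net = str(ipaddress.ip_network(f"{rec['client']}/{prefix}", strict=False))
        entry = stats[net]
        entry["clients"].add(rec["client"])
        if rec["status"] == "407":
            entry["challenged"] += 1
        elif rec["user"] != "-":
            entry["authenticated"] += 1
    return dict(stats)


def stuck_subnets(log_text, prefix=24):
    """Subnets whose clients were challenged but never sent credentials back."""
    return sorted(net for net, s in auth_outcome_by_subnet(log_text, prefix).items()
                  if s["challenged"] and not s["authenticated"])


if __name__ == "__main__":
    for net, s in sorted(auth_outcome_by_subnet(SAMPLE_LOG).items()):
        print(f"{net}: {s['challenged']} challenged, {s['authenticated']} authenticated, "
              f"{len(s['clients'])} clients")
    print("never authenticate:", stuck_subnets(SAMPLE_LOG))
```

Run it against a real access.log (`auth_outcome_by_subnet(open("/var/log/squid/access.log").read())`) to confirm whether the failing subnets ever produce a request with a username at all, which separates a client-side negotiation failure from a helper failure on the proxy.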