<div dir="ltr">Amos,<br><div><br>The squid version is 3.1.19. The network is set up
with a 192.168.0.X network on the lan side, and a 192.168.1.x network on
the internet side. Both ports 3120 and 4120 require authentication,
but port 4120 is meant to be restricted to only the whitelisted sites
which are in a separate file. Port 3120 allows access to any site. The
browser causing trouble is configured for port 3120, not 4120. Here is
my squid.conf file:<br><br>http_port 3120<br>http_port 4120 intercept<br><br>cache_dir ufs /var/spool/squid3 500 16 256<br></div><div><br></div><div>#not sure what this block is for<br></div><div>refresh_pattern ^ftp: 1440 20% 10080<br>refresh_pattern ^gopher: 1440 0% 1440<br>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>refresh_pattern . 0 20% 4320<br><br>acl whitelist dstdomain "/etc/squid3/whitelist.conf"<br><br>auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd<br>auth_param basic children 6<br>auth_param basic realm Squid proxy-caching web server<br>auth_param basic credentialsttl 4 hours<br>auth_param basic casesensitive off<br><br>acl ncsa_users proxy_auth REQUIRED<br></div><div><br></div><div>#not sure what this line does<br></div><div>acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-<wbr>internal-mgr/<br><br>acl localhost src <a href="http://127.0.0.1/32" target="_blank">127.0.0.1/32</a> ::1<br>acl to_localhost dst <a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a> <a href="http://0.0.0.0/32" target="_blank">0.0.0.0/32</a> ::1<br><br>acl localnet src <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a> # RFC 1918 possible internal network<br>acl localnet src <a href="http://172.16.0.0/12" target="_blank">172.16.0.0/12</a> # RFC 1918 possible internal network<br>acl localnet src <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a> # RFC 1918 possible internal network<br>acl localnet src fc00::/7 # RFC 4193 local private network range<br>acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br><br>#acl http proto http<br>acl SSL_ports port 443<br>acl port_80 port 80<br>acl Safe_ports port 80 # http<br>acl Safe_ports port 21 # ftp<br>acl Safe_ports port 443 # https<br>acl Safe_ports port 70 # gopher<br>acl Safe_ports port 210 # wais<br>acl Safe_ports port 1025-65535 # unregistered ports<br>acl Safe_ports port 280 # http-mgmt<br>acl Safe_ports port 488 # gss-http<br>acl Safe_ports port 591 # filemaker<br>acl Safe_ports port 777 # multiling http<br><br>#list of computers that have access by ip address<br>acl
allowed_clients src 192.168.0.9-192.168.0.45 192.168.0.53 192.168.0.65
192.168.0.83 192.168.0.90 192.168.0.91 192.168.0.179 192.168.0.186
192.168.0.220 192.168.0.221 192.168.0.244<br><br>acl portX myportname 4120<br>http_access allow portX whitelist<br>http_access deny portX<br><br>acl deny_websites dstdomain "/etc/squid3/deny_websites.<wbr>conf"<br>acl CONNECT method CONNECT<br>#acl wuCONNECT dstdomain "/etc/squid3/whitelist.conf"<br>#acl wuCONNECT dstdomain <a href="http://sls.microsoft.com" target="_blank">sls.microsoft.com</a><br><br>#rule allowing nonauthenticated users<br>#http_access allow http port_80 whitelist<br>http_access allow CONNECT SSL_ports whitelist<br><br>#other access rules<br>#http_access deny !ncsa_users<br>http_access allow CONNECT localnet<br>http_access deny deny_websites<br>http_access allow allowed_clients ncsa_users<br>http_access deny !allowed_clients<br>#http_access allow ncsa_users<br>http_access allow manager localhost<br>http_access deny manager<br>http_access deny !Safe_ports<br>#http_access deny CONNECT !SSL_ports<br>http_access allow localhost<br>#http_access allow localnet<br><br>http_access deny all<br><br></div><div>If
the conf file is a mess, or has some problems, feel free to say so, as I
don't know what all of the directives in it are for. I marked a couple
of lines I don't understand. I would be happy for it to be optimized
more if anyone has ideas.</div><div><br></div><div>Thanks,</div>PH<div class="gmail_extra"><br><div class="gmail_quote">On Mon, Dec 11, 2017 at 7:16 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 12/12/17 11:04, Paul Hackmann wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Has anyone had the instance where the proxy will ask the user to authenticate several times as they are browsing the web? I have been seeing this as a random occurrence for some of the users on the server. It will pop up a login prompt in the browser repeatedly for a minute or two. Then it will settle down and be fine for hours. I'm trying to track it down, but I can't find anything amiss. The access logs haven't shown anything unusual. I am using basic authentication with the proxy settings set in firefox. Is this something that a spike in traffic on the server could cause? Anybody have any suggestions? The server is linux based.<br>
<br>
</blockquote>
<br></span>
What version of Squid?<br>
What ACLs and http_access configuration?<br>
<br>
Amos<br>
______________________________<wbr>_________________<div class="HOEnZb"><div class="h5"><br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.<wbr>org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/l<wbr>istinfo/squid-users</a><br>
</div></div></blockquote></div></div></div>