[squid-users] random forward proxy authentication pop-up
Antony Stone
Antony.Stone at squid.open.source.it
Mon Jul 27 16:56:41 UTC 2015
On Monday 27 Jul 2015 at 17:21, Berkes, David wrote:
> Here is the information requested. From the log, everything looks to be
> normal. The log example is from the cdn0.vox-cdn.com traffic.
>
> **** ORIGIN URLs
> pixel.adsafeprotected.com
> cdn0.vox-cdn.com
> sb.scorecardresearch.com
>
> **** SQUID LOG
> access.log.2:1437683164.693 0 70.197.241.219 TCP_DENIED/407 4213 CONNECT cdn0.vox-cdn.com:443 - HIER_NONE/- text/html
> access.log.2:1437683164.815 0 70.197.241.219 TCP_DENIED/407 4213 CONNECT cdn0.vox-cdn.com:443 - HIER_NONE/- text/html
> access.log.2:1437683164.815 0 70.197.241.219 TCP_DENIED/407 4213 CONNECT cdn0.vox-cdn.com:443 - HIER_NONE/- text/html
> access.log.2:1437683164.816 0 70.197.241.219 TCP_DENIED/407 4213 CONNECT cdn0.vox-cdn.com:443 - HIER_NONE/- text/html
> access.log.2:1437683164.816 0 70.197.241.219 TCP_DENIED/407 4213 CONNECT cdn0.vox-cdn.com:443 - HIER_NONE/- text/html
> access.log.2:1437683164.816 0 70.197.241.219 TCP_DENIED/407 4213 CONNECT cdn0.vox-cdn.com:443 - HIER_NONE/- text/html
> access.log.2:1437683166.464 1590 70.197.241.219 TCP_TUNNEL/200 29114 CONNECT cdn0.vox-cdn.com:443 proxyid HIER_DIRECT/54.192.120.85 -
> access.log.2:1437683166.464 1590 70.197.241.219 TCP_TUNNEL/200 72579 CONNECT cdn0.vox-cdn.com:443 proxyid HIER_DIRECT/54.192.120.85 -
> access.log.2:1437683166.464 1582 70.197.241.219 TCP_TUNNEL/200 39476 CONNECT cdn0.vox-cdn.com:443 proxyid HIER_DIRECT/54.192.120.85 -
> access.log.2:1437683166.464 1583 70.197.241.219 TCP_TUNNEL/200 5909 CONNECT cdn0.vox-cdn.com:443 proxyid HIER_DIRECT/54.192.120.85 -
> access.log.2:1437683167.244 2354 70.197.241.219 TCP_TUNNEL/200 59238 CONNECT cdn0.vox-cdn.com:443 proxyid HIER_DIRECT/54.192.120.85 -
> access.log.2:1437683167.244 2362 70.197.241.219 TCP_TUNNEL/200 75369 CONNECT cdn0.vox-cdn.com:443 proxyid HIER_DIRECT/54.192.120.85 -

The first obvious thing that stands out to me from this is that these are
HTTPS connections, not HTTP, so I'm going to let someone more familiar with
Squid's current handling of HTTPS pass further comment, except for my question
further down...

> **** CONFIG
> auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_passwd
> auth_param basic children 20
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 8 hours
> auth_param basic casesensitive on
>
> acl whitelist1 dstdomain pipergo.pjc.com .apple.com .yahoo.com .wp.com
> acl whitelist2 dstdom_regex (^|\.)*img\.com$
> acl ncsa_users proxy_auth REQUIRED
>
> http_access allow whitelist1
> http_access allow whitelist2
> http_access allow ncsa_users
> http_access deny all
>
> cache_mem 4096 MB
> memory_cache_mode always
> refresh_pattern . 1440 100% 525949 ignore-auth
> cache_dir aufs /squid/cache 40000 128 512
> maximum_object_size 200 MB
> maximum_object_size_in_memory 2 MB
> cache_swap_low 90
> cache_swap_high 95
> buffered_logs on
>
> #
> half_closed_clients off
> memory_pools off
>
> # DNS-record cache
> ipcache_size 10240
> ipcache_low 90
> ipcache_high 95
> negative_dns_ttl 5 minutes
>
> # listening port
> http_port 3128

When the unexpected authentication dialog appears:

1. what page do you see if you fail to authenticate correctly - is it from the
origin server cdn0.vox-cdn.com (in this case) or is it the page your users
would see if they failed to correctly authenticate to squid in the first
place?

2. can you authenticate, and get the expected page from the origin server, by
using the user's Squid credentials?

Regards,

Antony.

--
You can tell that the day just isn't going right when you find yourself using
the telephone before the toilet.
Please reply to the list;
please *don't* CC me.
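
Added example, not part of the original message or of Squid itself: a small triage script for logs like the one quoted above, which reports `TCP_DENIED/407` challenges that were never followed by an authenticated request from the same client to the same target. The function names, the 5-second window and the last sample line are assumptions made for illustration; the other sample lines are taken from the quoted log with the mail line-wrapping undone.

```python
import re

# Squid native access.log line, optionally prefixed by grep's "file:" tag.
LINE = re.compile(
    r'^(?:[^\s:]+:)?(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+'
    r'(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+')

def parse(lines):
    """Yield one dict per parsable access.log line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = float(e["ts"])
            # Squid logs when a transaction ends; it began `elapsed` ms earlier.
            e["start"] = e["ts"] - int(e["elapsed"]) / 1000.0
            yield e

def unanswered_challenges(lines, window=5.0):
    """Return 407 entries with no authenticated retry to the same target
    starting within `window` seconds (window is an assumed threshold)."""
    entries = list(parse(lines))
    retries = {}
    for e in entries:
        if e["status"] != "407" and e["user"] != "-":
            retries.setdefault((e["client"], e["url"]), []).append(e["start"])
    missing = []
    for e in entries:
        if e["status"] == "407":
            starts = retries.get((e["client"], e["url"]), [])
            if not any(0 <= s - e["ts"] <= window for s in starts):
                missing.append(e)
    return missing

SAMPLE = [
    "access.log.2:1437683164.693 0 70.197.241.219 TCP_DENIED/407 4213 CONNECT cdn0.vox-cdn.com:443 - HIER_NONE/- text/html",
    "access.log.2:1437683164.816 0 70.197.241.219 TCP_DENIED/407 4213 CONNECT cdn0.vox-cdn.com:443 - HIER_NONE/- text/html",
    "access.log.2:1437683166.464 1590 70.197.241.219 TCP_TUNNEL/200 29114 CONNECT cdn0.vox-cdn.com:443 proxyid HIER_DIRECT/54.192.120.85 -",
    "access.log.2:1437683167.244 2354 70.197.241.219 TCP_TUNNEL/200 59238 CONNECT cdn0.vox-cdn.com:443 proxyid HIER_DIRECT/54.192.120.85 -",
    # Constructed line (not from the thread): a challenge that is never answered.
    "1437683170.100 0 192.0.2.10 TCP_DENIED/407 4213 CONNECT example.invalid:443 - HIER_NONE/- text/html",
]

if __name__ == "__main__":
    for e in unanswered_challenges(SAMPLE):
        print(e["ts"], e["client"], e["method"], e["url"])
```

Subtracting the elapsed time matters here: the tunnels are logged up to two seconds after the 407 lines, but they started well under a second after the challenges.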