[squid-users] random forward proxy authentication pop-up
Berkes, David
David.J.Berkes at pjc.com
Mon Jul 27 17:09:29 UTC 2015
Thanks. Here is my feedback.
1. what page do you see if you fail to authenticate correctly - is it from the origin server cdn0.vox-cdn.com (in this case) or is it the page your users would see if they failed to correctly authenticate to squid in the first place?
> When the origin server prompts for credentials, I hit "cancel" or "login" without credentials and it continues to work and load the page. I don’t get any other prompts from either action. I don’t get an authentication pop-up from squid and/or a message from the squid server.
2. can you authenticate, and get the expected page from the origin server, by using the user's Squid credentials?
> I have not tried that because if I hit cancel or login, the authentication pop-up goes away and the page loads.. I know these origin servers are not secured with authentication and can test that from my non-proxy browser. I have all my companies iPhones set to use the squid proxy, but this has been causing a lot of user grief as you can expect.
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Antony Stone
Sent: Monday, July 27, 2015 11:57 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] random forward proxy authentication pop-up
On Monday 27 Jul 2015 at 17:21, Berkes, David wrote:
> Here is the information requested. From the log, everything looks to
> be normal. The log example is from the cdn0.vox-cdn.com traffic.
>
> **** ORIGIN URL's
> pixel.adsafeprotected.com
> cdn0.vox-cdn.com
> sb.scorecardresearch.com
>
> **** SQUID LOG
> access.log.2:1437683164.693 0 70.197.241.219 TCP_DENIED/407 4213
> CONNECT cdn0.vox-cdn.com:443 - HIER_NONE/- text/html
> access.log.2:1437683164.815 0 70.197.241.219 TCP_DENIED/407 4213
> CONNECT cdn0.vox-cdn.com:443 - HIER_NONE/- text/html
> access.log.2:1437683164.815 0 70.197.241.219 TCP_DENIED/407 4213
> CONNECT cdn0.vox-cdn.com:443 - HIER_NONE/- text/html
> access.log.2:1437683164.816 0 70.197.241.219 TCP_DENIED/407 4213
> CONNECT cdn0.vox-cdn.com:443 - HIER_NONE/- text/html
> access.log.2:1437683164.816 0 70.197.241.219 TCP_DENIED/407 4213
> CONNECT cdn0.vox-cdn.com:443 - HIER_NONE/- text/html
> access.log.2:1437683164.816 0 70.197.241.219 TCP_DENIED/407 4213
> CONNECT cdn0.vox-cdn.com:443 - HIER_NONE/- text/html
> access.log.2:1437683166.464 1590 70.197.241.219 TCP_TUNNEL/200 29114
> CONNECT cdn0.vox-cdn.com:443 proxyid HIER_DIRECT/54.192.120.85 -
> access.log.2:1437683166.464 1590 70.197.241.219 TCP_TUNNEL/200 72579
> CONNECT cdn0.vox-cdn.com:443 proxyid HIER_DIRECT/54.192.120.85 -
> access.log.2:1437683166.464 1582 70.197.241.219 TCP_TUNNEL/200 39476
> CONNECT cdn0.vox-cdn.com:443 proxyid HIER_DIRECT/54.192.120.85 -
> access.log.2:1437683166.464 1583 70.197.241.219 TCP_TUNNEL/200 5909
> CONNECT cdn0.vox-cdn.com:443 proxyid HIER_DIRECT/54.192.120.85 -
> access.log.2:1437683167.244 2354 70.197.241.219 TCP_TUNNEL/200 59238
> CONNECT cdn0.vox-cdn.com:443 proxyid HIER_DIRECT/54.192.120.85 -
> access.log.2:1437683167.244 2362 70.197.241.219 TCP_TUNNEL/200 75369
> CONNECT cdn0.vox-cdn.com:443 proxyid HIER_DIRECT/54.192.120.85 -
The first obvious thing that stands out to me from this is that these are HTTPS connections, not HTTP, so I'm going to let someone more familiar with Squid's current handling of HTTPS pass further comment, except for my question further down...
> **** CONFIG
> auth_param basic program /usr/lib64/squid/basic_ncsa_auth
> /etc/squid/squid_passwd auth_param basic children 20 auth_param basic
> realm Squid proxy-caching web server auth_param basic credentialsttl 8
> hours auth_param basic casesensitive on
>
> acl whitelist1 dstdomain pipergo.pjc.com .apple.com .yahoo.com .wp.com
> acl whitelist2 dstdom_regex (^|\.)*img\.com$ acl ncsa_users proxy_auth
> REQUIRED
>
> http_access allow whitelist1
> http_access allow whitelist2
> http_access allow ncsa_users
> http_access deny all
>
> cache_mem 4096 MB
> memory_cache_mode always
> refresh_pattern . 1440 100% 525949 ignore-auth cache_dir aufs
> /squid/cache 40000 128 512 maximum_object_size 200 MB
> maximum_object_size_in_memory 2 MB cache_swap_low 90 cache_swap_high
> 95 buffered_logs on
>
> #
> half_closed_clients off
> memory_pools off
>
> # DNS-record cache
> ipcache_size 10240
> ipcache_low 90
> ipcache_high 95
> negative_dns_ttl 5 minutes
>
> # listening port
> http_port 3128
When the unexpected authentication dialog appears:
1. what page do you see if you fail to authenticate correctly - is it from the origin server cdn0.vox-cdn.com (in this case) or is it the page your users would see if they failed to correctly authenticate to squid in the first place?
2. can you authenticate, and get the expected page from the origin server, by using the user's Squid credentials?
Regards,
Antony.
--
You can tell that the day just isn't going right when you find yourself using
the telephone before the toilet.
Please reply to the list;
please *don't* CC me.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
________________________________
Piper Jaffray & Co. Since 1895. Member SIPC and NYSE. Learn more at www.piperjaffray.com. Piper Jaffray corporate headquarters is located at 800 Nicollet Mall, Minneapolis, MN 55402.
Piper Jaffray outgoing and incoming e-mail is electronically archived and recorded and is subject to review, monitoring and/or disclosure to someone other than the recipient. This e-mail may be considered an advertisement or solicitation for purposes of regulation of commercial electronic mail messages. If you do not wish to receive commercial e-mail communications from Piper Jaffray, go to: www.piperjaffray.com/do_not_email to review the details and submit your request to be added to the Piper Jaffray "Do Not E-mail Registry." For additional disclosure information see www.piperjaffray.com/disclosures
More information about the squid-users
mailing list