[squid-users] Problem with squid3 authentication
Amos Jeffries
squid3 at treenet.co.nz
Sun Nov 15 23:42:45 UTC 2015
On 16/11/2015 7:17 a.m., Marcio Demetrio Bacci wrote:
> Hi,
>
> My problem is as follows:
>
> The Windows stations in the domain are automatically authenticated on the
> proxy, though the Linux stations ask for the password twice, even if the
> password is entered correctly the first time.
>
> Does somebody have an idea?
How are you identifying "ask for the password twice"?
two popups? (one for NTLM then one for Basic)
or,
two 407 responses? (NTLM requirement)
Also what Squid version are you using?
>
> Follow my squid.conf file
>
>
>
> ### Basic settings
> http_port 3128
>
> #debug_options ALL,111,2 29,9 84,6
>
> hierarchy_stoplist cgi-bin ?
>
> ### Block caching of CGIs
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
If you have a current Squid the above QUERY and hierarchy_stoplist lines
are not useful, and may be harming your cache ratios.
>
> cache_mem 512 MB
> cache_swap_low 80
> cache_swap_high 90
> maximum_object_size 512 MB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 4096 KB
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap LFUDA
>
> # So as not to block downloads
> quick_abort_min -1 KB
>
>
> # Works around a problem with persistent connections
> detect_broken_pconn on
>
> # Performance gain from using pipelined connections
> pipeline_prefetch on
NTLM authentication behaviour does not comply with HTTP specification
requirements, one of the side effects is that it breaks HTTP pipelines.
>
> fqdncache_size 1024
>
> ### Cache refresh parameters
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> ### Log locations
> access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log
>
>
> ### Sets the disk cache location, size, number of top-level directories and subdirectories
> cache_dir aufs /var/spool/squid3 600 16 256
>
> # Log file rotation control
> #logfile_rotate 10
>
> # Allow access to the Caixa site
> acl caixa dstdomain .caixa.gov.br
> always_direct allow caixa
> cache deny caixa
You do not use cache_peer directives. The always_direct is not doing
anything.
>
>
> ### AD authentication via Winbind
>
> # NTLM
> # for users logged on to Windows machines, reuse the logon credentials
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 50
> auth_param ntlm keep_alive off
>
>
> # for non-Windows clients, user/password must be requested
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 10
> auth_param basic realm "Autenticacao - CMB - Acesso Monitorado"
> auth_param basic credentialsttl 2 hours
>
> external_acl_type ad_group ipv4 ttl=600 children-max=35 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl
>
>
> ### ACLs
>
> #acl manager proto cache_object
> acl localhost src 192.168.100.1/32
> #acl to_localhost dst 192.168.100.1/32
> acl SSL_ports port 22 443 563 10000 # https, snews
> acl Safe_ports port 80 8080 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 3001 # Imprensa Nacional
>
> acl purge method PURGE
> acl CONNECT method CONNECT
>
>
> ### Squid's initial rules
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
>
> #acl manager proto cache_object
>
> acl connect_abertas maxconn 8
>
>
> # ACLs tied to authentication
> acl grupo_admins external ad_group gg_webadmins
> acl grupo_liberado external ad_group gg_webliberados
> acl grupo_restrito external ad_group gg_webcontrolados
>
>
> ### Block file extensions
> acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"
>
> ### Allow some sites
> acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
>
> ### Block sites by URL
> acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"
>
> ### Block by keyword
> acl palavras_bloqueadas url_regex -i "/etc/squid3/acls/palavras-proibidas"
>
>
> ### Require authentication
> acl autenticados proxy_auth REQUIRED
>
> ### Incorporate the SquidGuard rules ####
> #redirect_program /usr/bin/squidGuard
> #redirect_children 20
> #redirector_bypass on
>
> # allow the internet group
> http_access allow grupo_admins
grupo_admins requires authentication to be tested.
>
> #http_access deny extensoes_bloqueadas
> http_access allow sites_liberados
> http_access deny sites_bloqueados
> http_access deny palavras_bloqueadas
>
> ##### Allow access to the managers and teachers group
> http_access allow grupo_liberado
>
> ### Allow social media and music during lunch time
> acl almoco time 11:30-13:30
> http_access allow almoco
Almost unlimited proxy access to *anybody* for two hours each day.
This does not seem to be a desirable situation.
>
> # block social media during working hours
> acl social_proibido url_regex -i "/etc/squid3/acls/media-social"
> http_access deny social_proibido
>
> # Rule to block online radio extensions / streaming files:
> acl streaming req_mime_type -i "/etc/squid3/acls/mimeaplicativo"
>
> #acl proibir_musica urlpath_regex -i "/etc/squid3/acls/audioextension"
> acl proibir_musica url_regex -i "/etc/squid3/acls/audioextension"
> http_access deny proibir_musica
> http_reply_access deny streaming
"streaming" is checking *request* Content-Type header (uploads only). It
is not useful on *reply* access.
I think you are intending to use reply mime type (downloads), which is
matched by rep_mime_type (note the 'p').
>
> ### Bandwidth control
> ### There is only one pool (1)
> delay_pools 1
> ### pool number (1) and class type (2): total available bandwidth and total bandwidth per user
> delay_class 1 2
>
> ### approx. 32Mbps for everyone and 500Kbps per user
> delay_parameters 1 4194304/4194304 64000/64000
> delay_access 1 allow grupo_restrito
>
> http_access allow grupo_restrito
>
> # allowing access to all authenticated users
> http_access allow autenticados
>
> ### LAN network #####
> acl rede_lan src 192.168.100.0/22
>
> ### Deny access to anyone not on the local network
> http_access deny !rede_lan
>
"deny !rede_lan" does not do anything useful when followed by "deny all".
NP: You also allowed unlimited access earlier.
> # denying access to everyone not covered by the previous rules
> http_access deny all
Amos
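To make the two http_access observations in the reply concrete (the lunch-time allow reaching anybody, and the dead "deny !rede_lan" line), here is a small first-match evaluator written for this page; it is not Squid's code and models only the src, time and auth-dependent ACLs the quoted rules use. The HARDENED list is an assumed fix of mine, not something proposed in the thread.

```python
from ipaddress import ip_address, ip_network

REDE_LAN = ip_network("192.168.100.0/22")   # acl rede_lan src 192.168.100.0/22
LUNCH = (11 * 60 + 30, 13 * 60 + 30)        # acl almoco time 11:30-13:30 (minutes)

# ACL name -> predicate on a request. The ad_group ACLs and "autenticados" are
# auth-dependent: with no valid login they do not match (a real Squid first
# challenges a credential-less request with 407; after a failed login they fail).
ACLS = {
    "grupo_admins":   lambda r: r["user"] and "gg_webadmins" in r["groups"],
    "grupo_liberado": lambda r: r["user"] and "gg_webliberados" in r["groups"],
    "grupo_restrito": lambda r: r["user"] and "gg_webcontrolados" in r["groups"],
    "almoco":         lambda r: LUNCH[0] <= r["minute"] <= LUNCH[1],
    "autenticados":   lambda r: r["user"] is not None,
    "rede_lan":       lambda r: ip_address(r["src"]) in REDE_LAN,
    "all":            lambda r: True,
}

def evaluate(rules, req):
    """First rule whose ACLs all match decides; '!' negates an ACL. If nothing
    matches, the default is the opposite of the last rule's action (Squid's rule)."""
    for action, *acls in rules:
        if all(bool(ACLS[a.lstrip("!")](req)) != a.startswith("!") for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The auth-related http_access lines from the post, in the posted order (the
# url_regex list ACLs are left out: a request to an ordinary site matches none).
AS_POSTED = [
    ("allow", "grupo_admins"),
    ("allow", "grupo_liberado"),
    ("allow", "almoco"),        # anybody, authenticated or not, 11:30-13:30
    ("allow", "grupo_restrito"),
    ("allow", "autenticados"),
    ("deny", "!rede_lan"),      # dead line: "deny all" below already covers it
    ("deny", "all"),
]
# Assumed hardening (not from the thread): reject off-LAN clients first and make
# the lunch exception apply only to authenticated users.
HARDENED = [("deny", "!rede_lan"), ("allow", "almoco", "autenticados")] + \
    [r for r in AS_POSTED if r[1] not in ("almoco", "!rede_lan")]

def req(src, hhmm, user=None, groups=()):
    h, m = map(int, hhmm.split(":"))   # constructed sample request, not a real log
    return {"src": src, "minute": h * 60 + m, "user": user, "groups": set(groups)}

if __name__ == "__main__":
    outsider_lunch = req("10.9.8.7", "12:00")      # off-LAN, not logged in
    print(evaluate(AS_POSTED, outsider_lunch))     # allow  <- the hole Amos points at
    print(evaluate(HARDENED, outsider_lunch))      # deny
```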