[squid-users] Squid 3.3.8 -- Authentication Problems when using Alias Host Name

Markus Sonnenberg lassmichinruhe at rz-amper.de
Mon Feb 15 12:40:00 UTC 2016


Hi,

i've set up a CentOS 7 machine with Squid 3.3.8 and kerberos/ntlm 
authentication in order to replace our older Squid Proxy.
The new Squid server runs fine and authentication is working as 
expected. We use group policies to set proxy server address at terminal 
servers and workstations,which is "proxy.company.com". This address is 
an A record and currently points to the ip address of our old proxy 
server. The hostname of our old proxy server is "euprx001.company.com" 
and the hostname of our new proxy server is "euprx101.company.com"

When I change the A record for "proxy.company.com" pointing to the ip 
address of our new proxy server then authentication is not working.

   proxy.company.com            10.222.40.106
   euprx101.company.com      10.222.40.106

Authentication work if internet explorer uses the real host name but it 
does not work if uses "proxy.company.com"

Gues what, this A record is pointing currently to our old proxy server 
and works fine regardless if internet explorer connects to proxy... or 
euprx001....

Here's the current config I'm using on our new proxy server.

<snip>
#  Network Options
# 
+-------------------------------------------------------------------------+
http_port 8080
icp_port 0
offline_mode off

#  Administrative Options
# 
+-------------------------------------------------------------------------+
via off
cache_mgr edc.helpdesk at company.com
cachemgr_passwd ap0ll0 all
cache_effective_user squid
cache_effective_group squid
# cache_dir rock /cache 40000 max-size=4194304 slot-size=32768
cache_mem 6144 MB
memory_pools on
pid_filename /var/run/squid.pid
ftp_user anonymous
ftp_passive off
check_hostnames off
request_header_max_size 20 KB
snmp_port 3401
shutdown_lifetime 2 seconds
maximum_object_size 1048576 KB
maximum_object_size_in_memory 10240 KB
forwarded_for on
snmp_incoming_address 0.0.0.0
workers 4
error_directory /usr/share/squid/errors/TTI
deny_info ERR_AD_REMOVED AdServer
deny_info ERR_BLOCKED_FILES BlockedFiles
deny_info ERR_BLOCKED_SITES BlockedSites
deny_info ERR_BLOCKED_SOCIAL BlockedSocialnet
deny_info ERR_BLOCKED_WEBMAIL BlockedWebmail

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm 
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp 
--domain=DE.COMPANY.COM --kerberos 
/usr/lib64/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=10 idle=10
auth_param negotiate keep_alive on

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth 
--helper-protocol=squid-2.5-ntlmssp --domain=DE.COMPANY.COM
auth_param ntlm children 10
auth_param ntlm keep_alive on

### provide basic authentication via ldap for clients not authenticated 
via kerberos/ntlm
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b 
"dc=DE,dc=COMPANY,dc=COM" -D SVC_Squid at company.com -W 
/etc/squid/ldappass.txt -f sAMAccountName=%s -h euads201.de.company.com
auth_param basic children 10 startup=0 idle=1
auth_param basic realm Company, Inc. European Web Proxy
auth_param basic credentialsttl 120 minute

### ldap authorisation
external_acl_type memberof %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R 
-K -S -b "dc=DE,dc=COMPANY,dc=COM" -D SVC_Squid at de.company.com -W 
/etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v) 
(memberof=cn=%g,cn=Users,dc=DE,dc=COMPANY,dc=COM))" -h 
euads201.de.company.com

#  Logging
# 
+-------------------------------------------------------------------------+
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log daemon:/var/log/squid/squid-cache-access.log squid

#  Refresh Pattern
# 
+-------------------------------------------------------------------------+
refresh_pattern ^http://.*\.gif$   10080     100%       120960 
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.png$          10080     100%       120960 
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.jpg$          10080     100%       120960 
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.jpeg$         10080     100%       120960 
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.bmp$          10080     100%       120960 
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.gif$          10080     100%       120960 
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.ico$          10080     100%       120960 
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.swf$          10080     100%       120960 
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.flv$          10080     100%       120960 
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.rar$          10080     100%       120960 
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.ram$          10080     100%       120960 
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.txt$          10080     100%       120960 
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.css$          10080     100%       120960 
reload-into-ims override-expire ignore-reload
refresh_pattern ^http://           1         100%       20160 
reload-into-ims ignore-reload
refresh_pattern ^ftp://            10080     100%       120960
refresh_pattern ^gopher://         240       40%        20160
refresh_pattern -i (/cgi-bin/|\?)  0         0%         0
refresh_pattern .                  0         100%       20160 
reload-into-ims

#  Access Control List
# 
+-------------------------------------------------------------------------+
### acl for proxy auth and ldap authorizations
#
#   aclname             acltype  typename activedirectorygroup
acl snmppublic          snmp_community public
acl Java                browser Java/1.4 Java/1.5 Java/1.6 Java/1.7 
Java/1.8 Java/1.9
acl auth                proxy_auth REQUIRED
acl AdminAccess         external memberof "/etc/squid/group_admin.txt"
acl BlockedAccess       external memberof "/etc/squid/group_blocked.txt"
acl RestrictedAccess    external memberof "/etc/squid/group_restricted.txt"
acl StandardAccess      external memberof "/etc/squid/group_standard.txt"
acl FullAccess          external memberof "/etc/squid/group_full.txt"
acl AdServer            dstdom_regex "/etc/squid/dst_adserver.txt"
acl BlockedSites        dstdom_regex "/etc/squid/dst_blocked.txt"
acl BlockedSocialnet    dstdom_regex "/etc/squid/dst_socialnet.txt"
acl BlockedWebmail      dstdom_regex "/etc/squid/dst_webmail.txt"
acl AllowedSites        dstdomain "/etc/squid/dst_allowed.txt"
acl noauthsites         dstdomain "/etc/squid/dst_noauth.txt"
acl dontcache           dstdomain "/etc/squid/dst_dontcache.txt"
acl BlockedFiles        urlpath_regex "/etc/squid/blockedfiles.txt"
acl vlan3042            dst 10.222.42.0/23
acl vlan3044            dst 10.222.44.0/23
acl vlan3247            dst 10.222.247.0/24
acl SSL_ports           port 80 87 443 446 447 481 482 563 1494 2598 
6400 8020 8443 9250 9443 10000 10020 44300
acl Safe_ports          port 21 70 80 210 210 280 443 446 447 481 482 
488 563 591 666 777 1025-65535
acl CONNECT             method CONNECT

### cache directives
cache deny dontcache

### snmp_access rules
snmp_access allow       snmppublic

### http_access rules
http_access allow       manager localhost
http_access deny        manager
http_access deny        !Safe_ports
http_access deny        CONNECT !SSL_ports
http_access allow       localhost

# enforce authentication, order of rules is important for authorization 
levels
http_access allow       Java
http_access allow       noauthsites
http_access deny        !auth
http_access deny        AdServer
http_access allow       AdminAccess
http_access deny        BlockedAccess all
http_access deny        BlockedFiles
http_access allow       AllowedSites
http_access deny        RestrictedAccess all
http_access allow       FullAccess auth
http_access deny        BlockedSites
http_access deny        BlockedSocialnet
http_access deny        BlockedWebmail
http_access allow       StandardAccess auth
# DO NOT REMOVE THE FOLLOWING LINE
http_access deny all

# The End
# 
+-------------------------------------------------------------------------+
You have new mail in /var/spool/mail/root
</snip>

best regards
Markus

ct,



More information about the squid-users mailing list