[squid-users] NCSA-auth don't work for file contain too many passwords

Garri Djavadyan garryd at comnet.uz
Fri Nov 11 17:29:32 UTC 2016


On 2016-11-11 21:05, --Ahmad-- wrote:
> Hi squid users.
> I have a problem when I use basic_ncsa auth.
> 
> The auth works when I have few passwords in the auth file,
> as an example:
> 
> 
> auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
> acl ncsa_users proxy_auth REQUIRED
> auth_param basic children 100
> http_access allow ncsa_users
> 
> 
> 
> Something like 30 users in the file /etc/squid/squid_user is OK,
> 
> but when I use something like 20K passwords, Squid always gives me wrong password.
> 
> Is there any tuning I need?
> 
> I’m using Squid 3.5.2.
> 
> BTW, I use the command, for example: htpasswd -db /etc/squid/squid_user user1 user1

Hi Ahmad,

I can't reproduce the problem using Squid 3.5.22. I used the following 
method to verify the case:

1. Edit default config.
# diff -u etc/squid.conf.default etc/squid.conf
--- etc/squid.conf.default	2016-10-28 15:54:53.851704360 +0500
+++ etc/squid.conf	2016-11-11 22:21:22.561765731 +0500
@@ -1,3 +1,4 @@
+auth_param basic program /usr/local/squid35/libexec/basic_ncsa_auth 
/usr/local/squid35/etc/passwd
  #
  # Recommended minimum configuration:
  #
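Review bot: the added `auth_param basic program` line sets only the helper path and the password file, while the configuration in the original report also has `auth_param basic children 100`; setting the same `children` value here would bring the test closer to the reported setup. The line is also wrapped across two lines in this mail and has to be a single line in squid.conf.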
@@ -23,6 +24,7 @@
  acl Safe_ports port 591		# filemaker
  acl Safe_ports port 777		# multiling http
  acl CONNECT method CONNECT
+acl AUTHENTICATED proxy_auth REQUIRED

  #
  # Recommended minimum Access Permission configuration:
@@ -45,6 +47,7 @@
  #
  # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
  #
+http_access deny !AUTHENTICATED

  # Example rule allowing access from your local networks.
  # Adapt localnet in the ACL section to list your (internal) IP networks
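Review bot: `http_access deny !AUTHENTICATED` at the "INSERT YOUR OWN RULE(S)" marker only rejects unauthenticated requests, so whether an authenticated request is allowed still depends on the rules that follow, such as the local-network example named in the trailing context. The original report uses `http_access allow ncsa_users` instead; a comment stating which later rule is expected to admit the 127.0.0.1 test client would make the two setups easier to compare.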


2. Create ncsa passwords db for 20k users.
# for i in {1..20000}; do echo "user${i}:$(openssl passwd -apr1 pass${i})" >> /usr/local/squid35/etc/passwd; done


3. Initiate requests using different usernames from the db.
$ for i in 1 5000 10000 15000 20000; do curl -v -x http://user${i}:pass${i}@127.0.0.1:3128 http://mirror.comnet.uz/centos/2/readme.txt > /dev/null; done 2>&1 | egrep '(user|OK)'
* Proxy auth using Basic with user 'user1'
< HTTP/1.1 200 OK
* Proxy auth using Basic with user 'user5000'
< HTTP/1.1 200 OK
* Proxy auth using Basic with user 'user10000'
< HTTP/1.1 200 OK
* Proxy auth using Basic with user 'user15000'
< HTTP/1.1 200 OK
* Proxy auth using Basic with user 'user20000'
< HTTP/1.1 200 OK


Can you try the method using Squid 3.5.2? If it fails, can you try 
Squid 3.5.22?

Garri
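
An added example, not part of the message above and not Squid code: a Python check that can be run over a password file like the one step 2 builds, to rule the file itself in or out before looking at Squid. It recomputes `$apr1$` hashes (the format `openssl passwd -apr1` writes) for probe credentials and flags malformed lines and repeated usernames. The names `apr1_hash` and `audit`, the probe mapping and the sample file are constructed for illustration, and entries in other hash formats are only reported as unchecked.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_hash(password, salt):
    """Apache MD5-crypt, the $apr1$ format written by `openssl passwd -apr1`."""
    pw, sl = password.encode(), salt.encode()[:8]
    md5 = lambda data: hashlib.md5(data).digest()
    alt = md5(pw + sl + pw)
    ctx = pw + b"$apr1$" + sl + alt * (len(pw) // 16) + alt[:len(pw) % 16]
    for bit in reversed(bin(len(pw))[2:]):   # bits of the length, low bit first
        ctx += b"\0" if bit == "1" else pw[:1]
    final = md5(ctx)
    for i in range(1000):                    # fixed 1000-round stretching loop
        data = (pw if i & 1 else final) + (sl if i % 3 else b"") + (pw if i % 7 else b"")
        final = md5(data + (final if i & 1 else pw))
    groups = [(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in
              ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))]
    out = ""
    for value, count in groups + [(final[11], 2)]:
        for _ in range(count):               # 6 bits per output character
            out += ITOA64[value & 0x3F]
            value >>= 6
    return "$apr1$" + sl.decode() + "$" + out

def audit(text, probes):
    """Findings for a password file; probes maps user -> password expected to work."""
    findings, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        user, sep, stored = line.partition(":")
        if not (user and sep and stored):
            findings.append((lineno, "malformed"))
            continue
        if user in seen:
            findings.append((lineno, "duplicate of line %d" % seen[user]))
        seen.setdefault(user, lineno)
        if not stored.startswith("$apr1$"):
            findings.append((lineno, "not $apr1$, not checked"))
        elif user in probes and apr1_hash(probes[user], stored.split("$")[2]) != stored:
            findings.append((lineno, "probe password does not match"))
    return findings

# Constructed sample in the shape step 2 produces, with three defects added.
SAMPLE = "\n".join(["user1:" + apr1_hash("pass1", "saltAAAA"),
                    "user2:" + apr1_hash("pass2", "saltBBBB"),
                    "user2:" + apr1_hash("other", "saltCCCC"),   # repeated username
                    "user3",                                     # no hash field
                    "user4:" + apr1_hash("wrong", "saltDDDD")])  # other password
print(audit(SAMPLE, {"user%d" % i: "pass%d" % i for i in range(1, 5)}))
```

To audit a real file, pass its contents as `text` and a few known-good credentials as `probes`.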

