[squid-users] squid asking for authentication repeatedly

Paul Hackmann phackmann at gmail.com
Tue Dec 12 15:10:28 UTC 2017


Amos,

The squid version is 3.1.19.  The network is set up with a 192.168.0.X
network on the lan side, and a 192.168.1.x network on the internet side.
Both ports 3120 and 4120 require authentication, but port 4120 is meant to
be restricted to only the whitelisted sites which are in a separate file.
Port 3120 allows access to any site.  The browser causing trouble is
configured for port 3120, not 4120.  Here is my squid.conf file:

http_port 3120
http_port 4120 intercept

cache_dir ufs /var/spool/squid3 500 16 256

#not sure what this block is for
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

acl whitelist dstdomain "/etc/squid3/whitelist.conf"

auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
auth_param basic children 6
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 4 hours
auth_param basic casesensitive off

acl ncsa_users proxy_auth REQUIRED

#not sure what this line does
acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/

acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

#acl http proto http
acl SSL_ports port 443
acl port_80 port 80
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

#list of computers that have access by ip address
acl allowed_clients src 192.168.0.9-192.168.0.45 192.168.0.53 192.168.0.65 192.168.0.83 192.168.0.90 192.168.0.91 192.168.0.179 192.168.0.186 192.168.0.220 192.168.0.221 192.168.0.244

acl portX myportname 4120
http_access allow portX whitelist
http_access deny portX

acl deny_websites dstdomain "/etc/squid3/deny_websites.conf"
acl CONNECT method CONNECT
#acl wuCONNECT dstdomain "/etc/squid3/whitelist.conf"
#acl wuCONNECT dstdomain sls.microsoft.com

#rule allowing nonauthenticated users
#http_access allow http port_80 whitelist
http_access allow CONNECT SSL_ports whitelist

#other access rules
#http_access deny !ncsa_users
http_access allow CONNECT localnet
http_access deny deny_websites
http_access allow allowed_clients ncsa_users
http_access deny !allowed_clients
#http_access allow ncsa_users
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localhost
#http_access allow localnet

http_access deny all

If the conf file is a mess, or has some problems, feel free to say so, as I
don't know what all of the directives in it are for.  I marked a couple of
lines I don't understand.  I would be happy for it to be optimized more if
anyone has ideas.

Thanks,
PH

On Mon, Dec 11, 2017 at 7:16 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 12/12/17 11:04, Paul Hackmann wrote:
>
>> Has anyone had the instance where the proxy will ask the user to
>> authenticate several times as they are browsing the web?  I have been
>> seeing this as a random occurrence for some of the users on the server.  It
>> will pop up a login prompt in the browser repeatedly for a minute or two.
>> Then it will settle down and be fine for hours.  I'm trying to track it
>> down, but I can't find anything amiss.  The access logs haven't shown
>> anything unusual.  I am using basic authentication with the proxy settings
>> set in firefox.  Is this something that a spike in traffic on the server
>> could cause?  Anybody have any suggestions?  The server is linux based.
>>
>>
> What version of Squid?
> What ACLs and http_access configuration?
>
> Amos
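Added example (not part of the original message or of the Squid project): one way to look for the symptom described above in access.log is to find clusters of TCP_DENIED/407 challenges per client, since a single 407 before the browser sends credentials is normal and a tight run of them is not. It assumes Squid's default native log format and time-ordered lines; the sample lines, the 60-second window and the threshold of 5 are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample in Squid's native access.log format (not from the thread):
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1513091400.101 0 192.168.0.12 TCP_DENIED/407 3985 GET http://example.com/ - NONE/- text/html
1513091400.350 85 192.168.0.12 TCP_MISS/200 5120 GET http://example.com/ alice DIRECT/192.0.2.10 text/html
1513091405.200 0 192.168.0.30 TCP_DENIED/407 3985 GET http://example.org/ - NONE/- text/html
1513091408.010 0 192.168.0.12 TCP_DENIED/407 3985 GET http://example.com/a - NONE/- text/html
1513091415.440 0 192.168.0.12 TCP_DENIED/407 3985 GET http://example.com/b - NONE/- text/html
1513091421.900 0 192.168.0.12 TCP_DENIED/407 3985 GET http://example.com/c - NONE/- text/html
1513091430.120 0 192.168.0.12 TCP_DENIED/407 3985 GET http://example.com/d - NONE/- text/html
1513091438.700 0 192.168.0.12 TCP_DENIED/407 3985 GET http://example.com/e - NONE/- text/html
1513095000.000 0 192.168.0.30 TCP_DENIED/407 3985 GET http://example.org/ - NONE/- text/html
truncated line
"""

def parse_line(line):
    """Return (timestamp, client, result_code, http_status), or None if malformed."""
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[3]:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    result, _, status = fields[3].partition("/")
    return ts, fields[2], result, status

def find_407_bursts(lines, window=60.0, threshold=5):
    """Map client IP -> (start_time, count) of its largest cluster of 407
    challenges that fits inside `window` seconds (assumed tuning values)."""
    recent = defaultdict(deque)   # client -> timestamps of recent 407s
    worst = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != "407":
            continue
        ts, client = rec[0], rec[1]
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:   # drop challenges older than the window
            q.popleft()
        if len(q) >= threshold and len(q) > worst.get(client, (0, 0))[1]:
            worst[client] = (q[0], len(q))
    return worst

if __name__ == "__main__":
    for client, (start, count) in find_407_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {count} auth challenges within 60s starting at {start:.3f}")
```

The start time of each cluster gives a point to compare against cache.log and system load at that moment.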