[squid-users] Doesnt authorize with Squid
Amos Jeffries
squid3 at treenet.co.nz
Thu Dec 14 04:02:11 UTC 2017
On 14/12/17 06:03, Edwin Quijada wrote:
> Hi!
> I have installed a Debian server with Squid3 to authorize internet
> surfing. My problem is that when I get the screen for credentials and I
> enter my right credentials, I always get denied.
>
Is this "screen" a popup box or an actual visual page displayed?
HTTP auth popups should be relatively small and grey outlined, asking
only for username and password with the proxy Realm string as the title
or initial text.
> I have used different helpers for authentication and I did my own using C
>
> but the authorization continues
>
Whether to show the popup is a Browser decision. When things are working
properly you should only ever see 0 or 1 of them.
>
> Is there a way to see or debug the authorization process?
>
The available helpers should all provide a -d command line option for
testing and troubleshooting. You can configure that in their 'auth_param
... program' squid.conf line. Squid logs the debug info from helpers to
cache.log.
How your custom helper gets debugged is up to you. Anything it sends
to stderr is sent to cache.log so you can use that instead of having to
worry about custom log files yourself.
>
> This is the squid.conf. The helper just takes the values but always
> authorizes, always prints OK
>
>
> #Recommended minimum configuration:
> http_port 3128
> cache_dir ufs /var/spool/squid3 2048 16 256
> maximum_object_size 100 MB
> cache_swap_low 90
> cache_swap_high 95
>
> #--------------- Authorization rules -------------
> auth_param basic program /root/squid_helper3
> auth_param basic children 20
> auth_param basic casesensitive off
> auth_param basic realm Proxy Test --> Usuario Y Clave
> auth_param basic credentialsttl 5 hours
That credentialsttl setting is how long Squid remembers helper responses
about credentials. Once credentials are given an OK/ERR result no
further changes to the auth system for that credential pair (eg, user
account addition, removal or password changes) are noticed by Squid
until that TTL expires and a fresh lookup is performed.
This is a value you should tune to be short, but long enough not to
overload the helpers and slow your clients' traffic down at peak times.
For initial testing of auth leave it *very* short until you are sure the
auth is working okay. Then test longer timings until you are happy with
the performance vs security tradeoff.
> #----------------------------------------------------
> #
> acl AuthenticatedUsers proxy_auth REQUIRED
> http_access allow AuthenticatedUsers
The best way to perform auth is to deny non-authenticated users. That
includes the ones with *invalid* credentials (attackers or forgotten
passwords etc.).
Then further access controls can rely on credentials being both present
and valid, and allow access for various reasons. For example, the client
being on the LAN / localnet.
> #-------------------- Port ACLs --------------------
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> acl CONNECT method CONNECT
>
> #---------------------- HTTP ACCESS DEFAULT-------------
> #http_access allow manager localhost
> #http_access deny manager
> http_access deny !Safe_ports
>
> Any help?
>
Your custom rules should all be down below the !Safe_ports and "CONNECT
!SSL_ports" protections, so attacks using those DoS methods cannot
overload your auth system and more complicated ACL things.
While the http_access rules are not great they should still have
"worked" for the request(s) after you entered the credentials.
What I'd do along with enabling debug in the auth helper is to also
configure "debug_options 11,2" in squid.conf to get a trace of what the
HTTP messages contain. That may show some clues about where the problem
is starting.
Amos
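As an added example (not Edwin's helper, and not code from the Squid project), here is a minimal basic-auth helper in C that implements the stdin/stdout protocol Amos refers to: one URL-encoded "username password" line in, a single OK or ERR line out, and -d debug output on stderr that Squid copies into cache.log. The credential table is constructed for the demo, and the helper assumes Squid is not using channel-ID concurrency for this helper.

```c
/* Example Squid basic-auth helper (added here; not Edwin's helper or Squid code).
 * Squid writes one "username password\n" line per lookup (fields URL-encoded, no
 * channel-ID concurrency assumed) and expects one "OK" or "ERR ..." line back.
 * With -d, each decision is logged to stderr, which Squid copies into cache.log. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed demo credential table; a real helper would query a backend. */
static const struct { const char *user, *pass; } creds[] = {
    { "alice", "s3cret-pass" }, { "bob", "another-pass" } };
static int debug = 0;
/* Decode %XX escapes in place (Squid encodes spaces and '%' this way). */
static void url_decode(char *s) {
    char *out = s;
    for (; *s; s++, out++) {
        if (*s == '%' && s[1] && s[2]) {
            char hex[3] = { s[1], s[2], 0 };
            *out = (char)strtol(hex, NULL, 16); s += 2;
        } else *out = *s;
    }
    *out = '\0';
}
/* Map one request line to the reply Squid should see. Anything that is not an exact
 * match returns ERR: a helper that prints OK unconditionally accepts any credentials. */
const char *auth_reply(const char *line) {
    char buf[1024];
    snprintf(buf, sizeof buf, "%s", line);
    buf[strcspn(buf, "\r\n")] = '\0';
    char *user = strtok(buf, " "), *pass = strtok(NULL, " ");
    if (!user || !pass) return "ERR message=\"malformed request\"";
    url_decode(user);
    url_decode(pass);
    for (size_t i = 0; i < sizeof creds / sizeof creds[0]; i++)
        if (!strcmp(creds[i].user, user) && !strcmp(creds[i].pass, pass))
            return "OK";
    return "ERR message=\"invalid credentials\"";
}
int main(int argc, char **argv) {
    char line[1024];
    if (argc > 1 && !strcmp(argv[1], "-d")) debug = 1;
    setvbuf(stdout, NULL, _IOLBF, 0);   /* Squid reads replies line by line */
    while (fgets(line, sizeof line, stdin)) {
        const char *reply = auth_reply(line);
        if (debug) fprintf(stderr, "helper: reply=%s\n", reply); /* never log the password */
        puts(reply);
    }
    return 0;
}
```

Run it by hand with `printf 'alice s3cret-pass\n' | ./helper -d` before pointing `auth_param basic program` at it; a helper that answers OK for a wrong password is what turns `proxy_auth REQUIRED` into "anyone gets through".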