[squid-users] Squid authentication problem (Amos Jeffries)

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 20 10:48:23 UTC 2017


On 20/06/17 10:50, Sonya Roy wrote:
> Hi,
>
> Thanks for the links. So I tried what you suggested and for testing, I
> was using this simple config:-
>
> http_port 8080
> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
> auth_param basic realm proxy
> external_acl_type checkclient children-max=20 %MYADDR %LOGIN /usr/local/squidauth.py
> acl authenticated external checkclient
> http_access allow authenticated
> cache deny all
> forwarded_for delete
> request_header_access Via deny all
>
> I made sure that the squidauth.py file was executable and when
> debugging, I found that the helper processes were running. But nothing
> was getting passed to the helper processes. In the python code, I was
> running a loop which reads lines from the stdin and parses them and
> writes output to the stdout. I checked and it wasn't getting anything
> from stdin. (I added a line which reads the input line from stdin and
> sends it to another server through an HTTP request to check whether it was
> getting anything from stdin at all.)
>
> But when I tried to use the proxy (and of course I was using a username
> and password that was stored in /etc/squid/passwords), I kept getting
> the error that authentication was required, i.e. the server was sending back
> the header Proxy-Authenticate: Basic realm="proxy". I am not sure what I
> am doing wrong here.

Sounds to me like the auth_param helper is not accepting the credentials 
you are testing with. The %LOGIN parameter needs auth to be completed 
successfully before the ACL helper is called with the resulting username.

Note that the NCSA helper uses a database file (/etc/squid/passwords) of 
hashes encoded by the Apache htpasswd tool. It is not a plain-text nor 
Unix passwd file; that difference catches some people out.


To simplify what is going on I would use the following config sequence:

  acl login proxy_auth REQUIRED
  http_access deny !login

  acl userip_check external checkclient
  http_access allow userip_check

  http_access deny all


Amos
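
Added example, not part of the original thread and not Squid's own code: a minimal external ACL helper for the "%MYADDR %LOGIN" format used in the config above, showing the one-line-in, one-line-out exchange with a flush after every reply. The POLICY table and the decide/serve names are hypothetical, and the code assumes no concurrency channel ID (none is configured above) and that Squid URL-escapes the field values it sends.

```python
#!/usr/bin/env python3
"""External ACL helper sketch for a '%MYADDR %LOGIN' external_acl_type format."""
import sys
from urllib.parse import unquote

# Constructed sample policy (hypothetical): the Squid listening addresses
# each authenticated user is permitted to use.
POLICY = {
    "alice": {"192.0.2.10"},
    "bob": {"192.0.2.10", "192.0.2.11"},
}


def decide(line, policy=POLICY):
    """Return 'OK' or 'ERR' for one request line '<MYADDR> <LOGIN>'."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"  # malformed request line: fail closed
    # Assumption: field values arrive URL-escaped, so decode before comparing.
    myaddr, login = (unquote(f) for f in fields)
    if login == "-":
        return "ERR"  # "-" stands for a missing value; never treat it as a user
    return "OK" if myaddr in policy.get(login, ()) else "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout, log=sys.stderr):
    """Answer each request line with exactly one reply line."""
    for line in stdin:
        verdict = decide(line)
        # Helper stderr ends up in Squid's cache.log, which is enough to see
        # whether any request reaches the helper at all.
        print(f"checkclient: {line.strip()!r} -> {verdict}", file=log, flush=True)
        stdout.write(verdict + "\n")
        stdout.flush()  # Squid waits on the pipe; a buffered reply stalls the request


if __name__ == "__main__":
    serve()
```

Because %LOGIN is in the format, Squid only sends a line to this helper after the auth_param helper has accepted the credentials, so an empty helper log together with repeated 407 responses points at the basic auth step rather than at the helper.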

