[squid-users] Update from Squid 4 to Squid 5 :
Amos Jeffries
squid3 at treenet.co.nz
Thu Nov 10 13:10:16 UTC 2022
On 10/11/2022 4:50 am, Bertrand Friconneau wrote:
> Hi Everyone,
>
> I've got Squid 4.10 on Ubuntu 20.10 LTS
>
> I try to upgrade my server to Ubuntu 22.04 LTS
>
> But the users couldn't get internet any more.
>
> Here is the log in /var/log/squid/access.log :
> 1668004454.050 0 172.22.200.1 TCP_DENIED/407 3951 CONNECT drive.google.com:443 - HIER_NONE/- text/html
> 1668004454.052 0 172.22.200.1 TCP_DENIED/407 3951 CONNECT drive.google.com:443 - HIER_NONE/- text/html
> 1668004454.057 0 172.22.200.1 TCP_DENIED/407 3951 CONNECT drive.google.com:443 - HIER_NONE/- text/html
> 1668004454.063 1 172.22.200.1 TCP_DENIED/407 4454 CONNECT drive.google.com:443 - HIER_NONE/- text/html
> 1668004454.076 10 172.22.200.1 NONE_NONE/500 0 CONNECT drive.google.com:443 infoe HIER_NONE/- -
>
> And on the client :
> ERR_TUNNEL_CONNECTION_FAILED
>
> According to this page :
> https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
> The cause is due to challenge-response process of NTLM
>
> How can I solve it ?
>
> Regards
>
> Bertrand Friconneau
>
>
> -------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Here is my config file of squid :
>
> dns_v4_first on
> visible_hostname squid
Please use an actual FQDN hostname. This is the proxy's "visible"
hostname - e.g. sent as the domain name for URLs in error pages etc.
>
> error_directory /usr/share/squid/errors/French
These days it would be better to use:
  error_default_language fr
or at least
  error_directory /usr/share/squid-langpack/fr
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 250
> auth_param ntlm keep_alive off
>
...
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> http_access allow localhost manager
or maybe limit manager access to administrationzone
> http_access deny manager
>
custom access policy rules should be down here:
> http_access allow sitebypass
> http_access deny tor
> http_access deny url_exe
> http_access allow administrationzone
> #http_access allow pedagozone
> #http_access allow xibozone
All these below are of the same ACL type and all "allow" actions.
Therefore you can combine them into one ACL definition.
> http_access allow informatiquezone
> http_access allow secuzone
> http_access allow srvzone
> http_access allow ntlm
What about invalid logins, missing logins etc?
We highly recommend that the line triggering auth is a "deny" policy to
reject all those.
  http_access deny !ntlm
... then you allow what can be done by logged in accounts.
  http_access allow localnet
or
  http_access allow all
You may see a behaviour difference with this change to how Squid handles
the login.
After doing it, if the problem continues, try to get some debug
information from the auth helper to see what it is getting from the
client and why that is not being accepted.
PS. Since you have Kerberos available, please consider moving away from
NTLM to using Negotiate/Kerberos auth. It has both better security and
far better performance for the proxy.
Amos
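
An added example, not part of the original thread and not Squid project code: a small Python triage script for the access.log excerpt quoted above. It counts the 407 challenge rounds per client and destination and reports the final result and the user name Squid logged for it. The function names are hypothetical; the sample is the five log lines from the quoted post, rejoined onto single lines.

```python
import re
from collections import defaultdict

# Squid native access.log format:
# time elapsed client result/status bytes method url user hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+\S+\s+\S+$"
)

# The five log lines from the quoted post, rejoined onto single lines.
SAMPLE = """\
1668004454.050 0 172.22.200.1 TCP_DENIED/407 3951 CONNECT drive.google.com:443 - HIER_NONE/- text/html
1668004454.052 0 172.22.200.1 TCP_DENIED/407 3951 CONNECT drive.google.com:443 - HIER_NONE/- text/html
1668004454.057 0 172.22.200.1 TCP_DENIED/407 3951 CONNECT drive.google.com:443 - HIER_NONE/- text/html
1668004454.063 1 172.22.200.1 TCP_DENIED/407 4454 CONNECT drive.google.com:443 - HIER_NONE/- text/html
1668004454.076 10 172.22.200.1 NONE_NONE/500 0 CONNECT drive.google.com:443 infoe HIER_NONE/- -
"""

def summarise(text):
    """Group requests by (client, url); count 407 challenges and keep the
    last non-407 outcome together with the user name Squid logged for it."""
    flows = defaultdict(lambda: {"challenges": 0, "final": None, "user": None})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or wrapped/partial lines
        flow = flows[(m["client"], m["url"])]
        if m["status"] == "407":
            flow["challenges"] += 1
        else:
            flow["final"] = f'{m["result"]}/{m["status"]}'
            flow["user"] = None if m["user"] == "-" else m["user"]
    return dict(flows)

def failed_flows(flows):
    """Flows that never got past the 407s, or whose final status is not 2xx."""
    return {k: v for k, v in flows.items()
            if v["final"] is None or not v["final"].split("/")[1].startswith("2")}

if __name__ == "__main__":
    for (client, url), f in failed_flows(summarise(SAMPLE)).items():
        print(client, url, f)
```
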