Re: Squid2.6 Stable with Mac OSX issue

Eric Young wrote:
I am running Squid 2.6 stable on Win2003.

I have a stable config running with 120+ WinXP boxes and 130+ users. I have 3 Mac OSX workstations that, like the XP workstations, are set up with manual proxy settings. My problem is that Mac users are getting prompted every 15-20 minutes for authentication again. They are able to surf but are getting errors on RSS streams and WebDav. XP users are getting authenticated via NTLM.

Authentication caching is the responsibility of the browser, as HTTP is a stateless protocol. That said, if your access controls are set up such that access is denied to a certain resource for certain people, Squid will re-prompt for authentication to give the surfer a chance to give authentication that will allow access. I don't see that situation below, but...

auth_param ntlm program e:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 5
auth_param ntlm max_challenge_lifetime 600 minutes
auth_param ntlm keep_alive on
external_acl_type win_domain_group ttl=120 %LOGIN e:/squid/libexec/mswin_check_lm_group.exe -G
acl ProxyUsers external win_domain_group ProxyAccess
acl NoProxyUsers external win_domain_group NoProxyAccess
acl password proxy_auth REQUIRED
http_access allow password ProxyUsers

This line should really go down just above the "http_access deny all" line. Otherwise, the other restrictions you have (only allowing manager from localhost, denying CONNECTS to ports other than 443) are bypassed. http_access processing exits on the first match.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80                # http
acl Safe_ports port 21                # ftp
acl Safe_ports port 443               # https
acl Safe_ports port 70                # gopher
acl Safe_ports port 210               # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280               # http-mgmt
acl Safe_ports port 488               # gss-http
acl Safe_ports port 591               # filemaker
acl Safe_ports port 777               # multiling http
acl CONNECT method CONNECT
http_access allow !Safe_ports

Yikes. Anyone that can access your proxy can use it without authentication to reach ports not included in the Safe_ports acl. Probably not what you want to do. If you want to access ports not listed in the Safe_ports ACL, either add them with their own "acl Safe_ports port NNN" line (recommended), or drop this line and the "http_access deny !Safe_ports" line below entirely (better than what you have).
http_access allow localhost
cache_mgr eric.young@xxxxxxxxxx
httpd_suppress_version_string on
visible_hostname Tullys
via off
forwarded_for off
log_icp_queries off
client_db off
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow all
http_port x.x.x.x:8002
cache_dir ufs e:/squid/var/cache 3000 16 256
access_log e:/squid/var/logs/access.log common
cache_log e:/squid/var/logs/cache.log
cache_store_log e:/squid/var/logs/store.log
pid_filename e:/squid/var/logs/squid.pid
debug_options ALL,1 33,2
unlinkd_program e:/squid/libexec/unlinkd.exe
refresh_pattern ^http://.*\.gif$ 1440 50% 20160 reload-into-ims
refresh_pattern ^http://.*\.asis$ 1440 50% 20160
refresh_pattern -i \.png$ 10080 150% 40320 reload-into-ims
refresh_pattern -i \.jpg$ 10080 150% 40320 reload-into-ims
refresh_pattern -i \.bmp$ 10080 150% 40320 reload-into-ims
refresh_pattern -i \.gif$ 10080 300% 40320 reload-into-ims
refresh_pattern -i \.ico$ 10080 300% 40320 reload-into-ims
refresh_pattern -i \.swf$ 10080 300% 40320 reload-into-ims
refresh_pattern -i \.flv$ 10080 300% 40320 reload-into-ims
refresh_pattern -i \.rar$ 10080 150% 40320
refresh_pattern -i \.ram$ 10080 150% 40320
refresh_pattern -i \.txt$ 1440 100% 20160 reload-into-ims override-lastmod
refresh_pattern -i \.css$ 1440 60% 20160
refresh_pattern ^http:// 1 100% 20160 reload-into-ims ignore-reload
refresh_pattern ^ftp:// 240 50% 20160
refresh_pattern ^gopher:// 240 40% 20160
refresh_pattern /cgi-bin/ 0 0% 30
refresh_pattern . 0 100% 20160 reload-into-ims
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
icp_port 3130
htcp_port 4827
icon_directory e:/squid/share/icons
error_directory e:/squid/share/errors/English
coredump_dir e:/squid/var/cache

Eric Young
Senior Network Engineer
Tully's Coffee Corporation
206.695.6504

As for the RSS and WebDav errors, check your cache_log (e:\squid\var\logs\cache.log) to see if it gives a reason.

Chris
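To make the two ordering points in the reply concrete (http_access stops at the first matching rule, so "allow password ProxyUsers" at the top and "allow !Safe_ports" both short-circuit the later deny rules), here is an added Python simulator of Squid's first-match http_access evaluation. It is not code from the thread or from Squid; it models only the ACL types used in the quoted config with simplified semantics (no 407 challenge on a failed proxy_auth, no real group helper), and the request samples and the "corrected" ordering are constructed here, following the reply's suggestion with the stray "allow !Safe_ports" line dropped.

```python
"""Added example, not from the original thread: a small simulator of
Squid's first-match http_access evaluation.  It models only the ACL
types used in the quoted squid.conf, with simplified semantics, and the
sample requests are constructed here for illustration."""

from dataclasses import dataclass


@dataclass
class Request:
    src: str                     # client address (constructed sample values)
    port: int                    # destination port
    method: str = "GET"
    scheme: str = "http"
    authenticated: bool = False  # would "proxy_auth REQUIRED" succeed?
    in_group: bool = False       # would the external group helper say yes?


SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}

# ACL predicates named after the ACLs in the quoted config (simplified).
ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: r.src == "127.0.0.1",
    "manager": lambda r: r.scheme == "cache_object",
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "CONNECT": lambda r: r.method == "CONNECT",
    "password": lambda r: r.authenticated,
    "ProxyUsers": lambda r: r.authenticated and r.in_group,
}


def parse_http_access(conf):
    """Collect (action, [acl terms]) from the http_access lines of a config."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def term_matches(term, req):
    """One ACL reference on a rule line; a leading '!' negates it."""
    hit = ACLS[term.lstrip("!")](req)
    return (not hit) if term.startswith("!") else hit


def evaluate(rules, req):
    """First rule whose ACLs all match wins.  If none matches, Squid applies
    the opposite of the last rule's action (here the last rule is 'deny all')."""
    for action, terms in rules:
        if all(term_matches(t, req) for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# http_access lines in the order they appear in the posted config.
ORIGINAL = parse_http_access("""
http_access allow password ProxyUsers
http_access allow !Safe_ports
http_access allow localhost
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
""")

# Reordered as the reply suggests (an assumption about the intended fix):
# the authenticated-user allow moves to just above "deny all", and the
# stray "allow !Safe_ports" is dropped so the Safe_ports deny takes effect.
CORRECTED = parse_http_access("""
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow password ProxyUsers
http_access deny all
""")

# Constructed sample requests from a non-local client.
SAMPLES = {
    "anon CONNECT to port 22":     Request("10.0.0.5", 22, method="CONNECT"),
    "member CONNECT to port 8080": Request("10.0.0.5", 8080, method="CONNECT",
                                           authenticated=True, in_group=True),
    "member GET on port 80":       Request("10.0.0.5", 80,
                                           authenticated=True, in_group=True),
    "anon GET on port 80":         Request("10.0.0.5", 80),
}


def compare(samples=SAMPLES):
    """(original decision, corrected decision) for each sample, by name."""
    return {name: (evaluate(ORIGINAL, r), evaluate(CORRECTED, r))
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:28s} original={before:5s} corrected={after}")
```

Running it shows the two cases the reply warns about: an unauthenticated CONNECT to port 22 is allowed by the posted ordering (the "allow !Safe_ports" rule fires before any deny) and denied by the corrected one, and an authenticated group member's CONNECT to port 8080 is allowed by the posted ordering (the first rule matches before "deny CONNECT !SSL_ports" is reached) but denied once the user allow sits just above "deny all". Ordinary authenticated browsing on port 80 is allowed either way.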
