Re: Squid2.6 Stable with Mac OSX issue

[Chris Robertson <crobertson@xxxxxxx>]

Eric Young wrote:
> I am running Squid2.6 stable running on Win2003
>
>  
>
> I have a stable config running with 120+ WinXP boxes and 130+ users. I have 3 Mac OSX workstations that like the XP workstations are setup with manual proxy settings. My problem is that Mac users are getting prompt every 15-20 meeting for authentication again. They are able to surf but are getting errors on RSS streams and WebDav. XP users are getting authenticated via NTLM.
>   

Authentication caching is the responsibility of the browser, as HTTP is 
a stateless protocol.  That said, if your access controls are set up 
such that access is denied to a certain resource for certain people, 
Squid will re-prompt for authentication to give the surfer a chance to 
give authentication that will allow access.  I don't see that situation 
below, but...

> auth_param ntlm program e:/squid/libexec/mswin_ntlm_auth.exe
> auth_param ntlm children 5
> auth_param ntlm max_challenge_lifetime 600 minutes
> auth_param ntlm keep_alive on
> external_acl_type win_domain_group ttl=120 %LOGIN 
> e:/squid/libexec/mswin_check_lm_group.exe -G
> acl ProxyUsers external win_domain_group ProxyAccess
> acl NoProxyUsers external win_domain_group NoProxyAccess
> acl password proxy_auth REQUIRED
> http_access allow password ProxyUsers

This line should really go down just above the "http_access deny all" 
line.  Otherwise, the other restrictions you have (only allowing manager 
from localhost, denying CONNECTS to ports other than 443) are bypassed.  
http_access processing exits on the first match.

> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80                # http
> acl Safe_ports port 21                # ftp
> acl Safe_ports port 443               # https
> acl Safe_ports port 70                # gopher
> acl Safe_ports port 210               # wais
> acl Safe_ports port 1025-65535   # unregistered ports
> acl Safe_ports port 280               # http-mgmt
> acl Safe_ports port 488               # gss-http
> acl Safe_ports port 591               # filemaker
> acl Safe_ports port 777               # multiling http
> acl CONNECT method CONNECT
> http_access allow !Safe_ports

Yikes.  Anyone that can access your proxy can use it without 
authentication to reach ports not included in the Safe_ports acl.  
Probably not what you want to do.  If you want to access ports not 
listed in the Safe_ports ACL, either add them with their own "acl 
Safe_ports port NNN" line (recommended), or drop this line and the 
"http_access deny Safe_ports" line below entirely (better than what you 
have). 

> http_access allow localhost
> cache_mgr eric.young@xxxxxxxxxx
> httpd_suppress_version_string on
> visible_hostname Tullys
> via off
> forwarded_for off
> log_icp_queries off
> client_db off
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
> icp_access allow all
> http_port x.x.x.x:8002
> cache_dir ufs e:/squid/var/cache 3000 16 256
> access_log e:/squid/var/logs/access.log common
> cache_log e:/squid/var/logs/cache.log
> cache_store_log e:/squid/var/logs/store.log
> pid_filename e:/squid/var/logs/squid.pid
> debug_options ALL,1 33,2
> unlinkd_program e:/squid/libexec/unlinkd.exe
> refresh_pattern ^http://.*\.gif$ 1440 50% 20160 reload-into-ims
> refresh_pattern ^http://.*\.asis$ 1440 50% 20160
> refresh_pattern -i \.png$ 10080 150% 40320 reload-into-ims
> refresh_pattern -i \.jpg$ 10080 150% 40320 reload-into-ims
> refresh_pattern -i \.bmp$ 10080 150% 40320 reload-into-ims
> refresh_pattern -i \.gif$ 10080 300% 40320 reload-into-ims
> refresh_pattern -i \.ico$ 10080 300% 40320 reload-into-ims
> refresh_pattern -i \.swf$ 10080 300% 40320 reload-into-ims
> refresh_pattern -i \.flv$ 10080 300% 40320 reload-into-ims
> refresh_pattern -i \.rar$ 10080 150% 40320
> refresh_pattern -i \.ram$ 10080 150% 40320
> refresh_pattern -i \.txt$ 1440 100% 20160 reload-into-ims override-lastmod
> refresh_pattern -i \.css$ 1440 60% 20160
> refresh_pattern ^http:// 1 100% 20160 reload-into-ims ignore-reload
> refresh_pattern ^ftp:// 240 50% 20160
> refresh_pattern ^gopher:// 240 40% 20160
> refresh_pattern /cgi-bin/ 0 0% 30
> refresh_pattern . 0 100% 20160 reload-into-ims
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> icp_port 3130
> htcp_port 4827
> icon_directory e:/squid/share/icons
> error_directory e:/squid/share/errors/English
> coredump_dir e:/squid/var/cache

> Eric Young
> Senior Network Engineer
> Tully's Coffee Corporation
> 206.695.6504
>   

As for the RSS and WebDav errors, check your cache_log 
(e:\squid\var\logs\cache.log) to see if it gives a reason.

Chris