Ralf Hildebrandt wrote:
Version:
ii squid3 3.0.STABLE2-1 A full featured Web Proxy cache (HTTP proxy)
The Problem: Digest auth doesn't work anymore
The users aren't even being asked for a username/password. All they
get is a rejection page (access denied). In the log I get:
1205999382.801 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
1205999384.457 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
1205999385.320 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
1205999386.409 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
1205999387.455 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
1205999388.167 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
1205999389.011 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
My config:
------- snip ------
http_port 3128
cache_peer 127.0.0.1 parent 3129 0 no-query default
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_access_log /var/log/squid/access-wlan.log
cache_log none
cache_store_log none
pid_filename /var/run/squid-wlan.pid
hosts_file /etc/hosts
auth_param digest program /usr/lib/squid3/digest_pw_auth /etc/squid/wlan-proxyauth.digest
auth_param digest children 10
auth_param digest realm Hualp!
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50
auth_param digest post_workaround on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl to_internal_networks dst 10.0.0.0/8 141.42.0.0/16 160.45.172.0/255.255.252.0 160.45.176.0/255.255.240.0 160.45.192.0/255.255.240.0 172.16.0.0/255.240.0.0 192.168.0.0/16 193.175.64.0/255.255.248.0
acl to_dmz dst 193.175.72.0/24 193.175.74.0/24 141.42.4.0/26 141.42.4.64/26 141.42.4.128/26 141.42.4.192/26
acl to_webmail dst webmail.charite.de
acl to_zugang dst zugang.charite.de
http_access allow to_webmail
http_access allow CONNECT to_webmail
http_access allow to_zugang
http_access allow CONNECT to_zugang
http_access deny to_internal_networks
http_access deny CONNECT to_internal_networks
acl digestauthentifizierung proxy_auth REQUIRED
http_access allow digestauthentifizierung
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname wlan-proxy.charite.de
always_direct allow CONNECT SSL_ports
never_direct allow all
error_directory /usr/share/squid3/errors/German
snmp_port 0
coredump_dir /var/spool/squid
------- snip ------
/etc/squid/wlan-proxyauth.digest contains:
st51:CVK
Testing the authenticator:
# su - proxy
$ /usr/lib/squid3/digest_pw_auth /etc/squid/wlan-proxyauth.digest
"st51":"CVK"
6247d0eea64cfb87a71ab2d65de99a6d
"st51":"bullshit"
483cffce047c51d30070337fea523369
(What does that H(A1) value tell me??)
Sounds like bug 2206. Has the temporary fix patch for that been applied?
http://www.squid-cache.org/bugs/show_bug.cgi?id=2206
Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
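For readers wondering what the H(A1) value printed by the helper is for, here is an added illustration (example code written for this page, not Squid's own code). The digest helper receives the line "username":"realm" from Squid and answers with H(A1) = MD5(username:realm:password) looked up from the password file (or ERR for an unknown user); Squid never sees the password, it combines H(A1) with the nonce, request method and URI to check the client's RFC 2617 response. Because the realm is part of H(A1), the hash the helper returns depends on whichever realm was typed in that second field. The nonce, nc and cnonce values below are constructed; the username/password st51:CVK, the realm Hualp! and the URL come from the thread.

```python
import hashlib
import hmac

# Username/password from the thread's plaintext /etc/squid/wlan-proxyauth.digest.
PWFILE = {"st51": "CVK"}
REALM = "Hualp!"  # auth_param digest realm from the posted squid.conf


def md5hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def helper_ha1(pwfile: dict, username: str, realm: str):
    """What a plaintext-file digest helper answers to "username":"realm":
    H(A1) = MD5(user:realm:password), or None where it would print ERR."""
    password = pwfile.get(username)
    if password is None:
        return None
    return md5hex(f"{username}:{realm}:{password}")


def client_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The RFC 2617 'response' a browser sends back in Proxy-Authorization."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def proxy_verify(ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Squid's side of the check: only the helper's H(A1) is available."""
    if ha1 is None:
        return False
    ha2 = md5hex(f"{method}:{uri}")
    expected = md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed nonce values; the URL is the one from the access log above.
    nonce, nc, cnonce = "constructed-nonce", "00000001", "constructed-cnonce"
    uri = "http://www.google.de/"
    ha1 = helper_ha1(PWFILE, "st51", REALM)
    good = client_response("st51", REALM, "CVK", "GET", uri, nonce, nc, cnonce)
    print(proxy_verify(ha1, "GET", uri, nonce, nc, cnonce, good))  # True
    # Same credentials, but the helper was asked with the wrong realm: H(A1) differs.
    wrong_realm_ha1 = helper_ha1(PWFILE, "st51", "CVK")
    print(proxy_verify(wrong_realm_ha1, "GET", uri, nonce, nc, cnonce, good))  # False
```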