Re: Cache access denied

shacky wrote:
Hi.
I installed and configured Squid version 3.0.STABLE8 on my Debian
Lenny system with NTLM authentication:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_ttl 1 hour
authenticate_cache_garbage_interval 10 minutes
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers

It works, clients are able to surf on the web using the Proxy and
usernames are correctly logged.

The problem is that sometimes it happens that the browser asks the
user for a username and password, and it is not accepted even if they
are correctly typed in.
After some attempts the browser shows a "Cache Access Denied" error and
I don't see any errors in access.log, cache.log or store.log.
This problem happens especially with already visited websites.

These are my ACLs and rules:

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.33.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access deny to_localhost

http_access allow localhost

http_access deny all

icp_access deny all
htcp_access deny all

Could you help me to solve this problem, please?
Thank you very much!
Bye.

There is nothing visibly wrong with that configuration. Check for other things going on, like any issues with the helpers checking the authentication.


Your access line:
  http_access allow all AuthorizedUsers
is a bit weird; the "all" in the middle is useless.

If you meant to prevent non-authenticated users being challenged for their credentials, the "all" should be at the end of the line.
But, I think you don't want it anywhere on that line.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.9
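
An added example, not part of either message above: the posted http_access rules with the "all" removed as the reply suggests, and with the authenticated allow moved below the manager and port restrictions so those lines still apply to authenticated users. It assumes the ACL definitions from the posted configuration and is not a fix for the intermittent credential prompts.

```conf
# Added example. ACL names (manager, localhost, to_localhost, Safe_ports,
# SSL_ports, CONNECT, AuthorizedUsers) are the ones defined in the posted
# squid.conf; nothing new is defined here.
#
# http_access lines are checked top to bottom and the first line whose
# ACLs all match decides the request.

# As posted, the authenticated allow was the first http_access rule, so a
# request with valid credentials matched it and never reached the deny
# lines for manager, !Safe_ports and CONNECT !SSL_ports:
#   http_access allow all AuthorizedUsers

# Reordered: restrictions first.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

# Authenticated users, with the "all" dropped from the line.
http_access allow AuthorizedUsers

# Remaining rules in the same relative order as the posted configuration.
http_access allow localhost
http_access deny all
```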
