
RE: squid ntlm issues


 



On Wed, 3 Feb 2010 13:26:52 -0000, "Chris Boczko"
<Christopher.Boczko@xxxxxxxxxxxxx> wrote:
> Hi Amos,
> 
> The squid box on 2.5 has the same regex (in fact the config is more or
> less the same), and it works fine on the old box, and doesn't work on
> the 2.7 box.
> 
> As soon as I make a request to the box (any request), I get a 407 - auth
> required, for any url, I've even tried adding single domain regex, and
> it does the same, and adding an http_access allow as the first rule, and
> it still asks for auth.
> 
> On the old box, if it's in the allowed sites file, it will allow me out
> without asking for any auth.
> 
> I'm pretty sure, whatever I'm requesting it's asking for auth BEFORE it
> checks the ACLs
> 
> Kind Regards, 
> Christopher Boczko

Then you will need to add "debug_options 28,6" to your config and watch
what happens in the ACLs for a test request.

It could be you are using the auth ACL in some other access control that
has been made async since 2.5.

Amos

> 
> 
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] 
> Sent: 03 February 2010 12:46
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re:  squid ntlm issues
> 
> Chris Boczko wrote:
>> Hello list,
>> 
>> I'm having problems with my new squid box (I've finally upgraded to 2.7
>> :)), but I'm having problems making my ruleset work quite right.
>> 
>> I have some apps that can use a proxy, but don't provide any
>> authentication whatsoever, this wasn't a problem with the old box
>> (2.5Stable), I just allowed the sites before the auth required
>> statements, but on the new 2.7, it seems to just respond with 407 - auth
>> required.
>> 
>> I'm authenticating users against AD with
>> 
>> # NTLM Auth Parameters
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 10
>> auth_param ntlm keep_alive off
>> 
>> 
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 10
>> auth_param basic realm "Chemdry UK Ltd - Internet Access - Authentication Required"
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>> # Enable group lookup
>> 
>> external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
>> 
>> # Define ACL's
>> 
>> acl admingroup external ntgroup "/etc/squid/inetadmin"
>> acl xweball external ntgroup "/etc/squid/xweball"
>> acl scotlandusers external ntgroup "/etc/squid/xwebscott"
>> acl Authenticated proxy_auth REQUIRED
>> 
>> pulling in my acl with
>> 
>> acl allowedsites url_regex -i "/etc/squid/allowedsites"
>> 
>> then allowing access with
>> 
>> # allow allowedsite
>> http_access allow allowedsites
>> 
>> 
>> # Allow internet pc to access blacklisted sites
>> http_access allow internetpc allsites
>> 
>> # deny if you havent authd
>> 
>> http_access deny !Authenticated
>> http_access deny !Safe_ports
>> http_access deny CONNECT !Safe_ports
>> 
>> http_access allow xweball all
>> 
>> Authenticated users can access the internet just fine, but whenever
>> these apps try to access the internet they are getting a 407 - auth
>> required, and dying.
>> 
>> Does anyone have any ideas?
>> 
> 
> Nothing in the ACL logic has changed.
> It has to be something about the GNU regex patterns.
> 
> Amos
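
A way to check the rule ordering discussed in this thread, as an added example that is not from either poster or from the Squid project: it scans a config for the first rule in each access directive that depends on an authentication ACL. It assumes that `proxy_auth` ACLs and `external` ACLs whose helper format includes `%LOGIN` are the ones that cause a 407 when evaluated without credentials; the function names are hypothetical and the sample config is constructed from the rules quoted above.

```python
# Constructed sample: the rules quoted in the thread, with wrapped lines rejoined.
SAMPLE_CONF = """\
external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
acl admingroup external ntgroup "/etc/squid/inetadmin"
acl xweball external ntgroup "/etc/squid/xweball"
acl Authenticated proxy_auth REQUIRED
acl allowedsites url_regex -i "/etc/squid/allowedsites"
http_access allow allowedsites
http_access allow internetpc allsites
http_access deny !Authenticated
http_access deny !Safe_ports
http_access deny CONNECT !Safe_ports
http_access allow xweball all
"""

def _rows(conf):
    """Split the config into token lists, skipping blanks and comments."""
    rows = (line.split() for line in conf.splitlines())
    return [r for r in rows if r and not r[0].startswith("#")]

def auth_acls(conf):
    """Names of ACLs that need credentials to evaluate (assumed 407 triggers)."""
    rows = _rows(conf)
    # External helpers whose format includes %LOGIN need a username.
    helpers = {r[1] for r in rows
               if r[0] == "external_acl_type" and "%LOGIN" in r[2:]}
    names = set()
    for r in rows:
        if r[0] != "acl" or len(r) < 3:
            continue
        if r[2].startswith("proxy_auth") or (
                r[2] == "external" and len(r) > 3 and r[3] in helpers):
            names.add(r[1])
    return names

def first_auth_rule(conf):
    """Per access directive: (position, rule) of the first rule using an auth ACL."""
    needs, seen, hits = auth_acls(conf), {}, {}
    for r in _rows(conf):
        # Assumed heuristic: any "<directive> allow|deny <acl>..." line is an access rule.
        if len(r) < 3 or r[1] not in ("allow", "deny"):
            continue
        seen[r[0]] = seen.get(r[0], 0) + 1
        if r[0] not in hits and any(a.lstrip("!") in needs for a in r[2:]):
            hits[r[0]] = (seen[r[0]], " ".join(r))
    return hits

if __name__ == "__main__":
    for directive, (pos, rule) in first_auth_rule(SAMPLE_CONF).items():
        print(f"{directive}: first auth-dependent rule is #{pos}: {rule}")
```

On the quoted rules this reports `http_access` rule 3, after the `allowedsites` allow, so the listing is worth running over the full config to see whether an auth-dependent ACL also appears in any other access directive.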
