Re: Re: Configuration to allow users to connect via user-pass

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

ciokan@xxxxxxxxx wrote:
> I'm having a big issue trying to configure squid to allow users to
> connect only via user/pass. I have 8 ip's on my server and I want each
> user to be able to connect to a single ip using their credentials but
> all I get when I try in firefox is this message: "The proxy server is
> refusing connections" so I must have done something wrong. I'm new to
> squid. I'm willing to pay for assistance so please contact me if
> interested. Anyhow, the help is much appreciated.

Firstly. Why the complexity with IPs?



> Here's my squid config:
>
>
> http_port 8888
> visible_hostname weezie
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid-passwd
> auth_param basic childred 5

 "children"

> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> acl ncsa_users proxy_auth REQUIRED
> http_access allow ncsa_users

 http_access deny !ncsa_users
 http_access allow ncsa_users

Also check that the /etc/squid/squid-passwd has the right user/pass 
details inside. It should be created in the format NCSA uses.

 NP: Squid may need to be reconfigured (squid -k reconfigure) for the 
helper to pick up changes in this password file.

> header_access Allow allow all
> header_access Authorization allow all
> header_access WWW-Authenticate allow all
> header_access Proxy-Authorization allow all
> header_access Proxy-Authenticate allow all
> header_access Cache-Control allow all
> header_access Content-Encoding allow all
> header_access Content-Length allow all
> header_access Content-Type allow all
> header_access Date allow all
> header_access Expires allow all
> header_access Host allow all
> header_access If-Modified-Since allow all
> header_access Last-Modified allow all
> header_access Location allow all
> header_access Pragma allow all
> header_access Accept allow all
> header_access Accept-Charset allow all
> header_access Accept-Encoding allow all
> header_access Accept-Language allow all
> header_access Content-Language allow all
> header_access Mime-Version allow all
> header_access Retry-After allow all
> header_access Title allow all
> header_access Connection allow all
> header_access Proxy-Connection allow all
> header_access User-Agent allow all
> header_access Cookie allow all
> header_access All deny all

"Why for love of the Internet? why!!!?"  /sigh.

Try and get it working without this violation of HTTP standards killing 
potentially useful information.

> acl ip1 myip x.x.x.x
>
> tcp_outgoing_address x.x.x.x ip1
>
> acl user1 proxy_auth manilodisan
>
>
> acl all src 0.0.0.0/0.0.0.0

acl all src all

> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255

acl localhost src 127.0.0.1

> acl to_localhost dst 127.0.0.0/8

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

> acl SSL_ports port 443        # https
> acl SSL_ports port 563        # snews
> acl SSL_ports port 873        # rsync
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl Safe_ports port 631        # cups
> acl Safe_ports port 873        # rsync
> acl Safe_ports port 901        # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

The above http_access lines are what we consider to be the basic safety 
net for HTTP.

Please move your custom login http_access below them. Right now anyone 
who can login has unlimited access to do anything nasty to your network 
and the rest of the Internet both.

> http_access allow localhost

Stick your alterations to http_access in right here.

> http_access deny all
> icp_access allow all

An open ICP port. Yay, anyone can cache scan you for content :)

> http_port 3128

Open port 3128 and 8888 ? why not just one?

> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log squid
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

You want to remove those QUERY bits.

> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440

Missing:
  refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern .        0    20%    4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache

> extension_methods REPORT MERGE MKACTIVITY CHECKOUT

Strange to be allowing Microsoft WebDAV requests through, but stripping 
the headers they require to work... oh well.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
  Current Beta Squid 3.1.0.16