Rakesh Jha wrote:
Hi,
I want to run squid in acceleration mode for a internal site. The ISS
site prompts window for authentication. When I connect to the site I get
window prompt for entering username and password. But after entering
domain username and password, I get access denied to the site.
ISS (or did you mean IIS?) is the software doing the reject.
I've done an audit below, with a lot of things you can fix up. They need
doing first, but by themselves will likely not resolve the auth issue
until the server is also fixed not to reject.
I have compiled squid 3 with following option -
/sbin/squid -v
Squid Cache: Version 3.1.0.17
configure options: '--enable-ssl' '--enable-ntlm-auth'
'--enable-basic-auth'
Those two options are not valid in Squid's configure script.
For 3.1 series it should be: --enable-auth="basic ntlm"
As well as --enable-basic-auth-helpers="PAM" to build the PAM helper you
are using.
Also, ... 3.1 is in stable cycle now. Please try 3.1.3.
--with-squid=/tmp/squid-3.1.0.17
--enable-ltdl-convenience
My squid.conf is
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl bd_host dst 10.10.3.41/32
acl all src 0.0.0.0/0.0.0.0
"all" ACL needs to be remove for 3.1+. It's now built in and defined
automatically.
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
The above lines are all forward proxy configuration.
Reverse-proxy http_access configuration must be above them to work properly.
For a pure reverse-proxy you can erase the forward-proxy configuration
http_access lines.
http_access allow bd_host
In a reverse proxy clients are never expected to be asking for the
hidden master server. This will only work with split-DNS.
I think you really want to define this as a dstdomain type ACL listing
the internal domain(s) being serviced.
With that done Squid can handle all the attack rejections and save your
server from potential DoS overloads.
http_access allow all
More forward-proxy config?
icp_access deny all
htcp_access deny all
https_port 10.1.1.97:443 defaultsite=tpaspp01 protocol=http
cert=/usr/local/cert/cert.crt key=/usr/local/cert/private.key version=3
options=NO_SSLv2
ssl_unclean_shutdown on
cache_peer tpaspp01 parent 80 0 no-query proxy-only login=PASS
front-end-https=on
Since this is a master peer you could also add the "default" option here.
If that is a web server (IIS? or ISS?) then it also needs the
"originserver" option to pass on the credentials properly.
That said, Squid is not doing any auth anyway (see below).
hierarchy_stoplist cgi-bin ?
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
That line should now be:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid
visible_hostname bdproxy
icp_port 3130
auth_param basic program /usr/local/squid/pam_auth
auth_param basic children 5
auth_param basic realm Adzapping Squid
auth_param basic credentialsttl 1 week
acl password proxy_auth REQUIRED
http_access allow password
Your Squid is not doing the auth challenge. There is a "http_access
allow all" above here which prevents this auth from happening.
Also, it's not clear whether you want authenticated requests to go
through OR requests to the bd_host.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.3
