
Re: squid 2.7 on windows 2008 and ntlm authentication


Bob_P wrote:
I have installed squid 2.7 on windows 2008 r2 server.  Any time I try to
access an external site I get a credentials log in box and I'm unable to get
past it.  Eventually it errors out with "Cache Access Denied. Sorry, you are
not currently allowed to request."  Below is my squid.conf.  If anyone can
tell me what I'm doing wrong I would greatly appreciate it.

Thanks
Bob


Your squid.conf is very mucked up. Below are some changes you need to make to correct it.


#	WELCOME TO SQUID 2.7.STABLE8
#	----------------------------

#Recommended minimum configuration:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 5

acl localnet proxy_auth REQUIRED src 10.0.0.0/8


The above line means that the usernames "src" and "10.0.0.0/8" are permitted to log in, as long as they present valid NTLM tokens accepted by your mswin_ntlm_auth.exe.


What you are trying to do is this:

  acl authenticated proxy_auth REQUIRED
  acl localnet src 10.0.0.0/8

  http_access allow localnet authenticated


That should also all be down further in the config underneath the security rule about preventing unsafe CONNECT tunnels.



http_access allow localnet


The above line needs to be removed now.

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow localnet

#http_access deny all

Uncomment this again. It's there to make an explicit ban on non-LAN users accessing your proxy.


After making those changes if you still are stuck on the login box you will need to check up on the persistent connections. NTLM requires them to be on.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.5
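
An added example, not part of the original post or of Squid itself: a small Python lint that flags the three problems pointed out in the reply above (values on a proxy_auth ACL that get read as usernames, an allow rule placed above the CONNECT guard, and a missing final deny). The sample config is constructed from the quoted rules, and the guard check assumes the stock ACL names CONNECT and SSL_ports.

```python
import re

# Constructed sample: the rules quoted in the thread, trimmed to the relevant lines.
SAMPLE = """\
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet proxy_auth REQUIRED src 10.0.0.0/8
http_access allow localnet
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
#http_access deny all
"""

CIDR = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")
ACL_TYPES = {"src", "dst", "port", "proto", "method", "dstdomain"}  # subset, for the check

def lint(conf):
    """Return sorted (line_number, message) findings for a squid.conf string."""
    findings, acl_type, rules = [], {}, []
    for n, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if len(tok) >= 3 and tok[0] == "acl":
            acl_type[tok[1]] = tok[2]
            stray = [v for v in tok[3:] if v in ACL_TYPES or CIDR.match(v)]
            if tok[2] == "proxy_auth" and stray:
                findings.append((n, "proxy_auth treats these as usernames: " + " ".join(stray)))
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((n, tok[1], tok[2:]))
    # Assumes the stock ACL names CONNECT and SSL_ports for the tunnel guard.
    guard = next((n for n, act, acls in rules
                  if act == "deny" and acls == ["CONNECT", "!SSL_ports"]), None)
    for n, act, acls in rules:
        is_manager = any(acl_type.get(a.lstrip("!")) == "proto" for a in acls)
        if act == "allow" and guard and n < guard and not is_manager:
            findings.append((n, "allow rule sits above the CONNECT guard on line %d" % guard))
    if not rules or rules[-1][1:] != ("deny", ["all"]):
        findings.append((rules[-1][0] if rules else 0, "no final 'http_access deny all'"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, msg in lint(SAMPLE):
        print("line %d: %s" % (line_no, msg))
```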

