Re: Repeated auth challenges, credentialsttl 8 hour

On 28/01/11 07:22, Jim Moseby wrote:
> On 1/27/2011 at 11:40 AM, in message <4D41A000.6010204@xxxxxxxxxxxxx>,
> Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> On 28/01/11 04:26, Jim Moseby wrote:
>>> Some of my users are getting repeated auth challenges, even
>>> though I have "auth_param basic credentialsttl 8 hour" in
>>> squid.conf.  What triggers the auth challenge, and how can I
>>> configure so my users will only be challenged once per 8 hour
>>> workday?
>>
>> Triggers when the browser has no credentials stored to send to the
>> proxy. Or if the credentials it sent were rejected by your ACLs.
>>
>> The common cause of ACLs triggering popups after good auth has been
>> in use is group access checks on the end of a deny line. Place
>> "all" at the end of such lines to prevent existing credentials
>> being re-challenged.
>>
>> A less common cause if it's just a few out of many users may be
>> strange characters in their login or password. Or UTF binary coding
>> being sent by their browser.
>>
>> The only way to prevent popups for all day with Basic is to keep
>> the browser open at all times. Otherwise normally they can expect
>> one initial popup when they open a new browser.
>>
>> Amos
>
> Hi Amos,
>
> Thanks for that quick and helpful reply.
>
> I have verified that each 'deny' line has 'all' at the end.
>
> The behavior I want is exactly as you describe.  They should be
> challenged when they first open their browser, and not again until
> they close and reopen it, or 8 hours has passed.
>
> I am also seeing challenges from other triggers.  For instance, if
> they receive an email with an external reference (images, etc), or
> office applications (Excel, Word, etc) checking for updates.  Since
> these are not really browser initiated, should they be causing their
> own challenges?

What do you think fetches the embedded binary content for those email displays?

They are in fact full web pages which are pushed via the email system instead of pulled via HTTP request. Email viewers which are capable of displaying them are just another web browser. With all the same auth requirements when fetching the data. Some like Outlook share credentials with IE to hide this detail. Others don't.

The software updaters are in the same boat, they use HTTP to fetch their updates. Most should have proxy settings and/or the login configured somewhere. The good ones can use a system credentials mechanism to prevent popups and even auto-detect the proxy for use.

> Can I white list known update sites so that they do
> not cause auth challenges?

Yes.

For Microsoft products there is a list here:
 http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
This is built from the list I and a few other ISP types use for our clients. So it's fairly complete, but may be missing things for the less common or newer MS software.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4
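
The two suggestions in this thread (update whitelist ahead of authentication, and "all" at the end of deny lines that test credentials), as an added squid.conf sketch that is not part of the original messages. All ACL names, the client range, the usernames and blocked domain are constructed, and the user-list ACL stands in for a group check; the two update domains are only a sample of the wiki list linked above.

```conf
# Constructed example: ACL names, addresses and usernames are assumptions.

# How long Squid trusts a helper's answer before re-validating the same
# credentials. It does not decide when the browser prompts the user.
auth_param basic credentialsttl 8 hour

acl localnet         src        192.168.0.0/16          # constructed client range
acl ms_updates       dstdomain  .windowsupdate.com .update.microsoft.com
acl authed           proxy_auth REQUIRED
acl restricted_users proxy_auth alice bob               # stands in for a group check
acl blocked_sites    dstdomain  .example.com

# 1. Whitelist first. No auth ACL is evaluated on this line, so updaters
#    reaching these domains are never sent a 407. Keep the domain list
#    narrow and tied to a src ACL: everything matched here is unauthenticated.
http_access allow localnet ms_updates

# 2. Require login. The auth ACL is last on the line, so a client without
#    credentials is challenged here (the one expected popup).
http_access deny !authed

# 3. Before: a credential-based ACL is last on a deny line. When the line
#    matches, Squid answers 407 and the browser prompts again even though
#    the credentials were valid.
# http_access deny blocked_sites restricted_users
#
#    After: "all" is last. The same requests are denied with a plain 403
#    and the stored credentials are left alone.
http_access deny blocked_sites restricted_users all

# 4. Everyone else who has logged in, then the default deny.
http_access allow localnet authed
http_access deny all
```

Running `squid -k parse` after editing checks the syntax before the change is loaded.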

