On 03.10.2012 01:42, Leonardo Bacha Abrantes wrote:
Hi Guys,
I'm facing problems with one specific site which runs Java. The site
opens a Java window requesting the proxy credentials
continuously.
How can I ignore the authentication for a specific site?
Like Kinkie already said, you will find an example in the wiki.
There are a few strange things in your config which need fixing.
Comments inline below...
Squid Cache: Version 3.1.10
my squid.conf:
http_port xxx.xxx.xxx.xxx:3128
append_domain .contoso.local
cache_effective_user squid
cache_mem 4 GB
cache_effective_group squid
forwarded_for off
httpd_suppress_version_string on
visible_hostname myserver.contoso.local
hierarchy_stoplist cgi-bin ?
You can remove hierarchy_stoplist from squid-3.1+. It has no purpose
without cache_peer entries, and in those cases the default regex patterns
are not useful nowadays anyway.
retry_on_error on
pipeline_prefetch on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=contoso
auth_param ntlm children 25
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --domain=contoso
auth_param basic children 15
auth_param basic realm Para prosseguir e necessario digitar seu login de rede.
auth_param basic credentialsttl 1 hours
acl localnetwork src 192.168.10.0/25
acl AuthorizedUsers proxy_auth -i "/etc/squid/default_access.acl"
acl unlimitedBandwidth src "/etc/squid/unlimited_bandwidth"
acl localhost src 127.0.0.1
acl java browser Java/1.4 Java/1.5 Java/1.6
http_access allow java
cache_dir ufs /var/spool/squid 6144 16 256
coredump_dir /var/spool/squid
maximum_object_size_in_memory 1 MB
maximum_object_size 64 MB
minimum_object_size 0 KB
acl manager proto cache_object
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1025-65535 # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT
delay_pools 2
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow unlimitedBandwidth localhost
delay_access 1 deny all
You can remove this pool entirely. It does nothing but waste CPU
calculating bandwidth usage by the matched transactions.
delay_class 2 2
delay_parameters 2 -1/-1 65536/65536
delay_access 2 allow localnetwork !unlimitedBandwidth !localhost
delay_access 2 deny all
Um, so limit people from the localnetwork who are not in
unlimitedBandwidth AND not going to localhost?
Meaning anyone outside the unlimitedBandwidth contacting the localhost
has unlimited speed.
The earlier pool seems to be acting as a complicated replacement for
"delay_access 2 deny unlimitedBandwidth localhost". So, I suspect you
actually want:
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 65536/65536
delay_access 1 deny unlimitedBandwidth localhost
delay_access 1 allow localnetwork
delay_access 1 deny all
http_reply_access allow AuthorizedUsers
Remove the above http_reply_access line.
It is FAR too late to bother with starting authentication. The remote
server has already been passed the request and is sending or sent the
reply back before the http_reply_access ever gets checked.
You also have "http_access allow java" above, and several lines below
which bypasses authentication on requests. Doing auth on reply for those
requests will cause the client requests to happen, then present an auth
page as the response instead of whatever the server actually produced.
logformat combined [%tl] %un %>a %rm %Ss %Hs %ru
access_log /var/log/squid/access.log squid
access_log /var/log/squid/gerencia.log combined
cache_store_log /var/log/squid/store.log
redirect_program /etc/squidGuard/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
redirect_children 30
http_access allow localhost unlimitedBandwidth SSL_ports
http_access allow unlimitedBandwidth
NP: unlimitedBandwidth also has sub-meaning of "unlimited access
permissions". So allowing them access to localhost SSL ports specially
as well as "anywhere" is not useful and wastes CPU.
http_access allow AuthorizedUsers
http_access deny CONNECT !SSL_ports
http_access deny all
A series of deny lines ending with "deny all" is almost meaningless.
The only way they could be useful is if it were testing some external
ACL lookup which had side effects on the transaction (user credentials
assignment, transaction tagging, deny_info redirect, etc).
The "deny CONNECT !SSL_ports" is also a basic security measure to
prevent clients performing blind TCP tunnels (CONNECT requests) over the
proxy to any port they choose. Your "allow java" and "allow
unlimitedBandwidth" being above this are opening massive security holes
through your proxy.
In summary, I recommend changing your http_access lines to:
http_access deny CONNECT !SSL_ports
http_access allow unlimitedBandwidth
http_access allow java
http_access allow AuthorizedUsers
http_access deny all
cache_swap_low 90
cache_swap_high 95
dns_nameservers 192.168.10.2 192.168.10.3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i exe$ 0 50% 259200
refresh_pattern -i zip$ 0 50% 259200
refresh_pattern -i rar$ 0 50% 259200
refresh_pattern -i tar\.gz$ 0 50% 259200
The above can compact down to:
refresh_pattern -i (zip|rar|tar\.gz|exe)$ 0 50% 259200
Although I rather think you mean it to be:
refresh_pattern -i \.(zip|rar|tar\.gz|exe)$ 0 50% 259200
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
request_header_access All allow all
NP: permitting transaction request headers through the proxy is
default. You can remove the above request_header_access line.
HTH
Amos
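The ordering point Amos makes about http_access is easy to check without a running proxy. The script below is an added example, not part of the thread or of Squid itself: it models Squid's first-match evaluation (every ACL on a line must match, a leading "!" negates one ACL, the first matching line decides, and an allow line that reaches a proxy_auth ACL with no credentials produces a 407 challenge) and runs the same constructed requests through the http_access lines as Leonardo posted them and through Amos's recommended order. The client addresses, usernames, the contents of /etc/squid/unlimited_bandwidth and /etc/squid/default_access.acl, and the User-Agent strings are all assumed here for illustration.

```python
"""First-match model of Squid http_access evaluation (added example).

Only the subset of squid.conf semantics needed for the thread is modelled:
src, port, method, browser (regex on User-Agent) and proxy_auth ACLs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Request:
    src: str                    # client address
    method: str                 # e.g. GET or CONNECT
    port: int                   # destination port
    user_agent: str
    user: Optional[str] = None  # credentials presented to the proxy, if any

# Constructed stand-ins for the files referenced in the posted config (assumed).
UNLIMITED_BANDWIDTH = {"192.168.10.20"}     # /etc/squid/unlimited_bandwidth
AUTHORIZED_USERS = {"alice", "bob"}         # /etc/squid/default_access.acl
SSL_PORTS = {443}                           # acl SSL_ports port 443
JAVA_UA = re.compile(r"Java/1\.4|Java/1\.5|Java/1\.6")  # acl java browser ...

class NeedCredentials(Exception):
    """A proxy_auth ACL was evaluated for a request carrying no credentials."""

def acl_matches(name: str, req: Request) -> bool:
    if name == "all":
        return True
    if name == "localhost":
        return req.src == "127.0.0.1"
    if name == "unlimitedBandwidth":
        return req.src in UNLIMITED_BANDWIDTH
    if name == "SSL_ports":
        return req.port in SSL_PORTS
    if name == "CONNECT":
        return req.method == "CONNECT"
    if name == "java":
        return JAVA_UA.search(req.user_agent) is not None
    if name == "AuthorizedUsers":          # proxy_auth -i ...
        if req.user is None:
            raise NeedCredentials          # Squid answers 407 at this point
        return req.user.lower() in AUTHORIZED_USERS
    raise KeyError(f"unknown acl {name}")

def parse_http_access(conf: str) -> List[Tuple[str, List[str]]]:
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def evaluate(rules, req: Request) -> str:
    """Return 'allow', 'deny' or 'challenge' using first-match semantics."""
    for action, acls in rules:
        try:
            # all() short-circuits, as Squid does when an earlier ACL fails
            matched = all(
                acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls
            )
        except NeedCredentials:
            return "challenge"
        if matched:
            return action
    # Squid's documented fallback: the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# http_access lines in the order they appear in the posted squid.conf
ORIGINAL = """
http_access allow java
http_access allow localhost unlimitedBandwidth SSL_ports
http_access allow unlimitedBandwidth
http_access allow AuthorizedUsers
http_access deny CONNECT !SSL_ports
http_access deny all
"""

# Amos's recommended order
RECOMMENDED = """
http_access deny CONNECT !SSL_ports
http_access allow unlimitedBandwidth
http_access allow java
http_access allow AuthorizedUsers
http_access deny all
"""

def compare(req: Request) -> Tuple[str, str]:
    """(result under ORIGINAL, result under RECOMMENDED) for one request."""
    return (evaluate(parse_http_access(ORIGINAL), req),
            evaluate(parse_http_access(RECOMMENDED), req))

if __name__ == "__main__":
    java_ua = "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_35"   # constructed
    samples = [
        ("Java client CONNECT to port 25, no credentials",
         Request("192.168.10.77", "CONNECT", 25, java_ua)),
        ("unlimitedBandwidth host CONNECT to port 22",
         Request("192.168.10.20", "CONNECT", 22, "curl/7.26.0")),
        ("authenticated user CONNECT to port 25",
         Request("192.168.10.77", "CONNECT", 25, "Mozilla/5.0", user="alice")),
        ("Java client GET on port 80",
         Request("192.168.10.77", "GET", 80, java_ua)),
        ("browser GET on port 80, no credentials yet",
         Request("192.168.10.77", "GET", 80, "Mozilla/5.0")),
    ]
    for label, req in samples:
        before, after = compare(req)
        print(f"{label:50s} original={before:9s} recommended={after}")
```

The first three sample requests are the "massive security holes" in the reply: with "allow java" and "allow unlimitedBandwidth" (and even "allow AuthorizedUsers") above "deny CONNECT !SSL_ports", those clients can open a TCP tunnel to any port. Moving the deny line first closes that while the Java client still gets its unauthenticated GET through, so the credential popup is never triggered for it.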