
Re: squid 3.3.3 : deny_info with NTLM - remove popup auth -


On 4/07/2013 6:47 a.m., David Touzeau wrote:

Dear,

I would like squid to not display an authentication popup

Authentication FAQ #4 - http://wiki.squid-cache.org/Features/Authentication#How_do_I_prevent_Login_Popups.3F

****** Squid does NOT display anything.

There are *exactly* two ways to avoid popups:

1) ensure the browser has credentials already known to it which can satisfy the 401/407 authentication requirements without user interaction.

2) not use authentication.


if the client is not authenticated through NTLM
For this I have understood that if deny_info is set then Squid redirects the error to the specified url.

In a roundabout way only. deny_info does not suppress login specifically, although its side effect of replacing the normal response status with a redirect may result in a 3XX response with authentication challenge headers (which the browser would then ignore instead of using a popup).



I have set this:
auth_param ntlm program /usr/bin/ntlm_auth --domain=ABC.LAB --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20 startup=1 idle=1
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 3 startup=1 idle=1
auth_param basic realm Basic Identification
auth_param basic credentialsttl 2 hours


acl AUTHENTICATED proxy_auth REQUIRED
acl AllowedUrisTemplates dstdomain .domain.tld

http_access  allow AllowedUrisTemplates
http_access deny !AUTHENTICATED all
deny_info http://proxy-error.domain.tld AUTHENTICATED
http_access deny all

But it seems that squid did not care about the deny_info defined for the AUTHENTICATED acl and forced the use of the ERR_CACHE_ACCESS_DENIED template.

Why?

"AUTHENTICATED" is not the last ACL on the line. "all" is.

I suggest you define a custom version of "all" and link the deny_info action to that. Like so:

  acl authFailed src all
  http_access deny !AUTHENTICATED authFailed
  deny_info http://proxy-error.domain.tld authFailed


What this does: the use of a non-auth ACL last on the line suppresses the authentication challenge (not the deny_info). Then deny_info changes the 403 ACCESS_DENIED with authentication error message into a redirect response for the http://proxy-error.domain.tld URL.
BTW the URL needs '/' at the end to parse properly.

<snip>
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert: %%h --> 'squid32-64.localhost.localdomain'

Er. This is a really weird domain name you have.

Amos
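
The two points of the reply above (deny_info is tied to the last ACL on the http_access deny line, and the redirect URL needs a trailing '/') written as a small squid.conf check. This is an added example, not part of the original message or of Squid; the function name lint_deny_info is hypothetical and both sample configurations are constructed from the lines quoted in the thread.

```python
import re

# Constructed sample: the rules quoted in the thread (auth_param lines omitted).
ORIGINAL = """\
acl AUTHENTICATED proxy_auth REQUIRED
acl AllowedUrisTemplates dstdomain .domain.tld
http_access allow AllowedUrisTemplates
http_access deny !AUTHENTICATED all
deny_info http://proxy-error.domain.tld AUTHENTICATED
http_access deny all
"""

# Constructed sample: the reply's suggestion, with the trailing '/' applied.
REVISED = """\
acl AUTHENTICATED proxy_auth REQUIRED
acl authFailed src all
http_access deny !AUTHENTICATED authFailed
deny_info http://proxy-error.domain.tld/ authFailed
http_access deny all
"""

def lint_deny_info(conf):
    """Return a list of findings for the deny_info rules in a squid.conf text."""
    acl_type, last_on_deny, deny_info, findings = {}, [], [], []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if len(tok) >= 3 and tok[0] == "acl":
            acl_type.setdefault(tok[1], tok[2])     # ACL name -> ACL type
        elif len(tok) >= 3 and tok[:2] == ["http_access", "deny"]:
            last_on_deny.append(tok[-1].lstrip("!"))  # last ACL on the line
        elif len(tok) == 3 and tok[0] == "deny_info":
            deny_info.append((tok[1], tok[2]))      # (target, ACL name)
    for target, acl in deny_info:
        if acl not in last_on_deny:
            findings.append(f"{acl}: never last on an http_access deny line, "
                            "so its deny_info is not used")
        elif acl_type.get(acl, "").startswith("proxy_auth"):
            findings.append(f"{acl}: auth ACL is last on the line, so the "
                            "authentication challenge is not suppressed")
        if re.match(r"https?://[^/]+$", target):    # host only, no path
            findings.append(f"{target}: URL has no trailing '/'")
    return findings

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("revised", REVISED)):
        print(name, lint_deny_info(conf))
```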



