Re: squid 3.4.1 , basic auth and timeout

On 11/12/2013 11:02 p.m., Dmitry Melekhov wrote:
> Hello!
> 
> Just tried to install 3.4.1 to production.
> Users complain that they need to reauth after some timeout.
> 
> Parts of config:
> 
> external_acl_type LdapGroup children-max=30 children-startup=10 concurrency=0 ttl=600 negative_ttl=10 grace=0 protocol=2.5 %LOGIN /usr/sbin/squid_ldap_group -v 3 -h 127.0.0.1 -b "o=company,c=RU" -B "org=company,ou=People,o=company,c=RU" -f "(&(cn=%g)(memberUid=%u))" -F "(&(objectClass=account)(uid=%s))" -s sub
> 
> 
> and
> 
> auth_param basic program /usr/sbin/squid_ldapauth
> auth_param basic credentialsttl 600 seconds
> auth_param basic children 10
> auth_param basic realm Squid proxy-caching web server
> #auth_param basic casesensitive on
> auth_param basic casesensitive off
> 
> I see the following in my logs, firefox doesn't ask me for auth info though:
> 1386754087.151      2 192.168.22.229 TCP_DENIED/407 6701 GET http://www.rbc.ru/? dm HIER_NONE/- text/html
> 1386754810.393      2 192.168.22.229 TCP_DENIED/407 6702 GET http://www.rbc.ru/? dm HIER_NONE/- text/html
> 1386755534.579      2 192.168.22.229 TCP_DENIED/407 6702 GET http://www.rbc.ru/? dm HIER_NONE/- text/html
> 
> 
> As far as I remember, there was such a problem in 3.2, or something like
> this, so I installed 3.3 before it was released - this was an ACL problem.
> 
> Were some changes introduced in 3.4? Or do I need to reconfigure something?

Try setting the grace period to a value larger than 0. The grace period is a
short time before the credentials TTL expires when they can be looked up
at the helper for validity without needing to block the client request
or send an immediate pass/fail result to the access control.
 ** there was a bug in this for some 3.2-3.3 releases.


If you are using the auth check in a fast-type access control the TTL
expiry will cause a fail result after the credentials have expired even
if the helper lookup will some time later produce a valid/success
result. Grace allows that lookup to be started before the TTL is over
and hopefully the credentials next TTL can be assigned before the old
one expires.

Amos
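
A simplified model of the behaviour described in the reply above, added here as an illustration (it is not part of the original message and not Squid's code): a TTL cache consulted by a check that cannot wait for the helper, run with and without a grace window. The function names, the 1-second helper latency, the request pattern and the grace window expressed in seconds are assumptions of the model; ttl=600 is taken from the quoted configuration.

```python
# Simplified model of a TTL cache consulted by a non-blocking ("fast") check.
# Added illustration only: this is not Squid's code, and the names are hypothetical.

def simulate(request_times, ttl, grace_window, helper_latency):
    """Return [(time, verdict)] for one user's requests.

    ttl            -- seconds a successful helper answer stays valid
    grace_window   -- seconds before expiry in which a background refresh may start
    helper_latency -- seconds the helper takes to answer
    """
    expires_at = None      # when the cached OK result expires
    pending_done = None    # when an in-flight helper lookup will complete
    results = []
    for t in sorted(request_times):
        # Apply a helper answer that arrived before this request.
        if pending_done is not None and pending_done <= t:
            expires_at = pending_done + ttl
            pending_done = None
        if expires_at is not None and t < expires_at:
            verdict = "OK"
            # Inside the grace window: refresh in the background, still answer OK.
            if t >= expires_at - grace_window and pending_done is None:
                pending_done = t + helper_latency
        else:
            # Nothing valid cached: the fast check cannot wait, so it fails now
            # and the lookup only helps later requests.
            verdict = "FAIL"
            if pending_done is None:
                pending_done = t + helper_latency
        results.append((t, verdict))
    return results

def failures(results):
    """Times at which the check returned FAIL."""
    return [t for t, verdict in results if verdict == "FAIL"]

# Constructed traffic: one request every 20 s for 30 minutes.
REQUESTS = range(0, 1800, 20)

if __name__ == "__main__":
    for grace in (0, 60):
        r = simulate(REQUESTS, ttl=600, grace_window=grace, helper_latency=1)
        print(f"grace_window={grace:>2}s -> failed checks at t={failures(r)}")
```

In this model the failure at t=0 is the initial lookup with nothing cached; a grace window only helps while requests keep arriving inside it, so an idle gap longer than the TTL still yields one failed check.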



