
Re: ask three times authentication


 



Thank you,

> From 2.6 to 3.1.10, was there any other change in the system?

     yes, I have moved my squid from a machine with OS Red Hat 5.9
to another machine with OS CentOS 6.5

the issue seems to be something about authentication
compatibility between the browser and the new squid version 3.1.10

I still have the old machine. I have done some tests, and from a client
machine, when I point the browser at the old proxy, everything works.
But the strange thing is that I use the same squid.conf on both the old proxy
machine and the new proxy machine, so why does the authentication pop-up appear
three times only on the new proxy running squid version 3.1.10?

my question is whether there is any problem with authentication in
squid version 3.1.10?

My squid.conf follows.


############################################################
#
# Squid.conf - AD authentication
#
#############################################################

## Authentication

# NTLM via the ntlm_auth helper, spoken in the squid-2.5 NTLMSSP helper
# protocol. NOTE(review): a normal NTLM handshake shows up as two
# TCP_DENIED/407 entries per new client connection (the initial
# challenge, then the reply carrying the Type 2 challenge); a third 407
# for the same request presumably means the final Type 3 message was not
# accepted by the helper — confirm in cache.log with helper debugging
# rather than from access.log alone.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
# NTLM authenticates the TCP connection, not the request; keep_alive keeps
# the connection that carried the Type 1 message open so the Type 3 can
# arrive on it. Anything that closes the connection mid-handshake restarts
# the whole exchange (and the browser prompt).
auth_param ntlm keep_alive on

# Basic fallback helper is disabled, so presumably only NTLM is advertised
# in the 407 responses.
#auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
#auth_param basic children 30

## commented out (see above)

# NOTE(review): realm and credentialsttl are set for a scheme whose helper is
# commented out above; confirm whether squid 3.1 warns about this at startup.
auth_param basic realm Acesso a Internet teste SA
auth_param basic credentialsttl 2 hours

authenticate_cache_garbage_interval 1 hour
authenticate_ttl 120 seconds

# Group lookups for the AD-group ACLs. %LOGIN needs an authenticated user,
# so the first http_access line that references an NT_global_group ACL is
# where the 407 challenge is issued for requests not already allowed above.
# NOTE: the next two lines are a single line in the real file (mail wrapping).
external_acl_type NT_global_group children=50 %LOGIN
/usr/lib64/squid/squid_unix_group

## SQSTAT


# "Any authenticated user". Referencing this ACL in http_access forces the
# authentication challenge when no credentials are present.
acl ntlm_users proxy_auth REQUIRED

#cache_store_log none
#cache_log /var/log/squid/cache.log
#cache_log none
#request_entities on

# All debug settings are disabled. To trace the repeated 407s, raise the
# authenticator (29) and helper (84) sections temporarily, e.g.
# `debug_options ALL,1 29,9 84,9`, and drop them again afterwards.
# debug_options rotate=16 ALL,1
#debug_options ALL,9
#debug_options ALL,1 33,2
#debug_options ALL


visible_hostname proxy.teste.com
# NOTE(review): 8080 listens on all interfaces. Together with the
# unauthenticated `http_access allow all SSL_ports` further down, any host
# that can reach 8080 can CONNECT to port 443 anywhere — confirm the port
# is filtered at the network edge.
http_port 8080
# Loopback-only listener (used by the localhost allows below).
http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache

access_log /var/log/squid/access.log squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

ie_refresh on

max_filedesc 4096


###################################
# Cache parameters - DO NOT CHANGE #
###################################

# Earlier single-directory layouts, kept for reference.
#cache_dir aufs /var/spool/squid 6000 16 256
#cache_dir ufs /var/spool/squid 5000 64  1024
#cache_dir ufs /var/spool/squid 2048 64 64

diskd_program           /usr/lib64/squid/diskd-daemon

# Four 1000 MB diskd stores, 16x128 directories each; Q1/Q2 are the diskd
# queue thresholds at which squid stops hitting/opening the store.
cache_dir diskd /var/spool/squid/1  1000 16 128 Q1=64 Q2=72
cache_dir diskd /var/spool/squid/2  1000 16 128 Q1=64 Q2=72
cache_dir diskd /var/spool/squid/3  1000 16 128 Q1=64 Q2=72
cache_dir diskd /var/spool/squid/4  1000 16 128 Q1=64 Q2=72


#This stops squid from holding onto ram that it is no longer actively using.
memory_pools off

#Buffers the write-out to log files. This can increase performance slightly
buffered_logs on

cache_mem 1024 MB

half_closed_clients off
# NOTE(review): the high-water mark at 100% leaves no headroom for
# replacement to start before the store is completely full.
cache_swap_low 80%
cache_swap_high 100%

maximum_object_size 10 MB
maximum_object_size_in_memory 2048 KB

cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

#######################################

ftp_passive on
acl ftp_21 port 21

############################################################
#
# Default rules (port / protocol ACLs)
#
############################################################


# NOTE(review): to_localhost is defined but no http_access line below uses
# it; the stock `http_access deny to_localhost` is missing.
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
# Ports a client may request. NOTE(review): the matching
# `http_access deny !Safe_ports` sits near the end of the http_access list,
# so it only applies to requests that no earlier allow line matched.
acl Safe_ports port 80         # http
acl Safe_ports port 21         # ftp
acl Safe_ports port 20         # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70         # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535     # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # companyling http
acl Safe_ports port 10080     # http port of the remote "teste" sites.
acl Safe_ports port 8181     # publishing
acl Safe_ports port 10082     # DBMessenger
acl Safe_ports port 9082
acl ftp proto FTP
acl CONNECT method CONNECT


#################################
# Sources (client address ACLs)
#################################
# NOTE(review): 128.x.x.x is publicly routable address space, not RFC 1918.
# If that is the organisation's real internal addressing this is fine;
# otherwise these src ACLs also match those Internet networks.
acl rede_projeto        src 192.168.52.0/22
acl nelson              src 128.2.20.213
acl 2m041187            src 128.2.20.171
acl localhost           src 127.0.0.1/32
acl LAN_GERAL           src 128.0.0.0/8
acl LAN_ADM             src 128.2.0.0/16
acl gilson              src 128.2.20.141/32
acl LAN_IDU             src 128.4.0.0/16
acl LAN_JBOCD           src 10.13.0.0/16
acl LAN_COJ             src 128.1.0.0/16
acl LAN_COJ_TS          src 10.1.251.0/25
acl dropbox_liberado    src 128.2.30.201/32
# A destination ACL (not a source); `allow testebo` below lets any client
# reach this single host without authentication.
acl testebo        dst 189.36.1.226/32


#################################
# Lync rules and sites without AUTH
#################################
# MSN_Liberado is the first auth-dependent ACL referenced in http_access
# (last line of this section), so presumably the NTLM challenge is issued
# there for every request the lines before it did not allow.
acl MSN_Liberado    external NT_global_group msn_liberado
acl lync         url_regex  "/etc/squid/acls/lync.txt"
http_access         allow lync

# These url_regex lists are unanchored patterns: a pattern matches anywhere
# in the URL, query string included. Since these lines bypass
# authentication, keep the patterns tight or prefer dstdomain for
# host-based exceptions.
acl semauth         url_regex -i "/etc/squid/acls/sites_semauth.txt"
http_access             allow all semauth all
http_access             allow CONNECT semauth all
http_access           allow testebo

acl semauth_sap         url_regex -i "/etc/squid/acls/sites_semauth_sap.txt"
http_access             allow rede_projeto semauth_sap all


acl msn.8         url_regex "/etc/squid/acls/msn.txt"
# NOTE(review): matches the string "localhost" anywhere in the URL, not
# requests to the local host; `allow local` below therefore passes any URL
# containing that substring without authentication. Use the src-based
# `localhost` ACL (or dstdomain) instead if that was the intent.
acl local        url_regex localhost

http_access         allow local
http_access         allow semauth 2m041187
http_access         allow localhost all
http_access         allow nelson
# First line that needs the user's identity: the 407 challenge starts here.
http_access         allow MSN_Liberado msn.8

############################################################
#
# Test rules (ACL definitions)
#
############################################################

acl manager         proto cache_object

acl semcache        url_regex "/etc/squid/acls/semcache.txt"
acl SITES_BLOQUEADOS     url_regex -i "/etc/squid/acls/sites_bloqueados.txt"
acl SITES_LIBERADOS     url_regex -i "/etc/squid/acls/sites_liberados.txt"
acl acesso_mkt_vendas     url_regex -i "/etc/squid/acls/acesso_mkt_vendas.txt"
#acl quiosque         url_regex -i "/etc/squid/acls/quiosque.txt"
acl mtmon         url_regex -i "/etc/squid/acls/mtmon.txt"
acl IPS_LIBERADOS     src "/etc/squid/acls/ips_liberados.txt"
acl IPS_BLOQUEADOS     src "/etc/squid/acls/ips_bloqueados.txt"
acl PORN         url_regex -i "/etc/squid/acls/porn.txt"
acl NOPORN         url_regex -i "/etc/squid/acls/noporn.txt"
acl downloads         url_regex -i "/etc/squid/acls/extensoes.txt"


# Messenger-related ACLs. msn, msn.1 and msn.2 are dstdomain ACLs for
# different hosts, msn.6 is a client address range — see the note on the
# combined `allow MSN_Liberado msn msn.1 ...` line in the access rules.
acl msn         dstdomain loginnet.passport.com login.live.com
acl msn.1         dstdomain loginnet.passport.com
acl msn.2         dstdomain webmessenger.msn.com
acl msn.3         url_regex -i gateway.dll
acl msn.4         req_mime_type -i ^application/x-msn-messenger$
acl msn.5         url_regex -i "/etc/squid/acls/msn.txt"
acl msn.6         src 65.0.0.0/12
# In a regex the trailing `?` makes the last "l" optional, so this matches a
# superset of msn.3 rather than a literal "?" in the URL.
acl msn.7         url_regex -i gateway.dll?
acl webmails_liberado     url_regex -i "/etc/squid/acls/webmail_liberados.txt"
acl webmail_bloqueado     url_regex -i "/etc/squid/acls/webmail_bloqueado.txt"
# NOTE(review): `browser` matches the client-supplied User-Agent header;
# `http_access allow bb` below grants unauthenticated access on that
# header alone, which the client controls.
acl bb             browser C:\BancoBrasil\officeIE\index.html
acl bancos         url_regex -i "/etc/squid/acls/bancos.txt"
acl bb1         url_regex -i "/etc/squid/acls/bb.txt"
acl CAIXA        url_regex -i "/etc/squid/acls/caixa.txt"
acl WINDOWS_UPDATE     url_regex -i "/etc/squid/acls/windows_update.txt"
acl teste         url_regex -i "/etc/squid/acls/teste.txt"
acl sites_bloqueados2     url_regex -i "/etc/squid/acls/sites_bloqueados2.txt"
acl sites_mfseguranca     url_regex -i "/etc/squid/acls/sites_mfseguranca.txt"
acl sites_gilson     url_regex -i "/etc/squid/acls/sites_gilson.txt"
acl GTALK         url_regex -i "/etc/squid/acls/gtalk.txt"
acl SITES_INTERNET_SAP    url_regex -i "/etc/squid/acls/sites_internet_sap.txt"


# Fix support.microsoft.com by removing Accept-Encoding header
# NOTE(review): no header-manipulation directive follows, and the
# support.microsoft.com ACL is not referenced anywhere else in this file,
# so the fix described above is not actually applied.

acl support.microsoft.com     dstdomain support.microsoft.com
acl trendmicro             url_regex "/etc/squid/acls/trendmicro.txt"
acl GOV                url_regex -i "/etc/squid/acls/gov.txt"
acl sites_normas         url_regex -i "/etc/squid/acls/sites_normas.txt"
acl twitter             url_regex -i "/etc/squid/acls/twitter.txt"
acl orkut             url_regex -i "/etc/squid/acls/orkut.txt"
acl ninecon             url_regex -i "/etc/squid/acls/ninecon.txt"
acl youtube             url_regex -i "/etc/squid/acls/youtube.txt"
acl facebook             url_regex -i "/etc/squid/acls/facebook.txt"

####################################
# ACLs based on AD group membership
####################################

# Each ACL is true when the authenticated user is a member of the named AD
# group (looked up through the NT_global_group external helper, which
# needs %LOGIN and therefore an authenticated user).
acl facebook_liberado         external NT_global_group facebook_liberado
acl internet_teste        external NT_global_group internet_teste
acl internet_normal         external NT_global_group internet_normal
acl internet_liberada         external NT_global_group internet_liberada
acl internet_bloqueada         external NT_global_group internet_bloqueada
acl download_liberado         external NT_global_group download_liberado
acl orkut_liberado         external NT_global_group orkut_liberado
acl twitter_liberado         external NT_global_group twitter_liberado
acl youtube_liberado         external NT_global_group youtube_liberado
acl update_liberado         external NT_global_group update_liberado
acl webmail_liberado         external NT_global_group webmail_liberado
acl webmailninecon         external NT_global_group webmailninecon
acl sites_mkt_vendas         external NT_global_group sites_mkt_vendas
acl semi_liberado         external NT_global_group semi_liberado
# NOTE: the next two lines are a single line in the real file (mail wrapping).
acl internet_consultores_sap    external NT_global_group
internet_consultores_sap
#acl quiosque_liberado     external NT_global_group internet_quiosque


###########################################################
#
#  SQUID ACCESS RULES (first matching http_access line wins)
###########################################################

# Cache manager access. NOTE(review): there is no `http_access deny manager`
# after these lines (the stock config has one), so any client matching a
# later allow — an authenticated ntlm_users client, a LAN_ADM address, ... —
# can also reach cache_object://. Consider adding `http_access deny manager`
# right after the two manager allows.
http_access allow manager localhost
http_access allow localhost manager
http_access allow localhost all

#http_access allow all
# Unauthenticated allows driven by URL lists. url_regex patterns are
# unanchored and match anywhere in the URL (query string included), so
# these lists should be kept tight; host-based exceptions are safer as
# dstdomain.
http_access allow teste all
http_access allow bancos
# NOTE(review): `bb` is a User-Agent header match, i.e. client-supplied;
# this line allows the request without authentication on that basis alone.
http_access allow bb
http_access allow bb1
http_access allow GOV
http_access allow CAIXA
http_access allow sites_normas
http_access allow webmails_liberado
http_access allow mtmon

http_access allow internet_liberada all

http_access allow LAN_ADM sites_mfseguranca
#http_access allow gilson sites_gilson
http_access allow gilson
http_access allow LAN_COJ sites_mfseguranca
http_access allow dropbox_liberado
http_access allow ftp
http_access allow ftp_21
http_access allow IPS_LIBERADOS
http_access allow acesso_mkt_vendas sites_mkt_vendas
http_access allow youtube youtube_liberado
http_access allow facebook facebook_liberado
http_access allow WINDOWS_UPDATE update_liberado
http_access allow webmailninecon ninecon
http_access allow downloads download_liberado
# NOTE(review): this deny sits below some 25 allow lines, so a blocked
# source address still gets everything those lines allow (bancos, GOV,
# ftp, port 443 further down, ...). Move it up next to the manager rules if
# the block is meant to be total.
http_access deny IPS_BLOQUEADOS
#http_access allow downloads download_liberado
#no_cache deny semcache
cache deny semcache
http_access allow semcache all

# NOTE: the next three lines are a single line in the real file (mail wrapping).
http_access allow semi_liberado !youtube !facebook !twitter !orkut
!GTALK !msn !msn.1 !msn.2 !msn.3 !msn.4 !msn.5 !msn.6 !msn.7
!sites_bloqueados !PORN
http_access deny sites_bloqueados2
# NOTE(review): ACLs on one line are ANDed. msn, msn.1 and msn.2 are
# dstdomain ACLs for different hosts and msn.6 is a client address range,
# so a single request can never match all of them and this line is dead.
# The MSN_Liberado allow that does take effect is `allow MSN_Liberado msn.8`
# in the no-auth section above.
http_access allow  MSN_Liberado msn msn.1 msn.2 msn.3 msn.4 msn.5 msn.6 msn.7
http_access deny MSN_Liberado SITES_BLOQUEADOS
http_access deny MSN_Liberado ORKUT
http_access allow internet_teste SITES_LIBERADOS
http_access allow internet_normal SITES_LIBERADOS
http_access deny internet_teste SITES_BLOQUEADOS
http_access deny internet_normal SITES_BLOQUEADOS
#http_access deny !internet_teste
http_access deny webmail_bloqueado !webmail_liberado
http_access allow SITES_LIBERADOS
http_access deny ORKUT !orkut_liberado
http_access deny twitter !twitter_liberado all
http_access deny ORKUT
http_access deny internet_bloqueada all
http_access allow sites_normas
#http_access allow WINDOWS_UPDATE update_liberado
http_access deny WINDOWS_UPDATE
# NOTE(review): everything to port 443 is allowed here for any source,
# before authentication and before the deny lists that follow
# (SITES_BLOQUEADOS, PORN, downloads, ...). HTTPS is therefore neither
# authenticated nor filtered, and CONNECT to 443 never reaches the
# `deny CONNECT !SSL_ports` line below.
http_access allow all SSL_ports
http_access deny msn
http_access deny msn.1
http_access deny msn.2
http_access deny msn.3
http_access deny msn.4
http_access deny msn.5
http_access deny GTALK
http_access deny PORN !NOPORN all
http_access deny SITES_BLOQUEADOS
##http_access allow downloads download_liberado
http_access deny downloads


# NOTE: the next two lines are a single line in the real file (mail wrapping).
acl BLOQUEIO_SAP        url_regex
"/etc/squid/acls/sites_internet_sap_bloqueio.txt"
http_access             deny rede_projeto BLOQUEIO_SAP

# Project network: authenticated users are allowed in full; the lines after
# it apply to the unauthenticated remainder.
http_access allow ntlm_users rede_projeto

http_access allow internet_consultores_sap SITES_INTERNET_SAP
http_access allow internet_consultores_sap SITES_LIBERADOS
http_access allow internet_consultores_sap semauth_sap
http_access allow rede_projeto SITES_INTERNET_SAP
http_access allow rede_projeto SITES_LIBERADOS
http_access deny internet_consultores_sap all
# Final rule for rede_projeto; the `allow rede_projeto` further down is
# never reached for this network.
http_access deny rede_projeto all


# nelson http_access deny manager
# NOTE(review): in the stock squid.conf these two port-restriction denies
# come before any allow. Here they follow dozens of allow lines, so every
# request matched by an earlier allow (lync, semauth, bancos, GOV, the
# port-443 allow, ...) skips the Safe_ports / SSL_ports checks. Moving them
# to the top of the http_access list restricts ports only, not sites.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Any authenticated user, then whole LAN ranges without authentication.
http_access allow ntlm_users
http_access allow LAN_ADM
http_access allow rede_projeto
http_access allow LAN_IDU
http_access allow LAN_JBOCD
http_access allow LAN_COJ
http_access allow LAN_COJ_TS

http_access deny all
http_reply_access allow all
icp_access allow all

cache_mgr suporte@xxxxxxxxx
# NOTE(review): the commented line below still carries a cache manager
# password, and the file has now been posted to a public list; rotate that
# password and scrub it before sharing the configuration again.
#cachemgr_passwd companytTask all
error_directory /usr/share/squid/errors/pt-br
coredump_dir /pacotes/squid/core


Thanks











2014/1/13 Eliezer Croitoru <eliezer@xxxxxxxxxxxx>:
> Hey,
>
> I would like to try to understand the issue, but it still seems too complex
> for me to understand what is happening yet.
> You use NTLM auth but I do not understand the authentication settings yet.
> From 2.6 to 3.1.10, was there any other change in the system?
> As I understand it, it's an internal proxy, which seems a bit weird.
> I do not assume that the issue is in the config file but a basic description
> of the environment can help to understand more about the subject.
>
> If you can share the basic squid.conf it would help but note to remove any
> personal details or at least change them to make sure that the environment
> can be understood properly.
>
> All The Bests,
> Eliezer
>
>
> On 13/01/14 16:13, Usuário do Sistema wrote:
>>
>> Hello everyone,
>>
>>
>> I have upgraded my squid from Version 2.6.STABLE21 to Version
>> 3.1.10
>>
>> After that it always pops up the authentication dialog three times before
>> allowing the url. Here is an example for the www.bol.com.br url
>>
>>
>> 1389621501.201      1 192.168.53.31 TCP_DENIED/407 3849 GET
>> http://www.bol.com.br/ - NONE/- text/html
>> 1389621501.213      2 192.168.53.31 TCP_DENIED/407 4148 GET
>> http://www.bol.com.br/ - NONE/- text/html
>> 1389621501.226      4 192.168.53.31 TCP_DENIED/407 4135 GET
>> http://www.bol.com.br/ - NONE/- text/html
>> 1389621532.660      2 192.168.53.31 TCP_DENIED/407 3947 GET
>> http://www.bol.com.br/ - NONE/- text/html
>> 1389621534.117      0 192.168.53.31 TCP_DENIED/407 3947 GET
>> http://www.bol.com.br/ - NONE/- text/html
>> 1389621535.165     98 192.168.53.31 TCP_DENIED/407 4148 GET
>> http://www.bol.com.br/ - NONE/- text/html
>> 1389621535.397    143 192.168.53.31 TCP_MISS/302 577 GET
>> http://www.bol.com.br/ sa_mtmon DIRECT/200.147.35.224 text/html
>> 1389621535.542     88 192.168.53.31 TCP_DENIED/407 4187 GET
>> http://www.bol.uol.com.br/ - NONE/- text/html
>> 1389621535.829    256 192.168.53.31 TCP_DENIED/407 4486 GET
>> http://www.bol.uol.com.br/ - NONE/- text/html
>> 1389621536.969   1129 192.168.53.31 TCP_MISS/200 35705 GET
>> http://www.bol.uol.com.br/ sa_mtmon DIRECT/200.147.68.9 text/html
>>
>>
>> I realized that the upgrade changed the NTLM version too: before
>> 3.6.6-0.136.el5 and now 3.6.9-167.el6_5
>>
>>
>> how can I figure out the problem of the authentication pop-up appearing
>> three times? Before the upgrade it asked for authentication only once.
>>
>>
>> thanks
>>
>





