Re: ask three times authentication

I wonder why there are popups at all. NTLM should work without any popups.
Which browser do you use? IE?

Could you try to discard the group-check auth?
We are using NTLM but everyone is allowed after authentication, so we do not use external_acl_type.


We only use

acl auth_user proxy_auth REQUIRED
http_access allow auth_user all


> -----Original Message-----
> From: Usuário do Sistema [mailto:maiconlp@xxxxxxxxx]
> Sent: Tuesday, 14 January 2014 13:27
> To: Eliezer Croitoru
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: ask three times authentication
> 
> Thank you,
> 
> From 2.6 to 3.1.10, was there any other change in the system?
> 
>      Yes, I moved my Squid from a machine running Red Hat 5.9 to another
> machine running CentOS 6.5.
> 
> The issue seems to be something about authentication compatibility
> between the browser and the new Squid version 3.1.10.
> 
> I still have the old machine. I have done some tests, and from a client
> machine, when I put the old proxy in the browser, everything works.
> But the strange thing is that I use the same squid.conf on the old proxy
> machine as well as on the new proxy machine, so why does the authentication
> pop-up appear three times only at the new proxy, Squid version 3.1.10?
> 
> My question is whether there is any problem with Squid version 3.1.10
> regarding authentication.
> 
> Here is my squid.conf.
> 
> 
> ############################################################
> #
> # squid.conf AD authentication
> #
> #############################################################
> 
> ## Authentication
> 
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 50
> auth_param ntlm keep_alive on
> 
> #auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> #auth_param basic children 30
> 
> ## commented out
> 
> auth_param basic realm Acesso a Internet teste SA
> auth_param basic credentialsttl 2 hours
> 
> authenticate_cache_garbage_interval 1 hour
> authenticate_ttl 120 seconds
> 
> external_acl_type NT_global_group children=50 %LOGIN /usr/lib64/squid/squid_unix_group
> 
> ## SQSTAT
> 
> 
> acl ntlm_users proxy_auth REQUIRED
> 
> #cache_store_log none
> #cache_log /var/log/squid/cache.log
> #cache_log none
> #request_entities on
> 
> # debug_options rotate=16 ALL,1
> #debug_options ALL,9
> #debug_options ALL,1 33,2
> #debug_options ALL
> 
> 
> visible_hostname proxy.teste.com
> http_port 8080
> http_port 127.0.0.1:3128
> hierarchy_stoplist cgi-bin ?
> 
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> 
> access_log /var/log/squid/access.log squid
> 
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> 
> ie_refresh on
> 
> max_filedesc 4096
> 
> 
> ###################################
> # Cache parameters, DO NOT CHANGE #
> ###################################
> 
> #cache_dir aufs /var/spool/squid 6000 16 256
> #cache_dir ufs /var/spool/squid 5000 64  1024
> #cache_dir ufs /var/spool/squid 2048 64 64
> 
> diskd_program           /usr/lib64/squid/diskd-daemon
> 
> cache_dir diskd /var/spool/squid/1  1000 16 128 Q1=64 Q2=72
> cache_dir diskd /var/spool/squid/2  1000 16 128 Q1=64 Q2=72
> cache_dir diskd /var/spool/squid/3  1000 16 128 Q1=64 Q2=72
> cache_dir diskd /var/spool/squid/4  1000 16 128 Q1=64 Q2=72
> 
> 
> #This stops squid from holding onto ram that it is no longer actively using.
> memory_pools off
> 
> #Buffers the write-out to log files. This can increase performance slightly
> buffered_logs on
> 
> cache_mem 1024 MB
> 
> half_closed_clients off
> cache_swap_low 80%
> cache_swap_high 100%
> 
> maximum_object_size 10 MB
> maximum_object_size_in_memory 2048 KB
> 
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap GDSF
> 
> #######################################
> 
> ftp_passive on
> acl ftp_21 port 21
> 
> ############################################################
> #
> # Default rules
> #
> ############################################################
> 
> 
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80         # http
> acl Safe_ports port 21         # ftp
> acl Safe_ports port 20         # ftp
> acl Safe_ports port 443     # https
> acl Safe_ports port 70         # gopher
> acl Safe_ports port 210     # wais
> acl Safe_ports port 1025-65535     # unregistered ports
> acl Safe_ports port 280     # http-mgmt
> acl Safe_ports port 488     # gss-http
> acl Safe_ports port 591     # filemaker
> acl Safe_ports port 777     # companyling http
> acl Safe_ports port 10080     # http port of the remote teste sites.
> acl Safe_ports port 8181     # Publishing
> acl Safe_ports port 10082     # DBMessenger
> acl Safe_ports port 9082
> acl ftp proto FTP
> acl CONNECT method CONNECT
> 
> 
> #################################
> # Sources
> #################################
> acl rede_projeto        src 192.168.52.0/22
> acl nelson              src 128.2.20.213
> acl 2m041187            src 128.2.20.171
> acl localhost           src 127.0.0.1/32
> acl LAN_GERAL           src 128.0.0.0/8
> acl LAN_ADM             src 128.2.0.0/16
> acl gilson              src 128.2.20.141/32
> acl LAN_IDU             src 128.4.0.0/16
> acl LAN_JBOCD           src 10.13.0.0/16
> acl LAN_COJ             src 128.1.0.0/16
> acl LAN_COJ_TS          src 10.1.251.0/25
> acl dropbox_liberado    src 128.2.30.201/32
> acl testebo        dst 189.36.1.226/32
> 
> 
> #################################
> # LYNC rules and sites without AUTH
> #################################
> acl MSN_Liberado    external NT_global_group msn_liberado
> acl lync         url_regex  "/etc/squid/acls/lync.txt"
> http_access         allow lync
> 
> acl semauth         url_regex -i "/etc/squid/acls/sites_semauth.txt"
> http_access             allow all semauth all
> http_access             allow CONNECT semauth all
> http_access           allow testebo
> 
> acl semauth_sap         url_regex -i "/etc/squid/acls/sites_semauth_sap.txt"
> http_access             allow rede_projeto semauth_sap all
> 
> 
> acl msn.8         url_regex "/etc/squid/acls/msn.txt"
> acl local        url_regex localhost
> 
> http_access         allow local
> http_access         allow semauth 2m041187
> http_access         allow localhost all
> http_access         allow nelson
> http_access         allow MSN_Liberado msn.8
> 
> ############################################################
> #
> # Test rules
> #
> ############################################################
> 
> acl manager         proto cache_object
> 
> acl semcache        url_regex "/etc/squid/acls/semcache.txt"
> acl SITES_BLOQUEADOS     url_regex -i "/etc/squid/acls/sites_bloqueados.txt"
> acl SITES_LIBERADOS     url_regex -i "/etc/squid/acls/sites_liberados.txt"
> acl acesso_mkt_vendas     url_regex -i "/etc/squid/acls/acesso_mkt_vendas.txt"
> #acl quiosque         url_regex -i "/etc/squid/acls/quiosque.txt"
> acl mtmon         url_regex -i "/etc/squid/acls/mtmon.txt"
> acl IPS_LIBERADOS     src "/etc/squid/acls/ips_liberados.txt"
> acl IPS_BLOQUEADOS     src "/etc/squid/acls/ips_bloqueados.txt"
> acl PORN         url_regex -i "/etc/squid/acls/porn.txt"
> acl NOPORN         url_regex -i "/etc/squid/acls/noporn.txt"
> acl downloads         url_regex -i "/etc/squid/acls/extensoes.txt"
> 
> 
> acl msn         dstdomain loginnet.passport.com login.live.com
> acl msn.1         dstdomain loginnet.passport.com
> acl msn.2         dstdomain webmessenger.msn.com
> acl msn.3         url_regex -i gateway.dll
> acl msn.4         req_mime_type -i ^application/x-msn-messenger$
> acl msn.5         url_regex -i "/etc/squid/acls/msn.txt"
> acl msn.6         src 65.0.0.0/12
> acl msn.7         url_regex -i gateway.dll?
> acl webmails_liberado     url_regex -i "/etc/squid/acls/webmail_liberados.txt"
> acl webmail_bloqueado     url_regex -i "/etc/squid/acls/webmail_bloqueado.txt"
> acl bb             browser C:\BancoBrasil\officeIE\index.html
> acl bancos         url_regex -i "/etc/squid/acls/bancos.txt"
> acl bb1         url_regex -i "/etc/squid/acls/bb.txt"
> acl CAIXA        url_regex -i "/etc/squid/acls/caixa.txt"
> acl WINDOWS_UPDATE     url_regex -i "/etc/squid/acls/windows_update.txt"
> acl teste         url_regex -i "/etc/squid/acls/teste.txt"
> acl sites_bloqueados2     url_regex -i "/etc/squid/acls/sites_bloqueados2.txt"
> acl sites_mfseguranca     url_regex -i "/etc/squid/acls/sites_mfseguranca.txt"
> acl sites_gilson     url_regex -i "/etc/squid/acls/sites_gilson.txt"
> acl GTALK         url_regex -i "/etc/squid/acls/gtalk.txt"
> acl SITES_INTERNET_SAP    url_regex -i "/etc/squid/acls/sites_internet_sap.txt"
> 
> 
> # Fix support.microsoft.com by removing Accept-Encoding header
> 
> acl support.microsoft.com     dstdomain support.microsoft.com
> acl trendmicro             url_regex "/etc/squid/acls/trendmicro.txt"
> acl GOV                url_regex -i "/etc/squid/acls/gov.txt"
> acl sites_normas         url_regex -i "/etc/squid/acls/sites_normas.txt"
> acl twitter             url_regex -i "/etc/squid/acls/twitter.txt"
> acl orkut             url_regex -i "/etc/squid/acls/orkut.txt"
> acl ninecon             url_regex -i "/etc/squid/acls/ninecon.txt"
> acl youtube             url_regex -i "/etc/squid/acls/youtube.txt"
> acl facebook             url_regex -i "/etc/squid/acls/facebook.txt"
> 
> ####################################
> # ACLs USING AD GROUP AUTHENTICATION
> ####################################
> 
> acl facebook_liberado         external NT_global_group facebook_liberado
> acl internet_teste        external NT_global_group internet_teste
> acl internet_normal         external NT_global_group internet_normal
> acl internet_liberada         external NT_global_group internet_liberada
> acl internet_bloqueada         external NT_global_group internet_bloqueada
> acl download_liberado         external NT_global_group download_liberado
> acl orkut_liberado         external NT_global_group orkut_liberado
> acl twitter_liberado         external NT_global_group twitter_liberado
> acl youtube_liberado         external NT_global_group youtube_liberado
> acl update_liberado         external NT_global_group update_liberado
> acl webmail_liberado         external NT_global_group webmail_liberado
> acl webmailninecon         external NT_global_group webmailninecon
> acl sites_mkt_vendas         external NT_global_group sites_mkt_vendas
> acl semi_liberado         external NT_global_group semi_liberado
> acl internet_consultores_sap    external NT_global_group internet_consultores_sap
> #acl quiosque_liberado     external NT_global_group internet_quiosque
> 
> 
> ###########################################################
> #
> #  SQUID BLOCKING
> ###########################################################
> 
> http_access allow manager localhost
> http_access allow localhost manager
> http_access allow localhost all
> 
> #http_access allow all
> http_access allow teste all
> http_access allow bancos
> http_access allow bb
> http_access allow bb1
> http_access allow GOV
> http_access allow CAIXA
> http_access allow sites_normas
> http_access allow webmails_liberado
> http_access allow mtmon
> 
> http_access allow internet_liberada all
> 
> http_access allow LAN_ADM sites_mfseguranca
> #http_access allow gilson sites_gilson
> http_access allow gilson
> http_access allow LAN_COJ sites_mfseguranca
> http_access allow dropbox_liberado
> http_access allow ftp
> http_access allow ftp_21
> http_access allow IPS_LIBERADOS
> http_access allow acesso_mkt_vendas sites_mkt_vendas
> http_access allow youtube youtube_liberado
> http_access allow facebook facebook_liberado
> http_access allow WINDOWS_UPDATE update_liberado
> http_access allow webmailninecon ninecon
> http_access allow downloads download_liberado
> http_access deny IPS_BLOQUEADOS
> #http_access allow downloads download_liberado
> #no_cache deny semcache
> cache deny semcache
> http_access allow semcache all
> 
> http_access allow semi_liberado !youtube !facebook !twitter !orkut !GTALK !msn !msn.1 !msn.2 !msn.3 !msn.4 !msn.5 !msn.6 !msn.7 !sites_bloqueados !PORN
> http_access deny sites_bloqueados2
> http_access allow  MSN_Liberado msn msn.1 msn.2 msn.3 msn.4 msn.5 msn.6 msn.7
> http_access deny MSN_Liberado SITES_BLOQUEADOS
> http_access deny MSN_Liberado ORKUT
> http_access allow internet_teste SITES_LIBERADOS
> http_access allow internet_normal SITES_LIBERADOS
> http_access deny internet_teste SITES_BLOQUEADOS
> http_access deny internet_normal SITES_BLOQUEADOS
> #http_access deny !internet_teste
> http_access deny webmail_bloqueado !webmail_liberado
> http_access allow SITES_LIBERADOS
> http_access deny ORKUT !orkut_liberado
> http_access deny twitter !twitter_liberado all
> http_access deny ORKUT
> http_access deny internet_bloqueada all
> http_access allow sites_normas
> #http_access allow WINDOWS_UPDATE update_liberado
> http_access deny WINDOWS_UPDATE
> http_access allow all SSL_ports
> http_access deny msn
> http_access deny msn.1
> http_access deny msn.2
> http_access deny msn.3
> http_access deny msn.4
> http_access deny msn.5
> http_access deny GTALK
> http_access deny PORN !NOPORN all
> http_access deny SITES_BLOQUEADOS
> ##http_access allow downloads download_liberado
> http_access deny downloads
> 
> 
> acl BLOQUEIO_SAP        url_regex "/etc/squid/acls/sites_internet_sap_bloqueio.txt"
> http_access             deny rede_projeto BLOQUEIO_SAP
> 
> http_access allow ntlm_users rede_projeto
> 
> http_access allow internet_consultores_sap SITES_INTERNET_SAP
> http_access allow internet_consultores_sap SITES_LIBERADOS
> http_access allow internet_consultores_sap semauth_sap
> http_access allow rede_projeto SITES_INTERNET_SAP
> http_access allow rede_projeto SITES_LIBERADOS
> http_access deny internet_consultores_sap all
> http_access deny rede_projeto all
> 
> 
> # nelson http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow ntlm_users
> http_access allow LAN_ADM
> http_access allow rede_projeto
> http_access allow LAN_IDU
> http_access allow LAN_JBOCD
> http_access allow LAN_COJ
> http_access allow LAN_COJ_TS
> 
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> 
> cache_mgr suporte@xxxxxxxxx
> #cachemgr_passwd companytTask all
> error_directory /usr/share/squid/errors/pt-br
> coredump_dir /pacotes/squid/core
> 
> 
> Thanks
> 
> 
> 2014/1/13 Eliezer Croitoru <eliezer@xxxxxxxxxxxx>:
> > Hey,
> >
> > I would like to try and understand the issue but it seems too complex
> > for me to understand what happens yet.
> > You use NTLM auth but I do not understand the authentication settings yet.
> > From 2.6 to 3.1.10, was there any other change in the system?
> > As I understand it's an internal proxy, so it seems a bit weird.
> > I do not assume that the issue is in the config file but a basic description
> > of the environment can help to understand more about the subject.
> >
> > If you can share the basic squid.conf it would help but note to remove any
> > personal details or at least change them to make sure that the environment
> > can be understood properly.
> >
> > All The Bests,
> > Eliezer
> >
> >
> > On 13/01/14 16:13, Usuário do Sistema wrote:
> >>
> >> Hello everyone,
> >>
> >>
> >> I have upgraded my Squid from version 2.6.STABLE21 to version 3.1.10.
> >>
> >> After that it always pops up authentication three times before allowing
> >> that URL. Here is an example for the www.bol.com.br URL:
> >>
> >> 1389621501.201      1 192.168.53.31 TCP_DENIED/407 3849 GET http://www.bol.com.br/ - NONE/- text/html
> >> 1389621501.213      2 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
> >> 1389621501.226      4 192.168.53.31 TCP_DENIED/407 4135 GET http://www.bol.com.br/ - NONE/- text/html
> >> 1389621532.660      2 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
> >> 1389621534.117      0 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
> >> 1389621535.165     98 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
> >> 1389621535.397    143 192.168.53.31 TCP_MISS/302 577 GET http://www.bol.com.br/ sa_mtmon DIRECT/200.147.35.224 text/html
> >> 1389621535.542     88 192.168.53.31 TCP_DENIED/407 4187 GET http://www.bol.uol.com.br/ - NONE/- text/html
> >> 1389621535.829    256 192.168.53.31 TCP_DENIED/407 4486 GET http://www.bol.uol.com.br/ - NONE/- text/html
> >> 1389621536.969   1129 192.168.53.31 TCP_MISS/200 35705 GET http://www.bol.uol.com.br/ sa_mtmon DIRECT/200.147.68.9 text/html
> >>
> >>
> >> I realised that the upgrade changed the NTLM version too: before
> >> 3.6.6-0.136.el5 and now 3.6.9-167.el6_5.
> >>
> >>
> >> How can I figure out the problem of the authentication pop-up appearing
> >> three times? Before the upgrade it asked with only one authentication pop-up.
> >>
> >>
> >> thanks
> >>
> >
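As an added example that is not part of the thread, here is a defender-side check over the access.log excerpt quoted above: it parses Squid's native log format and flags runs of more than two consecutive 407 challenges to the same client and URL, which is what the original poster's three prompts look like from the proxy side. The threshold of two challenges per NTLM handshake and the 30-second window are assumptions, not Squid settings.

```python
# Squid native access.log (as in this thread): time elapsed client code/status bytes method URL user hier type
def parse_line(line):
    """Return the fields we need from one native-format line, or None."""
    f = line.split()
    if len(f) != 10 or "/" not in f[3]:
        return None
    code, status = f[3].split("/", 1)
    return {"ts": float(f[0]), "client": f[2], "code": code,
            "status": int(status), "url": f[6], "user": f[7]}
def find_auth_loops(lines, max_challenges=2, window=30.0):
    """List (client, url, challenges, first_ts, last_ts) for every run of
    consecutive 407 replies to one client+URL longer than max_challenges.
    A healthy NTLM handshake costs two 407s (negotiate, challenge) before the
    request is served; a longer run within window seconds is a prompt loop.
    The threshold and window are assumptions, not Squid settings."""
    runs, loops = {}, []
    def close(key):
        run = runs.pop(key, None)
        if run and run[0] > max_challenges:
            loops.append((key[0], key[1], run[0], run[1], run[2]))
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["client"], rec["url"])
        if rec["status"] != 407:
            close(key)                  # any non-407 reply ends the run
            continue
        run = runs.get(key)
        if run and rec["ts"] - run[2] > window:
            close(key)                  # long gap: treat as a new episode
            run = None
        if run is None:
            run = runs[key] = [0, rec["ts"], rec["ts"]]
        run[0] += 1
        run[2] = rec["ts"]
    for key in list(runs):
        close(key)                      # runs that never got a final reply
    return loops

# Lines posted in the thread, re-joined where the mail client wrapped them.
SAMPLE_LOG = """1389621501.201      1 192.168.53.31 TCP_DENIED/407 3849 GET http://www.bol.com.br/ - NONE/- text/html
1389621501.213      2 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
1389621501.226      4 192.168.53.31 TCP_DENIED/407 4135 GET http://www.bol.com.br/ - NONE/- text/html
1389621532.660      2 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
1389621534.117      0 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
1389621535.165     98 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
1389621535.397    143 192.168.53.31 TCP_MISS/302 577 GET http://www.bol.com.br/ sa_mtmon DIRECT/200.147.35.224 text/html
1389621535.542     88 192.168.53.31 TCP_DENIED/407 4187 GET http://www.bol.uol.com.br/ - NONE/- text/html
1389621535.829    256 192.168.53.31 TCP_DENIED/407 4486 GET http://www.bol.uol.com.br/ - NONE/- text/html
1389621536.969   1129 192.168.53.31 TCP_MISS/200 35705 GET http://www.bol.uol.com.br/ sa_mtmon DIRECT/200.147.68.9 text/html"""

if __name__ == "__main__":
    for client, url, n, first, last in find_auth_loops(SAMPLE_LOG.splitlines()):
        print(f"{client} {url}: {n} consecutive 407s within {last - first:.3f}s")
```

The two-challenge run for www.bol.uol.com.br is a normal handshake and stays quiet; only the two three-challenge runs for www.bol.com.br are reported.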




