wonder why there are popups at all. or popups at all.
NTLM should work without any popups.
which browser do you use? IE?

could you try to discard the group-check auth?
we are using NTLM but everyone is allowed, after authentication.
so we do not use external_acl_type.
we only use

acl auth_user proxy_auth REQUIRED
http_access allow auth_user all

> -----Original Message-----
> From: Usuário do Sistema [mailto:maiconlp@xxxxxxxxx]
> Sent: Tuesday, 14 January 2014 13:27
> To: Eliezer Croitoru
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: ask three times authentication
>
> Thank you,
>
> From 2.6 to 3.1.10, was there any other change in the system?
>
> yes, I have changed my squid from a machine with OS Red Hat 5.9
> to another machine with OS CentOS 6.5
>
> the issue seems to be something about authentication
> compatibility between the browser and the new squid version 3.1.10
>
> I still have the old machine. I have done some tests, and from a client
> machine, when I set the old proxy in the browser, it all works.
> but the strange thing is that I use the same squid.conf on both the old
> proxy machine and the new proxy machine, so why does the authentication
> pop-up appear three times only on the new proxy with squid version 3.1.10?
>
> my question is whether there is any problem with authentication in
> squid version 3.1.10?
>
> My squid.conf follows.
>
>
> ############################################################
> #
> # Squid.conf AD authentication
> #
> #############################################################
>
> ## Authentication
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 50
> auth_param ntlm keep_alive on
>
> #auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> #auth_param basic children 30
>
> ## commented out
>
> auth_param basic realm Acesso a Internet teste SA
> auth_param basic credentialsttl 2 hours
>
> authenticate_cache_garbage_interval 1 hour
> authenticate_ttl 120 seconds
>
> external_acl_type NT_global_group children=50 %LOGIN /usr/lib64/squid/squid_unix_group
>
> ## SQSTAT
>
>
> acl ntlm_users proxy_auth REQUIRED
>
> #cache_store_log none
> #cache_log /var/log/squid/cache.log
> #cache_log none
> #request_entities on
>
> # debug_options rotate=16 ALL,1
> #debug_options ALL,9
> #debug_options ALL,1 33,2
> #debug_options ALL
>
>
> visible_hostname proxy.teste.com
> http_port 8080
> http_port 127.0.0.1:3128
> hierarchy_stoplist cgi-bin ?
>
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
>
> access_log /var/log/squid/access.log squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> ie_refresh on
>
> max_filedesc 4096
>
>
> ###################################
> # Cache parameters DO NOT CHANGE  #
> ###################################
>
> #cache_dir aufs /var/spool/squid 6000 16 256
> #cache_dir ufs /var/spool/squid 5000 64 1024
> #cache_dir ufs /var/spool/squid 2048 64 64
>
> diskd_program /usr/lib64/squid/diskd-daemon
>
> cache_dir diskd /var/spool/squid/1 1000 16 128 Q1=64 Q2=72
> cache_dir diskd /var/spool/squid/2 1000 16 128 Q1=64 Q2=72
> cache_dir diskd /var/spool/squid/3 1000 16 128 Q1=64 Q2=72
> cache_dir diskd /var/spool/squid/4 1000 16 128 Q1=64 Q2=72
>
>
> #This stops squid from holding onto ram that it is no longer actively using.
> memory_pools off
>
> #Buffers the write-out to log files. This can increase performance slightly
> buffered_logs on
>
> cache_mem 1024 MB
>
> half_closed_clients off
> cache_swap_low 80%
> cache_swap_high 100%
>
> maximum_object_size 10 MB
> maximum_object_size_in_memory 2048 KB
>
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap GDSF
>
> #######################################
>
> ftp_passive on
> acl ftp_21 port 21
>
> ############################################################
> #
> # Default rules
> #
> ############################################################
>
>
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 20 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # companyling http
> acl Safe_ports port 10080 # http port of the teste remote units.
> acl Safe_ports port 8181 # Publishing
> acl Safe_ports port 10082 # DBMessenger
> acl Safe_ports port 9082
> acl ftp proto FTP
> acl CONNECT method CONNECT
>
>
> #################################
> # Sources
> #################################
> acl rede_projeto src 192.168.52.0/22
> acl nelson src 128.2.20.213
> acl 2m041187 src 128.2.20.171
> acl localhost src 127.0.0.1/32
> acl LAN_GERAL src 128.0.0.0/8
> acl LAN_ADM src 128.2.0.0/16
> acl gilson src 128.2.20.141/32
> acl LAN_IDU src 128.4.0.0/16
> acl LAN_JBOCD src 10.13.0.0/16
> acl LAN_COJ src 128.1.0.0/16
> acl LAN_COJ_TS src 10.1.251.0/25
> acl dropbox_liberado src 128.2.30.201/32
> acl testebo dst 189.36.1.226/32
>
>
> #################################
> # LYNC rules and sites without AUTH
> #################################
> acl MSN_Liberado external NT_global_group msn_liberado
> acl lync url_regex "/etc/squid/acls/lync.txt"
> http_access allow lync
>
> acl semauth url_regex -i "/etc/squid/acls/sites_semauth.txt"
> http_access allow all semauth all
> http_access allow CONNECT semauth all
> http_access allow testebo
>
> acl semauth_sap url_regex -i "/etc/squid/acls/sites_semauth_sap.txt"
> http_access allow rede_projeto semauth_sap all
>
>
> acl msn.8 url_regex "/etc/squid/acls/msn.txt"
> acl local url_regex localhost
>
> http_access allow local
> http_access allow semauth 2m041187
> http_access allow localhost all
> http_access allow nelson
> http_access allow MSN_Liberado msn.8
>
> ############################################################
> #
> # teste rules
> #
> ############################################################
>
> acl manager proto cache_object
>
> acl semcache url_regex "/etc/squid/acls/semcache.txt"
> acl SITES_BLOQUEADOS url_regex -i "/etc/squid/acls/sites_bloqueados.txt"
> acl SITES_LIBERADOS url_regex -i "/etc/squid/acls/sites_liberados.txt"
> acl acesso_mkt_vendas url_regex -i "/etc/squid/acls/acesso_mkt_vendas.txt"
> #acl quiosque url_regex -i "/etc/squid/acls/quiosque.txt"
> acl mtmon url_regex -i "/etc/squid/acls/mtmon.txt"
> acl IPS_LIBERADOS src "/etc/squid/acls/ips_liberados.txt"
> acl IPS_BLOQUEADOS src "/etc/squid/acls/ips_bloqueados.txt"
> acl PORN url_regex -i "/etc/squid/acls/porn.txt"
> acl NOPORN url_regex -i "/etc/squid/acls/noporn.txt"
> acl downloads url_regex -i "/etc/squid/acls/extensoes.txt"
>
>
> acl msn dstdomain loginnet.passport.com login.live.com
> acl msn.1 dstdomain loginnet.passport.com
> acl msn.2 dstdomain webmessenger.msn.com
> acl msn.3 url_regex -i gateway.dll
> acl msn.4 req_mime_type -i ^application/x-msn-messenger$
> acl msn.5 url_regex -i "/etc/squid/acls/msn.txt"
> acl msn.6 src 65.0.0.0/12
> acl msn.7 url_regex -i gateway.dll?
> acl webmails_liberado url_regex -i "/etc/squid/acls/webmail_liberados.txt"
> acl webmail_bloqueado url_regex -i "/etc/squid/acls/webmail_bloqueado.txt"
> acl bb browser C:\BancoBrasil\officeIE\index.html
> acl bancos url_regex -i "/etc/squid/acls/bancos.txt"
> acl bb1 url_regex -i "/etc/squid/acls/bb.txt"
> acl CAIXA url_regex -i "/etc/squid/acls/caixa.txt"
> acl WINDOWS_UPDATE url_regex -i "/etc/squid/acls/windows_update.txt"
> acl teste url_regex -i "/etc/squid/acls/teste.txt"
> acl sites_bloqueados2 url_regex -i "/etc/squid/acls/sites_bloqueados2.txt"
> acl sites_mfseguranca url_regex -i "/etc/squid/acls/sites_mfseguranca.txt"
> acl sites_gilson url_regex -i "/etc/squid/acls/sites_gilson.txt"
> acl GTALK url_regex -i "/etc/squid/acls/gtalk.txt"
> acl SITES_INTERNET_SAP url_regex -i "/etc/squid/acls/sites_internet_sap.txt"
>
>
> # Fix support.microsoft.com by removing Accept-Encoding header
>
> acl support.microsoft.com dstdomain support.microsoft.com
> acl trendmicro url_regex "/etc/squid/acls/trendmicro.txt"
> acl GOV url_regex -i "/etc/squid/acls/gov.txt"
> acl sites_normas url_regex -i "/etc/squid/acls/sites_normas.txt"
> acl twitter url_regex -i "/etc/squid/acls/twitter.txt"
> acl orkut url_regex -i "/etc/squid/acls/orkut.txt"
> acl ninecon url_regex -i "/etc/squid/acls/ninecon.txt"
> acl youtube url_regex -i "/etc/squid/acls/youtube.txt"
> acl facebook url_regex -i "/etc/squid/acls/facebook.txt"
>
> ####################################
> # ACLs USING AD GROUP AUTHENTICATION
> ####################################
>
> acl facebook_liberado external NT_global_group facebook_liberado
> acl internet_teste external NT_global_group internet_teste
> acl internet_normal external NT_global_group internet_normal
> acl internet_liberada external NT_global_group internet_liberada
> acl internet_bloqueada external NT_global_group internet_bloqueada
> acl download_liberado external NT_global_group download_liberado
> acl orkut_liberado external NT_global_group orkut_liberado
> acl twitter_liberado external NT_global_group twitter_liberado
> acl youtube_liberado external NT_global_group youtube_liberado
> acl update_liberado external NT_global_group update_liberado
> acl webmail_liberado external NT_global_group webmail_liberado
> acl webmailninecon external NT_global_group webmailninecon
> acl sites_mkt_vendas external NT_global_group sites_mkt_vendas
> acl semi_liberado external NT_global_group semi_liberado
> acl internet_consultores_sap external NT_global_group internet_consultores_sap
> #acl quiosque_liberado external NT_global_group internet_quiosque
>
>
> ###########################################################
> #
> # SQUID BLOCKING
> ###########################################################
>
> http_access allow manager localhost
> http_access allow localhost manager
> http_access allow localhost all
>
> #http_access allow all
> http_access allow teste all
> http_access allow bancos
> http_access allow bb
> http_access allow bb1
> http_access allow GOV
> http_access allow CAIXA
> http_access allow sites_normas
> http_access allow webmails_liberado
> http_access allow mtmon
>
> http_access allow internet_liberada all
>
> http_access allow LAN_ADM sites_mfseguranca
> #http_access allow gilson sites_gilson
> http_access allow gilson
> http_access allow LAN_COJ sites_mfseguranca
> http_access allow dropbox_liberado
> http_access allow ftp
> http_access allow ftp_21
> http_access allow IPS_LIBERADOS
> http_access allow acesso_mkt_vendas sites_mkt_vendas
> http_access allow youtube youtube_liberado
> http_access allow facebook facebook_liberado
> http_access allow WINDOWS_UPDATE update_liberado
> http_access allow webmailninecon ninecon
> http_access allow downloads download_liberado
> http_access deny IPS_BLOQUEADOS
> #http_access allow downloads download_liberado
> #no_cache deny semcache
> cache deny semcache
> http_access allow semcache all
>
> http_access allow semi_liberado !youtube !facebook !twitter !orkut !GTALK !msn !msn.1 !msn.2 !msn.3 !msn.4 !msn.5 !msn.6 !msn.7 !sites_bloqueados !PORN
> http_access deny sites_bloqueados2
> http_access allow MSN_Liberado msn msn.1 msn.2 msn.3 msn.4 msn.5 msn.6 msn.7
> http_access deny MSN_Liberado SITES_BLOQUEADOS
> http_access deny MSN_Liberado ORKUT
> http_access allow internet_teste SITES_LIBERADOS
> http_access allow internet_normal SITES_LIBERADOS
> http_access deny internet_teste SITES_BLOQUEADOS
> http_access deny internet_normal SITES_BLOQUEADOS
> #http_access deny !internet_teste
> http_access deny webmail_bloqueado !webmail_liberado
> http_access allow SITES_LIBERADOS
> http_access deny ORKUT !orkut_liberado
> http_access deny twitter !twitter_liberado all
> http_access deny ORKUT
> http_access deny internet_bloqueada all
> http_access allow sites_normas
> #http_access allow WINDOWS_UPDATE update_liberado
> http_access deny WINDOWS_UPDATE
> http_access allow all SSL_ports
> http_access deny msn
> http_access deny msn.1
> http_access deny msn.2
> http_access deny msn.3
> http_access deny msn.4
> http_access deny msn.5
> http_access deny GTALK
> http_access deny PORN !NOPORN all
> http_access deny SITES_BLOQUEADOS
> ##http_access allow downloads download_liberado
> http_access deny downloads
>
>
> acl BLOQUEIO_SAP url_regex "/etc/squid/acls/sites_internet_sap_bloqueio.txt"
> http_access deny rede_projeto BLOQUEIO_SAP
>
> http_access allow ntlm_users rede_projeto
>
> http_access allow internet_consultores_sap SITES_INTERNET_SAP
> http_access allow internet_consultores_sap SITES_LIBERADOS
> http_access allow internet_consultores_sap semauth_sap
> http_access allow rede_projeto SITES_INTERNET_SAP
> http_access allow rede_projeto SITES_LIBERADOS
> http_access deny internet_consultores_sap all
> http_access deny rede_projeto all
>
>
> # nelson http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow ntlm_users
> http_access allow LAN_ADM
> http_access allow rede_projeto
> http_access allow LAN_IDU
> http_access allow LAN_JBOCD
> http_access allow LAN_COJ
> http_access allow LAN_COJ_TS
>
> http_access deny all
> http_reply_access allow all
> icp_access allow all
>
> cache_mgr suporte@xxxxxxxxx
> #cachemgr_passwd companytTask all
> error_directory /usr/share/squid/errors/pt-br
> coredump_dir /pacotes/squid/core
>
>
> Thanks
>
>
> 2014/1/13 Eliezer Croitoru <eliezer@xxxxxxxxxxxx>:
> > Hey,
> >
> > I would like to try and understand the issue but it seems like more complex
> > to me to understand what happens yet.
> > You use NTLM auth but I do not understand the authentication settings yet.
> > From 2.6 to 3.1.10, was there any other change in the system?
> > As I understand it's an internal proxy it seems a bit weird.
> > I do not assume that the issue is in the config file but a basic description
> > of the environment can help to understand more about the subject.
> >
> > If you can share the basic squid.conf it would help but note to remove any
> > personal details or at least change them to make sure that the environment
> > can be understood properly.
> >
> > All The Bests,
> > Eliezer
> >
> >
> > On 13/01/14 16:13, Usuário do Sistema wrote:
> >>
> >> Hello everyone,
> >>
> >>
> >> I have upgraded my squid from Version 2.6.STABLE21 to Version 3.1.10
> >>
> >> After that, the authentication pop-up always appears three times before
> >> that URL is allowed. An example for the www.bol.com.br URL follows:
> >>
> >>
> >> 1389621501.201 1 192.168.53.31 TCP_DENIED/407 3849 GET http://www.bol.com.br/ - NONE/- text/html
> >> 1389621501.213 2 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
> >> 1389621501.226 4 192.168.53.31 TCP_DENIED/407 4135 GET http://www.bol.com.br/ - NONE/- text/html
> >> 1389621532.660 2 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
> >> 1389621534.117 0 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
> >> 1389621535.165 98 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
> >> 1389621535.397 143 192.168.53.31 TCP_MISS/302 577 GET http://www.bol.com.br/ sa_mtmon DIRECT/200.147.35.224 text/html
> >> 1389621535.542 88 192.168.53.31 TCP_DENIED/407 4187 GET http://www.bol.uol.com.br/ - NONE/- text/html
> >> 1389621535.829 256 192.168.53.31 TCP_DENIED/407 4486 GET http://www.bol.uol.com.br/ - NONE/- text/html
> >> 1389621536.969 1129 192.168.53.31 TCP_MISS/200 35705 GET http://www.bol.uol.com.br/ sa_mtmon DIRECT/200.147.68.9 text/html
> >>
> >>
> >> I realized that the upgrade changed the NTLM version too: before
> >> 3.6.6-0.136.el5 and now 3.6.9-167.el6_5
> >>
> >>
> >> how can I figure out this problem of the authentication pop-up appearing
> >> three times? Before the upgrade it asked with only one authentication pop-up.
> >>
> >>
> >> thanks
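
The access.log excerpt quoted in this thread can be summarised per request with a short script, added here as an illustration and not part of any message in the thread. It assumes Squid's native log format and approximates a connection by the (client, URL) pair, because access.log does not identify connections; the baseline of two 407s is the usual NTLM challenge/response exchange.

```python
# Lines copied from the access.log excerpt quoted in the thread.
SAMPLE_LOG = """\
1389621501.201 1 192.168.53.31 TCP_DENIED/407 3849 GET http://www.bol.com.br/ - NONE/- text/html
1389621501.213 2 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
1389621501.226 4 192.168.53.31 TCP_DENIED/407 4135 GET http://www.bol.com.br/ - NONE/- text/html
1389621532.660 2 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
1389621534.117 0 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
1389621535.165 98 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
1389621535.397 143 192.168.53.31 TCP_MISS/302 577 GET http://www.bol.com.br/ sa_mtmon DIRECT/200.147.35.224 text/html
1389621535.542 88 192.168.53.31 TCP_DENIED/407 4187 GET http://www.bol.uol.com.br/ - NONE/- text/html
1389621535.829 256 192.168.53.31 TCP_DENIED/407 4486 GET http://www.bol.uol.com.br/ - NONE/- text/html
1389621536.969 1129 192.168.53.31 TCP_MISS/200 35705 GET http://www.bol.uol.com.br/ sa_mtmon DIRECT/200.147.68.9 text/html
"""

# An NTLM handshake costs two 407s: one for the request without credentials,
# one carrying the challenge. More than that means extra authentication rounds.
NTLM_HANDSHAKE_407S = 2

def parse_line(line):
    """Return the fields used below, or None for a malformed line."""
    f = line.split()
    status = f[3].rpartition("/")[2] if len(f) >= 10 else ""
    if not status.isdigit():
        return None
    return {"ts": float(f[0]), "client": f[2], "status": int(status),
            "url": f[6], "user": f[7]}

def auth_rounds(log_text):
    """Per (client, URL), count the 407s logged before the first other reply."""
    pending, done = {}, []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        key = (rec["client"], rec["url"])
        if rec["status"] == 407:
            pending.setdefault(key, []).append(rec["ts"])
            continue
        stamps = pending.pop(key, [])
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        done.append({"client": key[0], "url": key[1], "user": rec["user"],
                     "denied": len(stamps),
                     # a pause of many seconds is consistent with an open credentials dialog
                     "longest_gap": round(max(gaps, default=0.0), 3),
                     "extra_rounds": len(stamps) > NTLM_HANDSHAKE_407S})
    return done

if __name__ == "__main__":
    for r in auth_rounds(SAMPLE_LOG):
        print(r["url"], r["user"], r["denied"], r["longest_gap"],
              "EXTRA ROUNDS" if r["extra_rounds"] else "normal handshake")
```

On the quoted excerpt the first URL shows six 407s before the authenticated reply, while the redirect target completes after two.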