Thanks for your tips. But I figured out the issue another way. I have rolled back to my old machine, which has squid version 2.6, so everything is working.

2014/1/15 Rietzler, Markus (RZF, SG 324 / <RIETZLER_SOFTWARE>) <markus.rietzler@xxxxxxxxx>:
> wonder why there are popups at all. NTLM should work without any popups.
> which browser do you use? IE?
>
> could you try to discard the group-check auth?
> we are using NTLM but everyone is allowed, after authentication. so we do not use external_acl_type.
>
> we only use
>
> acl auth_user proxy_auth REQUIRED
> http_access allow auth_user all
>
>> -----Original Message-----
>> From: Usuário do Sistema [mailto:maiconlp@xxxxxxxxx]
>> Sent: Tuesday, 14 January 2014 13:27
>> To: Eliezer Croitoru
>> Cc: squid-users@xxxxxxxxxxxxxxx
>> Subject: Re: ask three times authentication
>>
>> Thank you,
>>
>> From 2.6 to 3.1.10, was there any other change in the system?
>>
>> yes, I have moved my squid from a machine with OS Red Hat 5.9 to another machine with OS CentOS 6.5
>>
>> the issue seems to be something about authentication compatibility between the browser and the new squid version 3.1.10
>>
>> I still have the old machine. I have done some tests, and from a client machine, when I set the old proxy in the browser, everything works.
>> but the strange thing is that I use the same squid.conf on both the old proxy machine and the new proxy machine, so why does the authentication pop-up appear three times only on the new proxy with squid version 3.1.10?
>>
>> my question is whether there is any problem with authentication in squid version 3.1.10?
>>
>> My squid.conf follows.
>>
>>
>> ############################################################
>> #
>> # Squid.conf AD authentication
>> #
>> #############################################################
>>
>> ## Authentication
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 50
>> auth_param ntlm keep_alive on
>>
>> #auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> #auth_param basic children 30
>>
>> ## commented out
>>
>> auth_param basic realm Acesso a Internet teste SA
>> auth_param basic credentialsttl 2 hours
>>
>> authenticate_cache_garbage_interval 1 hour
>> authenticate_ttl 120 seconds
>>
>> external_acl_type NT_global_group children=50 %LOGIN /usr/lib64/squid/squid_unix_group
>>
>> ## SQSTAT
>>
>>
>> acl ntlm_users proxy_auth REQUIRED
>>
>> #cache_store_log none
>> #cache_log /var/log/squid/cache.log
>> #cache_log none
>> #request_entities on
>>
>> # debug_options rotate=16 ALL,1
>> #debug_options ALL,9
>> #debug_options ALL,1 33,2
>> #debug_options ALL
>>
>>
>> visible_hostname proxy.teste.com
>> http_port 8080
>> http_port 127.0.0.1:3128
>> hierarchy_stoplist cgi-bin ?
>>
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>> acl apache rep_header Server ^Apache
>>
>> access_log /var/log/squid/access.log squid
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>>
>> ie_refresh on
>>
>> max_filedesc 4096
>>
>>
>> ####################################
>> # Cache parameters DO NOT CHANGE #
>> ####################################
>>
>> #cache_dir aufs /var/spool/squid 6000 16 256
>> #cache_dir ufs /var/spool/squid 5000 64 1024
>> #cache_dir ufs /var/spool/squid 2048 64 64
>>
>> diskd_program /usr/lib64/squid/diskd-daemon
>>
>> cache_dir diskd /var/spool/squid/1 1000 16 128 Q1=64 Q2=72
>> cache_dir diskd /var/spool/squid/2 1000 16 128 Q1=64 Q2=72
>> cache_dir diskd /var/spool/squid/3 1000 16 128 Q1=64 Q2=72
>> cache_dir diskd /var/spool/squid/4 1000 16 128 Q1=64 Q2=72
>>
>>
>> #This stops squid from holding onto ram that it is no longer actively using.
>> memory_pools off
>>
>> #Buffers the write-out to log files. This can increase performance slightly
>> buffered_logs on
>>
>> cache_mem 1024 MB
>>
>> half_closed_clients off
>> cache_swap_low 80%
>> cache_swap_high 100%
>>
>> maximum_object_size 10 MB
>> maximum_object_size_in_memory 2048 KB
>>
>> cache_replacement_policy heap LFUDA
>> memory_replacement_policy heap GDSF
>>
>> #######################################
>>
>> ftp_passive on
>> acl ftp_21 port 21
>>
>> ############################################################
>> #
>> # Default rules
>> #
>> ############################################################
>>
>>
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 20 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # companyling http
>> acl Safe_ports port 10080 # HTTP port of the teste remote units.
>> acl Safe_ports port 8181 # Publishing
>> acl Safe_ports port 10082 # DBMessenger
>> acl Safe_ports port 9082
>> acl ftp proto FTP
>> acl CONNECT method CONNECT
>>
>>
>> #################################
>> # Sources
>> #################################
>> acl rede_projeto src 192.168.52.0/22
>> acl nelson src 128.2.20.213
>> acl 2m041187 src 128.2.20.171
>> acl localhost src 127.0.0.1/32
>> acl LAN_GERAL src 128.0.0.0/8
>> acl LAN_ADM src 128.2.0.0/16
>> acl gilson src 128.2.20.141/32
>> acl LAN_IDU src 128.4.0.0/16
>> acl LAN_JBOCD src 10.13.0.0/16
>> acl LAN_COJ src 128.1.0.0/16
>> acl LAN_COJ_TS src 10.1.251.0/25
>> acl dropbox_liberado src 128.2.30.201/32
>> acl testebo dst 189.36.1.226/32
>>
>>
>> #################################
>> # LYNC rules and sites without AUTH
>> #################################
>> acl MSN_Liberado external NT_global_group msn_liberado
>> acl lync url_regex "/etc/squid/acls/lync.txt"
>> http_access allow lync
>>
>> acl semauth url_regex -i "/etc/squid/acls/sites_semauth.txt"
>> http_access allow all semauth all
>> http_access allow CONNECT semauth all
>> http_access allow testebo
>>
>> acl semauth_sap url_regex -i "/etc/squid/acls/sites_semauth_sap.txt"
>> http_access allow rede_projeto semauth_sap all
>>
>>
>> acl msn.8 url_regex "/etc/squid/acls/msn.txt"
>> acl local url_regex localhost
>>
>> http_access allow local
>> http_access allow semauth 2m041187
>> http_access allow localhost all
>> http_access allow nelson
>> http_access allow MSN_Liberado msn.8
>>
>> ############################################################
>> #
>> # teste rules
>> #
>> ############################################################
>>
>> acl manager proto cache_object
>>
>> acl semcache url_regex "/etc/squid/acls/semcache.txt"
>> acl SITES_BLOQUEADOS url_regex -i "/etc/squid/acls/sites_bloqueados.txt"
>> acl SITES_LIBERADOS url_regex -i "/etc/squid/acls/sites_liberados.txt"
>> acl acesso_mkt_vendas url_regex -i "/etc/squid/acls/acesso_mkt_vendas.txt"
>> #acl quiosque url_regex -i "/etc/squid/acls/quiosque.txt"
>> acl mtmon url_regex -i "/etc/squid/acls/mtmon.txt"
>> acl IPS_LIBERADOS src "/etc/squid/acls/ips_liberados.txt"
>> acl IPS_BLOQUEADOS src "/etc/squid/acls/ips_bloqueados.txt"
>> acl PORN url_regex -i "/etc/squid/acls/porn.txt"
>> acl NOPORN url_regex -i "/etc/squid/acls/noporn.txt"
>> acl downloads url_regex -i "/etc/squid/acls/extensoes.txt"
>>
>>
>> acl msn dstdomain loginnet.passport.com login.live.com
>> acl msn.1 dstdomain loginnet.passport.com
>> acl msn.2 dstdomain webmessenger.msn.com
>> acl msn.3 url_regex -i gateway.dll
>> acl msn.4 req_mime_type -i ^application/x-msn-messenger$
>> acl msn.5 url_regex -i "/etc/squid/acls/msn.txt"
>> acl msn.6 src 65.0.0.0/12
>> acl msn.7 url_regex -i gateway.dll?
>> acl webmails_liberado url_regex -i "/etc/squid/acls/webmail_liberados.txt"
>> acl webmail_bloqueado url_regex -i "/etc/squid/acls/webmail_bloqueado.txt"
>> acl bb browser C:\BancoBrasil\officeIE\index.html
>> acl bancos url_regex -i "/etc/squid/acls/bancos.txt"
>> acl bb1 url_regex -i "/etc/squid/acls/bb.txt"
>> acl CAIXA url_regex -i "/etc/squid/acls/caixa.txt"
>> acl WINDOWS_UPDATE url_regex -i "/etc/squid/acls/windows_update.txt"
>> acl teste url_regex -i "/etc/squid/acls/teste.txt"
>> acl sites_bloqueados2 url_regex -i "/etc/squid/acls/sites_bloqueados2.txt"
>> acl sites_mfseguranca url_regex -i "/etc/squid/acls/sites_mfseguranca.txt"
>> acl sites_gilson url_regex -i "/etc/squid/acls/sites_gilson.txt"
>> acl GTALK url_regex -i "/etc/squid/acls/gtalk.txt"
>> acl SITES_INTERNET_SAP url_regex -i "/etc/squid/acls/sites_internet_sap.txt"
>>
>>
>> # Fix support.microsoft.com by removing Accept-Encoding header
>>
>> acl support.microsoft.com dstdomain support.microsoft.com
>> acl trendmicro url_regex "/etc/squid/acls/trendmicro.txt"
>> acl GOV url_regex -i "/etc/squid/acls/gov.txt"
>> acl sites_normas url_regex -i "/etc/squid/acls/sites_normas.txt"
>> acl twitter url_regex -i "/etc/squid/acls/twitter.txt"
>> acl orkut url_regex -i "/etc/squid/acls/orkut.txt"
>> acl ninecon url_regex -i "/etc/squid/acls/ninecon.txt"
>> acl youtube url_regex -i "/etc/squid/acls/youtube.txt"
>> acl facebook url_regex -i "/etc/squid/acls/facebook.txt"
>>
>> ####################################
>> # ACLs using AD group authentication
>> ####################################
>>
>> acl facebook_liberado external NT_global_group facebook_liberado
>> acl internet_teste external NT_global_group internet_teste
>> acl internet_normal external NT_global_group internet_normal
>> acl internet_liberada external NT_global_group internet_liberada
>> acl internet_bloqueada external NT_global_group internet_bloqueada
>> acl download_liberado external NT_global_group download_liberado
>> acl orkut_liberado external NT_global_group orkut_liberado
>> acl twitter_liberado external NT_global_group twitter_liberado
>> acl youtube_liberado external NT_global_group youtube_liberado
>> acl update_liberado external NT_global_group update_liberado
>> acl webmail_liberado external NT_global_group webmail_liberado
>> acl webmailninecon external NT_global_group webmailninecon
>> acl sites_mkt_vendas external NT_global_group sites_mkt_vendas
>> acl semi_liberado external NT_global_group semi_liberado
>> acl internet_consultores_sap external NT_global_group internet_consultores_sap
>> #acl quiosque_liberado external NT_global_group internet_quiosque
>>
>>
>> ###########################################################
>> #
>> # Squid blocking
>> ###########################################################
>>
>> http_access allow manager localhost
>> http_access allow localhost manager
>> http_access allow localhost all
>>
>> #http_access allow all
>> http_access allow teste all
>> http_access allow bancos
>> http_access allow bb
>> http_access allow bb1
>> http_access allow GOV
>> http_access allow CAIXA
>> http_access allow sites_normas
>> http_access allow webmails_liberado
>> http_access allow mtmon
>>
>> http_access allow internet_liberada all
>>
>> http_access allow LAN_ADM sites_mfseguranca
>> #http_access allow gilson sites_gilson
>> http_access allow gilson
>> http_access allow LAN_COJ sites_mfseguranca
>> http_access allow dropbox_liberado
>> http_access allow ftp
>> http_access allow ftp_21
>> http_access allow IPS_LIBERADOS
>> http_access allow acesso_mkt_vendas sites_mkt_vendas
>> http_access allow youtube youtube_liberado
>> http_access allow facebook facebook_liberado
>> http_access allow WINDOWS_UPDATE update_liberado
>> http_access allow webmailninecon ninecon
>> http_access allow downloads download_liberado
>> http_access deny IPS_BLOQUEADOS
>> #http_access allow downloads download_liberado
>> #no_cache deny semcache
>> cache deny semcache
>> http_access allow semcache all
>>
>> http_access allow semi_liberado !youtube !facebook !twitter !orkut !GTALK !msn !msn.1 !msn.2 !msn.3 !msn.4 !msn.5 !msn.6 !msn.7 !sites_bloqueados !PORN
>> http_access deny sites_bloqueados2
>> http_access allow MSN_Liberado msn msn.1 msn.2 msn.3 msn.4 msn.5 msn.6 msn.7
>> http_access deny MSN_Liberado SITES_BLOQUEADOS
>> http_access deny MSN_Liberado ORKUT
>> http_access allow internet_teste SITES_LIBERADOS
>> http_access allow internet_normal SITES_LIBERADOS
>> http_access deny internet_teste SITES_BLOQUEADOS
>> http_access deny internet_normal SITES_BLOQUEADOS
>> #http_access deny !internet_teste
>> http_access deny webmail_bloqueado !webmail_liberado
>> http_access allow SITES_LIBERADOS
>> http_access deny ORKUT !orkut_liberado
>> http_access deny twitter !twitter_liberado all
>> http_access deny ORKUT
>> http_access deny internet_bloqueada all
>> http_access allow sites_normas
>> #http_access allow WINDOWS_UPDATE update_liberado
>> http_access deny WINDOWS_UPDATE
>> http_access allow all SSL_ports
>> http_access deny msn
>> http_access deny msn.1
>> http_access deny msn.2
>> http_access deny msn.3
>> http_access deny msn.4
>> http_access deny msn.5
>> http_access deny GTALK
>> http_access deny PORN !NOPORN all
>> http_access deny SITES_BLOQUEADOS
>> ##http_access allow downloads download_liberado
>> http_access deny downloads
>>
>>
>> acl BLOQUEIO_SAP url_regex "/etc/squid/acls/sites_internet_sap_bloqueio.txt"
>> http_access deny rede_projeto BLOQUEIO_SAP
>>
>> http_access allow ntlm_users rede_projeto
>>
>> http_access allow internet_consultores_sap SITES_INTERNET_SAP
>> http_access allow internet_consultores_sap SITES_LIBERADOS
>> http_access allow internet_consultores_sap semauth_sap
>> http_access allow rede_projeto SITES_INTERNET_SAP
>> http_access allow rede_projeto SITES_LIBERADOS
>> http_access deny internet_consultores_sap all
>> http_access deny rede_projeto all
>>
>>
>> # nelson http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow ntlm_users
>> http_access allow LAN_ADM
>> http_access allow rede_projeto
>> http_access allow LAN_IDU
>> http_access allow LAN_JBOCD
>> http_access allow LAN_COJ
>> http_access allow LAN_COJ_TS
>>
>> http_access deny all
>> http_reply_access allow all
>> icp_access allow all
>>
>> cache_mgr suporte@xxxxxxxxx
>> #cachemgr_passwd companytTask all
>> error_directory /usr/share/squid/errors/pt-br
>> coredump_dir /pacotes/squid/core
>>
>>
>> Thanks
>>
>> 2014/1/13 Eliezer Croitoru <eliezer@xxxxxxxxxxxx>:
>> > Hey,
>> >
>> > I would like to try and understand the issue but it seems like more complex to me to understand what happens yet.
>> > You use NTLM auth but I do not understand the authentication settings yet.
>> > From 2.6 to 3.1.10, was there any other change in the system?
>> > As I understand it's an internal proxy it seems a bit weird.
>> > I do not assume that the issue is in the config file but a basic description of the environment can help to understand more about the subject.
>> >
>> > If you can share the basic squid.conf it would help but note to remove any personal details or at least change them to make sure that the environment can be understood properly.
>> >
>> > All the best,
>> > Eliezer
>> >
>> >
>> > On 13/01/14 16:13, Usuário do Sistema wrote:
>> >>
>> >> Hello everyone,
>> >>
>> >> I have upgraded my squid from Version 2.6.STABLE21 to Version 3.1.10
>> >>
>> >> After that, the authentication pop-up always appears three times before that URL is allowed. An example for the www.bol.com.br URL follows:
>> >>
>> >> 1389621501.201 1 192.168.53.31 TCP_DENIED/407 3849 GET http://www.bol.com.br/ - NONE/- text/html
>> >> 1389621501.213 2 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
>> >> 1389621501.226 4 192.168.53.31 TCP_DENIED/407 4135 GET http://www.bol.com.br/ - NONE/- text/html
>> >> 1389621532.660 2 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
>> >> 1389621534.117 0 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
>> >> 1389621535.165 98 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
>> >> 1389621535.397 143 192.168.53.31 TCP_MISS/302 577 GET http://www.bol.com.br/ sa_mtmon DIRECT/200.147.35.224 text/html
>> >> 1389621535.542 88 192.168.53.31 TCP_DENIED/407 4187 GET http://www.bol.uol.com.br/ - NONE/- text/html
>> >> 1389621535.829 256 192.168.53.31 TCP_DENIED/407 4486 GET http://www.bol.uol.com.br/ - NONE/- text/html
>> >> 1389621536.969 1129 192.168.53.31 TCP_MISS/200 35705 GET http://www.bol.uol.com.br/ sa_mtmon DIRECT/200.147.68.9 text/html
>> >>
>> >> I realized that the upgrade changed the NTLM version too: before 3.6.6-0.136.el5 and now 3.6.9-167.el6_5
>> >>
>> >> how can I figure out this problem of the authentication pop-up appearing three times? before the upgrade it asked for only one authentication pop-up.
>> >>
>> >> thanks
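
Added example (not part of the original thread, and not code from any poster or from the Squid project): a small parser for the native access.log format that counts how many 407 responses a client received for a URL before its first authenticated request, run over the log lines quoted in the thread. The function names and the threshold of two 407 responses per NTLM handshake are assumptions made for this illustration.

```python
# Access-log lines copied from the thread above (squid native log format).
SAMPLE_LOG = """\
1389621501.201 1 192.168.53.31 TCP_DENIED/407 3849 GET http://www.bol.com.br/ - NONE/- text/html
1389621501.213 2 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
1389621501.226 4 192.168.53.31 TCP_DENIED/407 4135 GET http://www.bol.com.br/ - NONE/- text/html
1389621532.660 2 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
1389621534.117 0 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
1389621535.165 98 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
1389621535.397 143 192.168.53.31 TCP_MISS/302 577 GET http://www.bol.com.br/ sa_mtmon DIRECT/200.147.35.224 text/html
1389621535.542 88 192.168.53.31 TCP_DENIED/407 4187 GET http://www.bol.uol.com.br/ - NONE/- text/html
1389621535.829 256 192.168.53.31 TCP_DENIED/407 4486 GET http://www.bol.uol.com.br/ - NONE/- text/html
1389621536.969 1129 192.168.53.31 TCP_MISS/200 35705 GET http://www.bol.uol.com.br/ sa_mtmon DIRECT/200.147.68.9 text/html
"""

# Assumption: one NTLM handshake costs two 407s (anonymous request, then challenge).
NTLM_HANDSHAKE_407S = 2

def parse_line(line):
    """Split one native-format access.log line into the fields used here."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    result, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "client": f[2], "result": result,
            "status": int(status) if status.isdigit() else 0,
            "url": f[6], "user": f[7]}

def auth_rounds(log_text, allowed=NTLM_HANDSHAKE_407S):
    """Per (client, url): count 407s seen before the first authenticated request."""
    # The native log carries no connection id, so requests are grouped by client and URL.
    pending, report = {}, []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        key = (rec["client"], rec["url"])
        if rec["status"] == 407:
            first_ts, n = pending.get(key, (rec["ts"], 0))
            pending[key] = (first_ts, n + 1)
        elif rec["user"] != "-" and key in pending:
            first_ts, n = pending.pop(key)
            report.append({"url": rec["url"], "user": rec["user"], "denials": n,
                           "seconds": round(rec["ts"] - first_ts, 3),
                           "excess": max(0, n - allowed)})
    return report

if __name__ == "__main__":
    for row in auth_rounds(SAMPLE_LOG):
        flag = "repeated challenge" if row["excess"] else "normal handshake"
        print(f'{row["url"]} {row["user"]} 407s={row["denials"]} '
              f'over {row["seconds"]}s -> {flag}')
```

On the thread's log this reports six 407 responses spread over about 34 seconds for http://www.bol.com.br/ and two for http://www.bol.uol.com.br/, which separates the repeated challenges from the ordinary handshake.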