On 6/03/2015 9:49 a.m., Informatico Neurodesarrollo wrote:
> Hi list,
> I am new in the list and I want to solve a problem with the
> authentication process in the factory that I worked some years ago and
> in this place I began work with Linux.
> They use openSuSE 13.2 (64bits) with squid 3.4.4, the specification are:
> - the authentication is local, Unix users
> - two groups created :intranet (only can access to domain ".cu" ),internet
>
> What is the deal?:
>
> When I try to access, in the surfer arise a windows ask me the user and
> password, but when I push Enter key, this windows arise again and I have
> to press several times the "ESC" key to can navigate.

The client software (browser?) is responsible for locating suitable credentials that the authentication system will accept. The popup window you are seeing is one of several options available to it and most modern browsers use it as a last resort only if the automated alternatives fail.

If the proxy is offering multiple types of authentication and the client browser sends the credentials for Type A when they should have been labeled type B, then you can see the popup happen multiple times. There is nothing we (the proxy people) can do about this type of problem in the client browser.

It can also keep popping up if your rules say that the provided credentials are not adequate for the access desired, but other credentials might work. Your browser is given a chance to try those other credentials.

So let's look at the specific config...

>
> I attach below squid.conf file.
>
> My best regards.
>
> PS Apologist my English, but if any body else understand Spanish
> language I can explain better.
>
>
> squid.conf:
>
> # Squid normally listens to port 3128
> http_port 3128
> <snip>
>
> ########################################################
> # Authentication
>
> auth_param basic program /usr/sbin/basic_getpwnam_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 20
> auth_param basic realm Servidor Proxy JVR
> auth_param basic credentialsttl 1 hours
> auth_param basic casesensitive off
>

NOTE: The basic_getpwnam_auth helper does not take any command line parameter "--helper-protocol=squid-2.5-basic"

That should not have been causing any issue though. These settings appear to be fine other than the garbage parameter.

> ############
> # Unix groups
>
> external_acl_type groupo_linux %LOGIN /usr/sbin/ext_unix_group_acl -p
>
> acl nav_nac external groupo_linux intranet
> acl nav_int external groupo_linux internet

The above two ACLs will match the groups.

>
> acl nav_full proxy_auth nav_int
> acl nav_cuba proxy_auth nav_nac

The above two ACLs will match the *individual user login* name "nav_int" or "nav_nac".

>
> acl Auth_jvr proxy_auth REQUIRED
> <snip>
> cache_log /var/log/squid/cache.log
> access_log /var/log/squid/access.log
> cache_store_log /var/log/squid/store.log
> error_directory /usr/share/squid/errors/es

I recommend setting this instead:

    default_error_language es

Your Squid will then report errors your users can read (with Espanol as default), instead of forcing Espanol on all of them.

>
> acl localnet src 10.44.1.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
>
> acl restricted_sites dstdomain "/etc/squid/listas/blocked_sites.acl"
> acl restricted_dst dst "/etc/squid/listas/blocked_src"
> acl nacional dstdomain .cu
>
> # Rule to deny improper words
> acl palabras url_regex -i "/etc/squid/deneg"
> <snip>
>
> http_access allow localnet !restricted_sites !restricted_dst !palabras
> http_access allow Auth_jvr nav_full !nav_nac

The above rule will require authentication for the single user name "nav_int" in the group "internet". Otherwise will request new credentials that can pass the tests (the popup).

> http_access allow Auth_jvr nav_cuba nacional

The above will request authentication, and if it is provided and the other check passes will allow the request. Due to the "nacional" ACL being last it will NOT request different credentials.

I suspect your use of individual username ACLs is a mistake. Your policy description only mentioned restricting access by group.

Which means your custom ACL tests should be:

    # allow access *from* LAN machines unless requesting restricted URLs
    http_access allow localnet !restricted_sites !restricted_dst !palabras

    # require login for restricted URLs
    http_access deny !Auth_jvr

    # group "internet" users can access anywhere
    http_access allow nav_int all

    # group "intranet" users can access restricted .cu domains
    http_access allow nav_nac nacional

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
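
A small linter for the mix-up discussed in the reply above, where a proxy_auth ACL lists the name of another ACL and is therefore compared against the login name. This is an added example, not part of the original message or of Squid; the function names are this example's own, and the sample input is constructed from the ACL lines in the quoted squid.conf.

```python
# Added example: lint squid.conf for proxy_auth ACLs that list another ACL's name.
SAMPLE_CONF = """\
external_acl_type groupo_linux %LOGIN /usr/sbin/ext_unix_group_acl -p
acl nav_nac external groupo_linux intranet
acl nav_int external groupo_linux internet
acl nav_full proxy_auth nav_int
acl nav_cuba proxy_auth nav_nac
acl Auth_jvr proxy_auth REQUIRED
"""  # constructed input: ACL lines copied from the quoted squid.conf


def parse_acls(conf_text):
    """Return (lineno, name, type, values) for each 'acl' directive."""
    acls = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acls.append((lineno, parts[1], parts[2], parts[3:]))
    return acls


def find_login_name_mixups(conf_text):
    """Flag proxy_auth values that are really the names of other ACLs.

    proxy_auth compares its values with the login name, so such a line
    only matches a user literally called e.g. "nav_int".
    """
    acls = parse_acls(conf_text)
    acl_types = {name: acl_type for _, name, acl_type, _ in acls}
    findings = []
    for lineno, name, acl_type, values in acls:
        if acl_type != "proxy_auth":
            continue
        for value in values:
            if value == "REQUIRED" or value.startswith("-"):
                continue  # keyword or option flag, not a login name
            if value in acl_types and value != name:
                findings.append((lineno, name, value, acl_types[value]))
    return findings


if __name__ == "__main__":
    for lineno, name, value, ref_type in find_login_name_mixups(SAMPLE_CONF):
        print(f"line {lineno}: acl {name} proxy_auth {value}: "
              f"'{value}' is a {ref_type} ACL, not a login name")
```

A finding is a hint to review, not proof of an error: a real account may share its name with an ACL.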