I have configured a Squid 3 proxy server on Debian 7, integrated with a Samba 4 domain.
For Windows machines joined to the domain, Squid uses the network user's credentials to allow browsing.
On Linux workstations, even when they are joined to the domain, the user's password is requested when the browser is opened. If the user types the correct password the first time, access is allowed. However, if the user gets the password wrong, a new authentication is requested, and this is where the problem starts. Even if the user then enters the correct password, the box asking for username and password appears again. At this point it is no longer possible to authenticate to the proxy; it is as if the user had typed the wrong password. To get it working again the user has to log out, log on again and enter the correct password at the first browser prompt.
Does anyone have an idea what this could be?
This is my squid.conf:
### Basic settings
http_port 3128
#hierarchy_stoplist cgi-bin ?
### Do not cache CGI output
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 64 KB
cache_mem 60 MB
# So that downloads are not aborted
quick_abort_min -1 KB
detect_broken_pconn on
pipeline_prefetch on
fqdncache_size 1024
### Cache refresh parameters
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
### RAM and disk cache parameters
cache_swap_low 90
cache_swap_high 95
### Log locations
cache_access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
### Disk cache location, size (MB), number of top-level and second-level directories
cache_dir aufs /var/spool/squid3 600 16 256
# Log file rotation
logfile_rotate 10
hosts_file /etc/hosts
# Allow direct (uncached) access to the Caixa site
acl caixa dstdomain .caixa.gov.br
always_direct allow caixa
cache deny caixa
### AD authentication via Winbind
# NTLM
# for users logged on to Windows machines, reuse the logon credentials
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
#auth_param ntlm keep_alive on
# for non-Windows clients, user/password must be prompted for
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm "Acesso Monitorado"
# a user/password pair validated by the helper is cached for 2 hours before the helper is asked again
auth_param basic credentialsttl 2 hours
# group membership lookups, keyed by login name (%LOGIN), cached for 600 s
external_acl_type ad_group ipv4 ttl=600 children-max=35 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl
### ACLs
#acl manager proto cache_object
# note: "localhost" here is the proxy's LAN address, not 127.0.0.1
acl localhost src 192.168.0.1/32
acl SSL_ports port 22 443 563 # https, snews
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3001 # Imprensa Nacional
acl purge method PURGE
acl CONNECT method CONNECT
### Initial Squid rules
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#acl manager proto cache_object
# defined but not referenced by any http_access rule below
acl connect_abertas maxconn 8
# ACLs tied to authentication (a %LOGIN lookup challenges the client for credentials)
acl grupo_admins external ad_group gg_webadmins
acl grupo_liberado external ad_group gg_webliberados
acl grupo_restrito external ad_group gg_webcontrolados
### Block file extensions
acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"
### Allow some sites
acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
### Block sites by URL
acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"
### Block by keyword
acl palavras_bloqueadas url_regex -i "/etc/squid3/acls/palavras-proibidas"
### Require authentication
acl autenticados proxy_auth REQUIRED
# allow the internet admins group
http_access allow grupo_admins
http_access deny extensoes_bloqueadas
http_access allow sites_liberados
http_access deny sites_bloqueados
http_access deny palavras_bloqueadas
##### Allow access for the managers group
http_access allow grupo_liberado
### Allow social media and music during lunch
acl almoco time 11:30-13:30
# note: this rule is not restricted by user or group, so any request that reaches it
# between 11:30 and 13:30 is allowed and skips the social media, streaming and group checks below
http_access allow almoco
# block social media during working hours
acl social_proibido url_regex -i "/etc/squid3/acls/media-social"
http_access deny social_proibido
# Rule to block online radio / streaming file extensions:
acl streaming req_mime_type -i "/etc/squid3/acls/mimeaplicativo"
#acl proibir_musica urlpath_regex -i "/etc/squid3/acls/audioextension"
acl proibir_musica url_regex -i "/etc/squid3/acls/audioextension"
http_access deny proibir_musica
http_reply_access deny streaming
### Bandwidth control
### There is only one pool (1)
delay_pools 1
### pool number (1) and class type (2): aggregate bandwidth plus a bucket per client address
delay_class 1 2
### values are bytes/second: approx. 32 Mbit/s aggregate and 512 Kbit/s per client address
delay_parameters 1 4194304/4194304 64000/64000
delay_access 1 allow grupo_restrito
http_access allow grupo_restrito
# allow all authenticated users
#http_access deny !autenticados
http_access allow autenticados
### Local network #####
acl rede_local src 192.168.0.0/22
### Deny access to anyone outside the local network
# (evaluated only after the allow rules above, so it does not limit requests already allowed there)
http_access deny !rede_local
# deny everyone not matched by the previous rules
http_access deny all
visible_hostname proxy.empresa.com.br
### Error pages in Portuguese
error_directory /usr/share/squid3/errors/Portuguese
#cache_effective_user proxy
coredump_dir /var/spool/squid3
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
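To tell a helper/winbind problem apart from something on Squid's side, the Basic helper from the posted squid.conf can be driven by hand, bypassing the browser and Squid entirely. The script below is an added example, not code from the original post, from Squid or from Samba: it feeds the helper a correct, a wrong and then again the correct password, each in a fresh helper process, and reports the three replies. The helper path defaults to the one configured in the post; the user name and passwords on the command line are placeholders (an assumption), and the test credentials in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): probe a Squid "squid-2.5-basic"
# helper directly with the sequence correct / wrong / correct, the same order
# of events that breaks Basic auth for the Linux clients described in the post.
# HELPER defaults to the helper configured in the posted squid.conf; the
# credentials passed on the command line are placeholders (assumption).

HELPER="${HELPER:-/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic}"

# Squid hands the two fields to a basic helper URL-encoded, so a space or '%'
# in a password is sent as %20 / %25; encode the same way to reproduce what
# Squid sends ('%' must be escaped first).
encode_cred() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g'
}

# ask_helper USER PASSWORD
# Starts one fresh helper process, sends a single "user password" line and
# prints the first word of the reply: OK, ERR or BH (helper failure).
ask_helper() {
    # $HELPER is deliberately unquoted so its --helper-protocol argument splits off
    printf '%s %s\n' "$(encode_cred "$1")" "$(encode_cred "$2")" \
        | $HELPER 2>/dev/null | head -n 1 | cut -d ' ' -f 1
}

# probe_sequence USER GOOD_PASSWORD WRONG_PASSWORD
# Prints the three replies, e.g. "OK ERR OK". A third reply of OK means the
# helper (and therefore winbind) still accepts the password after a failure,
# so the rejection seen in the browser is not coming from the helper.
# NOREPLY marks a helper that could not be started or printed nothing.
probe_sequence() {
    r1=$(ask_helper "$1" "$2")
    r2=$(ask_helper "$1" "$3")
    r3=$(ask_helper "$1" "$2")
    echo "${r1:-NOREPLY} ${r2:-NOREPLY} ${r3:-NOREPLY}"
}

# Usage: sh probe-basic-helper.sh 'DOMAIN\user' 'GoodPassword' 'WrongPassword'
if [ $# -eq 3 ]; then
    probe_sequence "$1" "$2" "$3"
fi
```

Run it as the same account Squid runs under (the proxy user) so that the helper talks to the same winbind pipe. If the third reply is OK, the helper accepts the password after a failure and the problem sits between Squid and the browser; if the third reply is ERR even though each call is a fresh process, winbind itself is rejecting the account, and `wbinfo -a 'DOMAIN\user%password'` together with the Samba logs is the next thing to check.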