On 30/09/2015 12:35 p.m., Marcio Demetrio Bacci wrote:
> I have configured a Squid 3 proxy server on Debian 7, integrated with a
> Samba 4 domain.
>
> For Windows machines joined to the domain, Squid uses the network user
> credential to allow browsing.
>
> On Linux stations, even those in the domain, the user's password is
> requested when the browser is opened. When the user types the correct
> password the first time, access is allowed. However, if the user gets the
> password wrong, a new authentication is required, and that is where the
> problem starts. Even when the user enters the correct password, a box
> asking for the username and password appears again. At this point it is no
> longer possible to authenticate to the proxy. It is as if the user had
> typed the wrong password. To get it working, the user needs to log out and
> log on again and enter the correct password the first time in the browser.
>
> Does anyone have an idea what this can be?
>

Try:
  auth_param ntlm keep_alive off

Squid has become HTTP/1.1 software with different keep-alive defaults. An
annoying amount of software cannot handle real HTTP behaviour when doing NTLM.

> This is my squid.conf
>
> ### Basic settings
> http_port 3128
>
> #hierarchy_stoplist cgi-bin ?
>
> ### Block caching of CGIs
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
>

You can remove the above in the current Squid. Your HIT ratio should go up a
few %.

> maximum_object_size 4096 KB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 64 KB
> cache_mem 60 MB
>
> # So as not to block downloads
> quick_abort_min -1 KB
>
> detect_broken_pconn on
>
> pipeline_prefetch on
>
> fqdncache_size 1024
>
> ### Cache refresh parameters
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> ### RAM and disk cache parameters
> cache_swap_low 90
> cache_swap_high 95

These are defaults. You can remove these cache_swap_* lines from squid.conf.

>
> ### Log locations
> cache_access_log /var/log/squid3/access.log

The above directive should be called "access_log" since about squid-2.5.

> cache_log /var/log/squid3/cache.log
> cache_store_log /var/log/squid3/store.log
>

Unless you are using it for something, you can remove the cache_store_log
line completely.

>
> ### defines the disk cache location, size, number of parent directories
> and subdirectories
> cache_dir aufs /var/spool/squid3 600 16 256
>
> # Log file control
> logfile_rotate 10

This should be removed on Debian. The logrotate.d service takes care of log
maintenance. Edit the /etc/logrotate.d/squid* file to change what it does.

>
> hosts_file /etc/hosts

This is default. You can remove it from squid.conf.

>
> # Allow access to the Caixa site
> acl caixa dstdomain .caixa.gov.br
> always_direct allow caixa

You do not have cache_peer configured. This always_direct does nothing.

> cache deny caixa
>
>
> ### Authenticate against AD via Winbind
>
> # NTLM
> # for users logged on to Windows machines, reuse the logon password
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
>
> #auth_param ntlm keep_alive on
>
>
> # for non-Windows clients, user/password must be requested
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm "Acesso Monitorado"
> auth_param basic credentialsttl 2 hours
>
> external_acl_type ad_group ipv4 ttl=600 children-max=35 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl
>
>
> ### ACLs
>
> #acl manager proto cache_object
> acl localhost src 192.168.0.1/32
> acl SSL_ports port 22 443 563 # https, snews
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 3001 # Imprensa Nacional
>
> acl purge method PURGE
> acl CONNECT method CONNECT
>
>
> ### Initial Squid rules
>

Best practice is now to place these two lines at the top of the list:

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

That prevents DoS attacks against the mgr interface of Squid.

> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
>
<snip>
>
> ### Local network #####
> acl rede_local src 192.168.0.0/22
>
> ### Deny access to anyone not on the local network
> http_access deny !rede_local

Followed by "deny all" this rede_local does nothing useful. You can remove it.

>
> # deny access to everyone not matched by the previous rules
> http_access deny all
>
> visible_hostname proxy.empresa.com.br
>
>
> ### Errors in Portuguese
> error_directory /usr/share/squid3/errors/Portuguese
>

errors/Portuguese no longer exists. Use errors/pt, OR just remove this and
Squid will answer users in the language(s) their browser asks for.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
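The two config points in the reply that are easiest to get wrong silently, the protective `http_access deny` lines running after an `allow`, and obsolete or default directives left in the file, can be checked mechanically. This is an added example, not code from the thread or from the Squid project; `SAMPLE` is a constructed excerpt that mirrors the order of the posted config, and `FIXED` is the same excerpt reordered as Amos suggests.

```python
"""Lint a squid.conf for the problems raised in the reply above.
Added example, not from the thread or the Squid project; SAMPLE and FIXED
are constructed excerpts, not the poster's full config."""
# Directives the reply calls obsolete, default or no-ops in current Squid.
OBSOLETE = {
    "cache_access_log": "renamed to access_log since squid-2.5",
    "hosts_file": "default value, can be removed",
    "cache_swap_low": "default value, can be removed",
    "cache_swap_high": "default value, can be removed",
}
# Protective denies that should run before any http_access allow line.
PROTECTIVE = ("deny !Safe_ports", "deny CONNECT !SSL_ports")

SAMPLE = """\
cache_access_log /var/log/squid3/access.log
cache_swap_low 90
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""
# Same excerpt with the two denies moved to the top, as the reply suggests.
FIXED = """\
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access deny all
"""

def http_access_rules(conf):
    """Return the http_access rules in file order, '#' comments stripped."""
    rules = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if words[:1] == ["http_access"]:
            rules.append(" ".join(words[1:]))
    return rules

def late_protective_denies(conf):
    """Protective denies that are missing or placed after the first allow."""
    rules = http_access_rules(conf)
    first_allow = next((i for i, r in enumerate(rules) if r.startswith("allow ")), len(rules))
    return [p for p in PROTECTIVE if p not in rules or rules.index(p) > first_allow]

def obsolete_directives(conf):
    """(directive, reason) for each obsolete or default-valued directive present."""
    names = [ln.split()[0] for ln in conf.splitlines() if ln.split() and not ln.lstrip().startswith("#")]
    return [(n, OBSOLETE[n]) for n in names if n in OBSOLETE]
```

Run `late_protective_denies` against a real squid.conf to see which of the two denies an `allow` can bypass; an empty list means the ordering matches the recommendation.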