On 23/10/2015 3:08 a.m., Athos Fiolo wrote:
> Hi Amos.
>
>> Please check if a helper lookup is being performed on each request as well as new nonce generated.
>
> I guess you are right, but I don't know how to solve it.
> cache.log doesn't show restarts for the helper, even if only 1/5 helper is started.
> The output log of the helper shows no caching of the result (see later).
> On the contrary, the external type helper shows the result is cached for 30s (correct).
>

Okay, that would make it the side effect of the CVE-2014-9749 fix (aka. bug 4066) that was included in the Debian package doing its job overly well. It's unfortunately verbose, but should not be a huge problem.

>
> squid.conf
> auth_param digest program /usr/bin/php /etc/squid3/check_user.php
> auth_param digest children 5
> auth_param digest realm MySquidProxy
> auth_param digest nonce_garbage_interval 5 minutes
> auth_param digest nonce_max_duration 2 hours
> auth_param digest nonce_max_count 50
>
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
> auth_param basic children 5
> auth_param basic realm MySquidProxy
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> external_acl_type reqtype_filter ttl=30 children-max=20 %LOGIN %DST %PORT %METHOD %URI %PATH /usr/bin/php /etc/squid3/check_request.php
>
> acl auth_users proxy_auth REQUIRED
> acl userx_auth proxy_auth userx
> acl auth_reqtype external reqtype_filter
> acl to_vpn dst 1.2.3.4/16
>
> [...]
> http_access allow userx_auth to_vpn #maybe better postpone this line to the following one?
> http_access allow auth_reqtype auth_users to_vpn
>

I would put the "to_vpn" first on those lines, since the non-to_vpn transactions don't seem to need authenticating.

Amos
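
Added example, not part of the original message or of Squid's code: a small Python model of how Squid tests the ACLs on an http_access line left to right and stops at the first mismatch, counting helper lookups for the two posted lines as written and with to_vpn first. The sample requests, the one-auth-lookup-per-request model, and ignoring the ttl=30 external cache are assumptions; rules elided by "[...]" are not modelled.

```python
import ipaddress

# to_vpn from the posted squid.conf; strict=False accepts the host bits in 1.2.3.4/16
TO_VPN = ipaddress.ip_network("1.2.3.4/16", strict=False)

# The two http_access allow lines, as posted and with to_vpn moved to the front
AS_POSTED = [["userx_auth", "to_vpn"], ["auth_reqtype", "auth_users", "to_vpn"]]
TO_VPN_FIRST = [["to_vpn", "userx_auth"], ["to_vpn", "auth_reqtype", "auth_users"]]

# Constructed sample requests (not from the thread)
REQUESTS = [
    {"dst": "1.2.9.9", "user": "userx", "reqtype_ok": True},
    {"dst": "1.2.9.9", "user": "bob", "reqtype_ok": True},
    {"dst": "8.8.8.8", "user": "bob", "reqtype_ok": True},
    {"dst": "93.184.216.34", "user": "userx", "reqtype_ok": True},
]

def evaluate(rules, requests):
    """Return (verdicts, auth helper lookups, external helper lookups)."""
    calls = {"auth": 0, "external": 0}

    def login(req):
        # Assumed model: one auth helper lookup per request, nothing cached across requests
        if not req.get("_authed"):
            req["_authed"] = True
            calls["auth"] += 1
        return req["user"]

    def reqtype(req):
        login(req)              # %LOGIN in the helper format needs credentials first
        calls["external"] += 1  # assumed: the ttl=30 result cache is ignored
        return req["reqtype_ok"]

    acls = {
        "to_vpn": lambda r: ipaddress.ip_address(r["dst"]) in TO_VPN,
        "userx_auth": lambda r: login(r) == "userx",
        "auth_users": lambda r: login(r) is not None,
        "auth_reqtype": reqtype,
    }
    verdicts = []
    for req in requests:
        req = dict(req)  # per-request state, so the samples stay unmodified
        # all() over a generator stops at the first ACL on the line that does not match
        hit = any(all(acls[name](req) for name in line) for line in rules)
        verdicts.append("allow" if hit else "falls through")
    return verdicts, calls["auth"], calls["external"]

if __name__ == "__main__":
    print("as posted:   ", evaluate(AS_POSTED, REQUESTS))
    print("to_vpn first:", evaluate(TO_VPN_FIRST, REQUESTS))
```

In this model the verdicts are identical in both orderings; only the number of helper lookups spent on non-to_vpn requests changes.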