On 16/11/2015 7:17 a.m., Marcio Demetrio Bacci wrote:
> Hi,
>
> My problem is as follows:
>
> The Windows stations in the domain are automatically authenticated on the
> proxy, though the Linux stations ask for the password twice, even if the
> password is entered correctly the first time.
>
> Does somebody have an idea?

How are you identifying "ask for the password twice"?

two popups? (one for NTLM then one for Basic)
or, two 407 responses? (NTLM requirement)

Also what Squid version are you using?

>
> Follow my squid.conf file
>
>
> ### Basic settings
> http_port 3128
>
> #debug_options ALL,111,2 29,9 84,6
>
> hierarchy_stoplist cgi-bin ?
>
> ### Do not cache CGIs
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

If you have a current Squid the above QUERY and hierarchy_stoplist lines
are not useful, and may be harming your cache ratios.

>
> cache_mem 512 MB
> cache_swap_low 80
> cache_swap_high 90
> maximum_object_size 512 MB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 4096 KB
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap LFUDA
>
> # So that downloads are not blocked
> quick_abort_min -1 KB
>
>
> # Works around a problem with persistent connections
> detect_broken_pconn on
>
> # Improves performance when using pipelined connections
> pipeline_prefetch on

NTLM authentication behaviour does not comply with HTTP specification
requirements, one of the side effects is that it breaks HTTP pipelines.

>
> fqdncache_size 1024
>
> ### Cache refresh parameters
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> ### Log locations
> access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log
>
>
> ### Defines the disk cache location, size, number of parent directories
> and subdirectories
> cache_dir aufs /var/spool/squid3 600 16 256
>
> # Log file control
> #logfile_rotate 10
>
> # Allow access to the Caixa site
> acl caixa dstdomain .caixa.gov.br
> always_direct allow caixa
> cache deny caixa

You do not use cache_peer directives. The always_direct is not doing anything.

>
>
> ### Authenticates against AD via Winbind
>
> # NTLM
> # for users logged in on Windows machines, reuses the logon password
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 50
> auth_param ntlm keep_alive off
>
>
> # for non-Windows clients, user/password must be requested
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 10
> auth_param basic realm "Autenticacao - CMB - Acesso Monitorado"
> auth_param basic credentialsttl 2 hours
>
> external_acl_type ad_group ipv4 ttl=600 children-max=35 %LOGIN
> /usr/lib/squid3/ext_wbinfo_group_acl
>
>
> ### ACLs
>
> #acl manager proto cache_object
> acl localhost src 192.168.100.1/32
> #acl to_localhost dst 192.168.100.1/32
> acl SSL_ports port 22 443 563 10000 # https, snews
> acl Safe_ports port 80 8080 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 3001 # Imprensa Nacional
>
> acl purge method PURGE
> acl CONNECT method CONNECT
>
>
> ### Initial Squid rules
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
>
> #acl manager proto cache_object
>
> acl connect_abertas maxconn 8
>
>
> # ACLs tied to authentication
> acl grupo_admins external ad_group gg_webadmins
> acl grupo_liberado external ad_group gg_webliberados
> acl grupo_restrito external ad_group gg_webcontrolados
>
>
> ### Blocks file extensions
> acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"
>
> ### Allow some sites
> acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
>
> ### Blocks sites by URL
> acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"
>
> ### Blocks by keyword
> acl palavras_bloqueadas url_regex -i "/etc/squid3/acls/palavras-proibidas"
>
>
> ### Requires authentication
> acl autenticados proxy_auth REQUIRED
>
> ### Hooks in the SquidGuard rules ####
> #redirect_program /usr/bin/squidGuard
> #redirect_children 20
> #redirector_bypass on
>
> # allow the internet group
> http_access allow grupo_admins

grupo_admins requires authentication to be tested.

>
> #http_access deny extensoes_bloqueadas
> http_access allow sites_liberados
> http_access deny sites_bloqueados
> http_access deny palavras_bloqueadas
>
> ##### Allows access for the managers and teachers group
> http_access allow grupo_liberado
>
> ### Allowing social media and music during the lunch break
> acl almoco time 11:30-13:30
> http_access allow almoco

Almost unlimited proxy access to *anybody* for two hours each day. This
does not seem to be a desirable situation.

>
> # blocks social media during working hours
> acl social_proibido url_regex -i "/etc/squid3/acls/media-social"
> http_access deny social_proibido
>
> # Rule for blocking online radio extensions / streaming files:
> acl streaming req_mime_type -i "/etc/squid3/acls/mimeaplicativo"
>
> #acl proibir_musica urlpath_regex -i "/etc/squid3/acls/audioextension"
> acl proibir_musica url_regex -i "/etc/squid3/acls/audioextension"
> http_access deny proibir_musica
> http_reply_access deny streaming

"streaming" is checking *request* Content-Type header (uploads only). It
is not useful on *reply* access.

I think you are intending to use reply mime type (downloads), which is
matched by rep_mime_type (note the 'p').

>
> ### Bandwidth control
> ### There is only one pool (1)
> delay_pools 1
> ### pool number (1) and class type (2): total available bandwidth and total
> bandwidth per user
> delay_class 1 2
>
> ### approx. 32Mbps for everyone and 500Kbps for each user
> delay_parameters 1 4194304/4194304 64000/64000
> delay_access 1 allow grupo_restrito
>
> http_access allow grupo_restrito
>
> # allowing access to all authenticated users
> http_access allow autenticados
>
> ### LAN #####
> acl rede_lan src 192.168.100.0/22
>
> ### Denies access to anyone not on the local network
> http_access deny !rede_lan
>

"deny !rede_lan" does not do anything useful when followed by "deny all".

NP: You also allowed unlimited access earlier.

> # denying access to everyone not matched by the previous rules
> http_access deny all

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
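As an added illustration of the rule-ordering comments above (not code from the thread or from Squid itself), here is a toy first-match model of the quoted http_access lines: it omits the URL-list ACLs and Squid's 407-challenge handling, and the client addresses and group names in the checks are constructed.

```python
# Toy first-match model of the http_access rules quoted in this thread (added
# example; not Squid's code). URL-list ACLs and Squid's 407-challenge logic are omitted.
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    src: str                          # client IP address
    hour: float                       # local time as decimal hours (12.5 == 12:30)
    port: int = 80
    login: "str | None" = None        # None: no Proxy-Authorization header sent
    groups: frozenset = frozenset()   # AD groups as ext_wbinfo_group_acl would report

LAN = ipaddress.ip_network("192.168.100.0/22")   # the quoted rede_lan acl
SAFE = {80, 8080, 21, 443, 563, 70, 210, 280, 488, 591, 777, 3001}

# acl name -> (needs a login, predicate). The group ACLs use %LOGIN, so they
# cannot match until the client has sent credentials; "!name" negates a match.
ACLS = {
    "Safe_ports":     (False, lambda r: r.port in SAFE or 1025 <= r.port <= 65535),
    "grupo_admins":   (True,  lambda r: "gg_webadmins" in r.groups),
    "grupo_liberado": (True,  lambda r: "gg_webliberados" in r.groups),
    "almoco":         (False, lambda r: 11.5 <= r.hour <= 13.5),
    "grupo_restrito": (True,  lambda r: "gg_webcontrolados" in r.groups),
    "autenticados":   (True,  lambda r: True),
    "rede_lan":       (False, lambda r: ipaddress.ip_address(r.src) in LAN),
    "all":            (False, lambda r: True),
}

RULES = [  # same relative order as in the quoted squid.conf
    ("deny", ["!Safe_ports"]), ("allow", ["grupo_admins"]),
    ("allow", ["grupo_liberado"]), ("allow", ["almoco"]),
    ("allow", ["grupo_restrito"]), ("allow", ["autenticados"]),
    ("deny", ["!rede_lan"]), ("deny", ["all"]),
]

def acl_matches(name, req):
    negate = name.startswith("!")
    needs_login, pred = ACLS[name.lstrip("!")]
    value = False if (needs_login and req.login is None) else pred(req)
    return value != negate

def http_access(req, rules=RULES):
    """Return (verdict, index of the winning rule); every ACL on a line must match."""
    for i, (action, names) in enumerate(rules):
        if all(acl_matches(n, req) for n in names):
            return action, i
    last = rules[-1][0] if rules else "deny"            # implicit default: opposite
    return ("allow" if last == "deny" else "deny"), -1  # of the last rule's action
```

Run against an unauthenticated off-LAN client at 12:00 the verdict is "allow" from the almoco line, before any credential is ever required; at 15:00 a LAN client falls through "deny !rede_lan" and is denied by "deny all" instead, so that line changes nothing.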