Hi!
I have a problem with authentication. If these users try to open https sites, all works well; they do not have any type of errors.
So we have errors only with unencrypted connections.
I have this error on two servers:
debian8, squid3.4 (from repository)
CentOS7, squid3.3.8 (from repository).
squid servers are domain joined.
System Time on client PC is correct.
Sorry for my bad English.
Thank you for your help.
Configuration files are in the attachment.
--
Best regards, Дмитрий Ермаков.
# Uncomment and adjust the following to add a disk cache directory.
cache_dir aufs /var/spool/squid3/ 10000 32 256
http_port 127.0.0.1:4001
cache_mem 1024 MB
visible_hostname it-gw-b.vod.local
http_access allow localhost
access_log /var/log/squid3/access.backend.log
cache_log /var/log/squid3/cache.backend.log
#Memory Cache size
cache_mem 256 MB
maximum_object_size_in_memory 1024 KB
cache_peer 127.0.0.1 parent 4001 0 default name=it-squid-b.vod.local
never_direct allow all
visible_hostname it-gw-f.vod.local
######AUTHENTICATION BLOCK#############
#Authentication Programs
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100 startup=5 idle=5
auth_param ntlm keep_alive on
#authenticate_ttl 1 hour
#authenticate_cache_garbage_interval 1 hour
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic credentialsttl 600 second
auth_param basic children 60 startup=5 idle=5
#Need Auth
acl AuthorizedUsers proxy_auth REQUIRED
#Unlim speed users
acl unlim_group src "/etc/squid/acl/unlim_group"
#Check group membership
external_acl_type testforGroup children-max=30 children-startup=5 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl
acl internet_G external testforGroup Internet_group
acl internet_SG external testforGroup Internet_super_group
########## END AUTHENTICATION BLOCK #########
####### Speed Limits Block ###########
delay_pools 3
#Limit for internet super group
delay_class 1 4
#Limit for internet group
delay_class 2 4
# No Speed Limit - unlim
delay_class 3 4
delay_parameters 1 -1/-1 -1/-1 -1/-1 -1/-1
delay_parameters 2 -1/-1 -1/-1 -1/-1 125000/125000
delay_parameters 3 -1/-1 -1/-1 -1/-1 64000/64000
delay_access 1 allow unlim_group
#delay_access 1 allow unlim_domains
delay_access 1 deny all
delay_access 2 allow internet_SG
delay_access 2 deny all
delay_access 3 allow internet_G
delay_access 3 deny all
############ End Speed Limits Block ###########3
#################### ACL Control Block ##################
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
####http_access allow localnet
http_access allow unlim_group
http_access allow internet_SG
http_access allow internet_G
#http_access allow unlim_group
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all
#####################3 End ACL Control Block ##############
# Squid normally listens to port 3128
http_port 8080
##https_port 8080
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
Attachment:
http-site.png
Description: PNG image
#
# Recommended minimum configuration:
#
####SNMP
#if ${process_number} = 2
## snmp_port 3401
#endif
acl zabbix src 192.168.4.19/32
acl snmppublic snmp_community public
snmp_access allow snmppublic zabbix
snmp_access allow snmppublic localhost
snmp_access deny all
####### END SNMP
pid_filename /var/run/squid3/squid.pid
### Set local DNS as DNS for squid
dns_nameservers 127.0.0.1 192.168.4.23 192.168.4.1 192.168.4.2
#DNS V4
dns_v4_first on
#### SMP support
###workers 4
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/18 # RFC1918 possible internal network
acl localnet src 192.168.4.0/23 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443 #https
acl SSL_ports port 8445 #it-smtp.vod.local
acl SSL_ports port 8443 #it-ubiquiti.vod.local
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 93 # Teh-Ekspert
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
# Deny CONNECT to other than secure SSL ports
# Only allow cachemgr access from localhost
acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
####acl localhost src 127.0.0.1/32 ::1/128
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
###http_access allow localhost manager
acl sqstat src 192.168.4.19/32
http_access allow manager localhost
http_access allow manager sqstat
http_access deny manager
#cachemgr_passwd dm3ZcN7kDI12 all
#snmp_port 3401
cpu_affinity_map process_numbers=1,2,3,4,5,6 cores=1,2,3,4,5,6
workers 5
if ${process_number} = 1
include /etc/squid3/backend.conf
snmp_port 3401
else
include /etc/squid3/frontend.conf
endif
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users