I have used debug_options 11,2 in squid.conf file. After I have following results in logs files:
/var/log/squid3/access.log
1473026084.048 253 192.168.200.85 TCP_MISS_ABORTED/000 0 POST http://m.addthis.com/live/red_lojson/100eng.json? marcio HIER_NONE/- -
1473026086.275 0 192.168.200.85 TCP_DENIED/407 3792 CONNECT tiles.services.mozilla.com:443 - HIER_NONE/- text/html
1473026086.778 0 192.168.200.85 TCP_DENIED/407 3995 GET http://start.ubuntu.com/14.04/Google/? - HIER_NONE/- text/html
1473026088.908 0 192.168.200.85 TCP_DENIED/407 3796 CONNECT shavar.services.mozilla.com:443 - HIER_NONE/- text/html
1473026091.932 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT self-repair.mozilla.org:443 - HIER_NONE/- text/html
1473026096.418 180 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response
1473026096.467 85 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response
1473026102.051 525 192.168.200.85 TCP_REFRESH_UNMODIFIED/200 2907 GET http://start.ubuntu.com/14.04/Google/? marcio HIER_DIRECT/91.189.90.41 text/html
1473026102.091 0 192.168.200.85 TCP_HIT/200 22099 GET http://start.ubuntu.com/12.04/sprite.png marcio HIER_NONE/- image/png
1473026104.855 0 10.133.85.3 TCP_DENIED/407 3929 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - HIER_NONE/- text/html
1473026146.453 83 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response
1473026147.447 83 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response
1473026148.923 0 192.168.200.85 TCP_DENIED/407 3796 CONNECT shavar.services.mozilla.com:443 - HIER_NONE/- text/html
1473026157.117 61506 192.168.200.85 TCP_MISS/200 3525 CONNECT tiles.services.mozilla.com:443 marcio HIER_DIRECT/52.24.123.95 -
1473026157.195 61584 192.168.200.85 TCP_MISS/200 4521 CONNECT self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -
1473026160.190 63085 192.168.200.85 TCP_MISS/200 5449 CONNECT self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -
1473026204.518 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT safebrowsing.google.com:443 - HIER_NONE/- text/html
1473026207.807 62056 192.168.200.85 TCP_MISS/200 3686 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.808 61159 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.808 61159 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.808 61160 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.809 61160 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.814 61165 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.866 61052 192.168.200.85 TCP_MISS/200 3821 CONNECT aus5.mozilla.org:443 marcio HIER_DIRECT/52.34.235.152 -
1473026212.687 116018 192.168.200.85 TCP_MISS/200 61971 CONNECT normandy.cdn.mozilla.net:443 marcio HIER_DIRECT/52.84.177.125 -
1473026264.532 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT safebrowsing.google.com:443 - HIER_NONE/- text/html
1473026299.647 0 10.133.85.3 TCP_DENIED/407 3813 CONNECT iecvlist.microsoft.com:443 - HIER_NONE/- text/html
1473026335.221 0 10.133.85.3 TCP_DENIED/407 3813 CONNECT ieonline.microsoft.com:443 - HIER_NONE/- text/html
1473026592.061 6624 10.133.85.3 TCP_MISS/200 3582 CONNECT forum.zentyal.org:443 marcio HIER_DIRECT/162.13.13.134 -
1473026793.073 0 192.168.200.96 TCP_DENIED/407 3780 CONNECT safebrowsing.google.com:443 - HIER_NONE/- text/html
/var/log/squid3/cache.log
----------
2016/09/04 19:06:33.073 kid1| client_side.cc(2407) parseHttpRequest: HTTP Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1
2016/09/04 19:06:33.073 kid1| client_side.cc(2408) parseHttpRequest: HTTP Client REQUEST:
---------
CONNECT safebrowsing.google.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: safebrowsing.google.com:443
----------
2016/09/04 19:06:33.073 kid1| client_side.cc(1459) sendStartOfMessage: HTTP Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1
2016/09/04 19:06:33.073 kid1| client_side.cc(1460) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.4.8
Mime-Version: 1.0
Date: Sun, 04 Sep 2016 22:06:33 GMT
Content-Type: text/html
Content-Length: 3357
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: Basic realm="CMS"
X-Cache: MISS from proxy.cms.ensino.br
X-Cache-Lookup: NONE from proxy.cms.ensino.br:3128
Via: 1.1 proxy.cms.ensino.br (squid/3.4.8)
Connection: keep-alive
----------
Sorry, but I didn't discover the problem!
Anybody have an idea?
Regards,/var/log/squid3/access.log
1473026084.048 253 192.168.200.85 TCP_MISS_ABORTED/000 0 POST http://m.addthis.com/live/red_lojson/100eng.json? marcio HIER_NONE/- -
1473026086.275 0 192.168.200.85 TCP_DENIED/407 3792 CONNECT tiles.services.mozilla.com:443 - HIER_NONE/- text/html
1473026086.778 0 192.168.200.85 TCP_DENIED/407 3995 GET http://start.ubuntu.com/14.04/Google/? - HIER_NONE/- text/html
1473026088.908 0 192.168.200.85 TCP_DENIED/407 3796 CONNECT shavar.services.mozilla.com:443 - HIER_NONE/- text/html
1473026091.932 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT self-repair.mozilla.org:443 - HIER_NONE/- text/html
1473026096.418 180 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response
1473026096.467 85 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response
1473026102.051 525 192.168.200.85 TCP_REFRESH_UNMODIFIED/200 2907 GET http://start.ubuntu.com/14.04/Google/? marcio HIER_DIRECT/91.189.90.41 text/html
1473026102.091 0 192.168.200.85 TCP_HIT/200 22099 GET http://start.ubuntu.com/12.04/sprite.png marcio HIER_NONE/- image/png
1473026104.855 0 10.133.85.3 TCP_DENIED/407 3929 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - HIER_NONE/- text/html
1473026146.453 83 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response
1473026147.447 83 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response
1473026148.923 0 192.168.200.85 TCP_DENIED/407 3796 CONNECT shavar.services.mozilla.com:443 - HIER_NONE/- text/html
1473026157.117 61506 192.168.200.85 TCP_MISS/200 3525 CONNECT tiles.services.mozilla.com:443 marcio HIER_DIRECT/52.24.123.95 -
1473026157.195 61584 192.168.200.85 TCP_MISS/200 4521 CONNECT self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -
1473026160.190 63085 192.168.200.85 TCP_MISS/200 5449 CONNECT self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -
1473026204.518 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT safebrowsing.google.com:443 - HIER_NONE/- text/html
1473026207.807 62056 192.168.200.85 TCP_MISS/200 3686 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.808 61159 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.808 61159 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.808 61160 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.809 61160 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.814 61165 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
1473026207.866 61052 192.168.200.85 TCP_MISS/200 3821 CONNECT aus5.mozilla.org:443 marcio HIER_DIRECT/52.34.235.152 -
1473026212.687 116018 192.168.200.85 TCP_MISS/200 61971 CONNECT normandy.cdn.mozilla.net:443 marcio HIER_DIRECT/52.84.177.125 -
1473026264.532 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT safebrowsing.google.com:443 - HIER_NONE/- text/html
1473026299.647 0 10.133.85.3 TCP_DENIED/407 3813 CONNECT iecvlist.microsoft.com:443 - HIER_NONE/- text/html
1473026335.221 0 10.133.85.3 TCP_DENIED/407 3813 CONNECT ieonline.microsoft.com:443 - HIER_NONE/- text/html
1473026592.061 6624 10.133.85.3 TCP_MISS/200 3582 CONNECT forum.zentyal.org:443 marcio HIER_DIRECT/162.13.13.134 -
1473026793.073 0 192.168.200.96 TCP_DENIED/407 3780 CONNECT safebrowsing.google.com:443 - HIER_NONE/- text/html
/var/log/squid3/cache.log
----------
2016/09/04 19:06:33.073 kid1| client_side.cc(2407) parseHttpRequest: HTTP Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1
2016/09/04 19:06:33.073 kid1| client_side.cc(2408) parseHttpRequest: HTTP Client REQUEST:
---------
CONNECT safebrowsing.google.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: safebrowsing.google.com:443
----------
2016/09/04 19:06:33.073 kid1| client_side.cc(1459) sendStartOfMessage: HTTP Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1
2016/09/04 19:06:33.073 kid1| client_side.cc(1460) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.4.8
Mime-Version: 1.0
Date: Sun, 04 Sep 2016 22:06:33 GMT
Content-Type: text/html
Content-Length: 3357
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: Basic realm="CMS"
X-Cache: MISS from proxy.cms.ensino.br
X-Cache-Lookup: NONE from proxy.cms.ensino.br:3128
Via: 1.1 proxy.cms.ensino.br (squid/3.4.8)
Connection: keep-alive
----------
Sorry, but I didn't discover the problem!
Anybody have an idea?
2016-09-02 11:10 GMT-03:00 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On 2/09/2016 3:21 p.m., Marcio Demetrio Bacci wrote:
> In my Windows workstations the authentication works correctly, however in
> Ubuntu 14.04 the user and password are asked twice.
>
> I am using the basic_ncsa_auth with Squid 3.4.8
>
> Is there any setting that I do in Squid?
>
> Bellow is my squid.conf
>
...
>
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd ...
> auth_param basic children 5
> auth_param basic realm AUTENTICACAO
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
>
> ### Regras iniciais do Squid
> http_access allow localhost
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
Please re-order the above security rules to be:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny purge
>
> ### Exige autenticacao
> acl autenticados proxy_auth REQUIRED
> http_access allow autenticados
>
> ### Bloqueia extensoes de arquivos
> acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas" ...
>
> ### Liberar alguns sites
> acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
>
> ### Bloqueia sites por URL
> acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"
>
> #bloqueios basicos
> http_access allow sites_liberados
> http_access deny extensoes_bloqueadas
> http_access deny sites_bloqueados
>
> ### LAN #####
> acl rede_lan src 192.168.200.0/22
>
> ### Nega acesso de quem nao esta na rede local do CMB
> http_access allow rede_lan
>
> #negando o acesso para todos que nao estiverem nas regras anteriores
> http_access deny all
>
With your config Squid will only challenge the browser to send some if
they are completely missing. It will not deny access when invalid
credentials are sent.
That means the browser probably does not have access to any Basic auth
credentials it can send.
The two popups are probably from two TCP connections being made with no
credentials (maybe the result of the "Happy Eyeballs" algorithm doing
its thing). You can check for that with "debug_options 11,2" and seeing
what HTTP messages are happening with what IP:port details.
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users