Hi Amos
Now, my squid.conf is as follow (very simple):############ START #################
http_port 3128
debug_options 11,2
cache_mem 512 MB
cache_swap_low 80
cache_swap_high 90
maximum_object_size 512 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
fqdncache_size 1024
### Parametros de atualizacao da memoria cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
### Localizacao dos logs
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_dir aufs /var/spool/squid3 600 16 256
visible_hostname proxy
### acls
acl localhost src 192.168.200.7/32
acl to_localhost dst 192.168.200.7/32
acl SSL_ports port 22 443 563 7071 10000
acl Safe_ports port 21 70 80 88 210 280 389 443 488 563 591 777 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny purge
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
auth_param basic children 5
auth_param basic realm CMS
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
### Exige autenticacao
acl autenticados proxy_auth REQUIRED
http_access deny !autenticados
### Rede do CMS #####
acl lannet src 192.168.200.0/22
### Nega acesso de quem nao esta na rede local do CMS
http_access allow lannet
http_access allow localhost
#negando o acesso para todos que nao estiverem nas regras anteriores
http_access deny all
### Erros em portugues
error_directory /usr/share/squid3/errors/pt-br
#cache_effective_user proxy
coredump_dir /var/spool/squid3
########## END ###########################
1) I open my browser to test the authentication. It seems OK, but when I open new tab in browser the Squid3 ask the user and password again. Is this normal behavior ?
2) Is necessary to declare LOCALHOST acl as "acl localhost src 192.168.200.7/32" ?
3) Isn't necessary MANAGER acl as "acl manager proto cache_object" ?
4) Is correct order of the ACL in my squid.conf ? How do I improve it?
5) In my access.log, I have saw many "TCP_MISS/200". Does mean only the website is not in cache or is a strange behavior?
Sorry, but I'm still learning about Squid!
Regards,
Márcio
2016-09-05 1:17 GMT-03:00 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
Notice how the 407 occur in bunches. 2-3 getting a 407 reject, then manyOn 5/09/2016 10:41 a.m., Marcio Demetrio Bacci wrote:
> I have used debug_options 11,2 in squid.conf file. After I have following
> results in logs files:
>
> /var/log/squid3/access.log
> 1473026084.048 253 192.168.200.85 TCP_MISS_ABORTED/000 0 POST
> http://m.addthis.com/live/red_lojson/100eng.json ? marcio HIER_NONE/- -
> 1473026086.275 0 192.168.200.85 TCP_DENIED/407 3792 CONNECT
> tiles.services.mozilla.com:443 - HIER_NONE/- text/html
> 1473026086.778 0 192.168.200.85 TCP_DENIED/407 3995 GET
> http://start.ubuntu.com/14.04/Google/ ? - HIER_NONE/- text/html
> 1473026088.908 0 192.168.200.85 TCP_DENIED/407 3796 CONNECT
> shavar.services.mozilla.com:443 - HIER_NONE/- text/html
> 1473026091.932 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT
> self-repair.mozilla.org:443 - HIER_NONE/- text/html
> 1473026096.418 180 192.168.200.85 TCP_MISS/200 960 POST
> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
> application/ocsp-response
> 1473026096.467 85 192.168.200.85 TCP_MISS/200 960 POST
> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
> application/ocsp-response
> 1473026102.051 525 192.168.200.85 TCP_REFRESH_UNMODIFIED/200 2907 GET
> http://start.ubuntu.com/14.04/Google/ ? marcio HIER_DIRECT/91.189.90.41
> text/html
> 1473026102.091 0 192.168.200.85 TCP_HIT/200 22099 GET
> http://start.ubuntu.com/12.04/sprite.png marcio HIER_NONE/- image/png
> 1473026104.855 0 10.133.85.3 TCP_DENIED/407 3929 GET
> http://ctldl.windowsupdate.com/msdownload/update/v3/ ?static/trustedr/en/ authrootstl.cab
> - HIER_NONE/- text/html
> 1473026146.453 83 192.168.200.85 TCP_MISS/200 960 POST
> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
> application/ocsp-response
> 1473026147.447 83 192.168.200.85 TCP_MISS/200 960 POST
> http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8
> application/ocsp-response
> 1473026148.923 0 192.168.200.85 TCP_DENIED/407 3796 CONNECT
> shavar.services.mozilla.com:443 - HIER_NONE/- text/html
> 1473026157.117 61506 192.168.200.85 TCP_MISS/200 3525 CONNECT
> tiles.services.mozilla.com:443 marcio HIER_DIRECT/52.24.123.95 -
> 1473026157.195 61584 192.168.200.85 TCP_MISS/200 4521 CONNECT
> self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -
> 1473026160.190 63085 192.168.200.85 TCP_MISS/200 5449 CONNECT
> self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 -
> 1473026204.518 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT
> safebrowsing.google.com:443 - HIER_NONE/- text/html
> 1473026207.807 62056 192.168.200.85 TCP_MISS/200 3686 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.808 61159 192.168.200.85 TCP_MISS/200 390 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.808 61159 192.168.200.85 TCP_MISS/200 390 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.808 61160 192.168.200.85 TCP_MISS/200 390 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.809 61160 192.168.200.85 TCP_MISS/200 390 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.814 61165 192.168.200.85 TCP_MISS/200 390 CONNECT
> incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 -
> 1473026207.866 61052 192.168.200.85 TCP_MISS/200 3821 CONNECT
> aus5.mozilla.org:443 marcio HIER_DIRECT/52.34.235.152 -
> 1473026212.687 116018 192.168.200.85 TCP_MISS/200 61971 CONNECT
> normandy.cdn.mozilla.net:443 marcio HIER_DIRECT/52.84.177.125 -
> 1473026264.532 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT
> safebrowsing.google.com:443 - HIER_NONE/- text/html
> 1473026299.647 0 10.133.85.3 TCP_DENIED/407 3813 CONNECT
> iecvlist.microsoft.com:443 - HIER_NONE/- text/html
> 1473026335.221 0 10.133.85.3 TCP_DENIED/407 3813 CONNECT
> ieonline.microsoft.com:443 - HIER_NONE/- text/html
> 1473026592.061 6624 10.133.85.3 TCP_MISS/200 3582 CONNECT
> forum.zentyal.org:443 marcio HIER_DIRECT/162.13.13.134 -
requests going through with user credentials. Then again some without
any getting a 407.
Those bunches of 407 will be matching some type of credentials timeout
in the browser, or opening of new tabs.
This request below is the only one from 192.168.200.96 so appears to be
the one you provide cache.log trace for...
> 1473026793.073 0 192.168.200.96 TCP_DENIED/407 3780 CONNECT
> safebrowsing.google.com:443 - HIER_NONE/- text/html
>
> /var/log/squid3/cache.log
>
> ----------
> 2016/09/04 19:06:33.073 kid1| client_side.cc(2407) parseHttpRequest: HTTP
> Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1
> 2016/09/04 19:06:33.073 kid1| client_side.cc(2408) parseHttpRequest: HTTP
> Client REQUEST:
> ---------
> CONNECT safebrowsing.google.com:443 HTTP/1.1
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101
> Firefox/35.0
> Proxy-Connection: keep-alive
> Connection: keep-alive
> Host: safebrowsing.google.com:443
Notice the abence of any Proxy-Authorization header containing credentials.
>
>
> ----------
> 2016/09/04 19:06:33.073 kid1| client_side.cc(1459) sendStartOfMessage: HTTP
> Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1
> 2016/09/04 19:06:33.073 kid1| client_side.cc(1460) sendStartOfMessage: HTTP
> Client REPLY:
> ---------
> HTTP/1.1 407 Proxy Authentication Required
> Server: squid/3.4.8
> Mime-Version: 1.0
> Date: Sun, 04 Sep 2016 22:06:33 GMT
> Content-Type: text/html
> Content-Length: 3357
> X-Squid-Error: *ERR_CACHE_ACCESS_DENIED 0*
> Proxy-Authenticate: Basic realm="CMS"
That realm="CMS" does not match the realm value of "AUTENTICACAO" which
your earlier config contained.
Unless you changed your auth_param settings that is a sign that some
other proxy is generating that response message. BUT, your access.log
entry shows no server being contacted.
> X-Cache: MISS from proxy.cms.ensino.br
> X-Cache-Lookup: NONE from proxy.cms.ensino.br:3128
> Via: 1.1 proxy.cms.ensino.br (squid/3.4.8)
> Connection: keep-alive
>
> ----------
>
> Sorry, but I didn't discover the problem!
>
> Anybody have an idea?
If you altered your squid.conf settings as above in the auth details,
did you also remove 192.168.200.7 from the "localhost" ACL ?
Your rule "http_access allow localhost" occurs before anything that
requires authentication. That means these requests coming from
192.168.200.7 to your proxy would not use authentication for the above
CONNECT request. So no reason for your proxy to generate any 407 response.
Amos
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users