Search squid archive

Re: Squid - AD kerberos auth and Linux Server proxy access not working

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 5/10/2016 7:00 a.m., Nilesh Gavali wrote:
> Hi Amos;
> Ok, we can discussed the issue in Two part  1. For Windows AD 
> Authentication & SSO and 2. Linux server unable to access via squid proxy.
> 
> For First point-
> Requirement to have SSO for accessing internet via squid proxy and based 
> on user's AD group membership allow access to specific sites only. I 
> believe current configuration of squid is working as expected.
> 
> For Second point -
> Point I would like to highlight here is, the Linux server IWCCP01 is not 
> part of domain at all. Hence the below error as squid configured for 
> AD_auth. So how can we allow Linux server or non domain machine to access 
> specific sites?
> 
>> Error 407 is "proxy auth required", so the proxy is expecting 
> authentication 
>> for some reason.
> ====================================
>  > Can you confirm that the hostname vseries-test.bottomline.com is 
> contained in 
>> your site file /etc/squid/sitelist/dbs_allowed_site ?
> 
> YES, we have entry as .bottomline.com , which work fine when access via 
> windows machine having proxy enabled for that user.
> ==============================
>> Can you temporarily change the line "http_access allow IWCCP01 
> allowedsite" to 
>> "http_access allow IWCCP01" and see whether the machine then gets 
> access?
> 
> I made the changes as suggested but still it is giving same Error 407.

Meaning that is the ACL which is broken.


> ========================================
> If that works, please list the output of the command:
>   grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site
> 
> o/p of above command as below -
> 
> [root@Proxy02 ~]# grep "bottomline.com" 
> /etc/squid/sitelist/dbs_allowed_site
> .bottomline.com
> [root@Proxy02 ~]#

Okay great. Your allowedsite has a correct entry to match the test request.


Since IWCCP01 contains exactly one IP address for the server

> acl IWCCP01 src 10.xx.15.103

it means your server is not using that IP address when it contacts Squid.

BUT that IP is what gots logged as the client/src IP.

> 1475518342.279      0 10.xx.15.103 TCP_DENIED/407 3589 CONNECT
vseries-test.bottomline.com:443 - NONE/- text/html

Strange. Unless:

* those 'xx' are different numbers, or

* the line was logged by another Squid process (with different config), or

* the config file you think is being used actually is not.


I notice that this config tells your Squid to listen on port 8080 and
pass all its traffic through a peer at 10.xx.xx.108 which also listens
on port 8080.
Is that log being produced by that other peer?

Is there anything, any non-# lines at all, in your config besides what
your first post contained? even if you dont think its relevant.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux