On 11/10/2016 7:01 a.m., Joe O wrote:
>
>
> I have an issue with my browser and squid where they both seem to be stuck in an infinite loop of denied requests.
> I have a helper script that authenticates the user. The script works. Here is an example of the output of authentication
> being successful and not successful.
>
> [root@1 ~]# /etc/squid/authenticate.php
> test1 test1
> OK
> test1 test2
> ERR login failure
> So, I am sending the right info back to squid. When I authenticate successfully then squid and my browser play nice and there is no power struggle.
> If the authentication fails then I get this:
>
> 1476120287.143 24 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
> 1476120287.143 25 45.63.40.55 TCP_DENIED/407 4253 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
> 1476120287.143 25 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
> 1476120287.216 18 45.63.40.55 TCP_DENIED/407 4293 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
> 1476120287.216 9 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
> 1476120287.216 15 45.63.40.55 TCP_DENIED/407 4253 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
> 1476120287.216 15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
> 1476120287.216 15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
> 1476120287.216 15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
> 1476120287.216 15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
>
> Here is my squid config:

<snip defaults>

>
> http_access allow localnet
> http_access allow localhost
>

Okay if you want LAN traffic and things going from the Squid machine not to be authenticated. Otherwise these two lines should go below the auth checks.

> auth_param basic program /usr/bin/php /etc/squid/authenticate.php
> auth_param basic children 5
> auth_param basic realm Web-Proxy
> auth_param basic credentialsttl 1 minute
> auth_param basic casesensitive off
>
> acl db-auth proxy_auth REQUIRED
> http_access allow db-auth
> http_access allow localhost

localhost is already permitted on a line above the auth stuff. This one will just waste CPU cycles checking an impossible requirement.

> http_access deny all
>

<snip defaults>

>
>
> Everything I’ve read and tried always left me with the same result
> which was an infinite loop rather than squid returning an
> unauthorized result page.

Firstly; The 407 you see in access.log *is* the unauthorized being returned by the proxy. That is accompanied by an error "page" from Squid.

Note that all these are parallel transactions (same ending timestamp, different durations). Browsers open quite a few connections to proxies. If it was trying the same bad credentials for all these you can expect them to fail of course.

Secondly; Browsers refuse to display anything a proxy returns in response to CONNECT method. That is a browser internal problem we cannot do anything about.

What you should see next is not a page, but a popup from the browser trying to get working credentials since these ones failed.

Thirdly; If the popup is not appearing you may need to explicitly tell Squid what to do when credentials are present but invalid. You do that with a "deny" rule like this:

  http_access deny !db-auth
  http_access allow db-auth

Amos
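
The point in the reply that these 407s are parallel transactions (same ending timestamp, different durations) can be checked from the log itself. The script below is an added example, not part of the thread: it groups the 407 lines quoted above by client and user and measures how many were in flight at once. It assumes Squid's default native access.log layout, and the function names are made up for illustration.

```python
from collections import defaultdict

# The ten access.log lines quoted in the post (Squid native log format).
SAMPLE_LOG = """\
1476120287.143 24 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
1476120287.143 25 45.63.40.55 TCP_DENIED/407 4253 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
1476120287.143 25 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
1476120287.216 18 45.63.40.55 TCP_DENIED/407 4293 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
1476120287.216 9 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
1476120287.216 15 45.63.40.55 TCP_DENIED/407 4253 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
1476120287.216 15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
1476120287.216 15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
1476120287.216 15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
1476120287.216 15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
"""

def parse_line(line):
    """Return the fields used below, or None for a short/foreign line."""
    f = line.split()
    if len(f) < 10:
        return None
    end_ms = round(float(f[0]) * 1000)  # timestamp is when the reply completed
    return {"start": end_ms - int(f[1]), "end": end_ms, "client": f[2],
            "status": f[3].rpartition("/")[2], "target": f[6], "user": f[7]}

def auth_denial_bursts(log_text):
    """Group 407 replies by (client, user) and measure how parallel they were."""
    groups = defaultdict(list)
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec["status"] == "407":
            groups[(rec["client"], rec["user"])].append(rec)
    report = {}
    for key, recs in groups.items():
        # Sweep start (+1) and end (-1) events in time order; at equal times
        # starts sort first, so a 0 ms request still counts as one in flight.
        events = sorted([(r["start"], 1) for r in recs] +
                        [(r["end"], -1) for r in recs],
                        key=lambda e: (e[0], -e[1]))
        live = peak = 0
        for _, delta in events:
            live += delta
            peak = max(peak, live)
        report[key] = {"denied": len(recs), "peak_parallel": peak,
                       "targets": sorted({r["target"] for r in recs})}
    return report

if __name__ == "__main__":
    for key, stats in auth_denial_bursts(SAMPLE_LOG).items():
        print(key, stats)
```

On the quoted lines this reports ten denials for one client and user, spread over two targets, with up to seven requests open at the same moment.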