
Re: Issues with authentication

Thanks for the reply, Amos! I started following another thread in which you were helping someone else with showing pages to / redirecting unauthenticated users,
but still haven't been able to get that to work either. The thread was this one: http://squid-web-proxy-cache.1019090.n4.nabble.com/redirecting-unauthenticated-users-td1038146.html
I think this approach would work well for what I am doing if I could get it working :)


error_directory /usr/share/squid/errors/en
cache deny all
debug_options ALL,1 11,3 20,3
acl whitelist dstdomain .whitelist.com 127.0.0.1

acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 127.0.0.1      # loopback (not an RFC1918 range)
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access allow localhost

http_port 3128

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

auth_param basic program /usr/bin/php /etc/squid/authenticate.php
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off

acl noAuth src all
acl AuthUsers proxy_auth REQUIRED

http_access allow whitelist
http_access allow AuthUsers
deny_info ERR_ACCESS_DENIED noAuth
http_access deny !AuthUsers noAuth
http_access deny all

On Oct 11, 2016, at 3:02 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:

On 11/10/2016 7:01 a.m., Joe O wrote:


I have an issue with my browser and squid where they both seem to be stuck in an infinite loop of denied requests.
I have a helper script that authenticates the user. The script works. Here is an example of the output of authentication being successful and not successful.

[root@1 ~]# /etc/squid/authenticate.php
test1 test1
OK
test1 test2
ERR login failure
So, I am sending the right info back to squid. When I authenticate successfully then squid and my browser play nice and there is no power struggle.
If the authentication fails then I get this:

1476120287.143     24 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
1476120287.143     25 45.63.40.55 TCP_DENIED/407 4253 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
1476120287.143     25 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
1476120287.216     18 45.63.40.55 TCP_DENIED/407 4293 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
1476120287.216      9 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
1476120287.216     15 45.63.40.55 TCP_DENIED/407 4253 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
1476120287.216     15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
1476120287.216     15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
1476120287.216     15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
1476120287.216     15 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html

Here is my squid config:

<snip defaults>


http_access allow localnet
http_access allow localhost


Okay if you want LAN traffic and things going from the Squid machine not
to be authenticated. Otherwise these two lines should go below the auth
checks.


auth_param basic program /usr/bin/php /etc/squid/authenticate.php
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off

acl db-auth proxy_auth REQUIRED
http_access allow db-auth
http_access allow localhost

localhost is already permitted on a line above the auth stuff. This one
will just waste CPU cycles checking an impossible requirement.

http_access deny all


<snip defaults>



Everything I’ve read and tried always left me with the same result
which was an infinite loop rather than squid returning an
unauthorized result page.


Firstly; The 407 you see in access.log *is* the unauthorized being
returned by the proxy. That is accompanied by a error "page" from Squid.

Note that all these are parallel transactions (same ending timestamp,
different durations). Browsers open quite a few connections to proxies.
If it was trying the same bad credentials for all these you can expect
them to fail of course.


Secondly; Browsers refuse to display anything a proxy returns in
response to CONNECT method. That is a browser internal problem we cannot
do anything about. What you should see next is not a page, but a popup
from the browser trying to get working credentials since these ones failed.


Thirdly; If the popup is not appearing you may need to explicitly tell
Squid what to do when credentials are present but invalid.

You do that with a "deny" rule like this:

http_access deny !db-auth
http_access allow db-auth

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
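The helper contract in this thread is simple: Squid writes one `username password` line to the helper's stdin per lookup and expects one `OK` or `ERR` line back. The following is an added example in Python, not the poster's authenticate.php and not Squid's own code. Everything in it is an assumption for illustration: the credential store (PBKDF2 hashes built at start-up from constructed test users), the user names, and the `message="..."` annotation on the ERR reply (a key=value field that Squid 3.4 and later understand; older releases only look at the leading OK/ERR token). The helper lowercases the user name to match the `casesensitive off` in the config above, percent-decodes both fields because newer Squid releases URL-encode them (decoding is a no-op on plain input), and compares in constant time against a dummy hash when the user is unknown so that a wrong user and a wrong password take the same time.

```python
"""Squid basic-auth helper in Python.

Added example for this thread; it is not the poster's authenticate.php and not
part of Squid. Reads "username password" lines on stdin, answers "OK" or "ERR"
per line, exactly the protocol the php helper above implements.
"""
import hashlib
import hmac
import os
import sys
import urllib.parse

# Assumption: cost factor for PBKDF2-HMAC-SHA256; a real helper would tune this.
_ITERATIONS = 100_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def make_store(users: dict) -> dict:
    """Build {lowercased username: (salt, hash)} from plaintext pairs.

    Constructed for the example; a deployment would load hashes from a file that
    only the Squid effective user can read, never keep plaintext around.
    """
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name.lower()] = (salt, _pbkdf2(pw, salt))
    return store


# Dummy salt/hash used for unknown users so the hashing cost is paid either way
# and a name-enumeration timing difference does not appear.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = _pbkdf2("", _DUMMY_SALT)


def check_line(line: str, store: dict) -> str:
    """Evaluate one request line and return the reply line for Squid."""
    line = line.rstrip("\r\n")
    if not line:
        return 'ERR message="empty request"'
    parts = line.split(" ", 1)
    if len(parts) != 2:
        return 'ERR message="malformed request"'
    # Newer Squid URL-encodes both fields (so a space in a password arrives as %20).
    user = urllib.parse.unquote(parts[0]).lower()   # matches "casesensitive off"
    password = urllib.parse.unquote(parts[1])
    salt, expected = store.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_pbkdf2(password, salt), expected)
    # The explicit membership test keeps an empty password from "matching" the dummy hash.
    if matched and user in store:
        return "OK"
    return 'ERR message="login failure"'


def main() -> None:
    # Constructed test user, mirroring the "test1 test1" check in the thread.
    store = make_store({"test1": "test1"})
    for line in sys.stdin:
        sys.stdout.write(check_line(line, store) + "\n")
        sys.stdout.flush()   # Squid waits for each reply line; never buffer


if __name__ == "__main__":
    main()
```

Run it by hand the same way the poster ran authenticate.php (type `test1 test1`, then `test1 test2`) before pointing `auth_param basic program` at it; the flush after every reply matters, because a buffered helper looks to Squid like one that has hung.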


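Amos points out that the 407 entries above are parallel transactions: same completion timestamp, different durations. Squid's native access.log records when a transaction finished and how many milliseconds it took, so the start time has to be recovered as end minus duration before you can see the overlap. The block below is an added example for this thread, not Squid code: it parses the native format, groups entries that were in flight at the same moment, and counts 407 challenges per client and user name, which is what a challenge storm like the one logged above looks like when tallied. The log text is constructed to resemble the entries quoted in the thread; the field layout assumed is Squid's default native format (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type).

```python
"""Group overlapping transactions in Squid native access.log output.

Added example for this thread, not part of Squid. SAMPLE_LOG is constructed
after the lines quoted above.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
1476120287.143     24 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
1476120287.143     25 45.63.40.55 TCP_DENIED/407 4253 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
1476120287.216     18 45.63.40.55 TCP_DENIED/407 4293 CONNECT www.facebook.com:443 test HIER_NONE/- text/html
1476120287.216      9 45.63.40.55 TCP_DENIED/407 4245 CONNECT www.google.com:443 test HIER_NONE/- text/html
"""


@dataclass
class Entry:
    end: float          # completion time, seconds since the epoch (field 1)
    duration_ms: int    # elapsed milliseconds (field 2)
    client: str
    result: str         # e.g. TCP_DENIED
    status: int         # HTTP status, e.g. 407
    size: int
    method: str
    url: str
    user: str           # "-" when the client sent no credentials

    @property
    def start(self) -> float:
        # Native format logs the end; the start is end minus elapsed time.
        return self.end - self.duration_ms / 1000.0


def parse(text: str) -> List[Entry]:
    """Parse native-format lines; blank or truncated lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue
        result, status = fields[3].split("/", 1)
        entries.append(Entry(float(fields[0]), int(fields[1]), fields[2], result,
                             int(status), int(fields[4]), fields[5], fields[6], fields[7]))
    return entries


def overlapping_groups(entries: List[Entry]) -> List[List[Entry]]:
    """Sweep by start time; an entry joins the open group if it started before
    the latest end seen in that group, otherwise it opens a new group."""
    groups: List[List[Entry]] = []
    group_end = float("-inf")
    for e in sorted(entries, key=lambda e: e.start):
        if groups and e.start < group_end:
            groups[-1].append(e)
            group_end = max(group_end, e.end)
        else:
            groups.append([e])
            group_end = e.end
    return groups


def challenge_counts(entries: List[Entry], status: int = 407) -> Dict[Tuple[str, str], int]:
    """How many times each (client, user) pair was challenged."""
    return dict(Counter((e.client, e.user) for e in entries if e.status == status))


if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for group in overlapping_groups(entries):
        print("in flight together:", [(e.method, e.url, e.duration_ms) for e in group])
    print("407 challenges per client/user:", challenge_counts(entries))
```

Two groups of two come out of the sample: the pair ending at .143 and the pair ending at .216, and neither pair overlaps the other. A high count for one (client, user) pair over a short window is the signature of a browser retrying the same rejected credentials across its parallel connections, which is the behaviour Amos describes rather than a loop in Squid.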