Thanks for all the help. I just checked the /etc/squid/passwords file, turns out I mistakenly used htpasswd -c when saving the last username, password and all the previous ones got overwritten.
After fixing that, the config file I wrote earlier worked fine.
With regards,
Sonya Roy
On Tue, Jun 20, 2017 at 4:18 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
Sounds to me like the auth_param helper is not accepting the credentials you are testing with. The %LOGIN parameter needs auth to be completed successfully before the ACL helper is called with the resulting username.
On 20/06/17 10:50, Sonya Roy wrote:
Hi,
Thanks for the links. So I tried what you suggested and for testing, I
was using this simple config:-
http_port 8080
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
external_acl_type checkclient children-max=20 %MYADDR %LOGIN
/usr/local/squidauth.py
acl authenticated external checkclient
http_access allow authenticated
cache deny all
forwarded_for delete
request_header_access Via deny all
I made sure that the squidauth.py file was executable and when
debugging, I found that the helper processes were running. But nothing
was getting passed to the helper processes. In the python code, I was
running a loop which reads lines from the stdin and parses them and
writes output to the stdout. I checked and it wasn't getting anything
from stdin. (I added a line which reads the input line from stdin and
sends it to another server through a http request to make sure if it was
getting anything from stdin at all)
But, when I tried to use the proxy(and of course I was using a username
and password that was stored in /etc/squid/passwords), I kept getting
the error that authentication required, i.e. the server was sending back
the header Proxy-Authenticate: Basic realm="proxy". I am not sure what I
am doing wrong here.
Note that the NCSA helper uses a database file (/etc/squid/passwords) of hashes encoded by the Apache htpasswd tool. It is not a plain-text nor Unix passwd file, that difference catches some people out.
To simplify what is going on I would use the following config sequence:
acl login proxy_auth REQUIRED
http_access deny !login
acl userip_check external checkclient
http_access allow userip_check
http_access deny all
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
