Amos,
The Squid version is 3.1.19. The network is set up with a 192.168.0.x network on the LAN side and a 192.168.1.x network on the Internet side. Both ports 3120 and 4120 require authentication, but port 4120 is meant to be restricted to only the whitelisted sites, which are in a separate file. Port 3120 allows access to any site. The browser causing trouble is configured for port 3120, not 4120. Here is my squid.conf file:
# Forward-proxy listener: browsers are configured to use this port explicitly,
# so they send Proxy-Authorization and a proxy_auth ACL can be enforced here.
http_port 3120
# Intercept (NAT-redirected) listener. Intercepted browsers do not know a proxy
# exists and send no Proxy-Authorization header, so proxy_auth cannot be
# enforced on this port; the portX http_access rules later in the file do not
# reference ncsa_users either, so 4120 is whitelist-only, not authenticated.
http_port 4120 intercept
# Disk cache: ufs store under /var/spool/squid3, 500 MB, 16 first-level and
# 256 second-level subdirectories.
cache_dir ufs /var/spool/squid3 500 16 256
The Squid version is 3.1.19. The network is set up with a 192.168.0.x network on the LAN side and a 192.168.1.x network on the Internet side. Both ports 3120 and 4120 require authentication, but port 4120 is meant to be restricted to only the whitelisted sites, which are in a separate file. Port 3120 allows access to any site. The browser causing trouble is configured for port 3120, not 4120. Here is my squid.conf file:
# Forward-proxy listener: browsers point at this port explicitly, so they send
# Proxy-Authorization and the proxy_auth ACL below can be enforced.
http_port 3120
# Intercept (NAT-redirected) listener. Intercepted browsers do not know a proxy
# exists and send no Proxy-Authorization header, so proxy_auth cannot work on
# this port; the portX rules further down do not ask for ncsa_users either.
http_port 4120 intercept
# Disk cache: ufs store under /var/spool/squid3, 500 MB, 16 first-level and
# 256 second-level subdirectories.
cache_dir ufs /var/spool/squid3 500 16 256
# Cache freshness rules. refresh_pattern decides how long a cached object is
# treated as fresh when the origin sent no explicit expiry:
#   <regex> <min minutes> <percent of object age> <max minutes>
# The first matching pattern wins, so the catch-all "." line must stay last.
# These four lines are the stock Squid defaults.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# Never cache CGI or query-string URLs (dynamic content).
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Domains allowed on the restricted port, one per line in the file. dstdomain
# semantics: "example.com" matches only that host, ".example.com" matches the
# host and every subdomain.
acl whitelist dstdomain "/etc/squid3/whitelist.conf"
# Basic authentication via the ncsa_auth helper against an htpasswd-style file.
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
# Number of helper processes. NOTE(review): if the helpers are saturated or
# slow, or answer ERR (for example while the passwd file is being rewritten),
# the lookup fails and Squid re-challenges the browser with a 407, which would
# look like the "prompts for a minute or two, then fine" symptom. Check
# cache.log around the times users see prompts and raise this value if helper
# queue warnings appear.
auth_param basic children 6
# Realm string shown in the browser's login dialog.
auth_param basic realm Squid proxy-caching web server
# How long a successful helper answer is cached before the helper is consulted
# again; a re-check with still-valid credentials does not by itself re-prompt.
auth_param basic credentialsttl 4 hours
# Usernames are matched case-insensitively.
auth_param basic casesensitive off
# Matches any request carrying valid proxy credentials. When a request without
# valid credentials reaches this ACL, Squid replies 407 (proxy authentication
# challenge), which is what makes the browser show its login dialog.
acl ncsa_users proxy_auth REQUIRED
# NOTE(review): this section repeats the refresh_pattern / whitelist /
# auth_param / ncsa_users lines above (minus the ^ftp: pattern). If it really
# is in the file rather than a paste artifact it is redundant and can be
# dropped: repeated auth_param lines just reassign the same values, and
# repeating an acl with the same values only duplicates its entries.
refresh_pattern ^gopher: 1440 0% 1440
# Never cache CGI or query-string URLs (dynamic content).
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
# Catch-all freshness rule; must remain the last refresh_pattern.
refresh_pattern . 0 20% 4320
# Domains allowed on the restricted port, one per line in the file.
acl whitelist dstdomain "/etc/squid3/whitelist.conf"
# Basic authentication via the ncsa_auth helper against an htpasswd-style file.
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
# Number of helper processes.
auth_param basic children 6
# Realm string shown in the browser's login dialog.
auth_param basic realm Squid proxy-caching web server
# How long a successful helper answer is cached before re-checking.
auth_param basic credentialsttl 4 hours
# Usernames are matched case-insensitively.
auth_param basic casesensitive off
# Matches any request carrying valid proxy credentials; a request without them
# that reaches this ACL gets a 407 challenge.
acl ncsa_users proxy_auth REQUIRED
# Cache-manager requests: the legacy cache_object:// URL scheme and the
# /squid-internal-mgr/ path. Used only by the two manager rules below, which
# let localhost query manager pages and deny everyone else.
acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
# Requests originating on the proxy host itself.
acl localhost src 127.0.0.1/32 ::1
# Requests whose destination is the proxy host's own loopback. NOTE(review):
# this ACL is defined but no http_access rule below uses it; the stock
# squid.conf pairs it with "http_access deny to_localhost" so that clients
# cannot reach loopback-only services on the proxy box through the proxy.
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# All private / link-local source ranges. This is far wider than
# allowed_clients (it covers every 192.168.x.x, 10.x.x.x and 172.16/12
# address) and is granted unauthenticated CONNECT access by a rule below.
acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
#acl http proto http
# Destination port accepted for CONNECT tunnels.
acl SSL_ports port 443
# Only referenced by a commented-out rule below; currently unused.
acl port_80 port 80
# Destination ports the proxy will forward plain requests to; everything else
# is refused by "http_access deny !Safe_ports".
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
#list of computers that have access by ip address (one range plus single hosts)
acl allowed_clients src 192.168.0.9-192.168.0.45 192.168.0.53 192.168.0.65 192.168.0.83 192.168.0.90 192.168.0.91 192.168.0.179 192.168.0.186 192.168.0.220 192.168.0.221 192.168.0.244
# Traffic that arrived on the intercept listener. myportname matches the
# http_port name; with no name= option given, the port as written on the
# http_port line is presumably what it matches — confirm if in doubt.
acl portX myportname 4120
# http_access rules are evaluated top to bottom and the first matching line
# wins; every ACL on a line must match. Intercepted traffic is therefore
# decided entirely by the next two lines: whitelisted domains are allowed,
# everything else on 4120 is denied, and no authentication is involved
# (proxy_auth cannot be enforced on an intercept port in any case, since
# intercepted browsers send no Proxy-Authorization header).
http_access allow portX whitelist
http_access deny portX
# Domains blocked for everyone, one per line in the file.
acl deny_websites dstdomain "/etc/squid3/deny_websites.conf"
# HTTPS (and other) tunnel requests.
acl CONNECT method CONNECT
#acl wuCONNECT dstdomain "/etc/squid3/whitelist.conf"
#acl wuCONNECT dstdomain sls.microsoft.com
#rule allowing nonauthenticated users
#http_access allow http port_80 whitelist
# Unauthenticated CONNECT to whitelisted domains on 443, from any source
# address (there is no src ACL on this line).
http_access allow CONNECT SSL_ports whitelist
#other access rules
#http_access deny !ncsa_users
# NOTE(review): this is the most permissive line in the file. Any client in
# localnet (every private address, not just allowed_clients) may open a
# CONNECT tunnel to any host on any port without authenticating: the rule sits
# above "deny !Safe_ports", the "deny CONNECT !SSL_ports" guard is commented
# out, and it also precedes "deny deny_websites", so the block list never
# applies to HTTPS. It also means HTTPS from the browsers on 3120 never reaches
# the ncsa_users rule. Tighten it (e.g. "allow CONNECT SSL_ports
# allowed_clients ncsa_users") or at least move it below the port checks.
http_access allow CONNECT localnet
# Only non-CONNECT requests reach this line (CONNECT was decided above).
http_access deny deny_websites
# Authenticated access for the listed client addresses. A request from an
# allowed client that carries no (or invalid) credentials makes Squid reply
# 407, which is what raises the browser's login prompt.
http_access allow allowed_clients ncsa_users
http_access deny !allowed_clients
#http_access allow ncsa_users
# Cache-manager access: localhost only.
http_access allow manager localhost
http_access deny manager
# NOTE(review): the stock squid.conf places "deny !Safe_ports",
# "deny CONNECT !SSL_ports" and the manager rules at the very top, before any
# allow line, so they act as a floor for every request. Here they are reached
# only by requests that none of the allow lines above already matched.
http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localhost
#http_access allow localnet
# Final catch-all: anything not explicitly allowed above is refused.
http_access deny all
# NOTE(review): this section repeats the acl / http_access lines above
# verbatim (the deny_websites acl line is cut short in this paste). If these
# lines really are in squid.conf rather than a paste artifact, they are dead
# weight: repeated acl lines only duplicate entries, and every http_access
# line here comes after the first "http_access deny all", which matches every
# request, so none of them can ever be reached.
acl localhost src 127.0.0.1/32 ::1
# Defined but unused; the stock config pairs it with "deny to_localhost".
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# All private / link-local source ranges, much wider than allowed_clients.
acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
#acl http proto http
# Destination port accepted for CONNECT tunnels.
acl SSL_ports port 443
# Only referenced by a commented-out rule; currently unused.
acl port_80 port 80
# Destination ports the proxy will forward plain requests to.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
#list of computers that have access by ip address (one range plus single hosts)
acl allowed_clients src 192.168.0.9-192.168.0.45 192.168.0.53 192.168.0.65 192.168.0.83 192.168.0.90 192.168.0.91 192.168.0.179 192.168.0.186 192.168.0.220 192.168.0.221 192.168.0.244
# Traffic that arrived on the intercept listener (port 4120).
acl portX myportname 4120
# Intercepted traffic: whitelisted domains allowed, everything else denied,
# with no authentication (proxy_auth cannot work on an intercept port).
http_access allow portX whitelist
http_access deny portX
# Domains blocked for everyone. This line is truncated in the paste; the full
# form appears earlier in the file.
acl deny_websites dstdomain "/etc/squid3/deny_websites.
# HTTPS (and other) tunnel requests.
acl CONNECT method CONNECT
#acl wuCONNECT dstdomain "/etc/squid3/whitelist.conf"
#acl wuCONNECT dstdomain sls.microsoft.com
#rule allowing nonauthenticated users
#http_access allow http port_80 whitelist
# Unauthenticated CONNECT to whitelisted domains on 443, from any source.
http_access allow CONNECT SSL_ports whitelist
#other access rules
#http_access deny !ncsa_users
# NOTE(review): unauthenticated CONNECT to any host and port for every
# private source address; it precedes "deny !Safe_ports" and
# "deny deny_websites", and the "deny CONNECT !SSL_ports" guard is commented
# out. Restrict it to allowed_clients ncsa_users on SSL_ports, or move it
# below the port checks.
http_access allow CONNECT localnet
# Only non-CONNECT requests reach this line.
http_access deny deny_websites
# Authenticated access for the listed client addresses; missing or invalid
# credentials here produce the 407 challenge that prompts the browser.
http_access allow allowed_clients ncsa_users
http_access deny !allowed_clients
#http_access allow ncsa_users
# Cache-manager access: localhost only.
http_access allow manager localhost
http_access deny manager
# Port and manager guards; stock config places these before any allow line.
http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localhost
#http_access allow localnet
# Final catch-all: anything not explicitly allowed above is refused.
http_access deny all
If
the conf file is a mess, or has some problems, feel free to say so, as I
don't know what all of the directives in it are for. I marked a couple
of lines I don't understand. I would be happy for it to be optimized
more if anyone has ideas.
Thanks,
PH

On Mon, Dec 11, 2017 at 7:16 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 12/12/17 11:04, Paul Hackmann wrote:
Has anyone had the instance where the proxy will ask the user to authenticate several times as they are browsing the web? I have been seeing this as a random occurrence for some of the users on the server. It will pop up a login prompt in the browser repeatedly for a minute or two. Then it will settle down and be fine for hours. I'm trying to track it down, but I can't find anything amiss. The access logs haven't shown anything unusual. I am using basic authentication with the proxy settings set in Firefox. Is this something that a spike in traffic on the server could cause? Anybody have any suggestions? The server is Linux-based.
What version of Squid?
What ACLs and http_access configuration?
Amos