Search squid archive

Re: Update from Squid 4 to Squid 5 :

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 10/11/2022 4:50 am, Bertrand Friconneau wrote:

Hi Everyone,

I've got Squid 4.10 on Ubuntu 20.10 LTS

I try to upgrade my server to Ubuntu 22.04 LTS

But the users couldn't get internet no more.

Here is the log in /var/log/squid/access.log :
1668004454.050      0 172.22.200.1 TCP_DENIED/407 3951 CONNECT drive.google.com:443 - HIER_NONE/- text/html 1668004454.052      0 172.22.200.1 TCP_DENIED/407 3951 CONNECT drive.google.com:443 - HIER_NONE/- text/html 1668004454.057      0 172.22.200.1 TCP_DENIED/407 3951 CONNECT drive.google.com:443 - HIER_NONE/- text/html 1668004454.063      1 172.22.200.1 TCP_DENIED/407 4454 CONNECT drive.google.com:443 - HIER_NONE/- text/html 1668004454.076     10 172.22.200.1 NONE_NONE/500 0 CONNECT drive.google.com:443 infoe HIER_NONE/- - 

And on the client :
ERR_TUNNEL_CONNECTION_FAILED
According to this page : https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm 
The cause is due to challenge-response process of NTLM

How can I solve it ?

Regards

Bertrand Friconneau
------------------------------------------------------------------------------------------------------------------------------------------------------- 
Here is my config file of squid :

dns_v4_first on
visible_hostname squid
Please use an actual FQDN hostname. This is the proxies "visible" hostname - eg sent as the domain name for URLs in error pages etc. 



error_directory /usr/share/squid/errors/French


These days it would be better to use:

  error_default_language fr

or at least
  error_directory /usr/share/squid-langpack/fr
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp 
auth_param ntlm children 250
auth_param ntlm keep_alive off


...


http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager


or maybe limit manager access to administrationzone


http_access deny manager



custom access policy rules should be down here:


http_access allow sitebypass
http_access deny tor
http_access deny url_exe



http_access allow administrationzone
#http_access allow pedagozone
#http_access allow xibozone


All these below are of the same ACL type and all "allow" actions.
Therefore you can combine them into one ACL definition.


http_access allow informatiquezone
http_access allow secuzone
http_access allow srvzone



http_access allow ntlm


What about invalid logins, missing logins etc?
We highly recommend that the line triggering auth is a "deny" policy to reject all those. 

   http_access deny !ntlm

... then you allow what can be done by logged in accounts.

  http_access allow localnet
or
 http_access allow all
You may see a behaviour difference with this change to how Squid handles the login. After doing it, of the problem continues try to get some debug information from the auth helper to see what it is getting from the client and why that is not being accepted.
PS. Since you have Kerberos available, please consider moving away from NTLM to using Negotiate/Kerberos auth. It has both better security and far better performance for the proxy. 

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux