[squid-users] [2] Authentication problem

From: Viacheslav E.Voytovich <slava@dont-contact.us>
Date: Mon, 21 May 2001 15:33:54 +0800

Hi !

I am using Squid 2.3 STABLE4, and while tuning authentication I ran into
the following problem.
I have this auth configuration:

Auth program is ncsa_auth
authenticate_children 5
authenticate_ttl 1800
authenticate_ip_ttl 1800

acl SiatUsers src 192.168.1.0/255.255.255.0 192.168.10.0/255.255.255.0 192.168.11.0/255.255.255.0 195.239.171.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl Dejur src 192.168.1.7/255.255.255.255
acl BlackList src 192.168.1.107/255.255.255.255 195.239.171.18/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl Password proxy_auth REQUIRED

acl Downloading urlpath_regex -i -nocase "/path/to/file/files.deny"
acl SexSites url_regex -i -nocase "/path/to/file/sites.deny"

acl manager proto cache_object
acl HTTPProtocol proto HTTP

acl DejurTime0 time 00:00-09:00
acl DejurTime1 time 18:30-23:59
acl DejurTime2 time SA

acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT

http_access deny Downloading
http_access deny SexSites
http_access deny BlackList
http_access deny !Password
http_access deny Dejur DejurTime0
http_access deny Dejur DejurTime1
http_access deny Dejur DejurTime2
http_access allow SiatUsers HTTPProtocol
http_access deny SiatUsers !HTTPProtocol
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

Here is the problem.
I send requests from PCs with IPs, for example, 192.168.1.10 and
192.168.1.11, and authenticate myself with the same user/pass on both PCs.
All requests are sent within the authenticate_ttl window.
If I send the first request from 192.168.1.10, the proxy passes it through. But
now all requests from 192.168.1.10 pass through without any auth
questions from the proxy, and the proxy requires requests from
192.168.1.11 to authenticate with user/pass. Besides, the proxy requires
authentication only after any requests have been sent from 192.168.1.10.

In documentation about authenticate_ip_ttl:
"With this option you control how long a proxy authentication will be
bound to a specific IP address. If a request using the same user name is
received during this time then access will be denied and both users are
required to reauthenticate themselves."

Why does Squid require authentication for 192.168.1.11 and not
require it for 192.168.1.10 when I use the same user name on both of these PCs?

I want the user to be reauthenticated when the user sends requests from a
different PC than before.

Where is the problem?

With best regards
Viacheslav Voytovich
Received on Mon May 21 2001 - 01:33:38 MDT
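
A small model of the authenticate_ip_ttl rule exactly as the documentation quoted in the message words it, added here as an illustration (not code from the post or from Squid). The class, the user name "user1" and the event list are constructed, and the point at which the binding window starts is an assumption, since the quote does not say.

```python
from dataclasses import dataclass, field

IP_TTL = 1800  # authenticate_ip_ttl value from the posted configuration


@dataclass
class IpTtlModel:
    """Toy model of the quoted documentation text, not Squid's source code."""
    ip_ttl: int = IP_TTL
    bound: dict = field(default_factory=dict)    # user -> (ip, expiry time)
    pending: dict = field(default_factory=dict)  # user -> IPs that must reauthenticate

    def request(self, user, ip, now, reauthenticated=False):
        waiting = self.pending.setdefault(user, set())
        if ip in waiting:
            if not reauthenticated:
                return "DENY_REAUTH"
            waiting.discard(ip)
        entry = self.bound.get(user)
        if entry and now < entry[1] and entry[0] != ip:
            # Same user name from a second address inside the window:
            # deny, and require both addresses to reauthenticate.
            del self.bound[user]
            waiting.update({entry[0], ip})
            return "DENY_REAUTH"
        if entry is None or now >= entry[1]:
            # Assumption: the window starts when the binding is created.
            self.bound[user] = (ip, now + self.ip_ttl)
        return "ALLOW"


def replay(events, model=None):
    """Run (time, ip, reauthenticated) events for one user; return decisions."""
    model = model or IpTtlModel()
    return [model.request("user1", ip, t, r) for t, ip, r in events]


# Constructed events mirroring the two PCs in the message.
SAMPLE = [
    (0,   "192.168.1.10", True),   # first login
    (60,  "192.168.1.10", False),  # same PC, inside the window
    (120, "192.168.1.11", False),  # second PC, same user name
    (130, "192.168.1.10", False),  # first PC again
    (140, "192.168.1.11", True),   # second PC after re-entering the password
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE, replay(SAMPLE)):
        print(event, decision)
```

Under this reading the request at t=130 from 192.168.1.10 is denied, whereas the message reports that requests from that address kept passing through.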

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:00:12 MST