FW: [squid-users] proxy_auth help

From: Chris Tatro <k0rnshell@dont-contact.us>
Date: Thu, 07 Nov 2002 09:34:46 -0500

Here is a cleaned up version of my squid.conf

You can see exactly why I am not allowed to view the cache
manager: it is denied by my restricted users
rule. Is there a way for me to get around having to
authenticate for the cache manager? If I remove the rules
below from my squid.conf:

http_access allow restricted_users restricted_users_websites http_ports my_network
http_access allow unrestricted_users all http_ports my_network

I am then allowed to go into the cache manager. So it is
something about these rules that is causing the problem.

I have turned "debug_options ALL,1 28,9" on in
squid.conf to debug my ACLs and I get the following in the
cache.log when I try to access the Cache manager:

2002/11/07 05:15:51| The request GET http://172.16.1.226:10000/syslog/save_log.cgi?idx=10&view=1 is ALLOWED, because it matched 'my_network'

2002/11/07 05:15:52| The reply for GET http://172.16.1.226:10000/syslog/save_log.cgi?idx=10&view=1 is ALLOWED, because it matched 'all'

2002/11/07 05:16:56| The request GET cache_object://localhost/ is DENIED, because it matched 'restricted_users'

2002/11/07 05:16:56| The reply for GET cache_object://localhost/ is ALLOWED, because it matched 'all'

So the problem is definitely an ACL problem but I for the
life of me can't figure it out. Thank you so much for your
help so far, it has helped me pinpoint the problem further,
if only I could fix it now :). Do you have any
further ideas?

Below I have pasted my entire squid.conf and I have also
attached the file for your convenience.

http_port 8080
icp_port 0
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
acl squidserver dst 172.16.1.226/255.255.255.255
no_cache deny QUERY squidserver

maximum_object_size 50 MB

cache_dir ufs /var/spool/squid 5000 16 256

debug_options ALL,1 33,2

auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/lib/squid/wb_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

positive_dns_ttl 2 day

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl http_ports port 80 443 563 10000

acl CONNECT method CONNECT
acl proxy_server dst 172.16.1.226/255.255.255.255
acl restricted_users_websites dstdomain "/etc/squid/restricted_users_websites.txt"
acl my_network src 172.16.0.0-172.25.0.0/255.255.0.0

acl unrestricted_users proxy_auth "/etc/squid/unrestricted_users.txt"
acl restricted_users proxy_auth "/etc/squid/restricted_users.txt"

acl downloads rep_mime_type "/etc/squid/mime_type_blocked_download.txt"
acl blocked_urls url_regex "/etc/squid/blocked_urls.txt"
acl available_download_websites dstdomain "/etc/squid/available_download_websites.txt"

http_access deny blocked_urls

http_access allow restricted_users restricted_users_websites http_ports my_network
http_access allow unrestricted_users all http_ports my_network
http_access allow proxy_server http_ports my_network

http_access allow manager localhost
miss_access allow all

http_access allow localhost
http_access deny all

http_reply_access allow available_download_websites
http_reply_access deny downloads
http_reply_access allow all

icp_access allow all
cache_mgr JacobsA@WausauHomes.com;WizaB@WausauHomes.com;TatroC@WausauHomes.com
visible_hostname SQUID
memory_pools off
coredump_dir /var/spool/squid

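Added example, not part of Chris's or Edward's messages: the http_access section of the squid.conf above, reordered so the cache manager is decided before any line containing a proxy_auth ACL. Squid evaluates http_access lines top-down and stops at the first line whose ACLs all match. A line that contains a proxy_auth ACL cannot be decided for a request that carries no Proxy-Authorization header, so Squid answers with a 407 challenge at that line and never reaches the later "allow manager localhost" rule; cachemgr.cgi sends no proxy credentials, which is what the cache.log entry "cache_object://localhost/ is DENIED, because it matched 'restricted_users'" is showing. The nopasswd_hosts ACL and its two addresses are hypothetical placeholders for the two machines Chris asked about, as is the cachemgr_passwd value. Note that a single host needs a /255.255.255.255 mask (as the config's own localhost and proxy_server lines already use); a /255.255.0.0 mask on a host address matches the whole /16.

```conf
# Added example (not from the thread): http_access section of the squid.conf
# above, reordered so that cache manager and no-password host rules are
# matched before any rule that contains a proxy_auth ACL.
# Squid 2.5 syntax, matching the directives already used in this file.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl my_network src 172.16.0.0-172.25.0.0/255.255.0.0
acl http_ports port 80 443 563 10000

# Hypothetical: the two machines that must pass without authenticating.
# Placeholder addresses; each needs a host mask, not the /16 network mask.
acl nopasswd_hosts src 172.16.1.50/255.255.255.255 172.16.1.51/255.255.255.255

acl unrestricted_users proxy_auth "/etc/squid/unrestricted_users.txt"
acl restricted_users proxy_auth "/etc/squid/restricted_users.txt"
acl restricted_users_websites dstdomain "/etc/squid/restricted_users_websites.txt"
acl blocked_urls url_regex "/etc/squid/blocked_urls.txt"

# 1. Cache manager first, on lines with no proxy_auth ACL. Only the host
#    running cachemgr.cgi (here localhost, as in the cache.log entry) may
#    use it; every other cache_object request is refused before any
#    authentication challenge can happen.
http_access allow manager localhost
http_access deny manager

# Optional: a cache manager password, typed into cachemgr.cgi itself rather
# than sent as proxy credentials. "changeme" is a placeholder.
cachemgr_passwd changeme all

# 2. Hosts that must never be challenged for credentials, also before auth.
http_access allow nopasswd_hosts http_ports

# 3. Everything below this point may hit a proxy_auth ACL and be challenged.
http_access deny blocked_urls
http_access allow restricted_users restricted_users_websites http_ports my_network
http_access allow unrestricted_users http_ports my_network
http_access allow localhost
http_access deny all
```

After editing, "squid -k parse" checks the file for syntax errors and "squid -k reconfigure" loads it into the running proxy; the existing "debug_options ALL,1 28,9" setting will then show the cache_object://localhost/ request being ALLOWED on 'localhost' instead of DENIED on 'restricted_users'.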
-----Original Message-----
From: Edward Mann [mailto:edward@arctechnology.com]
Sent: Wednesday, November 06, 2002 5:53 PM
To: Chris Tatro
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] proxy_auth help

Chris,

wb_group you don't need, that was just something out of my
setup.

Can you send me your entire config file? I have re-ordered
things to work the way that I have mine set up.

auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/lib/squid/wb_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl http_ports port 1-65000

#acl CONNECT method CONNECT
acl proxy_server dst 172.16.1.226/255.255.255.255
acl restricted_users_websites dstdomain "/etc/squid/restricted_users_websites.txt"
acl my_network src 172.16.0.0-172.25.0.0/255.255.0.0

external_acl_type NT_auth %LOGIN /usr/lib/squid/wb_auth
acl FullAccess external NT_auth all

acl unrestricted_users proxy_auth "/etc/squid/unrestricted_users.txt"
acl restricted_users proxy_auth "/etc/squid/restricted_users.txt"

acl downloads rep_mime_type "/etc/squid/mime_type_blocked_download.txt"
acl blocked_urls url_regex "/etc/squid/blocked_urls.txt"
acl available_download_websites dstdomain "/etc/squid/available_download_websites.txt"

http_access deny blocked_urls
http_access allow restricted_users restricted_users_websites http_ports my_network
http_access allow unrestricted_users all http_ports my_network
http_access allow proxy_server http_ports my_network
http_access allow FullAccess

http_access allow manager localhost
http_access allow manager FullAccess

Okay this is all i can think of right now. I am in the
middle of re-ip addressing our network, so my brain is a
little scattered. Talk to you later.

On Wed, 2002-11-06 at 13:43, Chris Tatro wrote:
> Below I have pasted my acls, http_access and auth_param lines. I tried
> what you suggested Edward but I am still not having any luck. Do I
> need to type some kind of password and user name in to get at the
> Cache Manager through Webmin? Before I turned proxy_auth on I never had
> to type in a password and user name to get at the Cache
> manager, I simply changed the port number to 8080. I
> know it has to be something simple I am doing wrong but I
> for the life of me can't figure it out.
> Also Edward I do not have a wb_group module, I have a
> wb_auth module. I am running samba 2.2.6. Am I supposed to
> have a wb_group module?
>
> Thanks for the help so far it is very appreciated.
>
>
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl http_ports port 1-65000
>
> acl CONNECT method CONNECT
> acl proxy_server dst 172.16.1.226/255.255.255.255
> acl restricted_users_websites dstdomain "/etc/squid/restricted_users_websites.txt"
> acl my_network src 172.16.0.0-172.25.0.0/255.255.0.0
>
> external_acl_type NT_auth %LOGIN /usr/lib/squid/wb_auth
> acl FullAccess external NT_auth all
>
> acl unrestricted_users proxy_auth "/etc/squid/unrestricted_users.txt"
> acl restricted_users proxy_auth "/etc/squid/restricted_users.txt"
>
> acl downloads rep_mime_type "/etc/squid/mime_type_blocked_download.txt"
> acl blocked_urls url_regex "/etc/squid/blocked_urls.txt"
> acl available_download_websites dstdomain "/etc/squid/available_download_websites.txt"
>
>
>
>
> http_access deny blocked_urls
> http_access allow restricted_users restricted_users_websites http_ports my_network
> http_access allow unrestricted_users all http_ports my_network
> http_access allow proxy_server http_ports my_network
> http_access allow FullAccess
>
> http_access allow manager localhost
> http_access allow manager FullAccess
>
> auth_param ntlm program /usr/lib/squid/wb_ntlmauth
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> auth_param basic program /usr/lib/squid/wb_auth
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
>
>
>
> On 06 Nov 2002 08:58:38 -0600
> Edward Mann <edward@arctechnology.com> wrote:
> >ACLs run in order. Using the ip address, something like
> >this should do the trick.
> >
> >acl nopasswd src 10.251.0.38/255.255.0.0 10.251.0.39/255.255.0.0
> >
> >external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
> >acl FullAccess external NT_global_group internet
> >
> >
> >http_access allow nopasswd
> >http_access allow FullAccess
> >
> >
> >See if that works.
> >
> >On Wed, 2002-11-06 at 05:48, Chris Tatro wrote:
> >> I have all the users authenticating through the NT domain
> >> controller via winbind from samba. How do I write an ACL with
> >> proxy_auth to allow 2 computers to get through without
> >> authenticating? Is this possible?
> >>
> >> Thanks
> >>
> >> >PS I found this post which says what I need to do to
> >> >get my cachemgr.cgi working.
> >>
> >> >You need to allow the host where cachemgr.cgi runs
> >> >access without proxy_auth.
> >>
> >> >I have a small patch to cachemgr.cgi to allow it to be
> >> >used in proxy_auth environments.
> >>
> >> ---
> >> >Henrik Nordstrom
> >> >Spare time Squid hacker
> >>
> >> >Alex Pikus wrote:
> >
>

Received on Thu Nov 07 2002 - 07:34:48 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:11 MST