Re: [squid-users] Not Authorizing ---> nsca_auth

From: Waitman C. Gobble, II <waitman@dont-contact.us>
Date: 13 Dec 2002 07:38:04 -0800

On Fri, 2002-12-13 at 11:21, Mahesh Kudva wrote:
> First: My cache is asking for authentication but if I give a valid user name
> and password it does not accept.
> I have pointed it to my system user list.
> Setup is running on Redhat 7.3, Squid 2.5s1.

Hello,

It looks like you have the ncsa module installed and configured. If you
built from source, did you do a

        ./configure --enable-basic-auth-helpers="NCSA"

1) Did you set up a password file using htpasswd?

        htpasswd -c /path/to/myfile thefirstuser
        htpasswd /path/to/myfile theseconduser

2) Did you tell squid about the file in squid.conf?

ex:

        authenticate_program /usr/bin/ncsa_auth /usr/etc/passwd

3) Check the permissions on the file, they are probably set 600 by
htpasswd, so it could be that squid can't read it. Either make the squid
user the owner of the password file, or change the permissions so that
the squid user can read it.

        [root@r1 squid-2.5.STABLE1]# htpasswd -c test test
        New password: test
        Re-type new password: test
        Adding password for user test
        [root@r1 squid-2.5.STABLE1]# ls -l test
        -rw------- 1 root root 19 Dec 13 07:33 test

> Second: Squid prompts me for authentication only if I use browser proxy. How
> can I overcome this ????? I want authentication even if the browser proxy is
> not put .....
>

You can do a couple of things. You could block port 80 (well probably
all) access to your clients, or you could set up a transparent proxy in
between your clients and the outside. Normally forwarding is done with a
router at the gateway.

If you block outside access, you will likely have trouble with third
party software, like instant messengers, automatic updates, etc.
Especially if they don't support a proxy. You will likely want to set up
a socks proxy somewhere to handle non-http service.

If you use a transparent proxy without changing the client settings,
then I believe name resolution is performed on the client so you would
have to allow access to port 53 tcp/udp through your firewall if the DNS
server is remote. However I think I would just run DNS on the squid
machine, or another local machine.

Take care,

-- 
Waitman Gobble         EMK Design     Buena Park, California
http://emkdesign.com   +1.7145222528   waitman@emkdesign.com
Public Key                          http://pgp.emkdesign.com
Find an example                    http://freakinexample.com

Received on Fri Dec 13 2002 - 08:36:21 MST
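
The permission check from step 3 of the message above, as an added example that is not part of the original post. It works out from the mode, owner and group whether a given account can read the htpasswd file. The function names and the group name "squid" are assumptions, and check_pwfile assumes GNU stat.

```shell
#!/bin/sh
# can_read MODE OWNER GROUP USER "USER_GROUPS"
# Returns 0 if USER may read a file with the given octal MODE, OWNER and GROUP.
# Only the file's own mode bits are modelled: no ACLs, no parent directories.
can_read() {
    cr_mode=$(printf '%04o' "0$1") || return 2   # normalise to 4 octal digits
    cr_owner=$2; cr_group=$3; cr_user=$4; cr_groups=$5
    if [ "$cr_user" = root ]; then return 0; fi  # root bypasses read bits
    cr_u=${cr_mode%??}; cr_u=${cr_u#?}           # owner digit
    cr_g=${cr_mode%?};  cr_g=${cr_g#??}          # group digit
    cr_o=${cr_mode#???}                          # other digit
    # The kernel picks exactly one class: owner, else group, else other.
    if [ "$cr_user" = "$cr_owner" ]; then
        cr_bits=$cr_u
    else
        cr_bits=$cr_o
        for cr_x in $cr_groups; do
            if [ "$cr_x" = "$cr_group" ]; then cr_bits=$cr_g; fi
        done
    fi
    [ $((cr_bits & 4)) -ne 0 ]
}

# check_pwfile FILE USER: same check against a real file (GNU stat assumed).
check_pwfile() {
    cp_meta=$(stat -c '%a %U %G' "$1") || return 2
    cp_groups=$(id -Gn "$2") || return 2
    set -- "$2" $cp_meta
    can_read "$2" "$3" "$4" "$1" "$cp_groups"
}

# Constructed cases; the first matches the ls -l output in the message.
for c in "600 root root" "600 squid squid" "640 root squid" "644 root root"; do
    set -- $c
    if can_read "$1" "$2" "$3" squid "squid"; then r=yes; else r=NO; fi
    printf '%-4s %-6s %-6s squid can read: %s\n' "$1" "$2" "$3" "$r"
done
```

Of the readable cases, owner squid with mode 600 or group squid with mode 640 keeps the password hashes unreadable by other local accounts, while 644 exposes them to every user on the machine.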
