[squid-users] ncsa_auth problem

From: Shortridge, Mark <mark.shortridge@dont-contact.us>
Date: Mon, 13 Jun 2005 10:01:57 -0500

I have SquidNT (squid/2.5.STABLE3-NT-CVS) installed on a Windows 2003
server. It works fine with no authentication. I want to use the
ncsa_auth.exe authentication helper that came with squid, but have not been
successful. I can see in the cache.log that squid starts the ncsa_auth
helper, but I'm not sure if I am writing the password file correctly.

Cache.log

2005/06/13 08:40:03| Squid Cache (Version 2.5.STABLE3-NT-CVS): Exiting normally.
2005/06/13 08:40:12| Starting Squid Cache version 2.5.STABLE3-NT-CVS for i686-pc-winnt...
2005/06/13 08:40:12| Running as Squid_Proxy Windows System Service on Windows Server 2003
2005/06/13 08:40:12| Service command line is:
2005/06/13 08:40:12| Process ID 860
2005/06/13 08:40:12| With 2048 file descriptors available
2005/06/13 08:40:12| With 2048 CRT stdio descriptors available
2005/06/13 08:40:12| Windows sockets initialized
2005/06/13 08:40:12| Performing DNS Tests...
2005/06/13 08:40:12| Successful DNS name lookup tests...
2005/06/13 08:40:12| DNS Socket created at 0.0.0.0, port 1821, FD 4
2005/06/13 08:40:12| Adding nameserver 204.65.1.194 from Registry
2005/06/13 08:40:12| Adding nameserver 67.67.199.122 from Registry
2005/06/13 08:40:12| Adding nameserver 204.65.1.194 from Registry
2005/06/13 08:40:12| Adding nameserver 67.67.199.122 from Registry
2005/06/13 08:40:12| helperOpenServers: Starting 10 'ncsa_auth.exe' processes
2005/06/13 08:40:12| User-Agent logging is disabled.
2005/06/13 08:40:12| Referer logging is disabled.
2005/06/13 08:40:12| pinger: ICMP socket opened
2005/06/13 08:40:13| pinger: Squid socket opened
2005/06/13 08:40:12| Pinger socket opened on FD 47
2005/06/13 08:40:12| Unlinkd pipe opened on FD 50
2005/06/13 08:40:12| Swap maxSize 102400 KB, estimated 7876 objects
2005/06/13 08:40:12| Target number of buckets: 393
2005/06/13 08:40:12| Using 8192 Store buckets
2005/06/13 08:40:12| Max Mem size: 8192 KB
2005/06/13 08:40:12| Max Swap size: 102400 KB
2005/06/13 08:40:12| Rebuilding storage in D:\Squid/cache (CLEAN)
2005/06/13 08:40:12| Using Least Load store dir selection
2005/06/13 08:40:12| Set Current Directory to D:\Squid/cache
2005/06/13 08:40:12| Loaded Icons.
2005/06/13 08:40:12| Accepting HTTP connections at 0.0.0.0, port 80, FD 59.
2005/06/13 08:40:12| Accepting ICP messages at 0.0.0.0, port 3130, FD 60.
2005/06/13 08:40:12| Accepting HTCP messages on port 4827, FD 61.
2005/06/13 08:40:12| Accepting SNMP messages on port 3401, FD 62.
2005/06/13 08:40:13| NETDB state reloaded; 166 entries, 94 msec
2005/06/13 08:40:13| Ready to serve requests.
2005/06/13 08:40:13| Configuring Parent icupub.twc.state.tx.us/80/0
2005/06/13 08:40:13| Store rebuilding is 97.2% complete
2005/06/13 08:40:13| Done reading D:\Squid/cache swaplog (4212 entries)
2005/06/13 08:40:13| Finished rebuilding storage from disk.
2005/06/13 08:40:13| 4212 Entries scanned
2005/06/13 08:40:13| 0 Invalid entries.
2005/06/13 08:40:13| 0 With invalid flags.
2005/06/13 08:40:13| 4212 Objects loaded.
2005/06/13 08:40:13| 0 Objects expired.
2005/06/13 08:40:13| 0 Objects cancelled.
2005/06/13 08:40:13| 0 Duplicate URLs purged.
2005/06/13 08:40:13| 0 Swapfile clashes avoided.
2005/06/13 08:40:13| Took 0.1 seconds (29872.3 objects/sec).
2005/06/13 08:40:13| Beginning Validation Procedure
2005/06/13 08:40:13| Completed Validation Procedure
2005/06/13 08:40:13| Validated 4212 Entries
2005/06/13 08:40:13| store_swap_size = 37236k
2005/06/13 08:40:13| storeLateRelease: released 0 objects

For the password file, I have a file called password.txt, and I have a
username and a password separated by a colon: username:password. Is this
correct?
 test:test
 shortma1:5t43tv

Conf.cmd

echo auth_param basic program D:/Squid/libexec/ncsa_auth.exe D:/Squid/pwd/password.txt >> %CONFFILE%
echo auth_param basic children 10 >> %CONFFILE%
echo auth_param basic realm SquidNT >> %CONFFILE%
echo auth_param basic credentialsttl 30 minutes >> %CONFFILE%

echo acl all src 0.0.0.0/0.0.0.0 >> %CONFFILE%
echo acl manager proto cache_object >> %CONFFILE%
echo acl localhost src 127.0.0.1/255.255.255.255 >> %CONFFILE%
echo acl to_localhost dst 127.0.0.0/8 >> %CONFFILE%
echo acl SSL_ports port 443 563 >> %CONFFILE%
echo acl Safe_ports port 80 # http >> %CONFFILE%
echo acl Safe_ports port 21 # ftp >> %CONFFILE%
echo acl Safe_ports port 443 563 # https, snews >> %CONFFILE%
echo acl Safe_ports port 70 # gopher >> %CONFFILE%
echo acl Safe_ports port 210 # wais >> %CONFFILE%
echo acl Safe_ports port 1025-65535 # unregistered ports >> %CONFFILE%
echo acl Safe_ports port 280 # http-mgmt >> %CONFFILE%
echo acl Safe_ports port 488 # gss-http >> %CONFFILE%
echo acl Safe_ports port 591 # filemaker >> %CONFFILE%
echo acl Safe_ports port 777 # multiling http >> %CONFFILE%
echo acl CONNECT method CONNECT >> %CONFFILE%
echo acl MYLAN src %IP1%-%IP2%/%NETMASK% >> %CONFFILE%
rem echo treats a lone caret as an escape and would drop it; the doubled caret writes a literal caret to squid.conf
echo acl TWC url_regex -i ^^.twc.state.tx.us >> %CONFFILE%
echo acl TWC2 url_regex -i .twc.state.tx.us$ >> %CONFFILE%
echo acl users proxy_auth REQUIRED >> %CONFFILE%
echo # acl BadSites url_regex -i "D:/blacklists/warez/badsites.txt" >> %CONFFILE%
echo acl PornSites url_regex -i "D:/blacklists/porn/domain.txt" >> %CONFFILE%
echo acl Porn_Urls url_regex -i "D:/blacklists/porn/Porn_Urls.txt" >> %CONFFILE%
echo # acl warez url_regex -i "D:/blacklists/warez/domains.txt" >> %CONFFILE%
echo # TAG: http_access >> %CONFFILE%
echo # Allowing or Denying access based on defined access lists >> %CONFFILE%
echo # >> %CONFFILE%
echo # Access to the HTTP port: >> %CONFFILE%
echo # http_access allow//deny [!]aclname ... >> %CONFFILE%
echo # >> %CONFFILE%
echo # NOTE on default values: >> %CONFFILE%
echo # >> %CONFFILE%
echo # If there are no "access" lines present, the default is to deny >> %CONFFILE%
echo # the request. >> %CONFFILE%
echo # >> %CONFFILE%
echo # If none of the "access" lines cause a match, the default is the >> %CONFFILE%
echo # opposite of the last line in the list. If the last line was >> %CONFFILE%
echo # deny, then the default is allow. Conversely, if the last line >> %CONFFILE%
echo # is allow, the default will be deny. For these reasons, it is a >> %CONFFILE%
echo # good idea to have an "deny all" or "allow all" entry at the end >> %CONFFILE%
echo # of your access lists to avoid potential confusion. >> %CONFFILE%
echo # >> %CONFFILE%
echo # Default: >> %CONFFILE%
echo # http_access allow all >> %CONFFILE%
echo # >> %CONFFILE%
echo # Recommended minimum configuration: >> %CONFFILE%
echo # >> %CONFFILE%
echo # Only allow cachemgr access from localhost >> %CONFFILE%
echo http_access allow manager localhost >> %CONFFILE%
echo #http_access deny manager >> %CONFFILE%
echo http_access allow users >> %CONFFILE%
echo http_access deny !users >> %CONFFILE%
echo # Deny requests to unknown ports >> %CONFFILE%
echo http_access deny !Safe_ports >> %CONFFILE%
echo # Deny CONNECT to other than SSL ports >> %CONFFILE%
echo http_access deny CONNECT !SSL_ports >> %CONFFILE%
echo # >> %CONFFILE%
echo # We strongly recommend to uncomment the following to protect innocent >> %CONFFILE%
echo # web applications running on the proxy server who think that the only >> %CONFFILE%
echo # one who can access services on "localhost" is a local user >> %CONFFILE%
echo # http_access deny to_localhost >> %CONFFILE%
echo # >> %CONFFILE%
echo # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS >> %CONFFILE%
echo # Example rule allowing access from your local networks. Adapt >> %CONFFILE%
echo # to list your (internal) IP networks from where browsing should >> %CONFFILE%
echo # be allowed >> %CONFFILE%
echo # acl our_networks src 192.168.1.0/24 192.168.2.0/24 >> %CONFFILE%
echo # http_access allow our_networks >> %CONFFILE%
echo # And finally deny all other access to this proxy >> %CONFFILE%
echo http_access allow TWC >> %CONFFILE%
echo http_access allow TWC2 >> %CONFFILE%
echo # http_access deny BadSites >> %CONFFILE%
echo http_access deny PornSites >> %CONFFILE%
echo http_access deny Porn_Urls >> %CONFFILE%
echo # http_access deny warez >> %CONFFILE%
echo http_access allow MYLAN >> %CONFFILE%
echo http_access deny all >> %CONFFILE%

The web browser comes up and prompts for a username and password but will
not let me get to the internet. I just get the prompt again.

Access.log

1118669439.698 0 10.7.6.30 TCP_DENIED/407 1867 GET http://toolbar.netcraft.com/updates/localblock.dat - NONE/- text/html
1118669440.291 0 10.7.6.30 TCP_DENIED/407 1885 GET http://toolbar.netcraft.com/check_url/http://www.msn.com - NONE/- text/html
1118669440.291 0 10.7.6.30 TCP_DENIED/407 1885 GET http://toolbar.netcraft.com/check_url/http://www.msn.com - NONE/- text/html
1118669440.526 0 10.7.6.30 TCP_DENIED/407 1774 GET http://www.msn.com/ - NONE/- text/html
1118669440.526 0 10.7.6.30 TCP_DENIED/407 1774 GET http://www.msn.com/ - NONE/- text/html
1118669663.088 31 10.7.6.30 TCP_DENIED/407 1774 GET http://www.msn.com/ - NONE/- text/html
1118669663.698 0 10.7.6.30 TCP_DENIED/407 1774 GET http://www.msn.com/ test NONE/- text/html
1118669669.119 31 10.7.6.30 TCP_DENIED/407 1774 GET http://www.msn.com/ - NONE/- text/html
1118669669.307 31 10.7.6.30 TCP_DENIED/407 1832 GET http://toolbarqueries.google.com/search? - NONE/- text/html
1118669669.338 31 10.7.6.30 TCP_DENIED/407 1832 GET http://toolbarqueries.google.com/search? - NONE/- text/html
1118669922.526 32 10.7.6.30 TCP_DENIED/407 1885 GET http://toolbar.netcraft.com/check_url/http://www.msn.com - NONE/- text/html
1118669922.557 31 10.7.6.30 TCP_DENIED/407 1885 GET http://toolbar.netcraft.com/check_url/http://www.msn.com - NONE/- text/html
1118669926.635 31 10.7.6.30 TCP_DENIED/407 1885 GET http://toolbar.netcraft.com/check_url/http://www.msn.com - NONE/- text/html
1118669932.057 31 10.7.6.30 TCP_DENIED/407 1885 GET http://toolbar.netcraft.com/check_url/http://www.msn.com - NONE/- text/html
1118669933.682 0 10.7.6.30 TCP_DENIED/407 1885 GET http://toolbar.netcraft.com/check_url/http://www.msn.com shortma1 NONE/- text/html
1118669934.463 0 10.7.6.30 TCP_DENIED/407 1774 GET http://www.msn.com/ shortma1 NONE/- text/html
1118669934.463 0 10.7.6.30 TCP_DENIED/407 1774 GET http://www.msn.com/ shortma1 NONE/- text/html
1118669935.869 0 10.7.6.30 TCP_DENIED/407 1832 GET http://toolbarqueries.google.com/search? shortma1 NONE/- text/html
1118669935.869 0 10.7.6.30 TCP_DENIED/407 1832 GET http://toolbarqueries.google.com/search? shortma1 NONE/- text/html

Any help or suggestions are very much appreciated.

====================================
Mark Shortridge
i-Net+, Network+
Computer Support Specialist
North East Texas Workforce Development Board
903-794-9490 ext. 106
903-794-4884 fax
====================================
Received on Mon Jun 13 2005 - 09:02:06 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Jul 01 2005 - 12:00:02 MDT
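The password file is the point to check: ncsa_auth reads an htpasswd-style file in which the password field is a hash, not the clear-text password, so an entry such as `test:test` is answered ERR and the browser re-prompts, which is exactly what the 407 lines in the access.log above show. The following is an added example, not code from the post or from Squid, that builds and verifies `$apr1$` (MD5) htpasswd entries in Python, answers OK/ERR the way a basic auth helper does, and flags entries stored in the clear; it assumes the helper build accepts the `$apr1$` form (classic crypt(3) entries are the other common format), and the function names and the salt `SaltSalt` are the example's own.

```python
import hashlib
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # crypt-style base64: lowest 6 bits first, using the ./0-9A-Za-z alphabet
    return bytes(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def apr1_hash(password: bytes, salt: bytes) -> str:
    # MD5-crypt with the Apache "$apr1$" magic, the format that htpasswd -m writes.
    magic = b"$apr1$"
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for n in range(len(password), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(password)
    while n:
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 stretching rounds with md5crypt's alternating inputs
        parts = (password if i & 1 else final, salt if i % 3 else b"",
                 password if i % 7 else b"", final if i & 1 else password)
        final = hashlib.md5(b"".join(parts)).digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = b"".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    return (magic + salt + b"$" + enc + _to64(final[11], 2)).decode()

def make_entry(user, password, salt):
    # One htpasswd-style line "user:$apr1$salt$hash"; salt is up to 8 chars from ITOA64.
    return f"{user}:{apr1_hash(password.encode(), salt.encode())}"

def load_passwd(text):
    # user:password lines; leading spaces (as in the posted file) and # comments are tolerated.
    lines = (l.strip() for l in text.splitlines())
    return dict(l.split(":", 1) for l in lines if l and not l.startswith("#") and ":" in l)

def plaintext_entries(entries):
    # Users whose password field is not an $apr1$ hash, i.e. the password is stored in the clear.
    return [u for u, pw in entries.items() if not pw.startswith("$apr1$")]

def check(entries, user, password):
    # Answer one "user password" line the way a basic auth helper does: "OK" or "ERR".
    stored = entries.get(user, "")
    if not stored.startswith("$apr1$"):  # unknown user, or a password stored in the clear
        return "ERR"
    salt = stored.split("$")[2].encode()
    return "OK" if secrets.compare_digest(apr1_hash(password.encode(), salt), stored) else "ERR"
```

Running `plaintext_entries(load_passwd(open("password.txt").read()))` over the posted file lists every user whose entry the helper can never accept; rewriting those lines with `make_entry` (or with Apache's `htpasswd -m`) is the fix.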