[squid-users] reverse proxy + authentication

From: Alberto Dondana <alberto.dondana@dont-contact.us>
Date: Tue, 6 Mar 2007 16:44:26 +0100

dear all,

my reverse proxy for OWA with squid2.6stable9 on RH ES4.U1 works fine.

Now I'm trying to add authentication, but I see an unusual behaviour.
For that I'm using squid3 (a daily auto-generated release from last Friday).

My squid.conf:

cache_effective_user squid

cache_effective_group squid

https_port 10.10.145.1:443 accel cert=/usr/local/squid/etc/wmail.crt key=/usr/local/squid/etc/wmail.key defaultsite=dondy.tc-express.it

cache_peer egd-srv-1.tc-express.it parent 443 0 front-end-https=on ssl sslcert=/usr/local/squid/etc/host.crt sslkey=/usr/local/squid/etc/host.key sslflags=DONT_VERIFY_PEER no-query originserver login=PASS

visible_hostname dondy.tc-express.it

auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/passwd
#auth_param basic program /usr/local/squid/libexec/pam_auth
auth_param basic children 2
auth_param basic realm ReverseProxy_ncsa
#auth_param basic realm ReverseProxy_pam
auth_param basic credentialsttl 15 minutes

acl pippo proxy_auth REQUIRED

acl allowed_hosts src 0.0.0.0/0.0.0.0

acl all src 0.0.0.0/0.0.0.0

#http_access allow allowed_hosts

http_access allow allowed_hosts pippo

icp_port 0

redirect_rewrites_host_header off

emulate_httpd_log on

log_fqdn on

logfile_rotate 4

access_log /usr/local/squid/var/logs/access.log

cache_log /usr/local/squid/var/logs/cache.log

cache_store_log /usr/local/squid/var/logs/store.log

never_direct allow all


I'm using 'tce' for the local squid authentication and alberto.dondana for the OWA
basic authentication.

What happens: the two authentication levels seem to work fine, but
immediately my reverse proxy starts sending OWA one packet with the right
user 'alberto.dondana', the second with the wrong user 'tce', then the right
user again and so on, as seen in access.log below:

10.10.145.1 - alberto.dondana [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 2805 TCP_DENIED:NONE

10.10.145.1 - tce [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 412 TCP_MISS:FIRST_UP_PARENT

10.10.145.1 - alberto.dondana [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 2805 TCP_DENIED:NONE

10.10.145.1 - tce [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 412 TCP_MISS:FIRST_UP_PARENT

10.10.145.1 - alberto.dondana [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 2805 TCP_DENIED:NONE

10.10.145.1 - tce [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 412 TCP_MISS:FIRST_UP_PARENT

10.10.145.1 - alberto.dondana [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 2805 TCP_DENIED:NONE

10.10.145.1 - tce [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 412 TCP_MISS:FIRST_UP_PARENT

10.10.145.1 - alberto.dondana [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 2805 TCP_DENIED:NONE

10.10.145.1 - tce [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 412 TCP_MISS:FIRST_UP_PARENT

10.10.145.1 - alberto.dondana [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 2805 TCP_DENIED:NONE

10.10.145.1 - tce [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 412 TCP_MISS:FIRST_UP_PARENT

I reproduced the same behaviour on my PC (Fedora C5).

If I use pam and, locally on the squid server, I add a user with the same
credentials as the OWA one (but I use a different user for the first squid
authentication), everything works well.

Any ideas?


Thanks

Alberto
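Added example, not code from the poster or from the Squid project: a small checker for the symptom described above, run over emulate_httpd_log (CLF-style) access.log lines. It groups 401 responses by client and URL and flags any (client, URL) pair that keeps being challenged under more than one user name, separating Squid's own TCP_DENIED challenges from 401s that came back from the parent (TCP_MISS). The sample lines are constructed to mirror the excerpt in the post; the threshold `min_hits` is an assumed tuning knob.

```python
import re
from collections import defaultdict

# Constructed sample in Squid's emulate_httpd_log format, modelled on the
# access.log excerpt in the post above (not the real log file).
SAMPLE_LOG = """\
10.10.145.1 - alberto.dondana [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 2805 TCP_DENIED:NONE
10.10.145.1 - tce [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 412 TCP_MISS:FIRST_UP_PARENT
10.10.145.1 - alberto.dondana [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 2805 TCP_DENIED:NONE
10.10.145.1 - tce [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 412 TCP_MISS:FIRST_UP_PARENT
10.10.145.2 - bob [06/Mar/2007:16:14:05 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 200 5120 TCP_MISS:FIRST_UP_PARENT
"""

# CLF fields plus Squid's trailing "RESULT:HIERARCHY" tag, which is optional
# so the same parser also accepts plain httpd-style lines.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: (?P<squid>\S+))?$'
)

def parse_line(line):
    """Parse one access.log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_auth_loops(log_text, min_hits=4):
    """Return {(client, url): stats} for every client/URL pair that received
    at least `min_hits` 401s under more than one user name.
    'denied' counts 401s Squid issued itself (TCP_DENIED), 'parent_401' the
    ones that came back from the origin server via a TCP_MISS."""
    buckets = defaultdict(lambda: {"users": set(), "denied": 0, "parent_401": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["status"] != "401":
            continue
        b = buckets[(rec["client"], rec["url"])]
        b["users"].add(rec["user"])
        tag = rec["squid"] or ""
        if tag.startswith("TCP_DENIED"):
            b["denied"] += 1
        elif tag.startswith("TCP_MISS"):
            b["parent_401"] += 1
    return {k: v for k, v in buckets.items()
            if len(v["users"]) > 1 and v["denied"] + v["parent_401"] >= min_hits}

if __name__ == "__main__":
    for (client, url), stats in find_auth_loops(SAMPLE_LOG).items():
        print(client, url, sorted(stats["users"]), stats["denied"], stats["parent_401"])
```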
Received on Tue Mar 06 2007 - 08:45:55 MST

This archive was generated by hypermail pre-2.1.9 : Sat Mar 31 2007 - 13:00:01 MDT