[squid-users] NTLM auth popup boxes

From: Elvar <elvar@dont-contact.us>
Date: Sat, 03 Nov 2007 10:44:22 -0500

Hello all,

I am currently running squid-2.6.14 on FreeBSD 6-STABLE and Squid is
configured to authenticate users to the Active Directory database via
the NTLM plugin. The problem I'm having is that roughly every other
day (sometimes sooner, sometimes later) users start getting a popup box
asking for auth credentials. Normally this is not the case, as
it's handled automatically in the background. I'm forced to restart the
squid proxy server to resolve this. One thing I notice is that every
time it happens the number of squid child processes is greater than the
number listed in squid.conf. Currently I'm set at 'auth_param ntlm
children 150'. I'm not sure what is causing this login popup box but
it's really upsetting my users and I need to figure out a solution. Has
anyone else experienced this? Does anyone have any suggestions?

My squid.conf is listed below.

Kind regards
Elvar

################ Begin squid.conf ################

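# ---- Network and caching basics ----
acl localnet src 192.168.0.0/16
# Listen on the internal interface only.
http_port 192.168.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
cache_dir ufs /usr/local/squid/cache 500 16 256
access_log /usr/local/squid/logs/access.log squid
#cache_log none
cache_log /usr/local/squid/logs/cache.log
cache_store_log none
emulate_httpd_log off
# NOTE(review): log_mime_hdrs writes request/reply headers into access.log;
# confirm whether credential-bearing headers (Proxy-Authorization) are
# included by this Squid version and keep access.log permissions tight.
log_mime_hdrs on
check_hostnames off
auth_param ntlm keep_alive on

# ---- NTLM authentication against Active Directory via Samba's ntlm_auth ----
# The helper command line must be a single line in squid.conf. In the mail it
# was wrapped across three lines; a bare "--helper-protocol=..." line is not a
# valid directive and would be reported as a configuration error at startup.
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-2590255907-4225717938-1771017636-2445
# NOTE(review): the reported popups coincide with more helper processes than
# this value; when it recurs, check cache.log for helper exit/restart messages
# before raising the count further.
auth_param ntlm children 150
# NOTE(review): these two directives are commented out; they are believed to be
# squid-2.5-only and not honoured by 2.6 -- confirm against the 2.6 release notes.
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 5 minutes

# Basic-auth fallback, currently disabled. Rejoined onto one line so that the
# continuation is not left as an uncommented stray directive, and so that
# uncommenting the first line alone yields a complete helper command.
#auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param basic children 5
#auth_param basic realm WT
#auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

### Needed for Windows Update to work ###
# These destinations are allowed for localnet clients without proxy
# authentication; the allow line below is deliberately placed before the
# AuthorizedUsers rule so no 407 challenge is sent for them.
acl windowsupdate dstdomain .windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain .download.windowsupdate.com
acl windowsupdate dstdomain .c.microsoft.com
acl windowsupdate dstdomain .download.microsoft.com
http_access allow windowsupdate localnet
##########################################

# ---- Standard access-control ACLs ----
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# proxy_auth REQUIRED matches any successfully authenticated user; evaluating
# it is what triggers the 407 challenge (and the browser popup when the
# helper cannot complete the NTLM exchange).
acl AuthorizedUsers proxy_auth REQUIRED

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# "all" matches every source, so this is equivalent to "allow AuthorizedUsers".
http_access allow all AuthorizedUsers
http_access deny all

http_reply_access allow all
# NOTE(review): no cache_peer is defined in this file, so ICP queries are not
# expected; consider restricting this to localnet (or denying) so the ICP port
# does not answer arbitrary sources.
icp_access allow all

cache_effective_user squid

visible_hostname example.com

logfile_rotate 20

coredump_dir /usr/local/squid/cache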

######################### End squid.conf ########################
