[squid-users] TCP_DENIED/407

From: Luis Enrique <enrique_at_banmet.cu>
Date: Thu, 7 Aug 2008 18:02:28 -0500

hello list
I am using squid/2.6.STABLE5 on Debian etch, and when I authenticate in order to
browse through my proxy I receive the error TCP_DENIED/407.
When I remove the [-c] from the auth_param digest program line
(/usr/lib/squid/digest_pw_auth -c /etc/apache2/passwd) and put the entries in
the passwd file in username:passwd format, I can authenticate and
browse without problems.

Before doing that I made sure to create the passwords in the correct format
using my realm (Linux-Squid-Proxy-Server), for example: htdigest
/etc/apache2/passwd Linux-Squid-Proxy-Server username
The user and the password are stored correctly in the passwd file:
username:Linux-Squid-Proxy-Server:17ef92113012ce22813780e16d9fb7f1

What is the difference between storing the credentials in
username:realm:password format and in username:password format?
I still don't understand something this simple.
Could somebody help me fix this error? I am using the user_manage script,
thanks to Henrik Nordstrom who recommended it to me, and after many attempts I
managed to make it work my way, but then I run into this error:
TCP_DENIED/407.
Excuse my English.

# Proxy listener, bound to a single internal address rather than 0.0.0.0 so
# the service is not exposed on every interface of the host.
http_port 192.168.157.92:3128
#ssl_unclean_shutdown off
# ICP (UDP 3130) and HTCP (UDP 4827) only serve cache-peer traffic; no
# cache_peer line appears in this excerpt. Both are bound on every interface
# by udp_incoming_address 0.0.0.0 and, per the icp_access line further down,
# ICP answers queries from any source that can reach the port.
icp_port 3130
htcp_port 4827
udp_incoming_address 0.0.0.0
# 255.255.255.255 is Squid's placeholder for "same as the incoming address".
udp_outgoing_address 255.255.255.255
# -----------------------------------------------------------------------------
# Requests whose URL contains cgi-bin or '?' go direct instead of through the
# peer hierarchy.
hierarchy_stoplist cgi-bin ?
# Objects that will not be stored in the cache: dynamic content identified by
# a cgi-bin path element or a query string.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# -----------------------------------------------------------------------------
# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------
# TAG: cache_mem (bytes)
# Memory set aside for in-transit and hot objects (not a cap on process size).
cache_mem 20 MB
# Disk usage is kept between these watermarks (percent of cache_dir size):
# eviction is gentle above the low mark and aggressive above the high mark.
cache_swap_low 90
cache_swap_high 95
# Object size limits for the disk cache and for the memory-resident part.
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 20 KB
# -----------------------------------------------------------------------------
# Size and watermarks of Squid's internal IP and FQDN resolver caches.
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
# Least-recently-used eviction for both the disk and the memory cache.
cache_replacement_policy lru
memory_replacement_policy lru
# -----------------------------------------------------------------------------
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------
# One ufs store: 100 MB, 16 first-level and 256 second-level directories.
cache_dir ufs /var/spool/squid 100 16 256
# Per-request log; the TCP_DENIED/407 entries discussed in the message show
# up here, while authentication-helper errors are reported in cache.log.
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
# Native Squid log format rather than Apache-style.
emulate_httpd_log off
log_ip_on_direct on
mime_table /usr/share/squid/mime.conf
pid_filename /var/run/squid.pid
# Default verbosity for every section. When raising it to debug helper
# failures, keep it scoped and temporary: high levels can echo request
# headers, including Proxy-Authorization, into cache.log.
debug_options ALL,1
# Do not reverse-resolve client addresses for the log.
log_fqdn off
# Full client address is recorded (no anonymising mask applied).
client_netmask 255.255.255.255
# -----------------------------------------------------------------------------
# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------
# Password sent for anonymous FTP logins. The value shown looks like an
# address rewritten by the list archive ('_at_' for '@'); presumably the live
# config holds a real mailbox, which FTP servers receive in clear text.
ftp_user enrique_at_banmet.cu
ftp_list_width 32
# Passive mode: no inbound data connections from FTP servers to the proxy.
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol off
#------------------------------------------------------------------------------
# AUTHENTICATION PROGRAMS
#------------------------------------------------------------------------------
# IP addresses of the INFOCOM DNS servers
dns_nameservers 169.158.128.136 169.158.128.156

# Digest helper. With -c the password file holds user:realm:HA1 lines (the
# format htdigest writes) instead of user:cleartext, and an entry is looked
# up by user plus the realm Squid offers, so the realm stored in the file has
# to be exactly the 'auth_param digest realm' string below — NOTE(review):
# confirm against the 2.6 helper source. An HA1 value is enough to
# authenticate to this realm, so the file needs the same protection as a
# cleartext password file (readable by the helper's user only).
# The next two lines are a single line in squid.conf; the split is a mail wrap.
auth_param digest program /usr/lib/squid/digest_pw_auth -c
/etc/apache2/passwd
auth_param digest children 20
auth_param digest realm Linux-Squid-Proxy-Server
# Nonce handling: garbage-collect every 5 minutes; a nonce expires after 30
# minutes or 50 uses, after which the client is re-challenged (a 407 at that
# point is normal, not a failure).
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50

#
# -----------------------------------------------------------------------------
# NOTE: the banner below was split across two lines by the mail archive; the
# second line is not a comment and would be rejected if pasted as-is.
#***********************OPTIONS FOR TUNING THE
CACHE***************************
# -----------------------------------------------------------------------------
# Requests with headers above 20 KB are refused; 0 for the body means no
# limit on upload size.
request_header_max_size 20 KB
request_body_max_size 0 KB
# Freshness rules: minimum age (minutes), percent of object age, maximum age.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# After a client aborts, the fetch is completed only when at most 16 KB remain
# or at least 95% has already been transferred; otherwise it is dropped.
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95

# Negative caching of failed fetches and lifetimes for DNS answers.
negative_ttl 5 minutes
positive_dns_ttl 6 hours
negative_dns_ttl 1 minute
# 0: range requests are forwarded as-is rather than fetching the whole object.
range_offset_limit 0 KB
# Connection, idle and shutdown timeouts.
forward_timeout 4 minutes
connect_timeout 1 minute
peer_connect_timeout 30 seconds
read_timeout 15 minutes
request_timeout 1 minutes
persistent_request_timeout 1 minute
client_lifetime 3 hours
half_closed_clients on
pconn_timeout 120 seconds
ident_timeout 10 seconds
shutdown_lifetime 30 seconds

# 2.6-style catch-all; later Squid releases define 'all' built in.
acl all src 0.0.0.0/0.0.0.0
# Matches once the digest helper has accepted credentials. A request that
# carries none is normally answered with a 407 challenge, which is what
# TCP_DENIED/407 in access.log records; it is only a failure when it repeats
# after the client has sent credentials.
acl Autenticados proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# Definition of the safe ports
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Cache-manager interface reachable from the proxy host only.
http_access allow manager localhost
http_access deny manager
# Deny access to unknown ports
http_access deny !Safe_ports
# Deny the CONNECT method to anything other than SSL ports
http_access deny CONNECT !SSL_ports
# Refuse to proxy requests aimed at loopback addresses, i.e. services bound
# only to 127.0.0.0/8 on the proxy host.
http_access deny to_localhost
# ICP queries are answered for any source address that can reach UDP 3130.
# If no cache peers use ICP, 'icp_access deny all' closes that off.
icp_access allow all
# Peers and clients may request objects not already cached (the default).
miss_access allow all

#-------------------------------------------------------------------------------------
# INSERT MY OWN RULE(S) HERE TO ALLOW ACCESS FOR THE USERS
# (the stray line below is the wrapped tail of this banner, left by the mail
# archive; it is not a comment and would be rejected if pasted as-is)
LOS USUARIOS
#-------------------------------------------------------------------------------------

# Client networks allowed through the proxy (one line in squid.conf; wrapped
# onto two by the archive).
acl red_metro src 192.168.157.0/24 192.168.156.0/24 192.168.154.0/24
192.168.155.0/24 192.168.130.0/24
# Download types refused by URL path extension, case-insensitive. Best effort
# only: it inspects the path, not the content. Several patterns are listed
# twice (.rm, .wav, .wma, .wmv) — harmless, but worth pruning. One line in
# squid.conf; wrapped onto four by the archive.
acl denegar urlpath_regex -i \.avi$ \.mov$ \.mpeg$ \.mpg$ \.wav$ \.mp3$
\.midi$ \.iso$ \.rm$ \.exe$ \.nrg$ \.afx$ \.asf$ \.asx$ \.au$ \.divx$ \.m3u$
\.mp2$ \.qt$ \.ra$ \.ram$ \.rm$ \.viv$ \.vivo$ \.vob$ \.vqf$ \.wav$ \.wma$
\.wmv$ \.wma$ \.wmv$ \.vbs$ \.shs$ \.pif$

# Requests whose host part is a bare IPv4 literal, which would otherwise
# sidestep any domain-based rules.
acl IPForHostname dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$

# MAXIMUM CONNECTIONS PER USER — note that maxconn counts open connections
# per client IP address, not per authenticated user.
acl OverConnLimit maxconn 4
# USER CONNECTIONS PER IP ADDRESS: an authenticated user seen from more than
# two source addresses matches this ACL.
acl ip_max max_user_ip 2

# Block streaming video and audio
# These two 'useragent' entries are not referenced by any access line in this
# excerpt, so as shown they have no effect.
acl useragent browser -i ^application/NSPlayer$
acl useragent browser -i ^application/Windows-Media-Player$
#acl useragent browser Mozilla

# DEFINITION OF UNWANTED MIME TYPES IN RESPONSES.
# Reply ACLs are evaluated against the server response, i.e. after the
# request has already been forwarded. Entries without -i are case-sensitive.
acl webRadioRep rep_mime_type -i ^video/x-ms-asf$
acl webRadioRep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl webRadioRep rep_mime_type -i ^application/x-mms-framed$
acl webRadioRep rep_mime_type -i ^audio/x-scpls$
acl webRadioRep rep_mime_type video/flv
acl webRadioRep rep_mime_type ^video
acl webRadioRep rep_mime_type ^audio
acl webRadioRep rep_mime_type -i ^application/octet-stream$
acl webRadioRep rep_mime_type video/mpeg
acl webRadioRep rep_mime_type audio/mpeg

# Since mp3 streaming usually has NO mime type,
# we also classify by user agent.
# 'browser' patterns are regular expressions, not shell globs: '*' repeats
# the preceding character, so 'QuickTime*/*' matches "QuickTim" followed by
# any number of 'e' and a '/'. NOTE(review): check these hit the intended
# agents.
acl Agente browser Windows-Media-Player/*
acl Agente browser xmms/*
acl Agente browser gator/*
acl Agente browser MPlayer/*
acl Agente browser NSPlayer/*
acl Agente browser QuickTime*/*
acl Agente browser Winamp/*

# FTP URLs ending in these extensions (case-insensitive).
acl FTP url_regex -i ^ftp://.*\.mp3$
acl FTP url_regex -i ^ftp://.*\.exe$
acl FTP url_regex -i ^ftp://.*\.mpg$
acl FTP url_regex -i ^ftp://.*\.avi$
acl FTP url_regex -i ^ftp://.*\.pdf$
acl FTP url_regex -i ^ftp://.*\.jpg$

# Media-player agents are refused regardless of user; the trailing 'all' is
# redundant, since ACLs on one line are ANDed.
http_access deny Agente all

# ACLs on one line are ANDed: this denies a reply only when the URL matched
# FTP *and* the reply MIME type matched webRadioRep. If either alone should
# be refused, they need separate deny lines. The ACL defined above is spelled
# 'all'; NOTE(review): confirm that 'All' resolves to it on this build rather
# than being reported as an unknown ACL.
http_reply_access deny FTP webRadioRep
http_reply_access allow All

# Main policy: clients over the connection limit are refused first; then a
# request from the metro networks is allowed only if the digest helper
# accepted credentials, the path is not a blocked extension, the user is not
# seen from too many addresses, and the host is not a bare IP literal.
http_access deny OverConnLimit
http_access allow red_metro Autenticados !denegar !ip_max !IPForHostname
# No explicit terminal rule: requests matching nothing are denied because
# Squid applies the opposite of the last line (allow localhost). An explicit
# 'http_access deny all' as the final line keeps that intent safe from edits.
http_access allow localhost
Received on Thu Aug 07 2008 - 22:05:05 MDT
