Re: [squid-users] Forwarding loop detected issue

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 07 Feb 2009 00:07:25 +1300

Ricardo Nuno wrote:
> Hello Amos,
>
> | I would have thought Squid->DG->Internet would be sufficient to meet those
> | needs. With the front squid doing cache+auth of stuff that gets past the
> | DG filtering. (and DG doing less work on cacheable things its already
> | scanned once).
>
> I tried that too. But it does not work.
>
> |
> | NP: Squid2 in your setup must NOT do any peering. Remember this is the
> | EXIT. All access is direct to the Internet. Its one and only client is
> | DG.
>
> Yes. This solved the loop issue. And putting the cache_peer directive on
> Squid1 with the "never_direct allow all".
>
> | Don't include any unique stuff into both configs.
> | If you need usernames logged at Squid2 at all use the fakeauth helper and
> | LoggingOnly setup on that squid:
> | http://wiki.squid-cache.org/ConfigExamples/Authenticate/LoggingOnly
>
> Now here lies my new problem. I do need to login UserName+IP on the access.log
> of the Squid2(Cache). Now that the loop is fixed it stopped recording the UserName,
> it only records the IP, like this:
>
> 1233913862.159 6 192.168.20.140 TCP_MISS/304 250 GET http://m80.clix.pt/styles/m80_txt.css - DIRECT/195.23.102.200 -
>
> I tried to use fakeauth as you suggested but when I do, auth stops working.
> On IE it keeps asking for my credentials and just keeps denying.
> I followed the docs on the Squid Wiki but I get this on the log:
>
> 2009/02/06 10:03:02| authenticateDecodeAuth: Unsupported or unconfigured proxy-auth scheme, 'Basic c2JhdGFsaGE6bm9wYXNzd29yZA=='
>
> This is what I added on Squid2(Cache):
>
> auth_param ntlm program /usr/lib/squid/fakeauth_auth -d -v
> auth_param ntlm children 10
> auth_param ntlm realm Proxy Server
> auth_param ntlm credentialsttl 1 hours
> auth_param ntlm casesensitive off
>
> acl logauth proxy_auth REQUIRED
> http_access deny !logauth all
>
> I think that I'm not using fakeauth the right way or something.
> As an alternative I could use the access.log from Squid1(NTLM) for my reports because here
> I get UserName+IP but I think if I use this one I will get more false positives like a lot
> of the DENIED, or I'm wrong and should just use it?

Ah, okay, here is what I think is happening:
  Squid1 does the ntlm auth, and converts it to BasicAuth for DG.
  So Squid2 gets the BasicAuth form, which means at Squid2 the other
dummy_auth is needed to catch and log basic login details.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.5
Received on Fri Feb 06 2009 - 11:07:12 MST
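
Added example (not part of the original thread and not Squid's own code): a short Python check for the mismatch described in the reply, comparing the schemes that have an `auth_param ... program` line in Squid2's config with the scheme cache.log reports as rejected. The function names are hypothetical; the sample input is the log line and config lines quoted in the message, embedded as constants.

```python
import base64
import re

# Constructed sample input: the cache.log line and config lines quoted in the thread.
CACHE_LOG = (
    "2009/02/06 10:03:02| authenticateDecodeAuth: Unsupported or unconfigured "
    "proxy-auth scheme, 'Basic c2JhdGFsaGE6bm9wYXNzd29yZA=='\n"
)
SQUID2_CONF = """\
auth_param ntlm program /usr/lib/squid/fakeauth_auth -d -v
auth_param ntlm children 10
acl logauth proxy_auth REQUIRED
"""

REJECTED = re.compile(r"Unsupported or unconfigured proxy-auth scheme, '([^\s']+)(?: ([^']*))?'")
HELPER = re.compile(r"^\s*auth_param\s+(\w+)\s+program\s", re.M | re.I)

def configured_schemes(conf):
    """Schemes that have a helper program defined in squid.conf."""
    return {m.group(1).lower() for m in HELPER.finditer(conf)}

def rejected_credentials(log):
    """Yield (scheme, user) for each Proxy-Authorization header Squid refused."""
    for m in REJECTED.finditer(log):
        scheme, blob = m.group(1).lower(), m.group(2) or ""
        user = None
        if scheme == "basic":
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
                user = decoded.partition(":")[0]  # keep the user name, drop the password
            except ValueError:
                pass  # truncated or corrupt blob: report the scheme only
        yield scheme, user

def missing_schemes(conf, log):
    """Map each offered-but-unconfigured scheme to the users seen sending it."""
    have, missing = configured_schemes(conf), {}
    for scheme, user in rejected_credentials(log):
        if scheme not in have:
            missing.setdefault(scheme, set()).add(user)
    return missing

if __name__ == "__main__":
    for scheme, users in missing_schemes(SQUID2_CONF, CACHE_LOG).items():
        print(f"no 'auth_param {scheme} program' configured; seen from: {sorted(map(str, users))}")
```

The Basic token in that log message is only base64-encoded, so cache.log on Squid2 holds recoverable credentials and should be access-restricted like any other secret store.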
