RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 05 Oct 2009 14:15:38 +1300

On Mon, 5 Oct 2009 12:03:12 +1100, "Dion Beauglehall"
<beauglehalld_at_vermontsc.vic.edu.au> wrote:
> Hi,
>
> This has worked, but what I am now experiencing is that external sites that
> require (challenge-based?) authentication do not present the pop-up for the
> password (and hence log-in into the site fails, or falls into a loop). Am
> I now in a catch-22 position, or is there a way around this too?
>
> Regards,
> Dion

Website WWW-Auth has nothing to do with Proxy-Auth.

The new config will only be related to WWW-Auth if you are running a
reverse-proxy (aka accelerator). In which case you need login=PASS on the
cache_peer lines for the relevant backend servers.

Challenge based Auth for websites is an extension created by MS and does
not work reliably when there are proxies in the middle. The best you can do
for normal proxies is enable persistent connections for both servers and
clients and check that the connection-auth settings are still turned on
(default is on for Squid-2).

Amos

>
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Thursday, 10 September 2009 11:30 AM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Squid/LDAP re-challenges browser on http_access
> deny
>
> On Thu, 10 Sep 2009 10:55:58 +1000, "Dion Beauglehall"
> <BeauglehallD_at_vermontsc.vic.edu.au> wrote:
>> Hi,
>>
>> I’m configuring a squid proxy box with LDAP authentication, and ACLs based
>> on LDAP groups. I have the LDAP authentication working, as are groups.
>>
>> However, when I add a user to an “Access Denied” group, squid then causes
>> the browser to bring up an authentication dialog box. Most squid installs I
>> have seen bring up a squid “Cache Access Denied” screen at this point.
>> This is what I would like it to do.
>>
>> I am unsure if what I am experiencing is expected behaviour, or whether I
>> have an error in my config file.
>>
>> I am running Squid 2.7STABLE6 on a Windows 2008 server. Relevant lines
>> from squid.conf are below. Note that the LDAP works correctly, and so I
>> have not provided details. What is not acting as I expected is the
>> behaviour of Squid when it hits the “http_access deny accessdenied” line.
>> This seems to be what re-challenges the browser.
>>
>> As we are a school, we need to ensure that both the user is a valid user
>> (from the initial challenge, which collects their machine login, invisible
>> to the user), and that they have not been denied for some reason (hence the
>> denied group). The re-challenge will lead to students logging into squid
>> with their friends' account. A Cache Access Denied screen is a much better
>> alternative.
>
> Yes it was a config issue.
> Re-writing your ACLs slightly to follow that exact logic as described above
> should solve your problem.
>
>>
>> Note that once I have this working, there will be other “denied” groups to
>> deny on, prior to allowing access.
>>
>> Any suggestions or ideas are appreciated.
>>
>> Regards,
>> Dion
>>
>>
>> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ......
>> auth_param basic children 5
>> auth_param basic realm VSC
>> auth_param basic credentialsttl 5 minutes
>>
>> external_acl_type ldapgroup &LOGIN ......
>>
>> acl ldap-auth proxy_auth REQUIRED
>>
>> acl accessdenied external ldapgroup InternetAccessDeny
>> acl accessallowed external ldapgroup InternetAccess
>>
>> http_access deny accessdenied
>
> Change the above line to:
> http_access deny accessdenied all
>
> ... which will produce the "Access Denied" page instead of a challenge.
>
> Any other denied groups need to go in here one to a line with "all" at the
> end of each line.
>
>
> After all them add a new line:
> http_access deny !ldap-auth
>
> ... which will cause Squid to challenge if no credentials are given yet.
> People who have given _any_ valid credentials will not be asked twice.
> This action was being done as a side-effect of the accessdenied ACL test, but
> with the new version it needs to be done separately.
>
>
>> http_access allow accessallowed
>> http_access deny all
>
>
> Amos
>
Received on Mon Oct 05 2009 - 01:15:43 MDT
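The following is an added illustration, not code from Squid or from anyone in this thread. It is a deliberately simplified Python model of the http_access decision Amos describes: a deny line whose last evaluated ACL is authentication-related (proxy_auth, or an external ACL that takes %LOGIN) makes Squid answer with a 407 challenge, while appending `all` makes the last ACL `all` and yields a plain 403 "Access Denied" page. The ACL and rule names are taken from the quoted squid.conf; the LDAP group memberships (alice, bob, carol) are constructed sample data, and `match`, `evaluate` and `http_status` are hypothetical helpers written for this model only.

```python
"""Simplified model of Squid 2.x http_access evaluation and the
403-vs-407 choice on a denial.  Added illustration, not Squid's own code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL kinds modelled: "proxy_auth", "external_login" (an external_acl_type
# that receives %LOGIN, so it needs credentials) and "all".
@dataclass
class Acl:
    name: str
    kind: str
    group: str = ""          # LDAP group the external helper would check

@dataclass
class Rule:
    action: str              # "allow" or "deny"
    terms: List[Tuple[str, bool]]   # (acl name, negated?)

@dataclass
class Request:
    user: Optional[str]      # None = no Proxy-Authorization header sent
    valid: bool = True       # credentials accepted by the basic auth helper

# Constructed sample LDAP group data (not from the thread).
LDAP_GROUPS = {
    "alice": {"InternetAccess"},
    "bob": {"InternetAccess", "InternetAccessDeny"},
    "carol": set(),
}

# ACLs named in the quoted squid.conf.
ACLS = {a.name: a for a in [
    Acl("ldap-auth", "proxy_auth"),
    Acl("accessdenied", "external_login", "InternetAccessDeny"),
    Acl("accessallowed", "external_login", "InternetAccess"),
    Acl("all", "all"),
]}

# Dion's original ordering, and the ordering Amos recommends.
ORIGINAL = [
    Rule("deny", [("accessdenied", False)]),
    Rule("allow", [("accessallowed", False)]),
    Rule("deny", [("all", False)]),
]
FIXED = [
    Rule("deny", [("accessdenied", False), ("all", False)]),
    Rule("deny", [("ldap-auth", True)]),
    Rule("allow", [("accessallowed", False)]),
    Rule("deny", [("all", False)]),
]

def match(acl: Acl, req: Request):
    """True/False for a match, or "AUTH_REQUIRED" when the ACL needs
    credentials the request does not (validly) carry."""
    if acl.kind == "all":
        return True
    if req.user is None or not req.valid:
        return "AUTH_REQUIRED"
    if acl.kind == "proxy_auth":
        return True
    return acl.group in LDAP_GROUPS.get(req.user, set())

def evaluate(rules: List[Rule], req: Request):
    """Return (decision, last_acl); decision is allow/deny/auth_required."""
    last = None
    for rule in rules:
        line_matches = True
        for name, negated in rule.terms:
            last = ACLS[name]
            m = match(last, req)
            if m == "AUTH_REQUIRED":
                return "auth_required", last
            if m == negated:            # this term fails, try next line
                line_matches = False
                break
        if line_matches:
            return rule.action, last
    # No line matched: the default is the opposite of the last line.
    return ("deny" if rules[-1].action == "allow" else "allow"), last

def http_status(rules: List[Rule], req: Request) -> int:
    decision, last = evaluate(rules, req)
    if decision == "auth_required":
        return 407
    if decision == "allow":
        return 200
    # The point of the thread: a denial whose last ACL is auth-related
    # is reported as a challenge, not as an Access Denied page.
    if last.kind in ("proxy_auth", "external_login"):
        return 407
    return 403

if __name__ == "__main__":
    for who in (None, "alice", "bob", "carol"):
        r = Request(who)
        print(f"{who!s:>6}: original={http_status(ORIGINAL, r)} "
              f"fixed={http_status(FIXED, r)}")
```

Running it shows bob (in the InternetAccessDeny group) getting a 407 re-challenge under the original rules but a 403 under the fixed ones, while anonymous requests still get a 407 from either ordering and alice is allowed by both.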
