Re: [squid-users] squid ntlm issues

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 04 Feb 2010 01:46:00 +1300

Chris Boczko wrote:
> Hello list,
>
> I'm having problems with my new squid box (I've finally upgraded to 2.7
> :)), but I'm having problems making my ruleset work quite right.
>
> I have some apps that can use a proxy, but don't provide any
> authentication whatsoever, this wasn't a problem with the old box
> (2.5Stable), I just allowed the sites before the auth required
> statements, but on the new 2.7, it seems to just respond with 407 - auth
> required.
>
> I'm authenticating users against AD with
>
> # NTLM Auth Parameters
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
>
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 10
> auth_param basic realm "Chemdry UK Ltd - Internet Access - Authentication Required"
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> # Enable group lookup
>
> external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
>
> # Define ACL's
>
> acl admingroup external ntgroup "/etc/squid/inetadmin"
> acl xweball external ntgroup "/etc/squid/xweball"
> acl scotlandusers external ntgroup "/etc/squid/xwebscott"
> acl Authenticated proxy_auth REQUIRED
>
> pulling in my acl with
>
> acl allowedsites url_regex -i "/etc/squid/allowedsites"
>
> then allowing access with
>
> # allow allowedsite
> http_access allow allowedsites
>
>
> # Allow internet pc to access blacklisted sites
> http_access allow internetpc allsites
>
> # deny if you havent authd
>
> http_access deny !Authenticated
> http_access deny !Safe_ports
> http_access deny CONNECT !Safe_ports
>
> http_access allow xweball all
>
> Authenticated users can access the internet just fine, but whenever
> these apps try to access the internet they are getting a 407 - auth
> required, and dying.
>
> Does anyone have any ideas?
>

Nothing in the ACL logic has changed.
It has to be something about the GNU regex patterns.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
   Current Beta Squid 3.1.0.16
Received on Wed Feb 03 2010 - 12:46:09 MST
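
Added example, not part of the original message and not Squid's own code: one way to follow up on the regex suggestion above is to run the allowedsites patterns, as case-insensitive POSIX extended regexes, against the URLs the unauthenticated apps request, and see which ones no pattern matches and so fall through to `http_access deny !Authenticated` (the 407). The pattern file contents, the hostnames and the `verdict`/`report` helpers are constructed for illustration; the sketch models only the `allowedsites` rule and assumes `grep -E -i` matching is close enough to `url_regex -i`.

```shell
#!/bin/sh
# Constructed stand-in for /etc/squid/allowedsites (hostnames are placeholders).
ALLOWED=$(mktemp)
trap 'rm -f "$ALLOWED"' EXIT
cat > "$ALLOWED" <<'EOF'
# one regex per line
^http://updates\.example\.com/
^http://([a-z0-9-]+\.)?licence\.example\.net(:[0-9]+)?/
EOF

# verdict PATTERN_FILE URL
# Models "http_access allow allowedsites" followed by
# "http_access deny !Authenticated" for a request carrying no credentials:
# prints "allow" if any pattern matches the URL, otherwise "407".
verdict() {
    # Drop blank lines and '#' comments so an empty pattern cannot match
    # everything (assumption of this sketch about how the file is read).
    patterns=$(grep -Ev '^[[:space:]]*(#|$)' "$1" || true)
    if [ -z "$patterns" ]; then
        echo 407
        return 0
    fi
    # -E: extended regex, -i: like url_regex -i, unanchored search.
    if printf '%s\n' "$2" | grep -Eiq -e "$patterns"; then
        echo allow
    else
        echo 407
    fi
}

# report PATTERN_FILE: read URLs on stdin, print a verdict for each.
report() {
    while IFS= read -r url; do
        printf '%-5s %s\n' "$(verdict "$1" "$url")" "$url"
    done
}

# Constructed request URLs as the proxy would see them. A CONNECT request
# is presented as host:port, so patterns anchored on "^http://" miss it.
report "$ALLOWED" <<'EOF'
http://updates.example.com/v2/manifest.xml
http://licence.example.net:8080/check
http://cdn.updates.example.com/v2/manifest.xml
updates.example.com:443
EOF
```

Feeding it the URLs logged with a 407 in access.log, together with the real pattern file, shows which requests never reach the allow rule.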
