RE: [squid-users] squid ntlm issues

From: Chris Boczko <Christopher.Boczko_at_chemdry.co.uk>
Date: Wed, 3 Feb 2010 13:26:52 -0000

Hi Amos,

The squid box on 2.5 has the same regex (in fact the config is more or
less the same), and it works fine on the old box, and doesn't work on
the 2.7 box.

As soon as I make a request to the box (any request), I get a 407 - auth
required, for any URL. I've even tried adding a single-domain regex, and
it does the same, and adding an http_access allow as the first rule, and
it still asks for auth.

On the old box, if it's in the allowed sites file, it will allow me out
without asking for any auth.

I'm pretty sure, whatever I'm requesting, it's asking for auth BEFORE it
checks the ACLs.

Kind Regards,
Christopher Boczko

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: 03 February 2010 12:46
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] squid ntlm issues

Chris Boczko wrote:
> Hello list,
>
> I'm having problems with my new squid box (I've finally upgraded to 2.7
> :)), but I'm having problems making my ruleset work quite right.
>
> I have some apps that can use a proxy, but don't provide any
> authentication whatsoever. This wasn't a problem with the old box
> (2.5Stable), I just allowed the sites before the auth required
> statements, but on the new 2.7, it seems to just respond with 407 - auth
> required.
>
> I'm authenticating users against AD with
>
> # NTLM Auth Parameters
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
>
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 10
> auth_param basic realm "Chemdry UK Ltd - Internet Access - Authentication Required"
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> # Enable group lookup
>
> external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
>
> # Define ACL's
>
> acl admingroup external ntgroup "/etc/squid/inetadmin"
> acl xweball external ntgroup "/etc/squid/xweball"
> acl scotlandusers external ntgroup "/etc/squid/xwebscott"
> acl Authenticated proxy_auth REQUIRED
>
> pulling in my acl with
>
> acl allowedsites url_regex -i "/etc/squid/allowedsites"
>
> then allowing access with
>
> # allow allowedsite
> http_access allow allowedsites
>
>
> # Allow internet pc to access blacklisted sites
> http_access allow internetpc allsites
>
> # deny if you haven't authd
>
> http_access deny !Authenticated
> http_access deny !Safe_ports
> http_access deny CONNECT !Safe_ports
>
> http_access allow xweball all
>
> Authenticated users can access the internet just fine, but whenever
> these apps try to access the internet they are getting a 407 - auth
> required, and dying.
>
> Does anyone have any ideas?
>

Nothing in the ACL logic has changed.
It has to be something about the GNU regex patterns.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
   Current Beta Squid 3.1.0.16
Received on Wed Feb 03 2010 - 13:27:05 MST
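
Added illustration (not part of the thread, and not Squid's own code): a simplified model of first-match http_access evaluation over the ruleset quoted above, showing at which rule a request without credentials is answered with a 407. The ACL truth values are constructed for the example, and treating `xweball` as needing a login is an assumption based on its `%LOGIN` external ACL.

```python
# Simplified model (an assumption, not Squid source code) of how http_access
# rules are walked: top to bottom, first matching line wins, and the ACLs on
# one line are ANDed left to right, stopping at the first one that fails.
RULES = """
http_access allow allowedsites
http_access allow internetpc allsites
http_access deny !Authenticated
http_access deny !Safe_ports
http_access deny CONNECT !Safe_ports
http_access allow xweball all
"""

# ACLs that need a username: proxy_auth, and external ACLs using %LOGIN.
AUTH_ACLS = {"Authenticated", "xweball"}


def evaluate(rules, facts, has_credentials):
    """Return (verdict, rule) for one request.

    facts maps ACL name -> bool for this request (constructed input).
    """
    for line in rules.strip().splitlines():
        _, action, *acls = line.split()
        matched = True
        for token in acls:
            name = token.lstrip("!")
            if name in AUTH_ACLS and not has_credentials:
                # Reaching an auth ACL without credentials triggers a challenge.
                return "407", line
            value = facts.get(name, False)
            if token.startswith("!"):
                value = not value
            if not value:
                matched = False
                break
        if matched:
            return action.upper(), line
    # Nothing matched: the default is the opposite of the last rule (allow).
    return "DENY", "(no rule matched)"


# Constructed request from an application that sends no credentials.
base = {"internetpc": False, "allsites": True, "Safe_ports": True,
        "CONNECT": False, "all": True}

if __name__ == "__main__":
    for hit in (True, False):
        verdict, rule = evaluate(RULES, dict(base, allowedsites=hit), False)
        print(f"allowedsites matched={hit}: {verdict} at '{rule}'")
```

In this model a 407 for every URL means no allow rule ahead of `http_access deny !Authenticated` matched the request.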
