RE: [squid-users] squid ntlm issues

On Wed, 3 Feb 2010 13:26:52 -0000, "Chris Boczko"
<Christopher.Boczko_at_chemdry.co.uk> wrote:
> Hi Amos,
>
> The squid box on 2.5 has the same regex (infact the config is more or
> less the same), and it works fine on the old box, and doesn't work on
> the 2.7 box.
>
> As soon as i make a request to the box (any request), i get a 407 - auth
> required, for any url, i've even tried adding single domain regex, and
> it does the same, and adding an http_access allow as the first rule, and
> it still asks for auth.
>
> On the old box, if its in the allowed sites file, it will allow me out
> without asking for any auth.
>
> I'm pretty sure, whatever im requesting its asking for auth BEFORE it
> checks the acl's
>
> Kind Regards,
> Christopher Boczko

Then you will need to add "debug_options 28,6" to your config and watch
what happens in the ACLs for a test request.

It could be you are using the auth ACL in some other access control that
has been made async since 2.5.

Amos

>
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: 03 February 2010 12:46
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] squid ntlm issues
>
> Chris Boczko wrote:
>> Hello list,
>>
>> I'm having problems with my new squid box (i've finally upgraded to
> 2.7
>> :)), but i'm having problems making my ruleset work quiet right.
>>
>> I have some apps that can use a proxy, but don't provide any
>> authentication whatsoever, this wasn't a problem with the old box
>> (2.5Stable), i just allowed the sites before the auth required
>> statements, but on the new 2.7, it seems to just respond with 407 -
> auth
>> required.
>>
>> I'm authenticating users against AD with
>>
>> # NTLM Auth Parameters
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 10
>> auth_param ntlm keep_alive off
>>
>>
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>> auth_param basic children 10
>> auth_param basic realm "Chemdry UK Ltd - Internet Access -
>> Authentication Required"
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>> # Enable group lookup
>>
>> external_acl_type ntgroup %LOGIN
>> /usr/lib/squid/wbinfo_group.pl
>>
>> # Define ACL's
>>
>> acl admingroup external ntgroup "/etc/squid/inetadmin"
>> acl xweball external ntgroup "/etc/squid/xweball"
>> acl scotlandusers external ntgroup "/etc/squid/xwebscott"
>> acl Authenticated proxy_auth REQUIRED
>>
>> pulling in my acl with
>>
>> acl allowedsites url_regex -i "/etc/squid/allowedsites"
>>
>> then allowing access with
>>
>> # allow allowedsite
>> http_access allow allowedsites
>>
>>
>> # Allow internet pc to access blacklisted sites
>> http_access allow internetpc allsites
>>
>> # deny if you havent authd
>>
>> http_access deny !Authenticated
>> http_access deny !Safe_ports
>> http_access deny CONNECT !Safe_ports
>>
>> http_access allow xweball all
>>
>> Authenticated users can access the internet just fine, but whenever
>> these apps try to access the internet they are getting a 407 - auth
>> required, and dying.
>>
>> Does anyone have any ideas?
>>
>
> Nothing in the ACL logic has changed.
> It has to be something about the GNU regex patterns.
>
> Amos
Received on Wed Feb 03 2010 - 21:44:28 MST