ciokan_at_gmail.com wrote:
> I'm having a big issue trying to configure squid to allow users to
> connect only via user/pass. I have 8 ip's on my server and I want each
> user to be able to connect to a single ip using their credentials but
> all I get when I try in firefox is this message: "The proxy server is
> refusing connections" so I must have done something wrong. I'm new to
> squid. I'm willing to pay for assistance so please contact me if
> interested. Anyhow, the help is much appreciated.
>
Firstly. Why the complexity with IPs?
> Here's my squid config:
>
>
> http_port 8888
> visible_hostname weezie
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid-passwd
> auth_param basic childred 5
"children"
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> acl ncsa_users proxy_auth REQUIRED
> http_access allow ncsa_users
http_access deny !ncsa_users
http_access allow ncsa_users
Also check that the /etc/squid/squid-passwd has the right user/pass
details inside. It should be created in the format NCSA uses.
NP: Squid may need to be reconfigured (squid -k reconfigure) for the
helper to pick up changes in this password file.
>
> header_access Allow allow all
> header_access Authorization allow all
> header_access WWW-Authenticate allow all
> header_access Proxy-Authorization allow all
> header_access Proxy-Authenticate allow all
> header_access Cache-Control allow all
> header_access Content-Encoding allow all
> header_access Content-Length allow all
> header_access Content-Type allow all
> header_access Date allow all
> header_access Expires allow all
> header_access Host allow all
> header_access If-Modified-Since allow all
> header_access Last-Modified allow all
> header_access Location allow all
> header_access Pragma allow all
> header_access Accept allow all
> header_access Accept-Charset allow all
> header_access Accept-Encoding allow all
> header_access Accept-Language allow all
> header_access Content-Language allow all
> header_access Mime-Version allow all
> header_access Retry-After allow all
> header_access Title allow all
> header_access Connection allow all
> header_access Proxy-Connection allow all
> header_access User-Agent allow all
> header_access Cookie allow all
> header_access All deny all
"Why for love of the Internet? why!!!?" /sigh.
Try and get it working without this violation of HTTP standards killing
potentially useful information.
>
> acl ip1 myip x.x.x.x
>
> tcp_outgoing_address x.x.x.x ip1
>
> acl user1 proxy_auth manilodisan
>
>
> acl all src 0.0.0.0/0.0.0.0
acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
acl localhost src 127.0.0.1
> acl to_localhost dst 127.0.0.0/8
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
The above http_access lines are what we consider to be the basic safety
net for HTTP.
Please move your custom login http_access below them. Right now anyone
who can login has unlimited access to do anything nasty to your network
and the rest of the Internet both.
> http_access allow localhost
Stick your alterations to http_access in right here.
> http_access deny all
> icp_access allow all
An open ICP port. Yay, anyone can cache scan you for content :)
> http_port 3128
Open port 3128 and 8888 ? why not just one?
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log squid
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
You want to remove those QUERY bits.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
Missing:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> extension_methods REPORT MERGE MKACTIVITY CHECKOUT
Strange to be allowing Microsoft WebDAV requests through, but stripping
the headers they require to work... oh well.
Amos
-- Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23 Current Beta Squid 3.1.0.16Received on Sat Feb 13 2010 - 08:16:33 MST
This archive was generated by hypermail 2.2.0 : Sat Feb 13 2010 - 12:00:04 MST