Re: [squid-users] One instance as both, proxy and reverse proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 25 Feb 2010 10:22:49 +1300

On Wed, 24 Feb 2010 16:27:44 +0100, Bastian Spanneberg
<bastian.spanneberg_at_linkwerk.com> wrote:
> Thx again for the help, Henrik
>
>> localhost is not in your list of sites/domains to forward to the
>> SERVICES cache_peer...
>>
>> but most do not want this.. they want localhost services to be
>> restricted to browsers running on the same box, not random clients out
>> anywhere on the net..
>>
>
> That was mainly intended for test purposes, but meanwhile, I just edited
> my /etc/hosts for testing, and my current setup seems to work nice
> concerning this.
>
>> You need to tell Squid that the peer is trusted for forwarding login
>> credentials. See the login= option to cache_peer.
>>
>
> That was exactly what was missing, and this works nice now, too.
> But I'm still not finished yet :)
>
> Now, I added a parent proxy and proxy-authentication to the forwarding
> proxy configuration, and the new problem is, that when I use the
> instance as proxy now, I'm prompted for authentication for every host I
> visit/connect to.
>
> It looks like the browser (Firefox) sees the proxy authentication as
> basic HTTP authentication on every site.
>
> Here are the important parts of my current configuration:
>
> http_port 80 accel
>
> cache_peer 127.0.0.1 parent 7070 0 no-query originserver login=PASS name=SERVICES
> acl FOO dstdomain www.example.net
> cache_peer_access SERVICES allow FOO
> cache_peer_access SERVICES deny all
> acl CONNECT method CONNECT
> never_direct allow FOO !CONNECT
>
> auth_param basic program /usr/lib/squid/db_auth --user user --password pass --plaintext --persist
> auth_param basic children 5
> auth_param basic realm Proxy-Auth
> auth_param basic credentialsttl 1 minute
> auth_param basic casesensitive off
> acl db-auth proxy_auth REQUIRED
>
> [...]
>
> http_access allow db-auth
> http_access allow localhost
> http_access deny all

NP: none of the http_access rules below "deny all" will work.

> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> icp_access allow all
>
> cache_peer 127.0.0.1 parent 9090 0 no-query name=PROXY
> cache_peer_access PROXY allow db-auth
>
> Any ideas why the authentication is regarded as basic HTTP by the browser?

Because the "accel" flag tells Squid to behave like the authoritative web
server for all incoming requests. When it needs auth it sends a web-server
auth challenge (linked to domain name by the browser to prevent XSS
credential loss). Not a proxy challenge (linked to the proxy IP or user
session by the browser).

You require a second http_port line without "accel" that browsers are
configured to connect to for regular proxy access.

Amos
Received on Wed Feb 24 2010 - 21:22:51 MST
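A squid.conf sketch of the layout Amos describes, added here as an illustration and not taken from the thread: port 80 keeps "accel" for the published site, a second plain port carries authenticated forward-proxy traffic (so its challenge is a 407, not a 401), and myport ACLs keep the two roles apart. The choice of port 3128, the Safe_ports/SSL_ports/purge ACL definitions and restricting each cache_peer to its own port are assumptions, not settings from the original post.

```conf
# Reverse-proxy port: "accel" makes Squid answer as the origin server,
# so any auth challenge here would be a 401 (web-server style).
http_port 80 accel defaultsite=www.example.net vhost

# Forward-proxy port (assumed 3128): no "accel", so proxy_auth
# challenges are 407 Proxy-Authentication-Required, which the browser
# ties to the proxy rather than to each visited site.
http_port 3128

acl ACCEL_PORT myport 80
acl PROXY_PORT myport 3128
acl FOO dstdomain www.example.net
acl CONNECT method CONNECT
acl purge method PURGE
acl SSL_ports port 443
acl Safe_ports port 80 443

auth_param basic program /usr/lib/squid/db_auth --user user --password pass --plaintext --persist
auth_param basic children 5
auth_param basic realm Proxy-Auth
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off
acl db-auth proxy_auth REQUIRED

# Reverse-proxy backend: login=PASS forwards the client's credentials,
# so only the published domain may reach it.
cache_peer 127.0.0.1 parent 7070 0 no-query originserver login=PASS name=SERVICES
cache_peer_access SERVICES allow FOO
cache_peer_access SERVICES deny all
never_direct allow FOO !CONNECT

# Upstream parent used only for authenticated forward-proxy traffic.
cache_peer 127.0.0.1 parent 9090 0 no-query name=PROXY
cache_peer_access PROXY allow PROXY_PORT db-auth
cache_peer_access PROXY deny all

# http_access is first-match: nothing after "deny all" is evaluated.
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
# Accel port: anonymous access to the published site only.
http_access allow ACCEL_PORT FOO
http_access deny ACCEL_PORT
# Proxy port: proxy credentials required (407 challenge).
http_access allow PROXY_PORT db-auth
http_access deny all
```

With this split, a browser configured for the proxy on port 3128 is challenged once with a 407 and reuses the credentials, while visitors hitting port 80 never see an auth prompt.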