Re: [squid-users] Squid in acceleration mode and authentciation

From: Amos Jeffries <>
Date: Sun, 02 May 2010 23:59:13 +1200

Rakesh Jha wrote:
> Hi,
> I want to run squid in acceleration mode for a internal site. The ISS
> site prompts window for authentication. When I connect to the site I get
> window prompt for entering username and password. But after entering
> domain username and password, I get access denied to the site.

ISS (or did you mean IIS?) is the software doing the reject.

I've done an audit below, with a lot of things you can fix up. They need
doing first, but by themselves will likely not resolve the auth issue
until the server is also fixed not to reject.

> I have compiled squid 3 with following option -
> /sbin/squid -v
> Squid Cache: Version
> configure options: '--enable-ssl' '--enable-ntlm-auth'
> '--enable-basic-auth'

Those two options are not valid in Squid's configure script.

For 3.1 series it should be: --enable-auth="basic ntlm"

As well as --enable-basic-auth-helpers="PAM" to build the PAM helper you
are using.

Also, ... 3.1 is in stable cycle now. Please try 3.1.3.

> --with-squid=/tmp/squid-
> --enable-ltdl-convenience
> My squid.conf is
> acl manager proto cache_object
> acl localhost src
> acl to_localhost dst
> acl bd_host dst
> acl all src

"all" ACL needs to be remove for 3.1+. It's now built in and defined

> acl SSL_ports port 443
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

The above lines are all forward proxy configuration.

Reverse-proxy http_access configuration must be above them to work properly.

For a pure reverse-proxy you can erase the forward-proxy configuration
http_access lines.

> http_access allow bd_host

In a reverse proxy clients are never expected to be asking for the
hidden master server. This will only work with split-DNS.

I think you really want to define this as a dstdomain type ACL listing
the internal domain(s) being serviced.

With that done Squid can handle all the attack rejections and save your
server from potential DoS overloads.

> http_access allow all

More forward-proxy config?

> icp_access deny all
> htcp_access deny all
> https_port defaultsite=tpaspp01 protocol=http
> cert=/usr/local/cert/cert.crt key=/usr/local/cert/private.key version=3
> options=NO_SSLv2
> ssl_unclean_shutdown on
> cache_peer tpaspp01 parent 80 0 no-query proxy-only login=PASS
> front-end-https=on

Since this is a master peer you could also add the "default" option here.

If that is a web server (IIS? or ISS?) then it also needs the
"originserver" option to pass on the credentials properly.
That said, Squid is not doing any auth anyway (see below).

> hierarchy_stoplist cgi-bin ?
> access_log /usr/local/squid/var/logs/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0

That line should now be:
  refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 0 20% 4320
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname bdproxy
> icp_port 3130
> auth_param basic program /usr/local/squid/pam_auth
> auth_param basic children 5
> auth_param basic realm Adzapping Squid
> auth_param basic credentialsttl 1 week
> acl password proxy_auth REQUIRED
> http_access allow password

Your Squid is not doing the auth challenge. There is a "http_access
allow all" above here which prevents this auth from happening.

Also, it's not clear whether you want authenticated requests to go
through OR requests to the bd_host.


Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.3
Received on Sun May 02 2010 - 11:59:24 MDT

This archive was generated by hypermail 2.2.0 : Sun May 02 2010 - 12:00:03 MDT