Re: [squid-users] squid 2.7 on windows 2008 and ntlm authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 31 Jul 2010 16:30:47 +1200

Bob_P wrote:
> I have installed squid 2.7 on windows 2008 r2 server. any time I try to
> access an external site I get a credentials log in box and I'm unable to get
> past it. Eventually it errors out with "Cache Access Denied. Sorry, you are
> not currently allowed to request." Below is my squid.conf. If anyone can
> tell me what I'm doing wrong I would greatly appreciate it.
>
> Thanks
> Bob
>

Your squid.conf is very mucked up. Below are some changes you need to
make to correct it.

>
> # WELCOME TO SQUID 2.7.STABLE8
> # ----------------------------
>
> #Recommended minimum configuration:
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
>
> auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
> auth_param ntlm children 5
>
> acl localnet proxy_auth REQUIRED src 10.0.0.0/8

The above line means that the usernames "src" and "10.0.0.0/8" are
permitted to log in, as long as they present valid NTLM tokens accepted
by your mswin_ntlm_auth.exe.

What you are trying to do is this:

   acl authenticated proxy_auth REQUIRED
   acl localnet src 10.0.0.0/8

   http_access allow localnet authenticated

That should also all be down further in the config underneath the
security rule about preventing unsafe CONNECT tunnels.

>
> http_access allow localnet
>

The above line needs to be removed now.

> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to unknown ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
>
> #http_access deny all

Uncomment this again. It's there to make an explicit ban on non-LAN
users accessing your proxy.

After making those changes, if you are still stuck on the login box, you
will need to check up on the persistent connections. NTLM requires them
to be on.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.5
Received on Sat Jul 31 2010 - 04:30:55 MDT

This archive was generated by hypermail 2.2.0 : Sat Jul 31 2010 - 12:00:05 MDT
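The two points in the reply (a `proxy_auth` acl named `localnet` no longer restricts by source address, and an `http_access allow` placed above the Safe_ports/CONNECT rules bypasses them) can be checked by walking the http_access lines the way Squid does: first matching line wins, all acls on a line must match, and an unauthenticated request that reaches an auth acl in the last position gets the 407 challenge. The script below is an added example, not code from this thread or from Squid; it models only the acl types used in the quoted configuration (src, port, method, proxy_auth) and runs both the posted and the corrected rule order over a few constructed requests.

```python
# Added example (not code from the squid-users thread or from Squid itself):
# a toy evaluator for Squid http_access lines, covering only the acl types
# used in the quoted squid.conf (src, port, method, proxy_auth) and Squid's
# first-match semantics, so the two configurations can be compared.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    src: str                    # client IP address
    port: int                   # destination port
    method: str = "GET"
    user: Optional[str] = None  # None: no valid proxy credentials presented


def parse_config(text):
    """Collect acl definitions and http_access lines from squid.conf text."""
    acls = {}   # name -> (type, [values]); repeated acl lines extend the list
    rules = []  # (action, [(negated, acl_name), ...]) in file order
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] == "http_access":
            terms = [(p.startswith("!"), p.lstrip("!")) for p in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acls, name, req):
    acl_type, values = acls[name]
    if acl_type == "src":
        ip = ipaddress.ip_address(req.src)
        return "all" in values or any(
            ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if acl_type == "method":
        return req.method in values
    if acl_type == "proxy_auth":
        # REQUIRED accepts any authenticated user; the remaining words are
        # treated as usernames, which is what happens to "src" and
        # "10.0.0.0/8" in the quoted acl line.
        return "REQUIRED" in values or req.user in values
    raise NotImplementedError(acl_type)


def evaluate(acls, rules, req):
    """Return 'allow', 'deny' or 'challenge' (a 407 login prompt)."""
    last_action = "deny"
    for action, terms in rules:
        last_action = action
        matched = True
        for i, (negated, name) in enumerate(terms):
            if acls[name][0] == "proxy_auth" and req.user is None:
                # Squid challenges only when the auth acl is the last one
                # on the line; otherwise the line simply does not match.
                if i == len(terms) - 1:
                    return "challenge"
                matched = False
                break
            if acl_matches(acls, name, req) == negated:
                matched = False
                break
        if matched:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if last_action == "deny" else "deny"


# Constructed from the rule order quoted in the thread (Safe_ports trimmed).
POSTED_CONF = """
acl all src all
acl localnet proxy_auth REQUIRED src 10.0.0.0/8
http_access allow localnet
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
#http_access deny all
"""

# The same file with the changes the reply asks for.
CORRECTED_CONF = """
acl all src all
acl authenticated proxy_auth REQUIRED
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet authenticated
http_access deny all
"""


def decide(conf_text, req):
    return evaluate(*parse_config(conf_text), req)


if __name__ == "__main__":
    cases = {
        "LAN, no credentials, GET :80": Request("10.1.2.3", 80),
        "LAN, authenticated, CONNECT :8080": Request("10.1.2.3", 8080, "CONNECT", user="bob"),
        "off-LAN, authenticated, GET :80": Request("203.0.113.5", 80, user="bob"),
        "off-LAN, no credentials, GET :80": Request("203.0.113.5", 80),
    }
    for label, req in cases.items():
        print(f"{label:34} posted={decide(POSTED_CONF, req):9} "
              f"corrected={decide(CORRECTED_CONF, req)}")
```

With the posted order, an authenticated user from any address is allowed, and the early `allow localnet` lets an authenticated LAN user CONNECT to a non-SSL port before the `deny CONNECT !SSL_ports` line is ever reached. With the corrected order, off-LAN clients are denied without even being challenged (the `src` acl fails before the auth acl is evaluated), LAN clients get the 407 challenge, and CONNECT to anything but 443 is refused regardless of credentials.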