Re: [squid-users] Repeated auth challenges, credentialsttl 8 hour

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 28 Jan 2011 18:20:26 +1300

On 28/01/11 07:22, Jim Moseby wrote:
>
>
>>>> On 1/27/2011 at 11:40 AM, in
>>>> message<4D41A000.6010204_at_treenet.co.nz>, Amos
> Jeffries<squid3_at_treenet.co.nz> wrote:
>> On 28/01/11 04:26, Jim Moseby wrote:
>>> Some of my users are getting repeated auth challenges, even
>>> though I have "auth_param basic credentialsttl 8 hour" in
>>> squid.conf. What triggers the auth challenge, and how can I
>>> configure so my users will only be challenged once per 8 hour
>>> workday?
>>>
>>
>> Triggers when the browser has no credentials stored to send to the
>> proxy. Or if the credentials it sent were rejected by your ACLs.
>>
>> The common cause of ACLs triggering popups after good auth has been
>> in use is group access checks on the end of a deny line. Place
>> "all" at the end of such lines to prevent existing credentials
>> being re-challenged.
>>
>> A less common cause if it's just a few out of many users may be
>> strange characters in their login or password. Or UTF binary coding
>> being sent by their browser.
>>
>>
>> The only way to prevent popups for all day with Basic is to keep
>> the browser open at all times. Otherwise normally they can expect
>> one initial popup when they open a new browser.
>>
>> Amos
>
> Hi Amos,
>
> Thanks for that quick and helpful reply.
>
> I have verified that each 'deny' line has 'all' at the end.
>
> The behavior I want is exactly as you describe. They should be
> challenged when they first open their browser, and not again until
> they close and reopen it, or 8 hours has passed.
>
> I am also seeing challenges from other triggers. For instance, if
> they receive an email with an external reference (images, etc), or
> office applications (Excel, Word, etc) checking for updates. Since
> these are not really browser initiated, should they be causing their
> own challenges?

What do you think fetches the embedded binary content for those email
displays?

They are in fact full web pages which are pushed via the email system
instead of pulled via HTTP request. Email viewers which are capable of
displaying them are just another web browser. With all the same auth
requirements when fetching the data. Some like Outlook share credentials
with IE to hide this detail. Others don't.

The software updaters are in the same boat, they use HTTP to fetch their
updates. Most should have proxy settings and/or the login configured
somewhere. The good ones can use a system credentials mechanism to
prevent popups and even auto-detect the proxy for use.

> Can I white list known update sites so that they do
> not cause auth challenges?

Yes.

For Microsoft products there is a list here:
  http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
this is built from the list I and a few other ISP types use for our
clients. So it's fairly complete, but may be missing things for the less
common or newer MS software.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
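[Editor's added example, not part of the list message or of the Squid
project's own documentation. It shows the squid.conf pattern Amos
describes: the update-site whitelist evaluated before any auth ACL, and
"all" closing a group-based deny line so an already-authenticated user is
denied rather than re-challenged. The ACL names (ms_updates, group_check,
finance_group, finance_sites), the helper path and the domain pattern
are assumed; the complete Windows Update domain list is on the wiki page
linked above.]

```squid
# Added example (assumed names and paths, not from the thread).
# Basic auth with an 8 hour credential cache, as in the original question.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd   # assumed helper path
auth_param basic credentialsttl 8 hour
acl auth_users proxy_auth REQUIRED

# Assumed group lookup; "group_check" is an external_acl_type defined elsewhere
# whose helper receives %LOGIN, so evaluating it also requires credentials.
acl finance_group external group_check finance
acl finance_sites dstdomain .finance.example

# Whitelist: known update sites are allowed BEFORE any auth ACL is evaluated,
# so Office updaters and similar non-browser clients never receive a 407.
# Domains here are a subset; see http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
acl ms_updates dstdomain .windowsupdate.com .update.microsoft.com
http_access allow ms_updates

# Weak form (commented out): the last ACL on the deny line is auth-based, so a
# user who authenticated but is not in the group gets a fresh 407 challenge
# instead of a denial, which is the repeated popup from the original question.
#   http_access deny finance_sites !finance_group

# Corrected form: "all" is the last ACL matched, so the same user gets a 403.
http_access deny finance_sites !finance_group all

http_access allow auth_users
http_access deny all
```

Order matters: the ms_updates allow must sit above the first line that
references a proxy_auth or login-based external ACL, otherwise those
requests still trigger a challenge before the whitelist is ever reached.
Verify the result by watching access.log for TCP_DENIED/407 entries from
the affected clients after the change; they should drop to the one
initial challenge per browser session Amos describes.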
Received on Fri Jan 28 2011 - 05:20:30 MST

This archive was generated by hypermail 2.2.0 : Fri Jan 28 2011 - 12:00:04 MST