[squid-users] squid 3.3.3 : deny_info with NTLM - remove popup auth -

From: David Touzeau <david_at_articatech.com>
Date: Wed, 3 Jul 2013 20:47:05 +0200

Dear,

I would like Squid not to display the authentication popup if the client is not
authenticated through NTLM.
For this, I have understood that if deny_info is set, then Squid redirects the
error to the specified URL.

I have set this:
auth_param ntlm program /usr/bin/ntlm_auth --domain=ABC.LAB --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20 startup=1 idle=1
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 3 startup=1 idle=1
auth_param basic realm Basic Identification
auth_param basic credentialsttl 2 hours

acl AUTHENTICATED proxy_auth REQUIRED
acl AllowedUrisTemplates dstdomain .domain.tld

http_access allow AllowedUrisTemplates
http_access deny !AUTHENTICATED all
deny_info http://proxy-error.domain.tld AUTHENTICATED
http_access deny all

But it seems that Squid did not care about the deny_info defined for the
AUTHENTICATED acl and forced the use of the ERR_CACHE_ACCESS_DENIED template.

Why?

Best regards

2013/07/03 20:20:29.171 kid1| Acl.cc(339) matches: ACLList::matches: result
is false
2013/07/03 20:20:29.171 kid1| Checklist.cc(275) matchNode: 0x135c238
matched=0 async=0 finished=0
2013/07/03 20:20:29.171 kid1| Checklist.cc(299) matchNode: 0x135c238 simple
mismatch
2013/07/03 20:20:29.172 kid1| Checklist.cc(160) checkAccessList: 0x135c238
checking 'http_access deny !AUTHENTICATED'
2013/07/03 20:20:29.172 kid1| Acl.cc(336) matches: ACLList::matches:
checking !AUTHENTICATED
2013/07/03 20:20:29.172 kid1| Acl.cc(319) checklistMatches:
ACL::checklistMatches: checking 'AUTHENTICATED'
2013/07/03 20:20:29.172 kid1| Acl.cc(66) AuthenticateAcl: returning 3
sending authentication challenge.
2013/07/03 20:20:29.172 kid1| Checklist.cc(146) markFinished: 0x135c238
answer AUTH_REQUIRED for AuthenticateAcl exception
2013/07/03 20:20:29.172 kid1| Acl.cc(321) checklistMatches:
ACL::ChecklistMatches: result for 'AUTHENTICATED' is -1
2013/07/03 20:20:29.172 kid1| Acl.cc(339) matches: ACLList::matches: result
is false
2013/07/03 20:20:29.172 kid1| Checklist.cc(275) matchNode: 0x135c238
matched=0 async=0 finished=1
2013/07/03 20:20:29.172 kid1| Checklist.cc(294) matchNode: 0x135c238
exception: AUTH_REQUIRED
2013/07/03 20:20:29.172 kid1| Checklist.cc(88) matchNonBlocking:
ACLChecklist::check: 0x135c238 match found, calling back with AUTH_REQUIRED
2013/07/03 20:20:29.172 kid1| Checklist.cc(182) checkCallback:
ACLChecklist::checkCallback: 0x135c238 answer=AUTH_REQUIRED
2013/07/03 20:20:29.172 kid1| client_side_request.cc(778)
clientAccessCheckDone: The request GET
http://www.google.com/search?q=www&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a&channel=np&source=hp
is AUTH_REQUIRED, because it matched 'AUTHENTICATED'
2013/07/03 20:20:29.172 kid1| client_side_request.cc(794)
clientAccessCheckDone: Access Denied:
http://www.google.com/search?q=www&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a&channel=np&source=hp
2013/07/03 20:20:29.172 kid1| client_side_request.cc(795)
clientAccessCheckDone: AclMatchedName = AUTHENTICATED
2013/07/03 20:20:29.172 kid1| client_side_request.cc(798)
clientAccessCheckDone: Proxy Auth Message = <null>
2013/07/03 20:20:29.172 kid1| FilledChecklist.cc(77) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x7ffff93bb370
2013/07/03 20:20:29.172 kid1| Checklist.cc(334) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7ffff93bb370
2013/07/03 20:20:29.172 kid1| FilledChecklist.cc(77) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x7ffff93bb250
2013/07/03 20:20:29.172 kid1| Checklist.cc(334) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7ffff93bb250
2013/07/03 20:20:29.172 kid1| client_side_request.cc(1314)
sslBumpAccessCheck: cannot SslBump this request
2013/07/03 20:20:29.172 kid1| store.cc(825) storeCreateEntry:
storeCreateEntry:
'http://www.google.com/search?q=www&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a&channel=np&source=hp'
2013/07/03 20:20:29.172 kid1| store.cc(401) StoreEntry: new StoreEntry
0x135c4f0
2013/07/03 20:20:29.172 kid1| MemObject.cc(88) MemObject: new MemObject
0x135c570
2013/07/03 20:20:29.172 kid1| HttpHeader.cc(402) HttpHeader: init-ing hdr:
0x135c688 owner: 3
2013/07/03 20:20:29.172 kid1| store_key_md5.cc(109) storeKeyPrivate:
storeKeyPrivate: GET
http://www.google.com/search?q=www&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a&channel=np&source=hp
2013/07/03 20:20:29.172 kid1| store.cc(487) hashInsert:
StoreEntry::hashInsert: Inserting Entry 0x135c4f0 key
'464E68CBC43B3990C6A6986641D292AB'
2013/07/03 20:20:29.172 kid1| store.cc(541) setReleaseFlag:
StoreEntry::setReleaseFlag: '464E68CBC43B3990C6A6986641D292AB'
2013/07/03 20:20:29.172 kid1| store.cc(530) lock: StoreEntry::lock: key
'464E68CBC43B3990C6A6986641D292AB' count=2
2013/07/03 20:20:29.172 kid1| Checklist.cc(153) preCheck: 0x7ffff93bafd0
checking fast rules
2013/07/03 20:20:29.172 kid1| Checklist.cc(414) fastCheck: aclCheckFast:
list: 0x13178e8
2013/07/03 20:20:29.172 kid1| Acl.cc(336) matches: ACLList::matches:
checking all
2013/07/03 20:20:29.172 kid1| Acl.cc(319) checklistMatches:
ACL::checklistMatches: checking 'all'
2013/07/03 20:20:29.172 kid1| Ip.cc(560) match: aclIpMatchIp:
'192.168.1.225:53970' found
2013/07/03 20:20:29.172 kid1| Acl.cc(321) checklistMatches:
ACL::ChecklistMatches: result for 'all' is 1
2013/07/03 20:20:29.172 kid1| Acl.cc(343) matches: ACLList::matches: result
is true
2013/07/03 20:20:29.172 kid1| Checklist.cc(275) matchNode: 0x7ffff93bafd0
matched=1 async=0 finished=0
2013/07/03 20:20:29.172 kid1| Checklist.cc(260) matchNodes: 0x7ffff93bafd0
success: all ACLs matched
2013/07/03 20:20:29.172 kid1| Checklist.cc(146) markFinished: 0x7ffff93bafd0
answer DENIED for first matching rule won
2013/07/03 20:20:29.172 kid1| FilledChecklist.cc(77) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x7ffff93bafd0
2013/07/03 20:20:29.172 kid1| Checklist.cc(334) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7ffff93bafd0
2013/07/03 20:20:29.172 kid1| errorpage.cc(615) errorAppendEntry: Creating
an error page for entry 0x135c4f0 with errorstate 0x135c408 page id 2

2013/07/03 20:20:29.172 kid1| Acl.cc(336) matches: ACLList::matches:
checking all
2013/07/03 20:20:29.172 kid1| Acl.cc(319) checklistMatches:
ACL::checklistMatches: checking 'all'
2013/07/03 20:20:29.172 kid1| Ip.cc(560) match: aclIpMatchIp:
'192.168.1.225:53970' found
2013/07/03 20:20:29.172 kid1| Acl.cc(321) checklistMatches:
ACL::ChecklistMatches: result for 'all' is 1
2013/07/03 20:20:29.172 kid1| Acl.cc(343) matches: ACLList::matches: result
is true
2013/07/03 20:20:29.172 kid1| Checklist.cc(275) matchNode: 0x7ffff93bafd0
matched=1 async=0 finished=0
2013/07/03 20:20:29.172 kid1| Checklist.cc(260) matchNodes: 0x7ffff93bafd0
success: all ACLs matched
2013/07/03 20:20:29.172 kid1| Checklist.cc(146) markFinished: 0x7ffff93bafd0
answer DENIED for first matching rule won
2013/07/03 20:20:29.172 kid1| FilledChecklist.cc(77) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x7ffff93bafd0
2013/07/03 20:20:29.172 kid1| Checklist.cc(334) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7ffff93bafd0
2013/07/03 20:20:29.172 kid1| errorpage.cc(615) errorAppendEntry: Creating
an error page for entry 0x135c4f0 with errorstate 0x135c408 page id 2
2013/07/03 20:20:29.172 kid1| store.cc(530) lock: StoreEntry::lock: key
'464E68CBC43B3990C6A6986641D292AB' count=3
2013/07/03 20:20:29.172 kid1| HttpHeader.cc(402) HttpHeader: init-ing hdr:
0x135c978 owner: 3
2013/07/03 20:20:29.172 kid1| HttpHeader.cc(968) getList: 0x135b2b8: joined
for id 3: 0x7ffff93bb0c0
2013/07/03 20:20:29.172 kid1| errorpage.cc(448) loadFor: Testing Header:
'fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3'
2013/07/03 20:20:29.172 kid1| errorpage.cc(458) loadFor: Found language
'fr', testing for available template
2013/07/03 20:20:29.172 kid1| disk.cc(95) file_open: file_open: FD 12
2013/07/03 20:20:29.172 kid1| fd.cc(221) fd_open: fd_open() FD 12
/usr/share/squid3/errors/fr/ERR_CACHE_ACCESS_DENIED
2013/07/03 20:20:29.173 kid1| disk.cc(150) file_close: file_close: FD 12
really closing
2013/07/03 20:20:29.173 kid1| fd.cc(116) fd_close: fd_close FD 12
/usr/share/squid3/errors/fr/ERR_CACHE_ACCESS_DENIED
2013/07/03 20:20:29.173 kid1| ModEpoll.cc(139) SetSelect: FD 12, type=1,
handler=0, client_data=0, timeout=0
2013/07/03 20:20:29.173 kid1| ModEpoll.cc(139) SetSelect: FD 12, type=2,
handler=0, client_data=0, timeout=0
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%} --> '%}'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%; --> '%;'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%; --> '%;'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
% --> '% '
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%} --> '%}'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%} --> '%}'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%} --> '%}'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%} --> '%}'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%} --> '%}'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%; --> '%;'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%U -->
'http://www.google.com/search?q=www&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a&channel=np&source=hp'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%U -->
'http://www.google.com/search?q=www&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a&channel=np&source=hp'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%U -->
'http://www.google.com/search?q=www&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a&channel=np&source=hp'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%h --> 'squid32-64.localhost.localdomain'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%T --> 'Wed, 03 Jul 2013 18:20:29 GMT'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%h --> 'squid32-64.localhost.localdomain'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%s --> 'squid/3.3.3-20130414-r12525'
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%c --> 'ERR_CACHE_ACCESS_DENIED'
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding
entry: 50 at 0
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding
entry: 36 at 1
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding
entry: 21 at 2
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding
entry: 18 at 3
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding
entry: 14 at 4
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding
entry: 70 at 5
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding
entry: 61 at 6
2013/07/03 20:20:29.173 kid1| HttpHeader.cc(907) addEntry: 0x135c978 adding
entry: 13 at 7
Received on Wed Jul 03 2013 - 18:47:31 MDT
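
Added example, not part of the original post: a small Python helper that rejoins the hard-wrapped debug records of a trace like the one above and pulls out the access decision (rule checked, checklist answer, recorded ACL name, error template). The sample is an excerpt copied from the log in this message; the field names in the summary are labels chosen for this example.

```python
import re

# Excerpt copied from the debug log in this post, still wrapped as mailed.
SAMPLE = """\
2013/07/03 20:20:29.172 kid1| Checklist.cc(160) checkAccessList: 0x135c238
checking 'http_access deny !AUTHENTICATED'
2013/07/03 20:20:29.172 kid1| Acl.cc(66) AuthenticateAcl: returning 3
sending authentication challenge.
2013/07/03 20:20:29.172 kid1| Checklist.cc(182) checkCallback:
ACLChecklist::checkCallback: 0x135c238 answer=AUTH_REQUIRED
2013/07/03 20:20:29.172 kid1| client_side_request.cc(795)
clientAccessCheckDone: AclMatchedName = AUTHENTICATED
2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert: errorConvert:
%%c --> 'ERR_CACHE_ACCESS_DENIED'
"""

# A real record starts with "date time kidN| "; anything else is a wrapped tail.
RECORD_START = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+ kid\d+\| ")

# Labels (hypothetical names) mapped to the debug messages that carry them.
PATTERNS = {
    "rule": re.compile(r"checkAccessList: \S+ checking '([^']+)'"),
    "answer": re.compile(r"checkCallback: .*answer=(\w+)"),
    "matched_acl": re.compile(r"AclMatchedName = (\S+)"),
    "template": re.compile(r"%%c --> '([^']+)'"),
}

def unwrap(text):
    """Rejoin hard-wrapped records into one string per log record."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Return the last value seen for each field of the access decision."""
    summary = {}
    for record in unwrap(text):
        for field, pattern in PATTERNS.items():
            match = pattern.search(record)
            if match:
                summary[field] = match.group(1)
    return summary

if __name__ == "__main__":
    for field, value in summarize(SAMPLE).items():
        print(f"{field:12} {value}")
```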
