[squid-users] PINNED or not PINNED ? from Vernet Jerome on 2013-12-02 (squid-users)

From: Vernet Jerome <Jerome.Vernet_at_belambra.fr>
Date: Mon, 2 Dec 2013 15:10:51 +0100

Hi,

On a SQUID 3.1.23, we use Active Directory Authentification, with some user/group definition.
I'm trying to access with 2 different user a web site that need some authentication. With these two nearly identical user (except the name, they belong to the same AD group), one work, the other not... On the same PC (mine)/. Any Idea where to look ?

Here is the log: user1 working, user2 not.
root_at_metis (0) lun. déc. 02 14:31:28
/etc/squid3>tail -f /var/log/squid3/access.log|grep 10.2.41.1
1385991126.828 0 10.2.41.1 TCP_DENIED/407 2404 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports - NONE/- text/html
** here come the Auth box from IE **
1385991131.345 13 10.2.41.1 TCP_MISS/401 2072 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 DIRECT/193.251.215.217 text/html
1385991144.805 20 10.2.41.1 TCP_MISS/401 2208 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 DIRECT/193.251.215.217 text/html
1385991144.834 23 10.2.41.1 TCP_MISS/301 568 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 PINNED/193.251.215.217 text/html
1385991144.893 15 10.2.41.1 TCP_MISS/401 2072 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports/ user1 PINNED/193.251.215.217 text/html
1385991144.985 49 10.2.41.1 TCP_MISS/401 2272 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports/ user1 DIRECT/193.251.215.217 text/html
1385991145.020 21 10.2.41.1 TCP_MISS/200 756 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports/ user1 PINNED/193.251.215.217 text/html
1385991145.368 16 10.2.41.1 TCP_MISS/401 2072 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports/main.asp? Jvernet PINNED/193.251.215.217 text/html
^C
root_at_metis (0) lun. déc. 02 14:32:25
/etc/squid3>

root_at_metis (0) lun. déc. 02 14:33:03
/etc/squid3>tail -f /var/log/squid3/access.log|grep 10.2.41.1
1385991188.009 0 10.2.41.1 TCP_DENIED/407 2404 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports - NONE/- text/html
1385991216.316 42 10.2.41.1 TCP_MISS/401 2235 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 FIRST_UP_PARENT/127.0.0.1 text/html
1385991229.107 17 10.2.41.1 TCP_MISS/401 2307 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 FIRST_UP_PARENT/127.0.0.1 text/html
1385991229.146 34 10.2.41.1 TCP_MISS/401 2054 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 FIRST_UP_PARENT/127.0.0.1 text/html
1385991230.492 26 10.2.41.1 TCP_MISS/401 2307 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 FIRST_UP_PARENT/127.0.0.1 text/html
1385991230.528 31 10.2.41.1 TCP_MISS/401 2054 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 FIRST_UP_PARENT/127.0.0.1 text/html
1385991231.172 26 10.2.41.1 TCP_MISS/401 2307 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 FIRST_UP_PARENT/127.0.0.1 text/html
1385991231.216 40 10.2.41.1 TCP_MISS/401 2054 GET http://rtr.flexiblecontactcenter.orange-business.com/realtimereports user1 FIRST_UP_PARENT/127.0.0.1 text/html

An extract of my squid.conf
http_port 3128
acl NOCACHE url_regex -i "/etc/squid3/nocache.url"
cache deny NOCACHE
...
acl Authenticated proxy_auth REQUIRED
acl directaccess external ad_group www-directaccess <user1 and user2 belong to this same AD group
acl activefilter external ad_group www-activefilter
acl directurls dstdomain "/etc/squid3/directurls"
http_access allow directurls
always_direct allow directurls
http_access allow localhost
acl restrictedfilter01 external ad_group www-restricted01
acl restrictedfilter02 external ad_group www-restricted02
acl goodsites01 url_regex "/etc/squid3/contentlist01"
acl goodsites02 url_regex "/etc/squid3/contentlist02"
http_access deny !Safe_ports activefilter
http_access deny !Safe_ports restrictedfilter01
http_access deny !Safe_ports restrictedfilter02
http_access allow goodsites01 restrictedfilter01
http_access allow goodsites02 restrictedfilter02
http_access allow directaccess
always_direct allow directaccess
http_access allow activefilter
http_access allow directaccess SSL_ports
http_access allow activefilter SSL_ports
http_access deny restrictedfilter01
http_access deny restrictedfilter02
http_access deny !Authenticated !localhost
http_access deny all
http_reply_access allow all
icp_access allow all
...
always_direct allow localhost
always_direct allow directurls
never_direct allow activefilter
forwarded_for off
never_direct deny all
Received on Mon Dec 02 2013 - 15:00:51 MST

This archive was generated by hypermail 2.2.0 : Tue Dec 03 2013 - 12:00:05 MST