Re: [squid-users] squid 3.4.1 , basic auth and timeout

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 12 Dec 2013 16:08:47 +1300

On 11/12/2013 11:02 p.m., Dmitry Melekhov wrote:
> Hello!
>
> Just tried to install 3.4.1 to production.
> Users complain that they need to re-authenticate after some timeout.
>
> Parts of config:
>
> external_acl_type LdapGroup children-max=30 children-startup=10 concurrency=0 ttl=600 negative_ttl=10 grace=0 protocol=2.5 %LOGIN /usr/sbin/squid_ldap_group -v 3 -h 127.0.0.1 -b "o=company,c=RU" -B "org=company,ou=People,o=company,c=RU" -f "(&(cn=%g)(memberUid=%u))" -F "(&(objectClass=account)(uid=%s))" -s sub
>
>
> and
>
> auth_param basic program /usr/sbin/squid_ldapauth
> auth_param basic credentialsttl 600 seconds
> auth_param basic children 10
> auth_param basic realm Squid proxy-caching web server
> #auth_param basic casesensitive on
> auth_param basic casesensitive off
>
> I see the following in my logs; Firefox doesn't ask me for auth info though:
> 1386754087.151 2 192.168.22.229 TCP_DENIED/407 6701 GET http://www.rbc.ru/? dm HIER_NONE/- text/html
> 1386754810.393 2 192.168.22.229 TCP_DENIED/407 6702 GET http://www.rbc.ru/? dm HIER_NONE/- text/html
> 1386755534.579 2 192.168.22.229 TCP_DENIED/407 6702 GET http://www.rbc.ru/? dm HIER_NONE/- text/html
>
>
> As far as I remember, there was such a problem in 3.2, or something like
> this, so I installed 3.3 before it was released - this was an ACL problem.
>
> Were some changes introduced in 3.4? Or do I need to reconfigure something?

Try setting grace period to a value larger than 0. The grace period is a
short time before the credentials TTL expires when they can be looked up
at the helper for validity without needing to block the client request
or send an immediate pass/fail result to the access control.
 ** there was a bug in this for some 3.2-3.3 releases.

If you are using the auth check in a fast-type access control the TTL
expiry will cause a fail result after the credentials have expired even
if the helper lookup will some time later produce a valid/success
result. Grace allows that lookup to be started before the TTL is over
and hopefully the credentials' next TTL can be assigned before the old
one expires.

Amos
Received on Thu Dec 12 2013 - 03:08:55 MST
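A toy model of the TTL/grace interaction described in the reply above, added here as an illustration and not code from Squid or from either poster. The cache class, the helper callback, the user name and the request timeline are constructed for the example, and grace is treated as a number of seconds before expiry (an assumption for readability, not Squid's actual parameter semantics).

```python
"""Model of a cached lookup result with a TTL and a grace window.

Constructed illustration, not Squid's implementation: an entry is valid
for `ttl` seconds; a fast (non-blocking) check that lands inside the last
`grace` seconds of that window still answers from cache but also starts a
background helper re-check, which renews the entry before it expires.
With grace=0 the re-check can only start once the entry is already stale,
so the fast check has nothing valid to return and denies that request.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    verdict: bool   # last helper result (True = allowed)
    expires: float  # absolute time at which the entry stops being valid


class GraceCache:
    def __init__(self, ttl, grace, helper):
        self.ttl = ttl
        self.grace = grace
        self.helper = helper      # callable(user) -> bool: the slow lookup
        self.entries = {}
        self.refreshes = []       # (time, user) of every helper call made

    def _refresh(self, user, now):
        # In the model the helper answers instantly; the new TTL is counted
        # from the moment the re-check was started.
        self.refreshes.append((now, user))
        self.entries[user] = Entry(self.helper(user), now + self.ttl)

    def slow_check(self, user, now):
        """Blocking check: wait for the helper, then answer (initial login)."""
        self._refresh(user, now)
        return self.entries[user].verdict

    def fast_check(self, user, now):
        """Non-blocking check: the verdict must come from the cache alone."""
        e = self.entries.get(user)
        if e is None or now >= e.expires:
            self._refresh(user, now)   # too late: only a later request benefits
            return False
        if now >= e.expires - self.grace:
            self._refresh(user, now)   # inside grace: renew in the background
        return e.verdict


def simulate(grace, request_times, ttl=600):
    """Prime the cache at t=0, then run fast checks; return their verdicts."""
    cache = GraceCache(ttl, grace, helper=lambda user: True)
    cache.slow_check("dm", 0.0)
    return [cache.fast_check("dm", t) for t in request_times]
```

With `simulate(0, [500, 580, 610])` the request at 610 s is denied because nothing renewed the entry before the 600 s TTL ran out, while `simulate(30, [500, 580, 610])` allows it because the request at 580 s fell inside the grace window and triggered the renewal.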