Re: [squid-users] Problem in access to cache manager

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 25 Dec 2013 23:24:49 +1300

On 24/12/2013 9:35 p.m., ana any wrote:
>
>
> Greetings,
>
> I installed squid 3.3.9 on debian, but I don't have access to cache manager with authentication :(
> If I remove "http_access allow authenticated" line, then I have access.
>
> Here is a part of my config:
>
> cache_mgr admin_at_example.com
> cachemgr_passwd MYPASS all
>
> auth_param digest program /usr/local/squid/libexec/digest_file_auth -c /home/passwd.htdigest
> auth_param digest children 5
> auth_param digest realm ProxyServer
> auth_param digest nonce_garbage_interval 5 minutes
> auth_param digest nonce_max_duration 30 minutes
> auth_param digest nonce_max_count 50
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
>
> What's wrong with it?!
> Any help would be appreciated.
>

What should be happening is one of:

* forward-proxy ports:
 - your proxy challenges for proxy-auth credentials using Digest and
uses your helper to validate those Digest credentials.
 - when those are presented and accepted,
 - the cachemgr challenges for www-auth using Basic and uses your
cachemgr_passwd settings to validate these Basic credentials.

* reverse-proxy ports:
 - your proxy challenges for www-auth credentials using Digest and uses
your helper to validate those Digest credentials.
 - when those are presented and accepted,
 - the cachemgr attempts to locate www-auth Basic credentials and fails.
   (If you were authenticating with Basic for the proxy and the user's
password matched cachemgr_passwd this might go through as above).

* transparent intercept ports
 - your proxy ignores the request and passes it on to the server upstream.

How does the HTTP traffic you are seeing match up with that description?

Alternatively, could you be hitting one of the bugs which appear to be in
the Squid Digest implementation? There are a few which result in erroneous
rejections.

As a workaround you could set "cachemgr_passwd none all" and rely on the
Digest authentication and "manager" ACL to filter people who are logged
in whether they can access the cachemgr or not.

Amos
Received on Wed Dec 25 2013 - 10:25:01 MST
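
The workaround described in the reply above, written out as a squid.conf fragment. This is an added example, not part of the original message: the user name `admin` and the ACL name `mgr_admins` are hypothetical, and the placement of these rules relative to the poster's other `http_access` lines is an assumption.

```conf
# Added example: squid.conf fragment for the "cachemgr_passwd none all" workaround.
# The poster's auth_param digest lines stay as they are, above these lines.

# No separate cache manager password: access is decided by http_access alone,
# so the cachemgr no longer needs its own Basic credentials on top of Digest.
cachemgr_passwd none all

acl authenticated proxy_auth REQUIRED

# Hypothetical user name: the Digest account(s) allowed to use the cache manager.
acl mgr_admins proxy_auth admin

# "manager" is a built-in ACL in Squid 3.2 and later.
# http_access rules are evaluated in order and the first match wins,
# so the manager rules go before the general allow for authenticated users.
http_access allow manager mgr_admins
http_access deny manager
http_access allow authenticated
```

With the password check disabled, the `http_access deny manager` line is the only thing keeping other authenticated users out of the cache manager, so it has to sit before `http_access allow authenticated`.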
