AW: [squid-users] ask three times authentication

From: Rietzler, Markus \(RZF, SG 324 / \) <markus.rietzler_at_fv.nrw.de>
Date: Wed, 15 Jan 2014 13:56:22 +0000

I wonder why there are popups at all. NTLM should work without any popups.
which browser do you use? IE?

could you try to discard the group-check auth?
we are using NTLM, but everyone is allowed once authenticated, so we do not use external_acl_type.

we only use

acl auth_user proxy_auth REQUIRED
http_access allow auth_surfer all

> -----Ursprüngliche Nachricht-----
> Von: Usuário do Sistema [mailto:maiconlp_at_ig.com.br]
> Gesendet: Dienstag, 14. Januar 2014 13:27
> An: Eliezer Croitoru
> Cc: squid-users_at_squid-cache.org
> Betreff: Re: [squid-users] ask three times authentication
>
> Thank you,
>
> From 2.6 to 3.1.10, was there any other change in the system?
>
> yes, I have moved my squid from a machine running Red Hat 5.9
> to another machine running CentOS 6.5
>
> the issue seems to be something about authentication
> compatibility between the browser and the new squid version 3.1.10
>
> I still have the old machine. I have done some tests, and from a client
> machine, when I point the browser at the old proxy, everything works.
> The strange thing is that I use the same squid.conf on both the old proxy
> machine and the new proxy machine, so why does the authentication pop-up
> appear three times only with the new proxy, squid version 3.1.10 ?
>
> my question is whether there is any known problem with authentication in
> squid version 3.1.10 ?
>
> Follow my squid.conf.
>
>
> ############################################################
> #
> # Squid.conf autenticacao AD
> #
> #############################################################
>
> ## Autenticacao
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-
> ntlmssp
> auth_param ntlm children 50
> auth_param ntlm keep_alive on
>
> #auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-
> basic
> #auth_param basic children 30
>
> ## comentadas
>
> auth_param basic realm Acesso a Internet teste SA
> auth_param basic credentialsttl 2 hours
>
> authenticate_cache_garbage_interval 1 hour
> authenticate_ttl 120 seconds
>
> external_acl_type NT_global_group children=50 %LOGIN
> /usr/lib64/squid/squid_unix_group
>
> ## SQSTAT
>
>
> acl ntlm_users proxy_auth REQUIRED
>
> #cache_store_log none
> #cache_log /var/log/squid/cache.log
> #cache_log none
> #request_entities on
>
> # debug_options rotate=16 ALL,1
> #debug_options ALL,9
> #debug_options ALL,1 33,2
> #debug_options ALL
>
>
> visible_hostname proxy.teste.com
> http_port 8080
> http_port 127.0.0.1:3128
> hierarchy_stoplist cgi-bin ?
>
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
>
> access_log /var/log/squid/access.log squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> ie_refresh on
>
> max_filedesc 4096
>
>
> ###################################
> # Parametros de Cache NAO ALTERAR #
> ###################################
>
> #cache_dir aufs /var/spool/squid 6000 16 256
> #cache_dir ufs /var/spool/squid 5000 64 1024
> #cache_dir ufs /var/spool/squid 2048 64 64
>
> diskd_program /usr/lib64/squid/diskd-daemon
>
> cache_dir diskd /var/spool/squid/1 1000 16 128 Q1=64 Q2=72
> cache_dir diskd /var/spool/squid/2 1000 16 128 Q1=64 Q2=72
> cache_dir diskd /var/spool/squid/3 1000 16 128 Q1=64 Q2=72
> cache_dir diskd /var/spool/squid/4 1000 16 128 Q1=64 Q2=72
>
>
> #This stops squid from holding onto ram that it is no longer actively
> using.
> memory_pools off
>
> #Buffers the write-out to log files. This can increase performance
> slightly
> buffered_logs on
>
> cache_mem 1024 MB
>
> half_closed_clients off
> cache_swap_low 80%
> cache_swap_high 100%
>
> maximum_object_size 10 MB
> maximum_object_size_in_memory 2048 KB
>
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap GDSF
>
> #######################################
>
> ftp_passive on
> acl ftp_21 port 21
>
> ############################################################
> #
> # Regras Padrao
> #
> ############################################################
>
>
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 20 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # companyling http
> acl Safe_ports port 10080 # Porta http das unidades remotas teste.
> acl Safe_ports port 8181 # Publicacao
> acl Safe_ports port 10082 # DBMessenger
> acl Safe_ports port 9082
> acl ftp proto FTP
> acl CONNECT method CONNECT
>
>
> #################################
> # Origens
> #################################
> acl rede_projeto src 192.168.52.0/22
> acl nelson src 128.2.20.213
> acl 2m041187 src 128.2.20.171
> acl localhost src 127.0.0.1/32
> acl LAN_GERAL src 128.0.0.0/8
> acl LAN_ADM src 128.2.0.0/16
> acl gilson src 128.2.20.141/32
> acl LAN_IDU src 128.4.0.0/16
> acl LAN_JBOCD src 10.13.0.0/16
> acl LAN_COJ src 128.1.0.0/16
> acl LAN_COJ_TS src 10.1.251.0/25
> acl dropbox_liberado src 128.2.30.201/32
> acl testebo dst 189.36.1.226/32
>
>
> #################################
> # Regras LYNC e Sites sem AUTH
> #################################
> acl MSN_Liberado external NT_global_group msn_liberado
> acl lync url_regex "/etc/squid/acls/lync.txt"
> http_access allow lync
>
> acl semauth url_regex -i "/etc/squid/acls/sites_semauth.txt"
> http_access allow all semauth all
> http_access allow CONNECT semauth all
> http_access allow testebo
>
> acl semauth_sap url_regex -i
> "/etc/squid/acls/sites_semauth_sap.txt"
> http_access allow rede_projeto semauth_sap all
>
>
> acl msn.8 url_regex "/etc/squid/acls/msn.txt"
> acl local url_regex localhost
>
> http_access allow local
> http_access allow semauth 2m041187
> http_access allow localhost all
> http_access allow nelson
> http_access allow MSN_Liberado msn.8
>
> ############################################################
> #
> # Regras teste
> #
> ############################################################
>
> acl manager proto cache_object
>
> acl semcache url_regex "/etc/squid/acls/semcache.txt"
> acl SITES_BLOQUEADOS url_regex -i
> "/etc/squid/acls/sites_bloqueados.txt"
> acl SITES_LIBERADOS url_regex -i "/etc/squid/acls/sites_liberados.txt"
> acl acesso_mkt_vendas url_regex -i
> "/etc/squid/acls/acesso_mkt_vendas.txt"
> #acl quiosque url_regex -i "/etc/squid/acls/quiosque.txt"
> acl mtmon url_regex -i "/etc/squid/acls/mtmon.txt"
> acl IPS_LIBERADOS src "/etc/squid/acls/ips_liberados.txt"
> acl IPS_BLOQUEADOS src "/etc/squid/acls/ips_bloqueados.txt"
> acl PORN url_regex -i "/etc/squid/acls/porn.txt"
> acl NOPORN url_regex -i "/etc/squid/acls/noporn.txt"
> acl downloads url_regex -i "/etc/squid/acls/extensoes.txt"
>
>
> acl msn dstdomain loginnet.passport.com login.live.com
> acl msn.1 dstdomain loginnet.passport.com
> acl msn.2 dstdomain webmessenger.msn.com
> acl msn.3 url_regex -i gateway.dll
> acl msn.4 req_mime_type -i ^application/x-msn-messenger$
> acl msn.5 url_regex -i "/etc/squid/acls/msn.txt"
> acl msn.6 src 65.0.0.0/12
> acl msn.7 url_regex -i gateway.dll?
> acl webmails_liberado url_regex -i
> "/etc/squid/acls/webmail_liberados.txt"
> acl webmail_bloqueado url_regex -i
> "/etc/squid/acls/webmail_bloqueado.txt"
> acl bb browser C:\BancoBrasil\officeIE\index.html
> acl bancos url_regex -i "/etc/squid/acls/bancos.txt"
> acl bb1 url_regex -i "/etc/squid/acls/bb.txt"
> acl CAIXA url_regex -i "/etc/squid/acls/caixa.txt"
> acl WINDOWS_UPDATE url_regex -i "/etc/squid/acls/windows_update.txt"
> acl teste url_regex -i "/etc/squid/acls/teste.txt"
> acl sites_bloqueados2 url_regex -i
> "/etc/squid/acls/sites_bloqueados2.txt"
> acl sites_mfseguranca url_regex -i
> "/etc/squid/acls/sites_mfseguranca.txt"
> acl sites_gilson url_regex -i "/etc/squid/acls/sites_gilson.txt"
> acl GTALK url_regex -i "/etc/squid/acls/gtalk.txt"
> acl SITES_INTERNET_SAP url_regex -i
> "/etc/squid/acls/sites_internet_sap.txt"
>
>
> # Fix support.microsoft.com by removing Accept-Encoding header
>
> acl support.microsoft.com dstdomain support.microsoft.com
> acl trendmicro url_regex "/etc/squid/acls/trendmicro.txt"
> acl GOV url_regex -i "/etc/squid/acls/gov.txt"
> acl sites_normas url_regex -i "/etc/squid/acls/sites_normas.txt"
> acl twitter url_regex -i "/etc/squid/acls/twitter.txt"
> acl orkut url_regex -i "/etc/squid/acls/orkut.txt"
> acl ninecon url_regex -i "/etc/squid/acls/ninecon.txt"
> acl youtube url_regex -i "/etc/squid/acls/youtube.txt"
> acl facebook url_regex -i "/etc/squid/acls/facebook.txt"
>
> ####################################
> # ACL USANDO AUTENTICACAO GRUPOS AD
> ####################################
>
> acl facebook_liberado external NT_global_group facebook_liberado
> acl internet_teste external NT_global_group internet_teste
> acl internet_normal external NT_global_group internet_normal
> acl internet_liberada external NT_global_group internet_liberada
> acl internet_bloqueada external NT_global_group internet_bloqueada
> acl download_liberado external NT_global_group download_liberado
> acl orkut_liberado external NT_global_group orkut_liberado
> acl twitter_liberado external NT_global_group twitter_liberado
> acl youtube_liberado external NT_global_group youtube_liberado
> acl update_liberado external NT_global_group update_liberado
> acl webmail_liberado external NT_global_group webmail_liberado
> acl webmailninecon external NT_global_group webmailninecon
> acl sites_mkt_vendas external NT_global_group sites_mkt_vendas
> acl semi_liberado external NT_global_group semi_liberado
> acl internet_consultores_sap external NT_global_group
> internet_consultores_sap
> #acl quiosque_liberado external NT_global_group internet_quiosque
>
>
> ###########################################################
> #
> # BLOQUEIO DO SQUID
> ###########################################################
>
> http_access allow manager localhost
> http_access allow localhost manager
> http_access allow localhost all
>
> #http_access allow all
> http_access allow teste all
> http_access allow bancos
> http_access allow bb
> http_access allow bb1
> http_access allow GOV
> http_access allow CAIXA
> http_access allow sites_normas
> http_access allow webmails_liberado
> http_access allow mtmon
>
> http_access allow internet_liberada all
>
> http_access allow LAN_ADM sites_mfseguranca
> #http_access allow gilson sites_gilson
> http_access allow gilson
> http_access allow LAN_COJ sites_mfseguranca
> http_access allow dropbox_liberado
> http_access allow ftp
> http_access allow ftp_21
> http_access allow IPS_LIBERADOS
> http_access allow acesso_mkt_vendas sites_mkt_vendas
> http_access allow youtube youtube_liberado
> http_access allow facebook facebook_liberado
> http_access allow WINDOWS_UPDATE update_liberado
> http_access allow webmailninecon ninecon
> http_access allow downloads download_liberado
> http_access deny IPS_BLOQUEADOS
> #http_access allow downloads download_liberado
> #no_cache deny semcache
> cache deny semcache
> http_access allow semcache all
>
> http_access allow semi_liberado !youtube !facebook !twitter !orkut
> !GTALK !msn !msn.1 !msn.2 !msn.3 !msn.4 !msn.5 !msn.6 !msn.7
> !sites_bloqueados !PORN
> http_access deny sites_bloqueados2
> http_access allow MSN_Liberado msn msn.1 msn.2 msn.3 msn.4 msn.5 msn.6
> msn.7
> http_access deny MSN_Liberado SITES_BLOQUEADOS
> http_access deny MSN_Liberado ORKUT
> http_access allow internet_teste SITES_LIBERADOS
> http_access allow internet_normal SITES_LIBERADOS
> http_access deny internet_teste SITES_BLOQUEADOS
> http_access deny internet_normal SITES_BLOQUEADOS
> #http_access deny !internet_teste
> http_access deny webmail_bloqueado !webmail_liberado
> http_access allow SITES_LIBERADOS
> http_access deny ORKUT !orkut_liberado
> http_access deny twitter !twitter_liberado all
> http_access deny ORKUT
> http_access deny internet_bloqueada all
> http_access allow sites_normas
> #http_access allow WINDOWS_UPDATE update_liberado
> http_access deny WINDOWS_UPDATE
> http_access allow all SSL_ports
> http_access deny msn
> http_access deny msn.1
> http_access deny msn.2
> http_access deny msn.3
> http_access deny msn.4
> http_access deny msn.5
> http_access deny GTALK
> http_access deny PORN !NOPORN all
> http_access deny SITES_BLOQUEADOS
> ##http_access allow downloads download_liberado
> http_access deny downloads
>
>
> acl BLOQUEIO_SAP url_regex
> "/etc/squid/acls/sites_internet_sap_bloqueio.txt"
> http_access deny rede_projeto BLOQUEIO_SAP
>
> http_access allow ntlm_users rede_projeto
>
> http_access allow internet_consultores_sap SITES_INTERNET_SAP
> http_access allow internet_consultores_sap SITES_LIBERADOS
> http_access allow internet_consultores_sap semauth_sap
> http_access allow rede_projeto SITES_INTERNET_SAP
> http_access allow rede_projeto SITES_LIBERADOS
> http_access deny internet_consultores_sap all
> http_access deny rede_projeto all
>
>
> # nelson http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow ntlm_users
> http_access allow LAN_ADM
> http_access allow rede_projeto
> http_access allow LAN_IDU
> http_access allow LAN_JBOCD
> http_access allow LAN_COJ
> http_access allow LAN_COJ_TS
>
> http_access deny all
> http_reply_access allow all
> icp_access allow all
>
> cache_mgr suporte_at_teste.com
> #cachemgr_passwd companytTask all
> error_directory /usr/share/squid/errors/pt-br
> coredump_dir /pacotes/squid/core
>
>
> Thanks
>
>
>
>
>
>
>
>
>
>
>
> 2014/1/13 Eliezer Croitoru <eliezer_at_ngtech.co.il>:
> > Hey,
> >
> > I would like to try and understand the issue, but it is still too
> > complex for me to understand what happens yet.
> > You use NTLM auth, but I do not understand the authentication settings
> > yet.
> > From 2.6 to 3.1.10, was there any other change in the system?
> > As I understand it, it's an internal proxy, which seems a bit weird.
> > I do not assume that the issue is in the config file, but a basic
> > description of the environment can help to understand more about the subject.
> >
> > If you can share the basic squid.conf it would help, but be sure to remove
> > any personal details, or at least change them, to make sure that the
> > environment can be understood properly.
> >
> > All The Bests,
> > Eliezer
> >
> >
> > On 13/01/14 16:13, Usuário do Sistema wrote:
> >>
> >> Hello everyone,
> >>
> >>
> >> I have upgraded my squid from Version 2.6.STABLE21 to Version
> >> 3.1.10
> >>
> >> After that it always pops up the authentication dialog three times before
> >> allowing the url. Here is an example for the www.bol.com.br url
> >>
> >>
> >> 1389621501.201 1 192.168.53.31 TCP_DENIED/407 3849 GET
> >> http://www.bol.com.br/ - NONE/- text/html
> >> 1389621501.213 2 192.168.53.31 TCP_DENIED/407 4148 GET
> >> http://www.bol.com.br/ - NONE/- text/html
> >> 1389621501.226 4 192.168.53.31 TCP_DENIED/407 4135 GET
> >> http://www.bol.com.br/ - NONE/- text/html
> >> 1389621532.660 2 192.168.53.31 TCP_DENIED/407 3947 GET
> >> http://www.bol.com.br/ - NONE/- text/html
> >> 1389621534.117 0 192.168.53.31 TCP_DENIED/407 3947 GET
> >> http://www.bol.com.br/ - NONE/- text/html
> >> 1389621535.165 98 192.168.53.31 TCP_DENIED/407 4148 GET
> >> http://www.bol.com.br/ - NONE/- text/html
> >> 1389621535.397 143 192.168.53.31 TCP_MISS/302 577 GET
> >> http://www.bol.com.br/ sa_mtmon DIRECT/200.147.35.224 text/html
> >> 1389621535.542 88 192.168.53.31 TCP_DENIED/407 4187 GET
> >> http://www.bol.uol.com.br/ - NONE/- text/html
> >> 1389621535.829 256 192.168.53.31 TCP_DENIED/407 4486 GET
> >> http://www.bol.uol.com.br/ - NONE/- text/html
> >> 1389621536.969 1129 192.168.53.31 TCP_MISS/200 35705 GET
> >> http://www.bol.uol.com.br/ sa_mtmon DIRECT/200.147.68.9 text/html
> >>
> >>
> >> I realised that the upgrade changed the NTLM version too. before
> >> 3.6.6-0.136.el5 and now 3.6.9-167.el6_5
> >>
> >>
> >> how can I figure out why the authentication pop-up appears three
> >> times ? before the upgrade it asked only once.
> >>
> >>
> >> thanks
> >>
> >