Re: [squid-users] ask three times authentication

From: Usuário do Sistema <maiconlp_at_ig.com.br>
Date: Wed, 15 Jan 2014 15:54:23 -0200

Thanks for your tips.

But I figured out the issue another way. I have rolled back to my old
machine, which has Squid version 2.6, so everything is working.

2014/1/15 Rietzler, Markus (RZF, SG 324 / <RIETZLER_SOFTWARE>)
<markus.rietzler_at_fv.nrw.de>:
> I wonder why there are popups at all. NTLM should work without any popups.
> which browser do you use? IE?
>
> could you try to discard the group-check auth?
> We are using NTLM, but everyone is allowed after authentication, so we do not use external_acl_type.
>
>
> we only use
>
> acl auth_user proxy_auth REQUIRED
> http_access allow auth_surfer all
>
>
>> -----Original Message-----
>> From: Usuário do Sistema [mailto:maiconlp_at_ig.com.br]
>> Sent: Tuesday, 14 January 2014 13:27
>> To: Eliezer Croitoru
>> Cc: squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] ask three times authentication
>>
>> Thank you,
>>
>> From 2.6 to 3.1.10, was there any other change in the system?
>>
>> Yes, I have moved my Squid from a machine with OS Red Hat 5.9
>> to another machine with OS CentOS 6.5.
>>
>> The issue seems to be something about authentication
>> compatibility between the browser and the new Squid version 3.1.10.
>>
>> I still have the old machine. I have done some tests, and from a client
>> machine, when I put the old proxy in the browser, everything works.
>> But the strange thing is that I use the same squid.conf on both the old proxy
>> machine and the new proxy machine, so why does the authentication pop-up appear
>> three times only on the new proxy with Squid version 3.1.10?
>>
>> My question is whether there is any problem with Squid version 3.1.10
>> regarding authentication.
>>
>> My squid.conf follows.
>>
>>
>> ############################################################
>> #
>> # Squid.conf AD authentication
>> #
>> #############################################################
>>
>> ## Authentication
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 50
>> auth_param ntlm keep_alive on
>>
>> #auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> #auth_param basic children 30
>>
>> ## commented out
>>
>> auth_param basic realm Acesso a Internet teste SA
>> auth_param basic credentialsttl 2 hours
>>
>> authenticate_cache_garbage_interval 1 hour
>> authenticate_ttl 120 seconds
>>
>> external_acl_type NT_global_group children=50 %LOGIN /usr/lib64/squid/squid_unix_group
>>
>> ## SQSTAT
>>
>>
>> acl ntlm_users proxy_auth REQUIRED
>>
>> #cache_store_log none
>> #cache_log /var/log/squid/cache.log
>> #cache_log none
>> #request_entities on
>>
>> # debug_options rotate=16 ALL,1
>> #debug_options ALL,9
>> #debug_options ALL,1 33,2
>> #debug_options ALL
>>
>>
>> visible_hostname proxy.teste.com
>> http_port 8080
>> http_port 127.0.0.1:3128
>> hierarchy_stoplist cgi-bin ?
>>
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>> acl apache rep_header Server ^Apache
>>
>> access_log /var/log/squid/access.log squid
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>>
>> ie_refresh on
>>
>> max_filedesc 4096
>>
>>
>> ###################################
>> # Cache parameters, DO NOT CHANGE #
>> ###################################
>>
>> #cache_dir aufs /var/spool/squid 6000 16 256
>> #cache_dir ufs /var/spool/squid 5000 64 1024
>> #cache_dir ufs /var/spool/squid 2048 64 64
>>
>> diskd_program /usr/lib64/squid/diskd-daemon
>>
>> cache_dir diskd /var/spool/squid/1 1000 16 128 Q1=64 Q2=72
>> cache_dir diskd /var/spool/squid/2 1000 16 128 Q1=64 Q2=72
>> cache_dir diskd /var/spool/squid/3 1000 16 128 Q1=64 Q2=72
>> cache_dir diskd /var/spool/squid/4 1000 16 128 Q1=64 Q2=72
>>
>>
>> # This stops squid from holding onto RAM that it is no longer actively using.
>> memory_pools off
>>
>> # Buffers the write-out to log files. This can increase performance slightly.
>> buffered_logs on
>>
>> cache_mem 1024 MB
>>
>> half_closed_clients off
>> cache_swap_low 80%
>> cache_swap_high 100%
>>
>> maximum_object_size 10 MB
>> maximum_object_size_in_memory 2048 KB
>>
>> cache_replacement_policy heap LFUDA
>> memory_replacement_policy heap GDSF
>>
>> #######################################
>>
>> ftp_passive on
>> acl ftp_21 port 21
>>
>> ############################################################
>> #
>> # Default rules
>> #
>> ############################################################
>>
>>
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 20 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 10080 # HTTP port of the remote teste units.
>> acl Safe_ports port 8181 # Publishing
>> acl Safe_ports port 10082 # DBMessenger
>> acl Safe_ports port 9082
>> acl ftp proto FTP
>> acl CONNECT method CONNECT
>>
>>
>> #################################
>> # Sources
>> #################################
>> acl rede_projeto src 192.168.52.0/22
>> acl nelson src 128.2.20.213
>> acl 2m041187 src 128.2.20.171
>> acl localhost src 127.0.0.1/32
>> acl LAN_GERAL src 128.0.0.0/8
>> acl LAN_ADM src 128.2.0.0/16
>> acl gilson src 128.2.20.141/32
>> acl LAN_IDU src 128.4.0.0/16
>> acl LAN_JBOCD src 10.13.0.0/16
>> acl LAN_COJ src 128.1.0.0/16
>> acl LAN_COJ_TS src 10.1.251.0/25
>> acl dropbox_liberado src 128.2.30.201/32
>> acl testebo dst 189.36.1.226/32
>>
>>
>> #################################
>> # LYNC rules and sites without AUTH
>> #################################
>> acl MSN_Liberado external NT_global_group msn_liberado
>> acl lync url_regex "/etc/squid/acls/lync.txt"
>> http_access allow lync
>>
>> acl semauth url_regex -i "/etc/squid/acls/sites_semauth.txt"
>> http_access allow all semauth all
>> http_access allow CONNECT semauth all
>> http_access allow testebo
>>
>> acl semauth_sap url_regex -i "/etc/squid/acls/sites_semauth_sap.txt"
>> http_access allow rede_projeto semauth_sap all
>>
>>
>> acl msn.8 url_regex "/etc/squid/acls/msn.txt"
>> acl local url_regex localhost
>>
>> http_access allow local
>> http_access allow semauth 2m041187
>> http_access allow localhost all
>> http_access allow nelson
>> http_access allow MSN_Liberado msn.8
>>
>> ############################################################
>> #
>> # teste rules
>> #
>> ############################################################
>>
>> acl manager proto cache_object
>>
>> acl semcache url_regex "/etc/squid/acls/semcache.txt"
>> acl SITES_BLOQUEADOS url_regex -i "/etc/squid/acls/sites_bloqueados.txt"
>> acl SITES_LIBERADOS url_regex -i "/etc/squid/acls/sites_liberados.txt"
>> acl acesso_mkt_vendas url_regex -i "/etc/squid/acls/acesso_mkt_vendas.txt"
>> #acl quiosque url_regex -i "/etc/squid/acls/quiosque.txt"
>> acl mtmon url_regex -i "/etc/squid/acls/mtmon.txt"
>> acl IPS_LIBERADOS src "/etc/squid/acls/ips_liberados.txt"
>> acl IPS_BLOQUEADOS src "/etc/squid/acls/ips_bloqueados.txt"
>> acl PORN url_regex -i "/etc/squid/acls/porn.txt"
>> acl NOPORN url_regex -i "/etc/squid/acls/noporn.txt"
>> acl downloads url_regex -i "/etc/squid/acls/extensoes.txt"
>>
>>
>> acl msn dstdomain loginnet.passport.com login.live.com
>> acl msn.1 dstdomain loginnet.passport.com
>> acl msn.2 dstdomain webmessenger.msn.com
>> acl msn.3 url_regex -i gateway.dll
>> acl msn.4 req_mime_type -i ^application/x-msn-messenger$
>> acl msn.5 url_regex -i "/etc/squid/acls/msn.txt"
>> acl msn.6 src 65.0.0.0/12
>> acl msn.7 url_regex -i gateway.dll?
>> acl webmails_liberado url_regex -i "/etc/squid/acls/webmail_liberados.txt"
>> acl webmail_bloqueado url_regex -i "/etc/squid/acls/webmail_bloqueado.txt"
>> acl bb browser C:\BancoBrasil\officeIE\index.html
>> acl bancos url_regex -i "/etc/squid/acls/bancos.txt"
>> acl bb1 url_regex -i "/etc/squid/acls/bb.txt"
>> acl CAIXA url_regex -i "/etc/squid/acls/caixa.txt"
>> acl WINDOWS_UPDATE url_regex -i "/etc/squid/acls/windows_update.txt"
>> acl teste url_regex -i "/etc/squid/acls/teste.txt"
>> acl sites_bloqueados2 url_regex -i "/etc/squid/acls/sites_bloqueados2.txt"
>> acl sites_mfseguranca url_regex -i "/etc/squid/acls/sites_mfseguranca.txt"
>> acl sites_gilson url_regex -i "/etc/squid/acls/sites_gilson.txt"
>> acl GTALK url_regex -i "/etc/squid/acls/gtalk.txt"
>> acl SITES_INTERNET_SAP url_regex -i "/etc/squid/acls/sites_internet_sap.txt"
>>
>>
>> # Fix support.microsoft.com by removing Accept-Encoding header
>>
>> acl support.microsoft.com dstdomain support.microsoft.com
>> acl trendmicro url_regex "/etc/squid/acls/trendmicro.txt"
>> acl GOV url_regex -i "/etc/squid/acls/gov.txt"
>> acl sites_normas url_regex -i "/etc/squid/acls/sites_normas.txt"
>> acl twitter url_regex -i "/etc/squid/acls/twitter.txt"
>> acl orkut url_regex -i "/etc/squid/acls/orkut.txt"
>> acl ninecon url_regex -i "/etc/squid/acls/ninecon.txt"
>> acl youtube url_regex -i "/etc/squid/acls/youtube.txt"
>> acl facebook url_regex -i "/etc/squid/acls/facebook.txt"
>>
>> ####################################
>> # ACLs USING AD GROUP AUTHENTICATION
>> ####################################
>>
>> acl facebook_liberado external NT_global_group facebook_liberado
>> acl internet_teste external NT_global_group internet_teste
>> acl internet_normal external NT_global_group internet_normal
>> acl internet_liberada external NT_global_group internet_liberada
>> acl internet_bloqueada external NT_global_group internet_bloqueada
>> acl download_liberado external NT_global_group download_liberado
>> acl orkut_liberado external NT_global_group orkut_liberado
>> acl twitter_liberado external NT_global_group twitter_liberado
>> acl youtube_liberado external NT_global_group youtube_liberado
>> acl update_liberado external NT_global_group update_liberado
>> acl webmail_liberado external NT_global_group webmail_liberado
>> acl webmailninecon external NT_global_group webmailninecon
>> acl sites_mkt_vendas external NT_global_group sites_mkt_vendas
>> acl semi_liberado external NT_global_group semi_liberado
>> acl internet_consultores_sap external NT_global_group internet_consultores_sap
>> #acl quiosque_liberado external NT_global_group internet_quiosque
>>
>>
>> ###########################################################
>> #
>> # SQUID BLOCKING
>> ###########################################################
>>
>> http_access allow manager localhost
>> http_access allow localhost manager
>> http_access allow localhost all
>>
>> #http_access allow all
>> http_access allow teste all
>> http_access allow bancos
>> http_access allow bb
>> http_access allow bb1
>> http_access allow GOV
>> http_access allow CAIXA
>> http_access allow sites_normas
>> http_access allow webmails_liberado
>> http_access allow mtmon
>>
>> http_access allow internet_liberada all
>>
>> http_access allow LAN_ADM sites_mfseguranca
>> #http_access allow gilson sites_gilson
>> http_access allow gilson
>> http_access allow LAN_COJ sites_mfseguranca
>> http_access allow dropbox_liberado
>> http_access allow ftp
>> http_access allow ftp_21
>> http_access allow IPS_LIBERADOS
>> http_access allow acesso_mkt_vendas sites_mkt_vendas
>> http_access allow youtube youtube_liberado
>> http_access allow facebook facebook_liberado
>> http_access allow WINDOWS_UPDATE update_liberado
>> http_access allow webmailninecon ninecon
>> http_access allow downloads download_liberado
>> http_access deny IPS_BLOQUEADOS
>> #http_access allow downloads download_liberado
>> #no_cache deny semcache
>> cache deny semcache
>> http_access allow semcache all
>>
>> http_access allow semi_liberado !youtube !facebook !twitter !orkut !GTALK !msn !msn.1 !msn.2 !msn.3 !msn.4 !msn.5 !msn.6 !msn.7 !sites_bloqueados !PORN
>> http_access deny sites_bloqueados2
>> http_access allow MSN_Liberado msn msn.1 msn.2 msn.3 msn.4 msn.5 msn.6 msn.7
>> http_access deny MSN_Liberado SITES_BLOQUEADOS
>> http_access deny MSN_Liberado ORKUT
>> http_access allow internet_teste SITES_LIBERADOS
>> http_access allow internet_normal SITES_LIBERADOS
>> http_access deny internet_teste SITES_BLOQUEADOS
>> http_access deny internet_normal SITES_BLOQUEADOS
>> #http_access deny !internet_teste
>> http_access deny webmail_bloqueado !webmail_liberado
>> http_access allow SITES_LIBERADOS
>> http_access deny ORKUT !orkut_liberado
>> http_access deny twitter !twitter_liberado all
>> http_access deny ORKUT
>> http_access deny internet_bloqueada all
>> http_access allow sites_normas
>> #http_access allow WINDOWS_UPDATE update_liberado
>> http_access deny WINDOWS_UPDATE
>> http_access allow all SSL_ports
>> http_access deny msn
>> http_access deny msn.1
>> http_access deny msn.2
>> http_access deny msn.3
>> http_access deny msn.4
>> http_access deny msn.5
>> http_access deny GTALK
>> http_access deny PORN !NOPORN all
>> http_access deny SITES_BLOQUEADOS
>> ##http_access allow downloads download_liberado
>> http_access deny downloads
>>
>>
>> acl BLOQUEIO_SAP url_regex "/etc/squid/acls/sites_internet_sap_bloqueio.txt"
>> http_access deny rede_projeto BLOQUEIO_SAP
>>
>> http_access allow ntlm_users rede_projeto
>>
>> http_access allow internet_consultores_sap SITES_INTERNET_SAP
>> http_access allow internet_consultores_sap SITES_LIBERADOS
>> http_access allow internet_consultores_sap semauth_sap
>> http_access allow rede_projeto SITES_INTERNET_SAP
>> http_access allow rede_projeto SITES_LIBERADOS
>> http_access deny internet_consultores_sap all
>> http_access deny rede_projeto all
>>
>>
>> # nelson http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow ntlm_users
>> http_access allow LAN_ADM
>> http_access allow rede_projeto
>> http_access allow LAN_IDU
>> http_access allow LAN_JBOCD
>> http_access allow LAN_COJ
>> http_access allow LAN_COJ_TS
>>
>> http_access deny all
>> http_reply_access allow all
>> icp_access allow all
>>
>> cache_mgr suporte_at_teste.com
>> #cachemgr_passwd companytTask all
>> error_directory /usr/share/squid/errors/pt-br
>> coredump_dir /pacotes/squid/core
>>
>>
>> Thanks
>>
>> 2014/1/13 Eliezer Croitoru <eliezer_at_ngtech.co.il>:
>> > Hey,
>> >
>> > I would like to try to understand the issue, but it still seems too
>> > complex for me to understand what happens yet.
>> > You use NTLM auth, but I do not understand the authentication settings yet.
>> > From 2.6 to 3.1.10, was there any other change in the system?
>> > As I understand it, it's an internal proxy, which seems a bit weird.
>> > I do not assume that the issue is in the config file, but a basic
>> > description of the environment can help to understand more about the subject.
>> >
>> > If you can share the basic squid.conf it would help, but note to remove
>> > any personal details or at least change them to make sure that the
>> > environment can be understood properly.
>> >
>> > All The Bests,
>> > Eliezer
>> >
>> >
>> > On 13/01/14 16:13, Usuário do Sistema wrote:
>> >>
>> >> Hello everyone,
>> >>
>> >>
>> >> I have upgraded my Squid from version 2.6.STABLE21 to
>> >> version 3.1.10.
>> >>
>> >> After that it always pops up authentication three times before allowing
>> >> the URL. Here is an example for the www.bol.com.br URL:
>> >>
>> >>
>> >> 1389621501.201 1 192.168.53.31 TCP_DENIED/407 3849 GET http://www.bol.com.br/ - NONE/- text/html
>> >> 1389621501.213 2 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
>> >> 1389621501.226 4 192.168.53.31 TCP_DENIED/407 4135 GET http://www.bol.com.br/ - NONE/- text/html
>> >> 1389621532.660 2 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
>> >> 1389621534.117 0 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
>> >> 1389621535.165 98 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
>> >> 1389621535.397 143 192.168.53.31 TCP_MISS/302 577 GET http://www.bol.com.br/ sa_mtmon DIRECT/200.147.35.224 text/html
>> >> 1389621535.542 88 192.168.53.31 TCP_DENIED/407 4187 GET http://www.bol.uol.com.br/ - NONE/- text/html
>> >> 1389621535.829 256 192.168.53.31 TCP_DENIED/407 4486 GET http://www.bol.uol.com.br/ - NONE/- text/html
>> >> 1389621536.969 1129 192.168.53.31 TCP_MISS/200 35705 GET http://www.bol.uol.com.br/ sa_mtmon DIRECT/200.147.68.9 text/html
>> >>
>> >>
>> >> I realized that the upgrade changed the NTLM version too: before
>> >> 3.6.6-0.136.el5 and now 3.6.9-167.el6_5.
>> >>
>> >>
>> >> How can I figure out the problem of the authentication pop-up appearing three
>> >> times? Before the upgrade it asked for only one authentication pop-up.
>> >>
>> >>
>> >> thanks
>> >>
>> >
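
An added detection example, not code from the thread or from the Squid project: it parses the native-format access.log excerpt quoted above, groups each client's consecutive 407 challenges per URL into runs, and flags runs longer than the two 407s a normal NTLM handshake needs, which is how an operator can spot the "three prompts" symptom across a whole log rather than by eye. The 5-second gap used to split runs is an assumed heuristic, and the function names are this example's own.

```python
import re
# Squid native access.log record: time elapsed client action/status bytes method url user hier/peer type
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\w+/(?P<status>\d{3})\s+\d+\s+"
                     r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+\S+\s+\S+$")

# Sample input: the access.log excerpt quoted in the thread, re-joined to one record per line.
SAMPLE_LOG = """\
1389621501.201 1 192.168.53.31 TCP_DENIED/407 3849 GET http://www.bol.com.br/ - NONE/- text/html
1389621501.213 2 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
1389621501.226 4 192.168.53.31 TCP_DENIED/407 4135 GET http://www.bol.com.br/ - NONE/- text/html
1389621532.660 2 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
1389621534.117 0 192.168.53.31 TCP_DENIED/407 3947 GET http://www.bol.com.br/ - NONE/- text/html
1389621535.165 98 192.168.53.31 TCP_DENIED/407 4148 GET http://www.bol.com.br/ - NONE/- text/html
1389621535.397 143 192.168.53.31 TCP_MISS/302 577 GET http://www.bol.com.br/ sa_mtmon DIRECT/200.147.35.224 text/html
1389621535.542 88 192.168.53.31 TCP_DENIED/407 4187 GET http://www.bol.uol.com.br/ - NONE/- text/html
1389621535.829 256 192.168.53.31 TCP_DENIED/407 4486 GET http://www.bol.uol.com.br/ - NONE/- text/html
1389621536.969 1129 192.168.53.31 TCP_MISS/200 35705 GET http://www.bol.uol.com.br/ sa_mtmon DIRECT/200.147.68.9 text/html
""".splitlines()
def parse_line(line):
    """Parse one record into a dict (ts as float, status as int); None if it does not match."""
    m = LINE_RE.match(line.strip())
    return dict(m.groupdict(), ts=float(m["ts"]), status=int(m["status"])) if m else None

def challenge_runs(lines, gap=5.0):
    """Group each client's consecutive 407 replies for one URL into runs of
    (client, url, n_407, final_status). A run ends at the first non-407 reply for
    that pair, or is closed unresolved (final_status None) after a pause longer than
    `gap` seconds, an assumed heuristic for the user answering a credential prompt."""
    runs, open_runs = [], {}  # open_runs: (client, url) -> (count, ts of last 407)
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        key = (e["client"], e["url"])
        cnt, last = open_runs.get(key, (0, None))
        if e["status"] == 407:
            if cnt and e["ts"] - last > gap:  # stale run: report it and start a new one
                runs.append((*key, cnt, None))
                cnt = 0
            open_runs[key] = (cnt + 1, e["ts"])
        elif cnt:  # the challenge sequence resolved (success, redirect, or other denial)
            runs.append((*key, cnt, e["status"]))
            del open_runs[key]
    runs.extend((*k, c, None) for k, (c, _) in open_runs.items())
    return runs

def flag_excess(runs, expected=2):
    """Runs that needed more 407s than a normal NTLM handshake, which on a fresh
    connection is exactly two (the initial challenge, then the Type-2 challenge)."""
    return [r for r in runs if r[2] > expected]
```

On the thread's excerpt the www.bol.uol.com.br request shows the normal two-challenge handshake, while both www.bol.com.br attempts took three challenges and are flagged.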
Received on Wed Jan 15 2014 - 17:54:35 MST

This archive was generated by hypermail 2.2.0 : Thu Jan 16 2014 - 12:00:05 MST