We're having some 'weirdness' come about the last few months regarding our
access control to the internet via squid. It only happens to some users, and
not to others, with no apparent differences between the setup of each of the
users' machines.

Here's the deal:

   We're running FreeBSD 4.7-RELEASE, with squid-2.5.STABLE1 on a relatively
small dual-homed machine. the Machine has a single internal interface to one
network ( and a second interface to the internet. The machine is
running a firewall using ipfw, but it allows all traffic from any to any via any

We've got squid configured to do the following, (in this order):
 -only allow access from src
 -allow http/ftp access to any src 10.0.0.XX 10.0.0.XY etc (list of
managers' machines)
 -disallow http/ftp access to any sites matching a regexp in the file
 -allow http/ftp access to any sites matching a regexp in the file
 -require proxy_auth via ncsa_auth external program to access anything else
via http/ftp

The long(er) version of the problem:

The setup has worked well now for a little over 3 years. That is, up until
most recently. When a user brings up internet explorer (usually from a Win2K
host, all patched up/updated) they first get an 'access denied' reply from
squid. If the user hits 'enter' from the address bar (thus making a second
request for the same page), then squid requires them to login/authenticate
themselves and allows them access from there on. The problem now of course
being that squid doesn't just ask for the user's password the first time,
with no apparent reason why. The logs don't give any reasoning, just state
'denied to http... whatever'. The oddest part being that it only does this
for a handful of users, with no apparent reason. Almost all machines have
the same configuration, and all machines are always kept up to date
regarding patches/service packs, (all but a few client machines are running
windows; those in question with the problem are all running Win2K Pro,
though there are those that are running properly with 95,98se,NT4,W2KPro,
and Xp Pro).

The short version:

   - why do some machines not attempt to authenticate through the proxy on
their first attempt to reach a site which requires it, while other machines
   - is anyone else experiencing similar issues?
   - if so, what have they done about them?

If we could provide any more useful information or insight into this issue,
we'd be happy to do so; obviously we're looking to find a resolution. Since
we're totally stumped at this point as to why this happens we'd appreciate
any ideas, directions, or comments on the subject. Please reply directly to
[EMAIL PROTECTED] as we are not subscribed to freebsd-questions anymore.

Jamie Beekhuis
Computer Systems Engineer
Windsor Match Plate and Tool Ltd.

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message

Reply via email to