Re: [squid-users] Authentication not applicable on intercepted requests

2017-10-27 Thread Vieri

From: Amos Jeffries 
>
> You do not seem to be using Basic auth. Setting the realm for an unused auth 
> mechanism is pointless.
>
> Try:
>   http_access deny explicit !ORG_all
>   http_access deny explicit SSL_ports
>   http_access deny intercepted !localnet
>   http_access deny interceptedssl !localnet


Works great.

Thanks!

Vieri
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Authentication not applicable on intercepted requests

2017-10-27 Thread Amos Jeffries

On 27/10/17 20:22, Vieri wrote:

> Hi,
>
> I have:
>
> debug_options rotate=1 ALL,1
>
> and I'm getting lots of these messages in cache.log:
>
> NOTICE: Authentication not applicable on intercepted requests.
>
> I have a mixed tproxy/sslbump + auth (via
> /usr/libexec/squid/negotiate_kerberos_auth) config. I know authentication can't
> be done on intercepted requests.
> I'd like to know how to fix my squid conf file in order to avoid logging this
> message.
>
> The relevant parts of my squid.conf should be:
>
> external_acl_type nt_group ttl=0 children-max=50 %LOGIN
> /usr/libexec/squid/ext_wbinfo_group_acl -K
>
> auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s
> HTTP/myserver.mydomain@mydomain.org
> auth_param negotiate children 60
> auth_param negotiate keep_alive on
>
> auth_param basic realm My REALM proxy

You do not seem to be using Basic auth. Setting the realm for an unused
auth mechanism is pointless.

> acl localnet src 10.0.0.0/8
> acl localnet src 192.168.0.0/16
>
> acl ORG_all proxy_auth REQUIRED
>
> acl explicit myportname 3128
> acl intercepted myportname 3129
> acl interceptedssl myportname 3130
>
> [...]
> acl allowed_groups external nt_group "/opt/proxy-settings/allowed.groups"
> [...]
> acl restricted_groups external nt_group "/opt/proxy-settings/restricted.groups"
>
> [...]
> http_access deny SSL_ports ORG_all
> http_access deny explicit !ORG_all
> #http_access deny intercepted ORG_all
> #http_access deny interceptedssl ORG_all
> http_access deny intercepted !localnet
> http_access deny interceptedssl !localnet



Try:
  http_access deny explicit !ORG_all
  http_access deny explicit SSL_ports
  http_access deny intercepted !localnet
  http_access deny interceptedssl !localnet


Amos


[squid-users] Authentication not applicable on intercepted requests

2017-10-27 Thread Vieri
Hi,

I have:

debug_options rotate=1 ALL,1

and I'm getting lots of these messages in cache.log:

NOTICE: Authentication not applicable on intercepted requests.

I have a mixed tproxy/sslbump + auth (via 
/usr/libexec/squid/negotiate_kerberos_auth) config. I know authentication can't 
be done on intercepted requests.
I'd like to know how to fix my squid conf file in order to avoid logging this 
message.

The relevant parts of my squid.conf should be:

external_acl_type nt_group ttl=0 children-max=50 %LOGIN 
/usr/libexec/squid/ext_wbinfo_group_acl -K

auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s 
HTTP/myserver.mydomain@mydomain.org
auth_param negotiate children 60
auth_param negotiate keep_alive on

auth_param basic realm My REALM proxy

acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16

acl ORG_all proxy_auth REQUIRED

acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130

[...]
acl allowed_groups external nt_group "/opt/proxy-settings/allowed.groups"
[...]
acl restricted_groups external nt_group "/opt/proxy-settings/restricted.groups"

[...]
http_access deny SSL_ports ORG_all
http_access deny explicit !ORG_all
#http_access deny intercepted ORG_all
#http_access deny interceptedssl ORG_all
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet

[...]
debug_options rotate=1 ALL,1
[...]
http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 40 startup=20 idle=10

reply_header_access Alternate-Protocol deny all
ssl_bump stare all
ssl_bump bump all
[...]

Thanks,

Vieri


Re: [squid-users] Authentication pass-through cache_peer

2016-11-24 Thread Eduardo Carneiro
Hi Amos,

I'm still trying to configure login pass-through. Now, I'm using negotiate /
kerberos. On the frontend machine, I enabled login = PASSTHRU in the
cache_peer configuration line. As previously stated, the authentication is
present only on the parent machine.

The cache.log of my parent machine shows this:

2016/11/24 09:51:13 kid1 | ERROR: Negotiate Authentication validating user.
Result: {result = BH, notes = {message: gss_accept_sec_context () failed:
Unspecified GSS failure. Minor code may provide more information. Can not
decrypt ticket for HTTP/frontend.domain@domain.com using keytab key for
HTTP/parent.domain@domain.com; }}

If I use the parent machine as a frontend machine, it works perfectly,
including the authentication. But when I enable the cache_peer ...
login=PASSTHRU, the error above happens.

Does anyone know how to solve that?





Re: [squid-users] Authentication problem

2016-10-31 Thread Amos Jeffries
On 1/11/2016 6:31 a.m., Eduardo Carneiro wrote:
> Hi all.
> 
> I have a strange authentication issue in my squid 3.5.19. My workstations
> can only authenticate if they are joined to the domain. When they are not
> joined to the domain, I access any URL in the browser (Firefox and Chrome
> tested) and I'm not able to authenticate in the boxes that are shown to me.
> 
> Squid logs show me "TCP_DENIED/407".

Meaning either no credentials were given, or the ones given would not
work, or the NTLM handshake initial request happened.

> 
> Below is my squid.conf authentication configuration:
> 
> ---
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 140
> auth_param ntlm keep_alive on

Try with "keep_alive off" on the above line. It may prevent recent
browsers from using Basic auth when NTLM fails (which it will for
off-domain users).

Amos



[squid-users] Authentication problem

2016-10-31 Thread Eduardo Carneiro
Hi all.

I have a strange authentication issue in my squid 3.5.19. My workstations
can only authenticate if they are joined to the domain. When they are not
joined to the domain, I access any URL in the browser (Firefox and Chrome
tested) and I'm not able to authenticate in the boxes that are shown to me.

Squid logs show me "TCP_DENIED/407".

Below is my squid.conf authentication configuration:

---
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 140
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 60
auth_param basic credentialsttl 10 hours
auth_param basic realm enter your password

acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
---

I noticed that in Firefox's private tabs it works perfectly.

Am I doing something wrong? Has anyone experienced this?

Thanks,
Eduardo Carneiro





[squid-users] Authentication pop-ups. Questions

2015-12-09 Thread Verónica Ovando

Hi. I have Squid 3.5 running over Debian 8.

I am using AD authentication. This is part of my squid.conf:

#auth_param ntlm program /usr/local/bin/ntlm_auth 
--helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.com
auth_param ntlm program /usr/local/bin/ntlm_auth 
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive off

auth_param basic program /usr/local/bin/ntlm_auth 
--helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Servidor proxy-cache de mi Dominio
auth_param basic credentialsttl 2 hours

external_acl_type AD_Grupos ttl=10 children=10 %LOGIN
/usr/lib/squid3/ext_wbinfo_group_acl -d

acl AD_Standard external Grupos_AD Standard
acl AD_Exceptuados external Grupos_AD Exceptuados
acl AD_Bloqueados external Grupos_AD Bloqueados

acl face url_regex -i "/etc/squid3/facebook"
acl gob url_regex -i "/etc/squid3/gubernamentales"

http_access allow AD_Standard
http_access allow AD_Exceptuados face
http_access allow AD_Exceptuados gob
http_access deny AD_Bloqueados
http_access deny all


When a user that belongs to AD_Bloqueados is asked for the AD user and
password (of course he/she needs one that belongs to AD_Standard or
AD_Exceptuados), and I try to use one of those users, I cannot
authenticate correctly. The popup appears many times until I cancel it.
But sometimes it works. I use all the browsers to do the tests (IE,
Mozilla and the latest Chrome). With Chrome I get good results, but as I
said, it only works sometimes.


Because sometimes I log in with users not in the domain and I need
access to the internet, I cannot use the 'all' directive at the end of the
line 'http_access deny AD_Bloqueados'.


I will appreciate a lot any help you can give me.

Sorry for my English. Thanks.



Re: [squid-users] Authentication pop-ups. Questions

2015-12-09 Thread Amos Jeffries
On 10/12/2015 3:25 a.m., Verónica Ovando wrote:
> Hi. I have Squid 3.5 running over Debian 8.
> 
> I am using AD authentication. This is part of my squid.conf:
> 
> #auth_param ntlm program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.com
> auth_param ntlm program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param ntlm keep_alive off
> 
> auth_param basic program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Servidor proxy-cache de mi Dominio
> auth_param basic credentialsttl 2 hours
> 
> external_acl_type AD_Grupos ttl=10 children=10 %LOGIN
> /usr/lib/squid3/ext_wbinfo_group_acl -d
> 
> acl AD_Standard external Grupos_AD Standard
> acl AD_Exceptuados external Grupos_AD Exceptuados
> acl AD_Bloqueados external Grupos_AD Bloqueados
> 
> acl face url_regex -i "/etc/squid3/facebook"
> acl gob url_regex -i "/etc/squid3/gubernamentales"
> 
> http_access allow AD_Standard
> http_access allow AD_Exceptuados face
> http_access allow AD_Exceptuados gob
> http_access deny AD_Bloqueados
> http_access deny all
> 
> 
> When a user that belongs to AD_Bloqueados is asked for the AD user and
> password (of course he/she needs one that belongs to AD_Standard or
> AD_Exceptuados).

The first login check is for "AD_Standard". The user's initial login is
checked for that group membership ... then a 407 *re-login* is requested
if they are part of AD_Bloqueados.

All users are logged in, just to check the group. So "deny all" at the
end never actually happens unless the user is part of some 5th or 6th
group (for example "Administrators" or "Domain Servers").

When you are authenticating based on *group* instead of the
user/password things get really weird.


> When I try to use one of those users I cannot
> authenticate correctly. The popup appears many times until I cancel it.
> But sometimes it works. I use all the browsers to do the tests (IE,
> Mozilla and the latest Chrome). With Chrome I get good results, but as I
> said, it only works sometimes.
> 
> Because sometimes I log in with users not in the domain and I need
> access to the internet, I cannot use the 'all' directive at the end of the
> line 'http_access deny AD_Bloqueados'.

Which means that whenever that group AD_Bloqueados matches the user will
have to *re-login*. Popups etc are expected in such events, because the
browser has what it thinks are fine credentials to use. But has just
been informed that its known set of credentials were invalid. They
almost all panic at that point and do a popup.

Note that the browser does not get told *why* the rejection (it might be
a random attacker, so that info is privileged). Just that the
credentials are not usable.

> 
> I will appreciate a lot any help you can give me.


I highly recommend that you do it like this:

 acl auth proxy_auth REQUIRED
 http_access deny !auth
 http_access allow AD_Standard
 http_access allow face AD_Exceptuados
 http_access allow gob AD_Exceptuados
 http_access deny all

Why:
* that !auth will ensure that users are only authenticated once, and the
407 request lookup cycles all happen predictably at that first line
instead of interleaved within the group checks.

* the line ordering change of face/gob ACLs will greatly reduce the time
and CPU spent on helper lookups for non-face and non-gob traffic. (up to
50% reduction in proxy caused latency).

Note that you don't even need to check group AD_Bloqueados. The "deny
all" at the end rejects that group's access along with all other
undefined groups.

Amos

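As an added illustration (a toy model written for this archive page, not Squid's code and not from any poster), the script below simulates Squid's left-to-right http_access evaluation to show why the `deny !auth` line recommended above turns the AD_Bloqueados re-login 407 into a plain 403, and why reordering the explicit/intercepted lines in the first thread stops the "Authentication not applicable on intercepted requests" NOTICE. ACL names and rule orderings come from the two posts; the request objects, source addresses and the `face`/`gob` URL patterns are constructed for the example.

```python
"""Toy model of Squid http_access evaluation (constructed for this page, not
Squid's own code). It reproduces the three behaviours the threads hinge on:
  * ACLs on a line are tested left to right and the line is abandoned at the
    first failing term, so later ACLs on that line are never evaluated;
  * an auth-dependent ACL (proxy_auth, or an external ACL fed %LOGIN) cannot be
    evaluated on an intercepted port: it logs the NOTICE and counts as no match;
  * a request without credentials that reaches an auth-dependent ACL gets a 407
    challenge, and a deny line whose last ACL is auth-dependent also answers 407
    (a forced re-login, which is what produces the browser popups)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

AUTH_KINDS = {"proxy_auth", "ext_group"}

@dataclass(frozen=True)
class Request:                        # constructed request model
    portname: str                     # myportname: explicit / intercepted / interceptedssl
    dst_port: int
    src: str = "192.168.1.10"
    url: str = "http://example.test/"
    user: Optional[str] = None        # user from Proxy-Authorization, None if absent
    groups: frozenset = frozenset()   # AD groups the user belongs to

def acl_match(acls, name, req, notices):
    """Return True/False, or 'challenge' when credentials are needed first."""
    kind, args = acls[name]
    if kind == "all":
        return True
    if kind == "myportname":
        return req.portname == args
    if kind == "port":
        return req.dst_port in args
    if kind == "src":
        return any(ipaddress.ip_address(req.src) in ipaddress.ip_network(n) for n in args)
    if kind == "url_regex":
        return re.search(args, req.url, re.I) is not None
    # proxy_auth / ext_group from here on: both need the client's credentials.
    if req.portname != "explicit":    # intercepted traffic carries no proxy credentials
        notices.append("NOTICE: Authentication not applicable on intercepted requests.")
        return False
    if req.user is None:
        return "challenge"
    if kind == "proxy_auth":
        return True                   # REQUIRED: any validated user matches
    return bool(req.groups & set(args))  # one group-helper lookup per evaluation

def http_access(rules, acls, req):
    """Evaluate rules, a list of (action, [terms]) -> (result, notices)."""
    notices, action = [], "allow"
    for action, terms in rules:
        matched = True
        for term in terms:
            negate = term.startswith("!")
            m = acl_match(acls, term.lstrip("!"), req, notices)
            if m == "challenge":
                return 407, notices   # Squid stops here and challenges the client
            if m == negate:           # term fails: skip the rest of this line
                matched = False
                break
        if matched:
            if action == "allow":
                return "allow", notices
            last_kind = acls[terms[-1].lstrip("!")][0]
            return (407 if last_kind in AUTH_KINDS else 403), notices
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("allow" if action == "deny" else 403), notices

# Group-based rules as posted vs the "deny !auth first" layout recommended above.
AD_ACLS = {
    "auth": ("proxy_auth", ()), "all": ("all", ()),
    "AD_Standard": ("ext_group", ("Standard",)),
    "AD_Exceptuados": ("ext_group", ("Exceptuados",)),
    "AD_Bloqueados": ("ext_group", ("Bloqueados",)),
    "face": ("url_regex", r"facebook"), "gob": ("url_regex", r"\.gob\."),  # constructed
}
AD_ORIGINAL = [("allow", ["AD_Standard"]), ("allow", ["AD_Exceptuados", "face"]),
               ("allow", ["AD_Exceptuados", "gob"]), ("deny", ["AD_Bloqueados"]),
               ("deny", ["all"])]
AD_RECOMMENDED = [("deny", ["!auth"]), ("allow", ["AD_Standard"]),
                  ("allow", ["face", "AD_Exceptuados"]),
                  ("allow", ["gob", "AD_Exceptuados"]), ("deny", ["all"])]

# Intercepted-port rules from the first thread, as posted and as Amos reordered them.
PORT_ACLS = {
    "ORG_all": ("proxy_auth", ()), "SSL_ports": ("port", (443,)),
    "localnet": ("src", ("10.0.0.0/8", "192.168.0.0/16")),
    "explicit": ("myportname", "explicit"), "intercepted": ("myportname", "intercepted"),
    "interceptedssl": ("myportname", "interceptedssl"),
}
PORT_ORIGINAL = [("deny", ["SSL_ports", "ORG_all"]), ("deny", ["explicit", "!ORG_all"]),
                 ("deny", ["intercepted", "!localnet"]), ("deny", ["interceptedssl", "!localnet"])]
PORT_FIXED = [("deny", ["explicit", "!ORG_all"]), ("deny", ["explicit", "SSL_ports"]),
              ("deny", ["intercepted", "!localnet"]), ("deny", ["interceptedssl", "!localnet"])]

if __name__ == "__main__":
    blocked = Request("explicit", 80, user="eva", groups=frozenset({"Bloqueados"}))
    print(http_access(AD_ORIGINAL, AD_ACLS, blocked)[0], http_access(AD_RECOMMENDED, AD_ACLS, blocked)[0])  # 407 403
    print(http_access(PORT_ORIGINAL, PORT_ACLS, Request("interceptedssl", 443, src="10.1.2.3"))[1])  # one NOTICE
```

Running it shows the blocked user hitting a 407 under the posted ordering but a 403 under the recommended one, and the intercepted TLS request logging the NOTICE only under the original SSL_ports line.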


Re: [squid-users] Authentication Problem

2015-12-04 Thread Dima Ermakov
Thank you, Amos.

I checked all that you wrote.
It didn't help me.

I have this problem only on the Google Chrome browser.
Before 2015-12-03 all was good.
I haven't changed my configuration for more than one month.

Ten minutes ago "Noel Kelly nke...@citrusnetworks.net" wrote to this list
that Google Chrome v47 has broken NTLM authentication.
My clients with problems have Google Chrome v47 (((

Mozilla Firefox clients work fine.

Thank you!

This is the message from Noel Kelly:
"

Hi

For information, the latest version of Google Chrome (v47.0.2526.73M) has
broken NTLM authentication:

https://code.google.com/p/chromium/issues/detail?id=544255
https://productforums.google.com/forum/#!topic/chrome/G_9eXH9c_ns;context-place=forum/chrome

Cheers

"

On 4 December 2015 at 04:55, Amos Jeffries  wrote:

> On 4/12/2015 9:46 a.m., Dima Ermakov wrote:
> > Hi!
> > I have a problem with authentication.
> >
> > I use samba ntlm authentication in my network.
> >
> > Some users (not all) have problems with http traffic.
> >
> > They see a basic authentication request.
>
> Meaning you *don't* have NTLM authentication on your network.
>
> Or you are making the mistake of thinking a popup means Basic
> authentication.
>
> > If they enter correct domain login and password, they get an auth error.
> > If these users try to open https sites, all works fine; they do not get any
> > type of errors.
>
> So,
>  a) they are probably not going through this proxy, or
>  b) the browser is suppressing the proxy-auth popups, or
>  c) the authentication request is not coming from *your* proxy.
>
> >
> > So we have errors only with unencrypted connections.
> >
> > I have this error on two servers:
> > debian8, squid3.4 (from repository)
> > CentOS7, squid3.3.8 (from repository).
> >
>
> Two things to try:
>
> 1) Adding a line like this before the group access controls in
> frntend.conf. This will ensure that authentication credentials are valid
> before doing group lookups:
>  http_access deny !AuthorizedUsers
>
>
> 2) checking up on the Debian winbind issue mentioned in
> <
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions
> >
>
> I'm not sure about this; it is likely to be involved on Debian, but CentOS
> is not known to have that issue.
>
>
> Oh and:
>  3) remove the "acl manager" line from squid.conf.
>
>  4) change your cachemgr_passwd. Commenting it out does not hide it from
> view when you post it on this public mailing list.
>
> You should remove all the commented out directives as well, some of them
> may be leading to misunderstanding of what the config is actually doing.
>
>
> Amos
>



-- 
Regards, Dmitry Ermakov.


Re: [squid-users] Authentication Problem

2015-12-04 Thread Samuel Anderson
Hi Amos and Dima,

I'm having the exact same problem. After updating Chrome to version
47.0.2526.73 m I'm no longer able to authenticate. IE and Firefox still seem to work
fine. I haven't changed anything in my config file for months.

On Fri, Dec 4, 2015 at 5:22 AM, Dima Ermakov  wrote:

> Thank you, Amos.
>
> I checked all that you wrote.
> It didn't help me.
>
> I have this problem only on the Google Chrome browser.
> Before 2015-12-03 all was good.
> I haven't changed my configuration for more than one month.
>
> Ten minutes ago "Noel Kelly nke...@citrusnetworks.net" wrote to this
> list that Google Chrome v47 has broken NTLM authentication.
> My clients with problems have Google Chrome v47 (((
>
> Mozilla Firefox clients work fine.
>
> Thank you!
>
> This is the message from Noel Kelly:
> "
>
> Hi
>
> For information, the latest version of Google Chrome (v47.0.2526.73M) has
> broken NTLM authentication:
>
> https://code.google.com/p/chromium/issues/detail?id=544255
>
> https://productforums.google.com/forum/#!topic/chrome/G_9eXH9c_ns;context-place=forum/chrome
>
> Cheers
>
> "
>
> On 4 December 2015 at 04:55, Amos Jeffries  wrote:
>
>> On 4/12/2015 9:46 a.m., Dima Ermakov wrote:
>> > Hi!
>> > I have a problem with authentication.
>> >
>> > I use samba ntlm authentication in my network.
>> >
>> > Some users (not all) have problems with http traffic.
>> >
>> > They see a basic authentication request.
>>
>> Meaning you *don't* have NTLM authentication on your network.
>>
>> Or you are making the mistake of thinking a popup means Basic
>> authentication.
>>
>> > If they enter correct domain login and password, they get an auth error.
>> > If these users try to open https sites, all works fine; they do not get any
>> > type of errors.
>>
>> So,
>>  a) they are probably not going through this proxy, or
>>  b) the browser is suppressing the proxy-auth popups, or
>>  c) the authentication request is not coming from *your* proxy.
>>
>> >
>> > So we have errors only with unencrypted connections.
>> >
>> > I have this error on two servers:
>> > debian8, squid3.4 (from repository)
>> > CentOS7, squid3.3.8 (from repository).
>> >
>>
>> Two things to try:
>>
>> 1) Adding a line like this before the group access controls in
>> frntend.conf. This will ensure that authentication credentials are valid
>> before doing group lookups:
>>  http_access deny !AuthorizedUsers
>>
>>
>> 2) checking up on the Debian winbind issue mentioned in
>> <
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions
>> >
>>
>> I'm not sure about this; it is likely to be involved on Debian, but CentOS
>> is not known to have that issue.
>>
>>
>> Oh and:
>>  3) remove the "acl manager" line from squid.conf.
>>
>>  4) change your cachemgr_passwd. Commenting it out does not hide it from
>> view when you post it on this public mailing list.
>>
>> You should remove all the commented out directives as well, some of them
>> may be leading to misunderstanding of what the config is actually doing.
>>
>>
>> Amos
>>
>
>
>
> --
> Regards, Dmitry Ermakov.
>
>
>


-- 
Samuel Anderson  |  System Administrator  |  International Document Services

IDS  |  11629 South 700 East, Suite 200  |  Draper, UT 84020-4607



[squid-users] Authentication Problem

2015-12-03 Thread Dima Ermakov
Hi!
I have a problem with authentication.

I use samba ntlm authentication in my network.

Some users (not all) have problems with http traffic.

They see a basic authentication request.
If they enter correct domain login and password, they get an auth error.
If these users try to open https sites, all works fine; they do not get any
type of errors.


So we have errors only with unencrypted connections.

I have this error on two servers:
debian8, squid3.4 (from repository)
CentOS7, squid3.3.8 (from repository).

Squid servers are domain joined.

System Time on client PC is correct.

Sorry for my bad English.
Thank you, for your help.

Configuration files are in attachment.

-- 
Regards, Dmitry Ermakov.
# Uncomment and adjust the following to add a disk cache directory.
cache_dir aufs /var/spool/squid3/ 1 32 256

http_port 127.0.0.1:4001
cache_mem 1024 MB
visible_hostname it-gw-b.vod.local
http_access allow localhost

access_log /var/log/squid3/access.backend.log
cache_log /var/log/squid3/cache.backend.log

#Memory Cache size
cache_mem 256 MB

maximum_object_size_in_memory 1024 KB

cache_peer 127.0.0.1 parent 4001 0 default name=it-squid-b.vod.local
never_direct allow all

visible_hostname it-gw-f.vod.local

##AUTHENTICATION BLOCK#
#Authentication Programs
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100 startup=5 idle=5
auth_param ntlm keep_alive on

#authenticate_ttl 1 hour
#authenticate_cache_garbage_interval 1 hour


auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic credentialsttl 600 second
auth_param basic children 60 startup=5 idle=5



#Need Auth
acl AuthorizedUsers proxy_auth REQUIRED

#Unlim speed users
acl unlim_group src "/etc/squid/acl/unlim_group"

#Check group membership
external_acl_type testforGroup children-max=30 children-startup=5 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl
acl internet_G external testforGroup Internet_group
acl internet_SG external testforGroup Internet_super_group

## END AUTHENTICATION BLOCK #


### Speed Limits Block ###
delay_pools 3

#Limit for internet super group
delay_class 1 4

#Limit for internet group
delay_class 2 4

# No Speed Limit - unlim
delay_class 3 4

delay_parameters 1 -1/-1 -1/-1 -1/-1 -1/-1
delay_parameters 2 -1/-1 -1/-1 -1/-1 125000/125000
delay_parameters 3 -1/-1 -1/-1 -1/-1 64000/64000


delay_access 1 allow unlim_group
#delay_access 1 allow unlim_domains
delay_access 1 deny all

delay_access 2 allow internet_SG
delay_access 2 deny all

delay_access 3 allow internet_G
delay_access 3 deny all

### End Speed Limits Block ###


### ACL Control Block ###

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet

http_access allow unlim_group
http_access allow internet_SG
http_access allow internet_G

#http_access allow unlim_group


# And finally deny all other access to this proxy
http_access allow localhost

http_access deny all

### End ACL Control Block ###

# Squid normally listens to port 3128
http_port 8080
##https_port 8080

access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
#
# Recommended minimum configuration:
#

### SNMP
#if ${process_number} = 2
##   snmp_port 3401
#endif
acl zabbix src 192.168.4.19/32
acl snmppublic snmp_community public
snmp_access allow snmppublic zabbix
snmp_access allow snmppublic localhost
snmp_access deny all

### END SNMP



pid_filename /var/run/squid3/squid.pid

### Set local DNS as DNS for squid
dns_nameservers 127.0.0.1 192.168.4.23 192.168.4.1 192.168.4.2

#DNS V4
dns_v4_first on

### SMP support
###workers 4

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/18 # RFC1918 possible internal network
acl localnet src 192.168.4.0/23 # RFC1918 possible internal network
#acl localnet src fc00::/7   # RFC 4193 local private network range
#acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443 #https
acl SSL_ports port 8445 #it-smtp.vod.local
acl SSL_ports port 8443 #it-ubiquiti.vod.local

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # 

Re: [squid-users] Authentication Problem

2015-12-03 Thread Amos Jeffries
On 4/12/2015 9:46 a.m., Dima Ermakov wrote:
> Hi!
> I have a problem with authentication.
> 
> I use samba ntlm authentication in my network.
> 
> Some users (not all) have problems with http traffic.
> 
> They see a basic authentication request.

Meaning you *don't* have NTLM authentication on your network.

Or you are making the mistake of thinking a popup means Basic
authentication.

> If they enter correct domain login and password, they get an auth error.
> If these users try to open https sites, all works fine; they do not get any
> type of errors.

So,
 a) they are probably not going through this proxy, or
 b) the browser is suppressing the proxy-auth popups, or
 c) the authentication request is not coming from *your* proxy.

> 
> So we have errors only with unencrypted connections.
> 
> I have this error on two servers:
> debian8, squid3.4 (from repository)
> CentOS7, squid3.3.8 (from repository).
> 

Two things to try:

1) Adding a line like this before the group access controls in
frntend.conf. This will ensure that authentication credentials are valid
before doing group lookups:
 http_access deny !AuthorizedUsers


2) checking up on the Debian winbind issue mentioned in
<http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions>

I'm not sure about this; it is likely to be involved on Debian, but CentOS
is not known to have that issue.


Oh and:
 3) remove the "acl manager" line from squid.conf.

 4) change your cachemgr_passwd. Commenting it out does not hide it from
view when you post it on this public mailing list.

You should remove all the commented out directives as well, some of them
may be leading to misunderstanding of what the config is actually doing.


Amos


Re: [squid-users] authentication of every GET request from part of URL?

2015-11-06 Thread Amos Jeffries
On 7/11/2015 1:33 a.m., Sreenath BH wrote:
> Hi
> I am very new to Squid, and think I have a strange requirement.
> We want to serve cached content only if the client has been
> authenticated before.
> Since we don't expect the client software to send any information in
> headers, we embed a token in the URL that we present to the user.
> 

Um, you know how sending username and password in plain-text Basic auth
headers is supposed to be the worst form of security around?

It's not quite. Sending credentials in the URL is worse. Even if it's
just an encoded token.

Why are you avoiding actual HTTP authentication?

Why be so actively hostile to every other cache in existence?


> So when the client s/w uses this URL, we want to extract the token
> from URL and do a small database query to ensure that the token is
> valid.
> 
> This is in accelerator mode.
> Is it possible to use something similar to basic_fake_auth and put my
> code there that does some database query?

The "basic_..._auth" parts of that helper's name mean that it performs
HTTP Basic authentication.

The "fake" part means that it does not perform any kind of validation.

All of the text above has been describing how you want to perform
actions which are the direct opposite of everything basic_fake_auth does.


> If the query fails, we don't return the cached content?

What do you want to be delivered instead?


Amos



[squid-users] authentication of every GET request from part of URL?

2015-11-06 Thread Sreenath BH
Hi
I am very new to Squid, and think I have a strange requirement.
We want to serve cached content only if the client has been
authenticated before.
Since we don't expect the client software to send any information in
headers, we embed a token in the URL that we present to the user.

So when the client s/w uses this URL, we want to extract the token
from URL and do a small database query to ensure that the token is
valid.

This is in accelerator mode.
Is it possible to use something similar to basic_fake_auth and put my
code there that does some database query?
If the query fails, we don't return the cached content?

Basically what I am looking for is the ability to execute some script for
every request.

Any tips greatly appreciated.

thanks,
Sreenath


Re: [squid-users] authentication setup for squid-internal-mgr

2015-10-07 Thread Amos Jeffries
On 7/10/2015 6:41 a.m., Tory M Blue wrote:
> So I was playing with squid-internal-mgr (replacement for cachemgr.cgi it
> seems), but I have no real authentication access, other than my ACLs
> 
> acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
> 
> 
> And limited to my networks obviously.
> 
> But as of now those pages are wide open, so anyone could go to /menu and
> see /shutdown and type that in and bingo bango my squid server is shutdown.
> 

I believe the word is "Meh.". This is one of the expected use-cases for
CacheMgr. ie how the new access methods are designed to be used.

Strictly speaking it's anyone who can access those reports. You just have
one less layer of protection than default installs use.

> 
> So I was wondering if there is a way to make some of these pages require
> authentication? I'm not clear what "public" means in each instance below,

"public" means there is no report-specific password set by
cachemgr_passwd directive required to access it. The only control will
be the http_access rules you configure.


You create a urlpath_regex ACL to match regular (not squidclient or
cachemgr.cgi) requests for the reports like so:

 acl foo urlpath_regex \
^/squid-internal-mgr/(shutdown|reconfigure|rotate|offline_toggle)

Authentication can be applied in combination with that to do whatever
reports you want authenticated. Also group limitations, external ACL,
specific src IPs, etc..

Amos



[squid-users] authentication setup for squid-internal-mgr

2015-10-06 Thread Tory M Blue
So I was playing with squid-internal-mgr (replacement for cachemgr.cgi it
seems), but I have no real authentication access, other than my ACLs

acl manager url_regex -i ^cache_object:// +i
^https?://[^/]+/squid-internal-mgr/


And limited to my networks obviously.

But as of now those pages are wide open, so anyone could go to /menu and
see /shutdown and type that in and bingo bango my squid server is shutdown.


So was wondering if there is a way to make some of these pages require
authentication? I'm not clear what "public" means in each instance below,
sooo..


Thanks

Tory




index                       Cache Manager Interface                         public
menu                        Cache Manager Menu                              public
offline_toggle              Toggle offline_mode setting                     public
shutdown                    Shut Down the Squid Process                     public
reconfigure                 Reconfigure Squid                               public
rotate                      Rotate Squid Logs                               public
cached_ssl_cert             Statistic of cached generated ssl certificates  public
pconn                       Persistent Connection Utilization Histograms    public
mem                         Memory Utilization                              public
squidaio_counts             Async IO Function Counters                      public
diskd                       DISKD Stats                                     public
config                      Current Squid Configuration                     public
client_list                 Cache Client List                               public
comm_epoll_incoming         comm_incoming() stats                           public
ipcache                     IP Cache Stats and Contents                     public
fqdncache                   FQDN Cache Stats and Contents                   public
idns                        Internal DNS Statistics                         public
redirector                  URL Redirector Stats                            public
store_id                    StoreId helper Stats                            public
external_acl                External ACL stats                              public
http_headers                HTTP Header Statistics                          public
info                        General Runtime Information                     public
service_times               Service Times (Percentiles)                     public
filedescriptors             Process Filedescriptor Allocation               public
objects                     All Cache Objects                               public
vm_objects                  In-Memory and In-Transit Objects                public
io                          Server-side network read() size histograms      public
counters                    Traffic and Resource Counters                   public
peer_select                 Peer Selection Algorithms                       public
digest_stats                Cache Digest and ICP blob                       public
5min                        5 Minute Average of Counters                    public
60min                       60 Minute Average of Counters                   public
utilization                 Cache Utilization                               public
histograms                  Full Histogram Counts                           public
active_requests             Client-side Active Requests                     public
username_cache              Active Cached Usernames                         public
openfd_objects              Objects with Swapout files open                 public
store_digest                Store Digest                                    public
store_log_tags              Histogram of store.log tags                     public
storedir                    Store Directory Stats                           public
store_io                    Store IO Interface Stats                        public
store_check_cachable_stats  storeCheckCachable() Stats                      public
refresh                     Refresh Algorithm Statistics                    public
delay                       Delay Pool Levels                               public
forward                     Request Forwarding Statistics                   public
cbdata                      Callback Data Registry Contents                 public
sbuf                        String-Buffer statistics                        public
events                      Event Queue                                     public
netdb                       Network Measurement Database                    public
asndb                       AS Number Database                              public
carp                        CARP information                                public
userhash                    peer userhash information                       public
sourcehash                  peer sourcehash information                     public
server_list                 Peer Cache Statistics                           public


[squid-users] Authentication help

2015-03-05 Thread Informatico Neurodesarrollo

Hi list,
I am new to the list and I want to solve a problem with the
authentication process in the factory where I worked some years ago and
where I began working with Linux.

They use openSuSE 13.2 (64-bit) with squid 3.4.4; the specifications are:
- the authentication is local, Unix users
- two groups created: intranet (can only access the .cu domain), internet

What is the deal?

When I try to access, a window appears in the browser asking me for the
user and password, but when I press Enter this window appears again and
I have to press the ESC key several times before I can navigate.


I attach my squid.conf file below.

My best regards.

PS: Apologies for my English, but if anybody understands Spanish I can
explain better.


--

Jesús Reyes Piedra
Network Admin, Neurodesarrollo, Cárdenas
The box said: Requires Windows 95 or higher...
So I installed LINUX.



squid.conf:

# Squid normally listens to port 3128
http_port 3128

###
# Memory reserved for keeping the cache in RAM
cache_mem 1024 MB

# Uncomment and adjust the following to add a disk cache directory.
cache_dir aufs /var/cache/squid 9 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mgr ju...@jvr.cu
cache_replacement_policy lru
cache_swap_high 95
cache_swap_low 90
client_lifetime 1 days
connect_timeout 2 minutes
#emulate_httpd_log off
debug_options ALL,1 33,2

ftp_passive on
maximum_object_size 4096 KB
memory_replacement_policy lru
minimum_object_size 0 KB


# Authentication

auth_param basic program /usr/sbin/basic_getpwnam_auth --helper-protocol=squid-2.5-basic

auth_param basic children 20
auth_param basic realm Servidor Proxy JVR
auth_param basic credentialsttl 1 hours
auth_param basic casesensitive off


# Unix groups

external_acl_type groupo_linux %LOGIN /usr/sbin/ext_unix_group_acl -p

acl nav_nac external groupo_linux intranet
acl nav_int external groupo_linux internet

acl nav_full proxy_auth nav_int
acl nav_cuba proxy_auth nav_nac

acl Auth_jvr proxy_auth REQUIRED

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern -i  (/cgi-bin/|\?) 0 0 0
refresh_pattern . 0 20 4320


cache_log /var/log/squid/cache.log
access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
error_directory /usr/share/squid/errors/es


acl localnet src 10.44.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

acl restricted_sites dstdomain /etc/squid/listas/blocked_sites.acl
acl restricted_dst dst /etc/squid/listas/blocked_src
acl nacional dstdomain .cu

# Rule to deny forbidden words
acl palabras url_regex -i /etc/squid/deneg


#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
# Deny CONNECT to other than secure SSL ports
# Only allow cachemgr access from localhost
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
# Allow localhost always proxy functionality
# And finally deny all other access to this proxy

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

http_access allow localnet !restricted_sites !restricted_dst !palabras
http_access allow Auth_jvr nav_full !nav_nac
http_access allow Auth_jvr nav_cuba nacional


http_access deny all





[squid-users] Authentication Passthrough Failing

2015-02-26 Thread Curtis.M
Hi all, 

I have squid 2.7 setup on a Win2012R2 DC used for caching purposes. The main
use is for caching Apple iOS updates but is also starting to be used for
general web browsing. 

The issue I have is there is a web filtering system being used in this
environment that relies on AD usernames to filter web traffic. When clients
are configured with squid, they are essentially unfiltered. Reason being is
the box squid runs off is excluded from filtering and it seems all clients
using the configured proxy receive the same level of filtering as the host
squid is running from. 

I have already researched this and found that I may need to use Connection
Pinning but when the line connection-auth=on is added to the conf, squid
refuses to start. 
(Full error below) 

So my questions are: 
 Am I right in trying to use Connection Pinning to resolve this issue? 
 Am I missing code needed from the conf I mentioned? 
  

Thanks for reading and I hope you can help! 

Kind Regards, 

Curtis. 


Squid.conf 
---
 
http_port 3128 connection-auth=on 

acl all src all 
acl manager proto cache_object 
acl localhost src 127.0.0.1/32 
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network 
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network 
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network 
acl SSL_ports port 443 
acl Safe_ports port 80  # http 
acl Safe_ports port 21  # ftp 
acl Safe_ports port 443 # https 
acl Safe_ports port 70  # gopher 
acl Safe_ports port 210 # wais 
acl Safe_ports port 1025-65535  # unregistered ports 
acl Safe_ports port 280 # http-mgmt 
acl Safe_ports port 488 # gss-http 
acl Safe_ports port 591 # filemaker 
acl Safe_ports port 777 # multiling http 
acl CONNECT method CONNECT 

http_access allow manager localhost 
http_access deny manager 
http_access deny !Safe_ports 
http_access deny CONNECT !SSL_ports 

http_access allow localnet 

http_access deny all 



icp_access allow localnet 
icp_access deny all 



hierarchy_stoplist cgi-bin ? 

maximum_object_size 307200 bytes 
cache_dir aufs C:\squid\var\cache 256000 128 256 max-size=204800 

access_log c:/squid/var/logs/access.log squid 

Cache-Control: max-age=0, no-cache, no-store 
Pragma: no-cache 
refresh_pattern -i appldnld\.apple\.com 129600 100% 129600 ignore-reload
ignore-no-store override-expire override-lastmod ignore-must-revalidate 
refresh_pattern -i phobos\.apple\.com 129600 100% 129600 ignore-reload
ignore-no-store override-expire override-lastmod ignore-must-revalidate 
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9] 
upgrade_http0.9 deny shoutcast 

acl apache rep_header Server ^Apache 
broken_vary_encoding allow apache 

coredump_dir c:/squid/var/cache 
---
 
Full Error: 
FATAL: Bungled squid.conf line 1: http_port 3128 connection-auth=on 
Squid Cache (Version 2.7.STABLE8): Terminated abnormally.





Re: [squid-users] Authentication\Authorization using a PAC file?

2014-11-25 Thread Eliezer Croitoru

On 11/24/2014 10:06 PM, Jason Haar wrote:
> I think you are confusing proxy authentication with WPAD/PAC files.
> WPAD knows nothing about proxy authentication: browsers do
>
> ie you use WPAD to tell browsers where/if they need to use a proxy
> and under what circumstances, and when they then attempt to do so,
> the BROWSER will have to respond to authentication issues
> surrounding authentication proxies.

Thanks Jason for the referrals.
WPAD purpose is solid but there is an option to create a WPAD/PAC file
on the fly and on the background authorize the client user name with a
specific ip.
Some restrictions can be applied on the use of a specific user to be
used only with one IP at a time which is similar to some AD features.

WPAD can be used with authorization and it should be like any other
http\s resource and the user + password can be written inside the url
similar to ftp URL.
Windows specifically has a daemon\script\service that handles the
WPAD\PAC file and therefore all the limitations apply to this service only.
In other systems these limitations might be the same but I haven't
tested any of these yet.

I might add this to my TODO list.

Thanks,
Eliezer


[squid-users] Authentication\Authorization using a PAC file?

2014-11-24 Thread Eliezer Croitoru

I do know that pac files contains some form of JS and in the past I
have seen couple complex PAC files but unsure about the options.
I want to know if a PAC file can be used for
Authentication\Authorization, maybe even working against another
external system to get a token?

Thanks,
Eliezer


Re: [squid-users] Authentication\Authorization using a PAC file?

2014-11-24 Thread Kinkie
Hi Eliezer,
  I don't think so. PACfiles have no access to the DOM or facilities
like AJAX, and are very limited in what they can return or affect as
side-effects. In theory it could be possible to do something, but in
practice it would be only advisory and not secure: a pacfile must by
definition be in a publicly-accessible URL, so anyone can read it and
interpret it.

On Mon, Nov 24, 2014 at 11:25 AM, Eliezer Croitoru elie...@ngtech.co.il wrote:
> I do know that pac files contains some form of JS and in the past I
> have seen couple complex PAC files but unsure about the options.
> I want to know if a PAC file can be used for
> Authentication\Authorization, maybe even working against another
> external system to get a token?
>
> Thanks,
> Eliezer



-- 
Francesco


Re: [squid-users] Authentication\Authorization using a PAC file?

2014-11-24 Thread Eliezer Croitoru

On 11/24/2014 03:24 PM, Kinkie wrote:
> But what if multiple users share the same IP (e.g. Citrix, X11)?
This is another situation which requires authentication...
Two users can use the same pac files and be authorized as another
user(a regular forward proxy).
While I do like the Radius solution we can use external_acl in some
way to check if the specific user is allowed to authenticate from this
specific IP.
In stricter environments a Radius server can help with this issue by
disallowing one username from being used from two src IPs at the
same time.

Eliezer


Re: [squid-users] Authentication\Authorization using a PAC file?

2014-11-24 Thread Walter H.

Hi,

a sample of a .pac-File

function FindProxyForURL( url, host )
{
  var strURL = ( decodeURI( url ) ).toLowerCase( );

  var strHost = host.toLowerCase( );

  // Redirect to proxy with these URLs
  if ( ( strURL == "http://flickr.com/images/spaceball.gif" ) ||
       ( strURL == "..." ) )
    return "PROXY host:port;";

  // Don't use a proxy with these domains/hosts
  if ( dnsDomainIs( strHost, "www.domain.tld" ) ||
       dnsDomainIs( strHost, "..." ) )
    return "DIRECT";

  // Bad words or combinations, use localhost as proxy
  if ( ( strURL.search(/advert/) == -1 ) &&
       ( strURL.search(/banner/) == -1 ) &&
       ( strURL.search(/realmedia/) == -1 ) &&
       ( strURL.search(/[^a-z0-9]ads/) == -1 ) &&
       ( strURL.search(/[a-z][c,k]lick/) == -1 ) );
  else
    return "PROXY ntwaldivm-001.waldinet.home:8080;";

  // Use a proxy on higher domain levels,
  // except for educational or academical domains
  if ( dnsDomainLevels( strHost ) > 3 )
    if ( ( strHost.search(/.ac.[a-z][a-z]/) == ( strHost.length - 6 ) ) ||
         ( strHost.search(/.edu.[a-z][a-z]/) == ( strHost.length - 7 ) ) ||
         ( strHost.search(/.mail.yahoo.com/) == ( strHost.length - 15 ) ) ||
         ( strHost.search(/.edu/) == ( strHost.length - 4 ) ) )
      return "PROXY host:port;";
    else
      return "DIRECT";

  // DIRECT connections to non-FQDN hosts
  if ( isPlainHostName( strHost ) )
    return "DIRECT";

  // Bad words or combinations in host, use proxy
  if ( ( strHost.search(/stat[0-9s]/) == -1 ) &&
       ( strHost.search(/media/) == -1 ) &&
       ( strHost.search(/spy/) == -1 ) &&
       ( strHost.search(/track/) == -1 ) &&
       ( strHost.search(/trade/) == -1 ) &&
       ( strHost.search(/klamm/) == -1 ) &&
       ( strHost.search(/trade/) == -1 ) &&
       ( strHost.search(/meter/) == -1 ) &&
       ( strHost.search(/poker/) == -1 ) &&
       ( strHost.search(/sex/) == -1 ) &&
       ( strHost.search(/xxx/) == -1 ) &&
       ( strHost.search(/cash/) == -1 ) &&
       ( strHost.search(/pay/) == -1 ) &&
       ( strHost.search(/popup/) == -1 ) &&
       ( strHost.search(/^ad./) == -1 ) &&
       ( strHost.search(/^www.ad./) == -1 ) &&
       ( strHost.search(/^www.free/) == -1 ) &&
       ( strHost.search(/^www.web/) == -1 ) );
  else
    return "PROXY host:port;";

  //  If nothing above matches, then go directly there,
  //  in case of a DNS failure use proxy
  if ( isResolvable( strHost ) )
    return "DIRECT";
  else
    return "PROXY host:port;";
}

any authorization to a proxy in this .pac-File is the same as if the 
proxy were

configured directly in the browser;
with such a setup you can use different proxies for e.g. specific sites
 even with SSL without SSL-bump ...

Walter


On 24.11.2014 11:25, Eliezer Croitoru wrote:

> I do know that pac files contains some form of JS and in the past I
> have seen couple complex PAC files but unsure about the options.
> I want to know if a PAC file can be used for
> Authentication\Authorization, maybe even working against another
> external system to get a token?
>
> Thanks,
> Eliezer







Re: [squid-users] Authentication\Authorization using a PAC file?

2014-11-24 Thread Eliezer Croitoru

Well James, you are 100% right.
But as you may know not everybody can test all day long.
Some have day jobs and someone else knows the answer already and can
assist here and there.
This is the basic foundation of this mailing list.
Anyone anytime can ask a question and others will be able to respond.

Specifically squid-users is for the squid-cache proxy, but many will agree
with me that you can ask here things which are not directly related to
squid and find that others already know the answer, so you do not
need to run off and start a PhD research project about it.

All The Bests,
Eliezer Croitoru

On 11/24/2014 10:42 PM, James Harper wrote:
> Seems like the sort of thing you could test with a minimum of
> effort...
>
> James



Re: [squid-users] authentication via web page

2014-02-04 Thread Al Zick

Hello,

On Jan 31, 2014, at 12:12 PM, Amos Jeffries wrote:

> On 31/01/2014 11:56 a.m., Al Zick wrote:
>> Hi,
>>
>> I am considering switching to authentication via a web page. Are there
>> examples of how to do this somewhere? What are the pros and cons of this
>> configuration? I am very concerned about security with web page
>> authentication.
>
> The Pro (singular) is that you can format the display to look any way
> you like using HTML/CSS, images or other display technologies.

I was looking for a way to make it easy for the end user to find
where they put their credentials.

> The Cons are many, but these are the major ones:
>
> * HTTP and web auth are unrelated systems. There is no way for the
> client software to know what HTTP credentials to deliver on followup
> traffic.
>  Web browsers and servers typically use a Cookie value exchanged back
> and forth to store the credentials. This has a whole pile of security
> issues in and of itself, on top of the other issues in this list.

Would https help with this, or is it inherently insecure?

> * Web authentication is tied securely to the server endpoint which does
> the authentication. The login does not cross to other domains. Thus any
> Cookie or login may be required to be repeated many times while browsing.
>
> The above cons essentially mean that web authentication for a proxy is
> not possible with today's technology. We have to use a session workaround.
>  * redirecting the client to a page which both authenticates and starts
> a session for that client on successful authentication.
>  * authorizing any request which matches the session. Making the
> assumption that it is the same user/login. This is somewhat unreliable,
> but can be used if the clients have a fairly static IP or a detectable
> unique signature.

What could be used as a detectable unique signature?

>> Also, I am not really sure if it is a good idea. For example, in most
>> emails the images in them are not sent as attachments, they are
>> downloaded from a web server and go through the proxy. If a re-write was
>> used to load the authentication page, then it would put that page in
>> place of the image. How would you authenticate the proxy with this
>> scenario?
>
> The authentication will be linked to the URL redirected *to*. Not the
> email embedded URL.

Okay.

>> I will probably need a consultant to help me through this project
>> because I have been working on this way too long. Would anyone be
>> available?
>
> Maybe. If the session authorization scenario above sounds workable to
> you take a look at the two session helpers bundled with Squid.
>
> NOTE: that session by IP is for the *machine*. All software using it
> shares the same session by IP address. If the IP is being NAT'ed for
> multiple end-users they also all share the session.

This is going to be a real problem. I need it to be unique to the
computer. Is there any work around for this?

> 1) the original squid_session / ext_session_acl helper acts in the same
> way as a session for a browser when using a website. But for the machine
> using the web proxy. The helper maintains its own BDB database of
> sessions in the background.
>
>  It has a passive mode (the default) where sessions are started
> automatically on every new IP address.
>
>  It has an active mode. Where the session is not started until some
> magic URL is requested. You create a login page that redirects to the
> URL whereafter the session helper tells Squid an OK result. Then
> redirect from there back to the original URL.
>
> More details at:
> http://www.squid-cache.org/Versions/v3/3.3/manuals/ext_session_acl.html
> http://www.squid-cache.org/Versions/v3/3.4/manuals/ext_session_acl.html
>
> 2) the newer ext_sql_session_acl helper bundled with Squid-3.4+ acts in
> a slightly different way. It performs a SQL database lookup for a string
> matching whatever fields you put in the external_acl_type format.
> Returning OK/ERR results to Squid along with a username / label for an
> existing session that matches.
>
>  With this one you redirect to your authentication page like usual. But
> instead of redirecting to a magic URL on success the auth script needs
> to update the SQL database and redirect back to the original URL.
>
> More details at:
> http://www.squid-cache.org/Versions/v3/3.4/manuals/ext_sql_session_acl.html

Still, there is a lot that needs to be done to make this work. I
wonder if I would not be better off with some kind of thin client
that would just put the proxy settings into a computer for win/mac
and then give a place to put in a username and password. If this was
to reside in the tray or dock then it would make it easy to change.
Do you have, or know where I could get, a client for setting up the
proxy?

Thanks,
Al




Re: [squid-users] authentication via web page

2014-01-31 Thread Amos Jeffries
On 31/01/2014 11:56 a.m., Al Zick wrote:
> Hi,
>
> I am considering switching to authentication via a web page. Are there
> examples of how to do this somewhere? What are the pros and cons of this
> configuration? I am very concerned about security with web page
> authentication.

The Pro (singular) is that you can format the display to look any way
you like using HTML/CSS, images or other display technologies.


The Cons are many, but these are the major ones:

* HTTP and web auth are unrelated systems. There is no way for the
client software to know what HTTP credentials to deliver on followup
traffic.
 Web browsers and servers typically use a Cookie value exchanged back
and forth to store the credentials. This has a whole pile of security
issues in and of itself, on top of the other issues in this list.

* Web authentication is tied securely to the server endpoint which does
the authentication. The login does not cross to other domains. Thus any
Cookie or login may be required to be repeated many times while browsing.


The above cons essentially mean that web authentication for a proxy is
not possible with today's technology. We have to use a session workaround.
 * redirecting the client to a page which both authenticates and starts
a session for that client on successful authentication.
 * authorizing any request which matches the session. Making the
assumption that it is the same user/login. This is somewhat unreliable,
but can be used if the clients have a fairly static IP or a detectable
unique signature.



 
> Also, I am not really sure if it is a good idea. For example, in most
> emails the images in them are not sent as attachments, they are
> downloaded from a web server and go through the proxy. If a re-write was
> used to load the authentication page, then it would put that page in
> place of the image. How would you authenticate the proxy with this
> scenario?

The authentication will be linked to the URL redirected *to*. Not the
email embedded URL.


 I will probably need a consultant to help me through this project
 because I have been working on this way too long. Would anyone be
 available?

Maybe. If the session authorization scenario above sounds workable to
you take a look at the two session helpers bundled with Squid.

NOTE: that session by IP is for the *machine*. All software using it
shares the same session by IP address. If the IP is being NAT'ed for
multiple end-users they also all share the session.


1) the original squid_session / ext_session_acl helper acts in the same
way as a session for a browser when using a website. But for the machine
using the web proxy. The helper maintains its own BDB database of
sessions in the background.

 It has a passive mode (the default) where sessions are started
automatically on every new IP address.

 It has an active mode. Where the session is not started until some
magic URL is requested. You create a login page that redirects to the
URL whereafter the session helper tells Squid an OK result. Then
redirect from there back to the original URL.

More details at:
http://www.squid-cache.org/Versions/v3/3.3/manuals/ext_session_acl.html
http://www.squid-cache.org/Versions/v3/3.4/manuals/ext_session_acl.html


2) the newer ext_sql_session_acl helper bundled with Squid-3.4+ acts in
a slightly different way. It performs a SQL database lookup for a string
matching whatever fields you put in the external_acl_type format.
Returning OK/ERR results to Squid along with a username / label for an
existing session that matches.

 With this one you redirect to your authentication page like usual. But
instead of redirecting to a magic URL on success the auth script needs
to update the SQL database and redirect back to the original URL.

More details at:
http://www.squid-cache.org/Versions/v3/3.4/manuals/ext_sql_session_acl.html


Amos
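An added example, not code from Squid or from anyone in this thread, in the spirit of the session helpers Amos describes above and of the per-request token check Sreenath asked about at the top of this page: a small Python external ACL helper that answers Squid's external_acl_type protocol from a session table that a login page fills in after it has verified the user. The squid.conf lines in the docstring, the helper path and the database path are assumptions; it assumes Squid 3.4+ for the key=value reply syntax and `concurrency=` so that every request line carries a channel id.

```python
"""Minimal Squid external ACL session helper (added example, not Squid's
bundled ext_session_acl / ext_sql_session_acl).

A login page calls start_session() once it has verified the user's
credentials; Squid then asks this helper about every request and receives
"OK user=<name>" or "ERR", the same shape Amos describes for
ext_sql_session_acl. Assumed (hypothetical) squid.conf:

    external_acl_type session ttl=10 concurrency=10 \
        %SRC /usr/local/bin/session_helper.py /var/lib/squid/sessions.db
    acl has_session external session
    http_access allow localnet has_session

As Amos notes, the key is the client IP, so everything behind one NAT
address shares one session.
"""
import sqlite3
import sys
import time
import urllib.parse

# Session store written by the login page and read/expired by this helper.
SCHEMA = """
CREATE TABLE IF NOT EXISTS sessions (
    src_ip  TEXT PRIMARY KEY,
    user    TEXT NOT NULL,
    expires REAL NOT NULL
)
"""


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db


def start_session(db, src_ip, user, ttl_seconds, now=None):
    """Bind src_ip to user until now + ttl_seconds (login page side)."""
    now = time.time() if now is None else now
    db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)",
               (src_ip, user, now + ttl_seconds))
    db.commit()


def lookup_session(db, src_ip, now=None):
    """Return the user bound to src_ip, or None if no live session exists."""
    now = time.time() if now is None else now
    row = db.execute("SELECT user, expires FROM sessions WHERE src_ip = ?",
                     (src_ip,)).fetchone()
    if row is None:
        return None
    user, expires = row
    if expires <= now:
        # Expired: remove the row so a stale session cannot be reused later.
        db.execute("DELETE FROM sessions WHERE src_ip = ?", (src_ip,))
        db.commit()
        return None
    return user


def handle_line(db, line, now=None):
    """Map one request line from Squid to one reply line.

    With concurrency=N the request is "<channel-id> <fields...>" and the
    reply must echo the channel id. Squid URL-encodes each %format field,
    so fields are decoded before use and the user name is encoded on the
    way back.
    """
    parts = line.strip().split()
    if len(parts) < 2:
        # BH tells Squid the helper could not process the lookup at all.
        return "BH message=malformed_request"
    channel, src_ip = parts[0], urllib.parse.unquote(parts[1])
    user = lookup_session(db, src_ip, now)
    if user is None:
        return f"{channel} ERR message=no_session"
    # user= lets Squid log the name and feed it to later ACLs as %LOGIN.
    return f"{channel} OK user={urllib.parse.quote(user)}"


def main():
    # Database path is a placeholder; pass the real one as argv[1].
    db = open_db(sys.argv[1] if len(sys.argv) > 1 else "sessions.db")
    for line in sys.stdin:
        sys.stdout.write(handle_line(db, line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never buffer them


if __name__ == "__main__":
    main()
```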


Re: [squid-users] authentication via web page

2014-01-31 Thread Leonardo Rodrigues

On 30/01/14 20:56, Al Zick wrote:

> Hi,
>
> I am considering switching to authentication via a web page. Are there
> examples of how to do this somewhere? What are the pros and cons of
> this configuration? I am very concerned about security with web page
> authentication.
>
>
> Also, I am not really sure if it is a good idea. For example, in most
> emails the images in them are not sent as attachments, they are
> downloaded from a web server and go through the proxy. If a re-write
> was used to load the authentication page, then it would put that page
> in place of the image. How would you authenticate the proxy with this
> scenario?


I would consider that a good idea on a guest network, for example,
some sort of wifi hotspot. In a corporate environment, I would never
consider that :/



--


Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT email it
gertru...@solutti.com.br





[squid-users] authentication via web page

2014-01-30 Thread Al Zick

Hi,

I am considering switching to authentication via a web page. Are  
there examples of how to do this somewhere? What are the pros and  
cons of this configuration? I am very concerned about security with  
web page authentication.


Also, I am not really sure if it is a good idea. For example, in most  
emails the images in them are not sent as attachments, they are  
downloaded from a web server and go through the proxy. If a re-write  
was used to load the authentication page, then it would put that page  
in place of the image. How would you authenticate the proxy with this  
scenario?


I will probably need a consultant to help me through this project  
because I have been working on this way too long. Would anyone be  
available?


Thanks,
Al



[squid-users] Authentication problem upgrading from squid 2 to squid 3

2012-12-20 Thread Javier Smaldone
I've been using squid 2.6.STABLE5 for a long time. Now, I'm upgrading
to 3.1.19 (Ubuntu 12.04). On my previous setup I've used ldap_auth
(with basic authentication) and after tuning my configuration I made
it work for squid3.

But now I have a problem with some (allowed) sites that load some
(forbidden) content (such as twitter and facebook javascript, for example):
when loading such a page, the user gets prompted (again) for the login
credentials.

I've raised the loglevel to 9 and found some differences on the log
for exactly the same request.

Please, take a look at my config and logfile and save my life!

Thanks in advance.

--
Javier


This is the relevant part of my squid.conf file:

auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b
dc=mycompany,dc=com,dc=ar -D
cn=ldaplinux,ou=ati,dc=mycompany,dc=com,dc=ar -W /etc/squid3/secret
-f sAMAccountName=%s -h ldapserver
auth_param basic children 5
auth_param basic credentialsttl 2 hours
auth_param basic realm Internet access

external_acl_type adsgroup %LOGIN /usr/lib/squid3/squid_ldap_group
-b dc=mycompany,dc=com,dc=ar -D
cn=ldaplinux,ou=ati,dc=mycompany,dc=com,dc=ar -W /etc/squid3/secret
-f
(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=internet,dc=mycompany,dc=com,dc=ar))
-h ldapserver -v 3

http_access allow manager localhost
http_access deny manager

acl forbidden_ip src /var/squid/acls/noips
http_access deny forbidden_ip

acl users.privileged external adsgroup internet.privileged
http_access allow users.privileged

[...lots of acl and http_access rules...]

acl domains.banned.re dstdom_regex /var/squid/acls/domains.banned.re
http_access deny domains.banned.re
# domains.banned.re includes '\.twitter\'


For the request "GET http://platform.twitter.com/widgets.js", the
first part of the log info is always the same (and it is the expected
behaviour):


| HttpMsg.cc(445) parseRequestFirstLine: parsing possible request:
GEThttp://platform.twitter.com/widgets.js HTTP/1.1
Host: platform.twitter.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: */*
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: 
http://www.infobae.com/notas/687652-Cromanon-todos-los-condenados-seran-detenidos-inmediatamente.html
Proxy-Authorization: Basic XXX


| Parser: retval 1: from 0-52: method 0-2; url 4-41; version 43-50 (1/1)
| parseHttpRequest: req_hdr = {Host: platform.twitter.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: */*
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: 
http://www.infobae.com/notas/687652-Cromanon-todos-los-condenados-seran-detenidos-inmediatamente.html
Proxy-Authorization: Basic XXX

}
| parseHttpRequest: end = {
}

[...]

| parsing HttpHeaderEntry: near 'Proxy-Authorization: Basic
XXX'
| parsed HttpHeaderEntry: 'Proxy-Authorization: Basic XXX'
| created HttpHeaderEntry 0x7f6b92f4d790: 'Proxy-Authorization : Basic
XXX
| 0x7f6b7dc43150 adding entry: 40 at 7

[...]

| ACLChecklist::preCheck: 0x7f6b80288658 checking 'http_access deny
forbidden_ip'
| ACLList::matches: checking forbidden_ip
| ACL::checklistMatches: checking 'forbidden_ip'
| aclIpMatchIp: '192.168.1.1:53563' NOT found
| ACL::ChecklistMatches: result for 'forbidden_ip' is 0
| ACLList::matches: result is false
| aclmatchAclList: 0x7f6b80288658 returning false (AND list entry
failed to match)
| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0
lastACLResult() = 0 finished() = 0


Now, the important part: Checking user credentials (and group membership).

Despite the presence of the Proxy-Authorization field on the
request, the log shows:

| ACLChecklist::preCheck: 0x7f6b80288658 checking 'http_access allow
users.privileged'
| ACLList::matches: checking users.privileged
| ACL::checklistMatches: checking 'users.privileged'
| aclMatchExternal: acl=adsgroup
| authenticateAuthenticate: broken auth or no proxy_auth header.
Requesting auth header.
| Acl.cc(70) AuthenticateAcl: returning 0 sending authentication challenge.
| aclMatchExternal: adsgroup user not authenticated (0)
| ACL::ChecklistMatches: result for 'users.privileged' is 0
| ACLList::matches: result is false
| aclmatchAclList: 0x7f6b80288658 returning false (AND list entry
failed to match)
| ACLChecklist::checkForAsync: requiring Proxy Auth header.

As a result, the browser asks the user for credentials again. When
entered, the request shows exactly the same for the first ACL checks,
but when checking "http_access allow users.privileged" it shows:

| ACLChecklist::preCheck: 0x7f6b80288658 checking 'http_access allow
users.privileged'
| ACLList::matches: checking users.privileged
| ACL::checklistMatches: checking 'users.privileged'
| aclMatchExternal: acl=adsgroup
| 

Re: Re: [squid-users] Authentication of non-standard methods

2012-12-14 Thread Trever L. Adams
On 12/11/2012 05:32 PM, Amos Jeffries wrote:
 On 12.12.2012 11:33, Trever L. Adams wrote:
 Hello Everyone,

 I am looking at Shibboleth. I have seen one example

 (http://www.switch.ch/aai/support/presentations/opcom-201105/AAI-OpCom-AAI_for_mandatory_authentication_and_proxy_usage.pdf)

 for using it with Squid. I am afraid it makes no sense to me.

 I am afraid I do not know much about Shibboleth yet. It has three
 components for authentication, user, password, domain. It has to use
 redirects, etc.

 I see an easy way for this to work, but need help figuring it out.

 If a user isn't authenticated, I need to send them to a url.


  acl bounce src all
  acl auth proxy_auth REQUIRED
  deny_info 307:http://example.com/ bounce
  http_access deny !auth bounce

 ... but see below...


 How do I know if a user is authenticated? Well, it seems that this is
 going to have to be passing the requesting client's ip address to a
 program and get the response back if they are authenticated or not.

 NOTE: user != IP address. Therefore user authentication does not imply
 IP address is authenticated, particularly in HTTP where one client (IP
 address) can be presenting traffic from multiple users.
  Essentially stateful connection-based authentication and stateless
 HTTP do not mix well - as is constantly being 'discovered' by NTLM
 people.
Yes, I had this reservation, but I need to figure out something. This is
a private proxy to general Internet, so some fudging for the time being
may be ok.


 It
 would be nice if I could pass a user name, but I am not sure how to do
 this as this would require interaction with the browser and this should
 be SSO.

 The ACLs above pass the Proxy-Authenticate header to a helper program
 for authentication tests. That header contains username and security
 token, sometimes domain if the auth type uses domains.

 SSO is a property of the *backend* accepting the credentials supplied
 by the client to Squid. SSO is simply the process of the backend
 accepting the same credentials from multiple services (Squid being one).
  It is no more different than a user signing up at two separate
 websites with identical username/password details and being able to
 login to both.
The problem with Shibboleth is it is SAML and requires a domain that is
plain text (select from a drop down dialog). Hence the need to redirect
to a webpage to select and enter things.

RFC 6128 (is that right? the http auth stuff?) doesn't seem to allow a
webpage to give credentials to be used for the next page. I do not know
even if it does, if it would work for proxy auth.

I suppose it might be possible to have them enter a bogus password and
their full home user name (u...@example.org) which seems to be returned
by Shibboleth authentication. The problem then is, I need a secure way
of sharing the data between the proxy_auth stuff and the page where they
get redirected so that the two can be linked in a common database.

Is there a way to do this?


 If no, then do a url_rewrite_access (I am assuming this is correct)?

 redirector helper is one way to do it. But these must first accept the
 request for processing (http_access allow). It is more efficient to do
 the above ACLs I listed and alter the denial message sent by Squid
 into a 307 redirect message.

 ** redirectors like external ACL helpers, do not perform HTTP
 authentication. Just authorization.
Can you show me an example of a redirector? (If I am just missing one in
the docs, a url is fantastic)

I think a redirector is how the url I posted did things, but I couldn't
figure it out.


 Finally, is it possible to have multiple authentication algorithms?

 When using Proxy-Authenticate: yes of course.
But not with redirector?

 Some
 of the users will be local and be able to do krb5/spnego. So, if at all
 possible, I would like to have the option of trying krb5, then spnego,
 then Shibboleth.

 I suggest you work along the lines of using an external_acl_type
 helper for Shibboleth. Since it is more about authorization of a
 request to be processed than authenticating that the source IP is a
 genuine user account.


 You can use localnet ACL or a similar check for internal/external
 clients to skip or require the authentication with Negotiate/kerberos.


 Amos
Well, this is on a home network where various filtering would be
required for different users (think of that for homes where parents
think porn is ok for them but bad for children, or more likely that
certain health or other categories are appropriate/needed by certain
people, but inappropriate for young children, etc.)

Thank you for the help,
Trever







[squid-users] Authentication of non-standard methods

2012-12-11 Thread Trever L. Adams
Hello Everyone,

I am looking at Shibboleth. I have seen one example
(http://www.switch.ch/aai/support/presentations/opcom-201105/AAI-OpCom-AAI_for_mandatory_authentication_and_proxy_usage.pdf)
for using it with Squid. I am afraid it makes no sense to me.

I am afraid I do not know much about Shibboleth yet. It has three
components for authentication, user, password, domain. It has to use
redirects, etc.

I see an easy way for this to work, but need help figuring it out.

If a user isn't authenticated, I need to send them to a url.

How do I know if a user is authenticated? Well, it seems that this is
going to have to be passing the requesting client's ip address to a
program and get the response back if they are authenticated or not. It
would be nice if I could pass a user name, but I am not sure how to do
this as this would require interaction with the browser and this should
be SSO.

So, is it possible to do an auth_param to a special program that just
looks at the ip address? Have it return yes/no for if it is an
authenticated session?

If no, then do a url_rewrite_access (I am assuming this is correct)?

Finally, is it possible to have multiple authentication algorithms? Some
of the users will be local and be able to do krb5/spnego. So, if at all
possible, I would like to have the option of trying krb5, then spnego,
then Shibboleth.

Thank you for any help,
Trever





Re: [squid-users] Authentication of non-standard methods

2012-12-11 Thread Amos Jeffries

On 12.12.2012 11:33, Trever L. Adams wrote:

Hello Everyone,

I am looking at Shibboleth. I have seen one example

(http://www.switch.ch/aai/support/presentations/opcom-201105/AAI-OpCom-AAI_for_mandatory_authentication_and_proxy_usage.pdf)
for using it with Squid. I am afraid it makes no sense to me.

I am afraid I do not know much about Shibboleth yet. It has three
components for authentication, user, password, domain. It has to use
redirects, etc.

I see an easy way for this to work, but need help figuring it out.

If a user isn't authenticated, I need to send them to a url.



 acl bounce src all
 acl auth proxy_auth REQUIRED
 deny_info 307:http://example.com/ bounce
 http_access deny !auth bounce

... but see below...



How do I know if a user is authenticated? Well, it seems that this is
going to have to be passing the requesting client's ip address to a
program and get the response back if they are authenticated or not.


NOTE: user != IP address. Therefore user authentication does not imply 
IP address is authenticated, particularly in HTTP where one client (IP 
address) can be presenting traffic from multiple users.
 Essentially stateful connection-based authentication and stateless 
HTTP do not mix well - as is constantly being 'discovered' by NTLM 
people.




It
would be nice if I could pass a user name, but I am not sure how to 
do
this as this would require interaction with the browser and this 
should

be SSO.


The ACLs above pass the Proxy-Authenticate header to a helper program 
for authentication tests. That header contains username and security 
token, sometimes domain if the auth type uses domains.


SSO is a property of the *backend* accepting the credentials supplied 
by the client to Squid. SSO is simply the process of the backend 
accepting the same credentials from multiple services (Squid being one).
 It is no more different than a user signing up at two separate 
websites with identical username/password details and being able to 
login to both.





So, is it possible to do an auth_param to a special program that just
looks at the ip address? Have it return yes/no for if it is an
authenticated session?


No. auth_param is about verifying that the user is who they say they 
are. Cousin Bob arriving in Alice's car ('from' IP address) does not 
verify that Bob == Alice, only that the vehicle is a car not a truck.


IP can at most be used as an authorization check to make some handling 
decision about the particular request. Authorization is done with 
external_acl_type helpers.





If no, then do a url_rewrite_access (I am assuming this is correct)?


redirector helper is one way to do it. But these must first accept the 
request for processing (http_access allow). It is more efficient to do 
the above ACLs I listed and alter the denial message sent by Squid into 
a 307 redirect message.


** redirectors like external ACL helpers, do not perform HTTP 
authentication. Just authorization.




Finally, is it possible to have multiple authentication algorithms?


When using Proxy-Authenticate: yes of course.


Some
of the users will be local and be able to do krb5/spnego. So, if at 
all
possible, I would like to have the option of trying krb5, then 
spnego,

then Shibboleth.


I suggest you work along the lines of using an external_acl_type helper 
for Shibboleth. Since it is more about authorization of a request to be 
processed than authenticating that the source IP is a genuine user 
account.



You can use localnet ACL or a similar check for internal/external 
clients to skip or require the authentication with Negotiate/kerberos.



Amos
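
One way to wire up what Amos describes (authorize by client IP through an external_acl_type helper fed by a web login, and bounce everyone else to the login page with deny_info), as an added example that is neither Squid's code nor anything posted in this thread; the script name, the sqlite session table, the login URL and the squid.conf lines in the docstring are all assumptions. It is the same shape as the ext_sql_session_acl helper mentioned earlier in the thread, trimmed to one lookup.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper (added example, not Squid's own code).

Authorises a request when the *client IP* has a live session that the web
login page registered after the IdP accepted the user. As Amos notes, an IP
is not a user: this is authorization, not authentication, so keep the session
TTL short and use ttl=0 on the Squid side so every request is re-checked.

Assumed squid.conf wiring (hypothetical paths and URL):

  external_acl_type ipsession ttl=0 negative_ttl=0 %SRC /usr/local/bin/ipsession_helper.py
  acl known_session external ipsession
  acl bounce src all
  deny_info 307:http://login.example.internal/ bounce
  http_access allow known_session
  http_access deny bounce
"""
import ipaddress
import sqlite3
import sys
import time

DB_PATH = "/var/lib/squid/ipsession.db"   # placeholder; the login page writes here


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions ("
               "ip TEXT PRIMARY KEY, user TEXT NOT NULL, expires INTEGER NOT NULL)")
    return db


def register_session(db, ip, user, ttl_seconds, now=None):
    """What the (hypothetical) login page calls once the IdP has vouched for `user`."""
    ip = str(ipaddress.ip_address(ip))            # ValueError on anything that is not an IP
    if not user or any(c.isspace() for c in user) or "=" in user:
        # the name is echoed into the helper reply; a space or '=' in it would
        # let a crafted IdP attribute smuggle extra key=value pairs to Squid
        raise ValueError("user must be a single token without '='")
    now = int(time.time()) if now is None else now
    db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)",
               (ip, user, now + ttl_seconds))
    db.commit()


def lookup(db, ip, now=None):
    """Username bound to this IP if the session is still valid, else None."""
    now = int(time.time()) if now is None else now
    row = db.execute("SELECT user FROM sessions WHERE ip = ? AND expires > ?",
                     (ip, now)).fetchone()
    return row[0] if row else None


def decide(line, db, now=None):
    """One request line from Squid in, one reply line out ('OK user=...' or 'ERR')."""
    fields = line.strip().split()
    channel = ""
    if len(fields) == 2:                 # with concurrency=N Squid prefixes a channel id
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) != 1:
        return channel + "ERR"
    try:
        ip = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return channel + "ERR"
    user = lookup(db, ip, now)
    return channel + ("OK user=" + user if user else "ERR")


def serve(db, stdin=sys.stdin, stdout=sys.stdout):
    for line in stdin:
        stdout.write(decide(line, db) + "\n")
        stdout.flush()                   # Squid holds the request until it sees the reply


if __name__ == "__main__":
    serve(open_db(DB_PATH))
```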


[squid-users] Authentication problem

2012-11-22 Thread Warren Baker
Hi List

I have squid-3.2.3 configured to make use of negotiate, and to
authenticate certain users. However the following config doesn't work


acl userA proxy_auth warren
acl userB proxy_auth testb

http_access allow userA
http_access allow userB
http_access deny all

userA successfully authenticates and can browse. userB however
obviously doesn't match the userA acl and just gets presented with the
cache denied page.
Debugging the acl shows that it never moves past the userA acl and
doesn't continue on to authenticating the 'testb' user.

What am I doing wrong here?

thx

-- 
.warren


[squid-users] Authentication problems with NTLM

2012-07-06 Thread Bruno Santos
Hi !


I've configured squid 3.1.10-1 (latest available for CentOS 6.2) with NTLM 
authentication, but squid keeps asking for username and password. And sometimes 
more than once...


Users are authenticated in the domain, using IE6/7/9, but squid keeps asking 
for username/password.


Those with other browsers and Linux it's normal, but in windows no. I don't 
know if Firefox in windows is supposed to ask for password or not, but it asks.


I have everything working with samba and winbind.


Samba recognizes the user and winbind too.


Wbinfo authentication:



wbinfo -a teste%12345
plaintext password authentication succeeded
challenge/response password authentication succeeded


Squid ntlm_auth also is working ok



/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
teste 12345
OK


I noticed something in the logs: there are also lots of TCP_DENIED before 
TCP_MISS (and squid didn't ask for a password).
An example of accessing a website:



111.111.11.11 TCP_DENIED/407 4758 GET http://www.venezuelatuya.com/tour/minitour.JPG - NONE/- text/html
1341573268.467 8 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minioccidente.jpg - NONE/- text/html
1341573268.469 9 111.111.11.11 TCP_DENIED/407 4766 GET http://www.venezuelatuya.com/tour/minicentro.jpg - NONE/- text/html
1341573268.472 11 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minilosroques.jpg - NONE/- text/html
1341573268.472 11 111.111.11.11 TCP_DENIED/407 4774 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minicaracas.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4762 GET http://www.venezuelatuya.com/tour/miniandes.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minimargarita.jpg - NONE/- text/html
1341573268.549 275 111.111.11.11 TCP_MISS/200 2186 GET http://www.venezuelatuya.com/scripts/mapapaginaprincipal.js teste DIRECT/207.58.139.197 application/javascript
1341573268.576 139 111.111.11.11 TCP_MISS/200 444 GET http://www.venezuelatuya.com/principal.css teste DIRECT/207.58.139.197 text/css
1341573268.602 1 111.111.11.11 TCP_DENIED/407 4467 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.606 1 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.608 1 111.111.11.11 TCP_DENIED/407 4907 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.617 1 111.111.11.11 TCP_DENIED/407 5186 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.699 399 111.111.11.11 TCP_MISS/200 3817 GET http://www.venezuelatuya.com/scripts/barrabusqueda.js teste DIRECT/207.58.139.197 application/javascript
1341573268.741 272 111.111.11.11 TCP_MISS/200 2801 GET http://www.venezuelatuya.com/tour/minioccidente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.745 137 111.111.11.11 TCP_MISS/200 3520 GET http://www.venezuelatuya.com/tour/minioriente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.753 274 111.111.11.11 TCP_MISS/200 2062 GET http://www.venezuelatuya.com/tour/minilosroques.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.755 276 111.111.11.11 TCP_MISS/200 2725 GET http://www.venezuelatuya.com/tour/miniandes.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.867 400 111.111.11.11 TCP_MISS/200 4137 GET http://www.venezuelatuya.com/tour/minitour.JPG teste DIRECT/207.58.139.197 image/jpeg
1341573268.869 396 111.111.11.11 TCP_MISS/200 3447 GET http://www.venezuelatuya.com/tour/minicentro.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.877 400 111.111.11.11 TCP_MISS/200 3310 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.880 403 111.111.11.11 TCP_MISS/200 3829 GET http://www.venezuelatuya.com/tour/minimargarita.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.882 404 111.111.11.11 TCP_MISS/200 3452 GET http://www.venezuelatuya.com/tour/minicaracas.jpg teste DIRECT/207.58.139.197 image/jpeg



Here is my samba config:
-


[global]

workgroup = workgroup
server string = Squid Server Version %v

netbios name = Dakota

hosts allow = 127. list_of_ips_allowed

log file = /var/log/samba/log.%m
max log size = 50

security = domain
realm = HAL.MIN-SAUDE.PT


password server = dc.domain.com dc1.domain.com
acl compatibility = win2k
unix extensions = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes


-


And here is my squid config:




Re: [squid-users] Authentication problems with NTLM

2012-07-06 Thread Amos Jeffries

On 6/07/2012 11:42 p.m., Bruno Santos wrote:

Hi !


I've configured squid 3.1.10-1 (latest available for CentOS 6.2) with NTLM 
authentication, but squid keeps asking for username and password. And sometimes 
more than once...


Users are authenticated in the domain, using IE6/7/9, but squid keeps asking 
for username/password.


Those with other browsers and Linux it's normal, but in windows no. I don't 
know if Firefox in windows is supposed to ask for password or not, but it asks.


For machines logged into the domain being logged into a proxy which uses 
the domain credentials - the browser should never ask. This is a strong 
sign that the proxy is using different credentials than the ones used to 
log into the machine, or is losing them somehow..





I have everything working with samba and winbind.


Samba recognizes the user and winbind too.


Wbinfo authentication:



wbinfo -a teste%12345
plaintext password authentication succeeded
challenge/response password authentication succeeded


Squid ntlm_auth also is working ok



/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
teste 12345
OK


How much delay is the next thing to look for: I suspect 0.2sec?



I noticed something in the logs: there are also lots of TCP_DENIED before 
TCP_MISS (and squid didn't ask for a password).
An example of accessing a website:



111.111.11.11 TCP_DENIED/407 4758 GET http://www.venezuelatuya.com/tour/minitour.JPG - NONE/- text/html
1341573268.467 8 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minioccidente.jpg - NONE/- text/html
1341573268.469 9 111.111.11.11 TCP_DENIED/407 4766 GET http://www.venezuelatuya.com/tour/minicentro.jpg - NONE/- text/html
1341573268.472 11 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minilosroques.jpg - NONE/- text/html
1341573268.472 11 111.111.11.11 TCP_DENIED/407 4774 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minicaracas.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4762 GET http://www.venezuelatuya.com/tour/miniandes.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minimargarita.jpg - NONE/- text/html
1341573268.549 275 111.111.11.11 TCP_MISS/200 2186 GET http://www.venezuelatuya.com/scripts/mapapaginaprincipal.js teste DIRECT/207.58.139.197 application/javascript
1341573268.576 139 111.111.11.11 TCP_MISS/200 444 GET http://www.venezuelatuya.com/principal.css teste DIRECT/207.58.139.197 text/css


This appears to be normal.
 * Over the course of 7ms the client delivers 8 requests.
 * squid responds with auth-needed challenge as required by NTLM to 
each of these.


This might be connections opened in parallel, or requests pipelined at 
once before the first response comes back. 8 is a suspicious number, 
that is the default browser config value for maximum number of 
connections to open for any one website. I highly suspect this is 8 new 
connections being opened and performing NTLM handshake.



50ms later there are more denies. Which looks like the connections 
earlier authenticated (partially?) got closed and new ones needed 
authenticating.



1341573268.602 1 111.111.11.11 TCP_DENIED/407 4467 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.606 1 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.608 1 111.111.11.11 TCP_DENIED/407 4907 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.617 1 111.111.11.11 TCP_DENIED/407 5186 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.699 399 111.111.11.11 TCP_MISS/200 3817 GET http://www.venezuelatuya.com/scripts/barrabusqueda.js teste DIRECT/207.58.139.197 application/javascript


About 200ms after the earlier bunch of DENIED/407 responses an identical 
bunch pass through successfully. Exactly like the auth challenge was 
being responded to with correct credentials.



1341573268.741 272 111.111.11.11 TCP_MISS/200 2801 GET http://www.venezuelatuya.com/tour/minioccidente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.745 137 111.111.11.11 TCP_MISS/200 3520 GET http://www.venezuelatuya.com/tour/minioriente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.753 274 111.111.11.11 TCP_MISS/200 2062 GET http://www.venezuelatuya.com/tour/minilosroques.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.755 276 111.111.11.11 TCP_MISS/200 2725 GET http://www.venezuelatuya.com/tour/miniandes.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.867 400 111.111.11.11 TCP_MISS/200 4137 GET http://www.venezuelatuya.com/tour/minitour.JPG teste DIRECT/207.58.139.197 image/jpeg
1341573268.869 396 111.111.11.11 TCP_MISS/200 3447 GET http://www.venezuelatuya.com/tour/minicentro.jpg teste

Re: [squid-users] Authentication problems with NTLM

2012-07-06 Thread Bruno Santos
Hi !

Thanks for the reply Amos !

For some reason, I get the squid mailing list emails with a delay...
While I wasn't getting any response (thank you for your response) I dug a bit 
myself and I found in the squid wiki a page about CentOS 5.5 (I'm using 6.2, but 
it is different from the page about CentOS)

http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5

with some notes about ntlm authentication.

I didn't need samba or nmb running, so I shut down those services and kept 
winbind running.

I removed the basic authentication from squid.conf (I've already tried in Firefox 
3 and Firefox 2 on Ubuntu 7.10 - the oldest Linux I'm running around here) 
and the authentication page appears, the user types their credentials and 
everything is fine.

I've also changed a line in my squid.conf:

From:
http_access allow ntlmAuth

to:
http_access allow HomeNetworks ntlmAuth

and it just started working - no authentication in windows...

Thank you all !


- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Friday, 6 July, 2012 2:08:19 PM
Subject: Re: [squid-users] Authentication problems with NTLM

On 6/07/2012 11:42 p.m., Bruno Santos wrote:
 Hi !


 I've configured squid 3.1.10-1 (latest available for CentOS 6.2) with NTLM 
 authentication, but squid keeps asking for username and password. And 
 sometimes more than once...


 Users are authenticated in the domain, using IE6/7/9, but squid keeps asking 
 for username/password.


 Those with other browsers and Linux it's normal, but in windows no. I don't 
 know if Firefox in windows is supposed to ask for password or not, but it 
 asks.

For machines logged into the domain being logged into a proxy which uses
the domain credentials - the browser should never ask. This is a strong
sign that the proxy is using different credentials than the ones used to
log into the machine, or is losing them somehow..



 I have everything working with samba and winbind.


 Samba recognizes the user and winbind too.


 Wbinfo authentication:



 wbinfo -a teste%12345
 plaintext password authentication succeeded
 challenge/response password authentication succeeded


 Squid ntlm_auth also is working ok



 /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
 teste 12345
 OK

How much delay is the next thing to look for: I suspect 0.2sec?


 I noticed something in the logs: there are also lots of TCP_DENIED before 
 TCP_MISS (and squid didn't ask for a password).
 An example of accessing a website:



 111.111.11.11 TCP_DENIED/407 4758 GET http://www.venezuelatuya.com/tour/minitour.JPG - NONE/- text/html
 1341573268.467 8 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minioccidente.jpg - NONE/- text/html
 1341573268.469 9 111.111.11.11 TCP_DENIED/407 4766 GET http://www.venezuelatuya.com/tour/minicentro.jpg - NONE/- text/html
 1341573268.472 11 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minilosroques.jpg - NONE/- text/html
 1341573268.472 11 111.111.11.11 TCP_DENIED/407 4774 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg - NONE/- text/html
 1341573268.474 10 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minicaracas.jpg - NONE/- text/html
 1341573268.474 10 111.111.11.11 TCP_DENIED/407 4762 GET http://www.venezuelatuya.com/tour/miniandes.jpg - NONE/- text/html
 1341573268.474 10 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minimargarita.jpg - NONE/- text/html
 1341573268.549 275 111.111.11.11 TCP_MISS/200 2186 GET http://www.venezuelatuya.com/scripts/mapapaginaprincipal.js teste DIRECT/207.58.139.197 application/javascript
 1341573268.576 139 111.111.11.11 TCP_MISS/200 444 GET http://www.venezuelatuya.com/principal.css teste DIRECT/207.58.139.197 text/css

This appears to be normal.
  * Over the course of 7ms the client delivers 8 requests.
  * squid responds with auth-needed challenge as required by NTLM to
each of these.

This might be connections opened in parallel, or requests pipelined at
once before the first response comes back. 8 is a suspicious number,
that is the default browser config value for maximum number of
connections to open for any one website. I highly suspect this is 8 new
connections being opened and performing NTLM handshake.


50ms later there are more denies. Which looks like the connections
earlier authenticated (partially?) got closed and new ones needed
authenticating.

 1341573268.602 1 111.111.11.11 TCP_DENIED/407 4467 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
 1341573268.606 1 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
 1341573268.608 1 111.111.11.11 TCP_DENIED/407 4907 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
 1341573268.617 1 111.111.11.11 TCP_DENIED/407 5186 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
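
Amos reads the access.log above by hand: a batch of TCP_DENIED/407 challenges within a few ms (one per new connection starting its NTLM handshake), then the same URLs passing with credentials roughly 200ms later. The script below does that reading programmatically, as an added example that is not from the thread and not Squid's code; SAMPLE_LOG is constructed on the pattern of the lines above with placeholder (documentation-range) addresses, and the native log format is assumed.

```python
"""Group Squid native access.log 407 challenges into per-client bursts and
measure the credential round-trip per URL (added example, constructed data)."""
import re
import statistics

# native format: time elapsed client code/status bytes method URL user hierarchy/peer mime
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)


def parse_line(line):
    """One access.log line -> dict, or None if it is not native format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["elapsed_ms"] = int(rec.pop("elapsed"))
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def challenge_bursts(records, gap_s=0.020):
    """Per client, split its 407 challenges into bursts: challenges closer than
    gap_s seconds belong to one burst (one batch of connections all handshaking).
    Returns {client: [(first_ts, count), ...]}."""
    by_client = {}
    for r in records:
        if r["status"] == 407:
            by_client.setdefault(r["client"], []).append(r["ts"])
    out = {}
    for client, stamps in by_client.items():
        stamps.sort()
        bursts, start, last, n = [], stamps[0], stamps[0], 0
        for ts in stamps:
            if ts - last > gap_s:
                bursts.append((start, n))
                start, n = ts, 0
            n, last = n + 1, ts
        bursts.append((start, n))
        out[client] = bursts
    return out


def retry_delays(records):
    """For each (client, URL) that got a 407: milliseconds from the first
    challenge until the same client fetched that URL with a 2xx.
    Returns {client: sorted [delay_ms, ...]}."""
    challenged, delays = {}, {}
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["client"], r["url"])
        if r["status"] == 407:
            challenged.setdefault(key, []).append(r["ts"])
        elif 200 <= r["status"] < 300 and key in challenged:
            first = challenged.pop(key)[0]
            delays.setdefault(r["client"], []).append(round((r["ts"] - first) * 1000))
    return {c: sorted(v) for c, v in delays.items()}


def summarize(lines, gap_s=0.020):
    """{client: {"bursts": [sizes...], "median_retry_ms": number or None}}"""
    records = [r for r in map(parse_line, lines) if r]
    bursts, delays = challenge_bursts(records, gap_s), retry_delays(records)
    report = {}
    for client in set(bursts) | set(delays):
        d = delays.get(client)
        report[client] = {
            "bursts": [n for _, n in bursts.get(client, [])],
            "median_retry_ms": statistics.median(d) if d else None,
        }
    return report


# Constructed sample in the shape of the thread's log; 192.0.2.0/24 and
# 203.0.113.0/24 are documentation ranges, "teste" is the user as in the thread.
SAMPLE_LOG = """\
1341573268.462 7 192.0.2.10 TCP_DENIED/407 4758 GET http://www.example.net/tour/a.jpg - NONE/- text/html
1341573268.465 8 192.0.2.10 TCP_DENIED/407 4778 GET http://www.example.net/tour/b.jpg - NONE/- text/html
1341573268.469 9 192.0.2.10 TCP_DENIED/407 4766 GET http://www.example.net/tour/c.jpg - NONE/- text/html
1341573268.549 275 192.0.2.10 TCP_MISS/200 2186 GET http://www.example.net/scripts/x.js teste DIRECT/203.0.113.5 application/javascript
1341573268.602 1 192.0.2.10 TCP_DENIED/407 4467 GET http://www.example.net/tour/d.jpg - NONE/- text/html
1341573268.606 1 192.0.2.10 TCP_DENIED/407 4770 GET http://www.example.net/tour/d.jpg - NONE/- text/html
1341573268.741 272 192.0.2.10 TCP_MISS/200 2801 GET http://www.example.net/tour/b.jpg teste DIRECT/203.0.113.5 image/jpeg
1341573268.745 137 192.0.2.10 TCP_MISS/200 3520 GET http://www.example.net/tour/d.jpg teste DIRECT/203.0.113.5 image/jpeg
1341573268.867 400 192.0.2.10 TCP_MISS/200 4137 GET http://www.example.net/tour/a.jpg teste DIRECT/203.0.113.5 image/jpeg
1341573268.869 396 192.0.2.10 TCP_MISS/200 3447 GET http://www.example.net/tour/c.jpg teste DIRECT/203.0.113.5 image/jpeg
this line is not in native format and is skipped
"""

if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(client, "407 bursts:", info["bursts"],
              "median retry ms:", info["median_retry_ms"])
```

A burst of 8 that recurs every few hundred ms on one client is the "8 new connections each doing the handshake" pattern Amos describes; a steadily growing median retry delay points at the helper, not the browser.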

[squid-users] Authentication with active directory (Windows Server 2008).

2012-06-15 Thread João Paulo Ferreira
Hello,

I would like an opinion from you. I'm implementing squid in the company
where I work and would like to integrate with our active directory
(windows server 2008 R2) in the same way as with ntlm, but that
was giving a little problem because the user accounts were being
blocked.

Sorry I'm a translation using Google Translate.

-- 
Sincerely,

João Paulo Ferreira
Computer Science Student

+ 55 (71) 9297 - 1260
+ 55 (71) 8837 - 7080
j...@joaoferreira.eti.br

Never tell God that you have a big problem; tell your problem
that you have a big God.


Re: [squid-users] Authentication bug in 3.1.19 solved in 3.2.0.17

2012-05-27 Thread Amos Jeffries

On 25/05/2012 8:37 p.m., Alan wrote:

Hello,

I'm implementing a proxy server that authenticates users via radius,
and then based on the source ip, login and the destination, grants
access or not to the requested objects.

The relevant section of squid.conf is:

auth_param basic program /usr/lib/squid/squid_radius_auth -f
/etc/squid/radius.conf -t 5
auth_param basic children 5
auth_param basic realm Web Proxy
auth_param basic credentialsttl 1 hour
external_acl_type my_acl_type %SRC %LOGIN %DST /var/www/htdocs/acl.php
acl my_acl external my_acl_type
http_access allow my_acl
http_access deny all

Both IE and Firefox have the same behavior: they popup the
authentication prompt, then they can make requests for a while, and
randomly popup the authentication prompt again.  I type the same
username and password, and it works fine.
In Konqueror there is no popup, I guess it tries again one more time
with the last username and password before prompting the user.

A network capture reveals that the client is always sending the right
Proxy-Authentication header with its requests, but squid randomly
replies with a 407 status code, without even asking the radius server
(the authentication result is presumably still cached).

In squid 3.2.0.17 this problem is gone and I don't get the
authentication prompts anymore, but since it is labeled Beta instead
of Stable, I wonder if this can be solved in the 3.1 series.

Has anybody else been affected by this?


Very likely.

The 3.2 code has had a near complete re-write to resolve a large number 
of mysterious little bugs in pointer reference handling. That change is 
BIG, still being debugged itself, and I'm not willing to repeat the 
years voluntary work spent on fixing 3.2. So the auth bug fixes are not 
going to be automatically ported to 3.1 like most others are. Patches 
are welcome though if you wish to spend the time or money to locate and 
fix 3.1.


Amos


[squid-users] Authentication bug in 3.1.19 solved in 3.2.0.17

2012-05-25 Thread Alan
Hello,

I'm implementing a proxy server that authenticates users via radius,
and then based on the source ip, login and the destination, grants
access or not to the requested objects.

The relevant section of squid.conf is:

auth_param basic program /usr/lib/squid/squid_radius_auth -f
/etc/squid/radius.conf -t 5
auth_param basic children 5
auth_param basic realm Web Proxy
auth_param basic credentialsttl 1 hour
external_acl_type my_acl_type %SRC %LOGIN %DST /var/www/htdocs/acl.php
acl my_acl external my_acl_type
http_access allow my_acl
http_access deny all

Both IE and Firefox have the same behavior: they popup the
authentication prompt, then they can make requests for a while, and
randomly popup the authentication prompt again.  I type the same
username and password, and it works fine.
In Konqueror there is no popup, I guess it tries again one more time
with the last username and password before prompting the user.

A network capture reveals that the client is always sending the right
Proxy-Authentication header with its requests, but squid randomly
replies with a 407 status code, without even asking the radius server
(the authentication result is presumably still cached).

In squid 3.2.0.17 this problem is gone and I don't get the
authentication prompts anymore, but since it is labeled Beta instead
of Stable, I wonder if this can be solved in the 3.1 series.

Has anybody else been affected by this?

Best regards,

Alan


AW: AW: [squid-users] Authentication problem

2012-05-15 Thread Fuhrmann, Marcel
Image #1 appears to be a login box of some kind. Where is it coming from; the 
browser software or a web page?
 Browser

Image #2 appears to be an HTTP login which the browser is refusing to display 
popup box for. Why is the browser not finding credentials somewhere or showing 
a popup?
 The popup shown in picture one doesn't appear. For some reason, some 
 credentials are automatically used (maybe SSO) or some configuration block 
 this login popup.


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Wednesday, 9 May 2012 03:53
To: squid-users@squid-cache.org
Subject: Re: AW: [squid-users] Authentication problem

On 09.05.2012 01:44, Fuhrmann, Marcel wrote:
 Hi Markus,

 sorry, but it doesn't work. :-(

 - Added this line in squid.conf
 - server squid3 reload
 - deleted IE cache restarted IE and open the website - same error.


Err, yeah. Leaving the headers alone only works if one was already playing with 
erasing them in the first place. If someone else was erasing them in transit 
you need to kick them about the problems.


 Any other ideas?

Finding out what the problem actually is would be a better start.

Image #1 appears to be a login box of some kind. Where is it coming from; the 
browser software or a web page?

Image #2 appears to be an HTTP login which the browser is refusing to display 
popup box for. Why is the browser not finding credentials somewhere or showing 
a popup?

Amos



 -Original Message-
 From: Markus Lauterbach

 Hi Marcel,

 You have to add a small piece in your config. I think, it should look 
 somehow like this:

 header_access Authorization allow all

 And restart your squid.

 Markus

 -Original Message-
 From: Fuhrmann, Marcel

 Hello,

 I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a 
 website.
 Normally (without proxy) I get this window to log in:
 http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu

 With proxy I get this error (german; but understandable):
 http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um

 Can somebody give me advice?


 Thanks a lot!

 --
 Marcel



[squid-users] authentication issue

2012-05-10 Thread Donald Sylvester Bacha



Dear All,
 
Can you guys please advise on how to resolve an authentication issue where a 
pop-up box keeps prompting for authentication. Users are part of Active Directory 
and squid is set up to use NTLM for authentication. This issue is happening for 
all users. There have not been any configuration changes of late. As an 
administrator, I am fairly new to squid. Your help would be extremely appreciated. 
 
Regards,
Donald

Re: [squid-users] authentication issue

2012-05-10 Thread Harry Mills

On 10/05/2012 22:31, Donald Sylvester Bacha wrote:




Dear All,

Can you guys please advise on how to resolve an authentication issue where a 
pop-up box keeps prompting for authentication. Users are part of Active Directory 
and squid is set up to use NTLM for authentication. This issue is happening for 
all users. There have not been any configuration changes of late. As an 
administrator, I am fairly new to squid. Your help would be extremely appreciated.

Regards,
Donald  


Hi Donald,

I presume it was working and has now stopped without any config changes? 
If so, check your clock on the squid box is within 5 minutes sync of 
your domain controller clocks.


If it is not this, then you will need to provide a little more info such 
as whether you have any other authentication schemes configured in 
squid, and whether winbind is running and working:


To test that winbind is working OK you can use the following commands:

wbinfo -t
(should say succeeded)

wbinfo -u
(should list all your domain users)

etc

Regards

Harry
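
The checks Harry lists, collected into one pre-flight script. This is an added example and not code from the thread: it assumes Samba's wbinfo and net are installed on the Squid host, that Squid runs as the Debian/Ubuntu default user (proxy) and that the winbindd privileged socket is granted through the winbindd_priv group as on those distributions; the DC name is a placeholder given on the command line. The clock comparison uses GNU date to parse the timestamp net time prints.

```sh
#!/bin/sh
# Pre-flight checks for Squid NTLM authentication through Samba winbind.
# Added example, not code from this thread. Assumes Samba's wbinfo and net,
# a Squid daemon running as $SQUID_USER, and a reachable DC given as $1.

MAX_SKEW=300                      # Kerberos/NTLM default tolerance: 5 minutes
SQUID_USER=${SQUID_USER:-proxy}   # Debian/Ubuntu squid3 package default

# skew_ok LOCAL_EPOCH DC_EPOCH: succeed when the two clocks differ by <= MAX_SKEW.
skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then
        diff=$(( -diff ))
    fi
    [ "$diff" -le "$MAX_SKEW" ]
}

# check_clock DC: compare our clock with the DC's as reported by `net time`.
# Assumes GNU date, which parses the "Thu May 10 22:31:00 2012" form net prints.
check_clock() {
    dc_time=$(net time -S "$1" 2>/dev/null) || { echo "FAIL: net time -S $1"; return 1; }
    dc_epoch=$(date -d "$dc_time" +%s) || return 1
    if skew_ok "$(date +%s)" "$dc_epoch"; then
        echo "OK: clock within ${MAX_SKEW}s of $1"
    else
        echo "FAIL: clock skew to $1 exceeds ${MAX_SKEW}s; fix NTP before anything else"
        return 1
    fi
}

# check_winbind: the trust secret must verify and the domain must enumerate.
check_winbind() {
    wbinfo -t >/dev/null 2>&1 || { echo "FAIL: wbinfo -t (trust secret)"; return 1; }
    n=$(wbinfo -u 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo "FAIL: wbinfo -u listed no users"; return 1; }
    echo "OK: winbind trust verified, $n domain users visible"
}

# check_privileged_pipe: ntlm_auth needs winbindd's privileged socket, so the
# Squid user must belong to the group that owns it (winbindd_priv on Debian/Ubuntu).
check_privileged_pipe() {
    if id -nG "$SQUID_USER" 2>/dev/null | tr ' ' '\n' | grep -qx winbindd_priv; then
        echo "OK: $SQUID_USER is in winbindd_priv"
    else
        echo "FAIL: add $SQUID_USER to the winbindd_priv group and restart squid"
        return 1
    fi
}

main() {
    rc=0
    check_clock "$1" || rc=1
    check_winbind || rc=1
    check_privileged_pipe || rc=1
    return $rc
}

# Usage: sh ntlm_preflight.sh DC01.example.local
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it on the Squid box after a "suddenly every user is prompted" report: a clock that has drifted past the five-minute window fails the first check, a broken machine account fails the second, and a Squid user that lost its group membership after a package upgrade fails the third.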


[squid-users] Authentication problem

2012-05-08 Thread Fuhrmann, Marcel
Hello,

I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a website.
Normally (without proxy) I get this window to log in:
http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu

With proxy I get this error (german; but understandable):
http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um

Can somebody give me advice?


Thanks a lot!

--
Marcel



RE: [squid-users] Authentication problem

2012-05-08 Thread Markus Lauterbach
Hi Marcel,

You have to add a small piece in your config. I think, it should look somehow 
like this:

header_access Authorization allow all

And restart your squid.

Markus

 -Original Message-
 From: Fuhrmann, Marcel [mailto:marcel.fuhrm...@lux.ag]
 Sent: Tuesday, 8 May 2012 15:04
 To: squid-users@squid-cache.org
 Subject: [squid-users] Authentication problem
 
 Hello,
 
 I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a website.
 Normally (without proxy) I get this window to log in:
 http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu
 
 With proxy I get this error (german; but understandable):
 http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um
 
 Can somebody give me advice?
 
 
 Thanks a lot!
 
 --
 Marcel



AW: [squid-users] Authentication problem

2012-05-08 Thread Fuhrmann, Marcel
Hi Markus,

sorry, but it doesn't work. :-(

- Added this line in squid.conf
- server squid3 reload
- deleted IE cache restarted IE and open the website - same error.

Any other ideas?

--
Marcel




-Original Message-
From: Markus Lauterbach [mailto:markus.lauterb...@meinestadt.de] 
Sent: Tuesday, 8 May 2012 15:32
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Authentication problem

Hi Marcel,

You have to add a small piece in your config. I think, it should look somehow 
like this:

header_access Authorization allow all

And restart your squid.

Markus

 -Original Message-
 From: Fuhrmann, Marcel [mailto:marcel.fuhrm...@lux.ag]
 Sent: Tuesday, 8 May 2012 15:04
 To: squid-users@squid-cache.org
 Subject: [squid-users] Authentication problem
 
 Hello,
 
 I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a website.
 Normally (without proxy) I get this window to log in:
 http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu
 
 With proxy I get this error (german; but understandable):
 http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um
 
 Can somebody give me advice?
 
 
 Thanks a lot!
 
 --
 Marcel



Re: AW: [squid-users] Authentication problem

2012-05-08 Thread Amos Jeffries

On 09.05.2012 01:44, Fuhrmann, Marcel wrote:

Hi Markus,

sorry, but it doesn't work. :-(

- Added this line in squid.conf
- server squid3 reload
- deleted IE cache restarted IE and open the website - same error.



Err, yeah. Leaving the headers alone only works if one was already 
playing with erasing them in the first place. If someone else was 
erasing them in transit you need to kick them about the problems.




Any other ideas?


Finding out what the problem actually is would be a better start.

Image #1 appears to be a login box of some kind. Where is it coming 
from; the browser software or a web page?


Image #2 appears to be an HTTP login which the browser is refusing to 
display popup box for. Why is the browser not finding credentials 
somewhere or showing a popup?


Amos




-Original Message-
From: Markus Lauterbach

Hi Marcel,

You have to add a small piece in your config. I think, it should look
somehow like this:

header_access Authorization allow all

And restart your squid.

Markus


-Original Message-
From: Fuhrmann, Marcel

Hello,

I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a 
website.

Normally (without proxy) I get this window to log in:
http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu

With proxy I get this error (german; but understandable):
http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um

Can somebody give me advice?


Thanks a lot!

--
Marcel
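
An illustration of the point Amos makes above, added here and not taken from the thread: an "allow" for the Authorization header only changes anything if a rule in the same squid.conf was already stripping it. Squid 3 splits the old header_access directive into request_header_access (client-to-server headers) and reply_header_access (server-to-client headers); the directive names are Squid's, the ruleset around them is a hypothetical privacy configuration of the kind that causes this symptom.

```conf
# Weak: a privacy ruleset that also throws away credentials. The browser
# answers the site's HTTP 401 with an Authorization header, Squid strips it,
# the site answers 401 again, and the user sees an error or a login loop.
request_header_access From deny all
request_header_access Referer deny all
request_header_access Authorization deny all    # <- breaks origin-server login

# Corrected: keep the privacy rules but let credentials through in both
# directions. Each header name has its own rule list, so the Authorization
# line alone decides the fate of that header.
request_header_access From deny all
request_header_access Referer deny all
request_header_access Authorization allow all
reply_header_access WWW-Authenticate allow all  # only matters if reply rules strip it
```

If squid.conf contains no deny rule for Authorization at all, the header is already passed through and adding the allow line is a no-op; the next suspects are an upstream peer, an ICAP service or the origin site itself, which is what Amos's "who is erasing them in transit" question is getting at.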




[squid-users] Authentication Logging/Debugging

2012-04-16 Thread Chris Waters
I am working some authentication/performance issues with Squid 3.1.19 on
Ubuntu with NTLM via winbind and a filtering upstream service (proxy
chaining). Is there a method for turning on more verbose logging that
either shows the object the authentication parts are processing on or
interleaving the access log and debug log so that it's apparent which
authentication request belongs to which object?  What I am trying to
determine is if there are authentication issues or if it's the upstream
causing the latency.

I am not specifically talking about turning specific logging sections on
(like 28,9 29,9 for example), but a better method of matching what's being
requested and what's being done to authenticate the request.

I am also open to suggestion as to better methods to diagnose these kinds
of issues as well, so please, if you have an idea, let's hear it.

Thanks,

Chris Waters




Re: [squid-users] Authentication Logging/Debugging

2012-04-16 Thread Amos Jeffries

On 17.04.2012 09:03, Chris Waters wrote:
I am working some authentication/performance issues with Squid 3.1.19 on
Ubuntu with NTLM via winbind and a filtering upstream service (proxy
chaining). Is there a method for turning on more verbose logging that
either shows the object the authentication parts are processing on or
interleaving the access log and debug log so that it's apparent which
authentication request belongs to which object?  What I am trying to
determine is if there are authentication issues or if it's the upstream
causing the latency.


You can use the auth_user_request/AuthUserRequest hex IDs to determine 
creation (start) and result (finish) lookup timings. Those objects store 
the handshake and validation state info and are thus the best indicator 
available of what is going on.




I am not specifically talking about turning specific logging sections on
(like 28,9 29,9 for example), but a better method of matching what's being
requested and what's being done to authenticate the request.



NTLM does not authenticate *requests*. Please be clear on that.

It hijacks and violates the HTTP layer headers to authenticate the TCP 
connection layer packets. Then assumes (incorrectly) that all requests 
sent over the TCP connection are from the same end-user. In order to 
cope with that bad assumption Squid is forced to disable all HTTP 
multiplexing abilities on connections sighted using NTLM or Negotiate 
auth (we call this pinning).


 * This pinning is #3 major cause of latency issues with NTLM in proxy 
chaining. Since it locks two socket connections per end-user at each hop 
along the HTTP chain (creating a limit of ~64K users per proxy listening 
IP).


As a side effect; other than the first-request rejections there is 
nothing to correlate access.log records with NTLM authentication. You 
need to create a custom log format with both %a and %p to get the 
client IP:port details about the TCP connection and see what requests 
are taking place on it. Then map those requests to a particular state 
order for the credentials contained within, then to the AuthUserRequest 
object managing those credentials. Fun times.




I am also open to suggestion as to better methods to diagnose these kinds
of issues as well, so please, if you have an idea, let's hear it.


Also look at the size of body/entity/data in requests taking part in 
the NTLM handshake. NTLM requires the HTTP request to be repeated for 
each of the handshake steps. This is not too bad on a high speed link, 
or with small fetch request. But when uploading say a multi-MB (or GB) 
object it can take down a network.


 * bandwidth + CPU + time wasted discarding POST/PUT bodies is #1 major 
cause of latency from NTLM.



Also, look at winbind concurrent lookup load when latency is observed. 
Winbind has an absolute limit somewhere around 256 concurrent 
authentications. Each authentication takes the *full* handshake worth of 
HTTP request round trips to complete. Additional lookups (TCP 
connections) are blocked until winbind can service them.


 * winbind queue limits is #2 major cause of latency with NTLM.



Two additional things to be aware of:
 * NTLM has officially been obsoleted by MS for some years now, to be 
completely End-of-Lifed with WindowsXP and none of their new software 
supports it by default.
 * Negotiate/Kerberos is supported by all the new software and was 
designed to avoid the above latency and bandwidth waste issues.
   When comparing auth speeds between MS software from before and after 
2007, default use of Kerberos is often the reason newer ones work far 
faster and more reliably.



Amos
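
A way to do the per-connection correlation Amos describes, and to spot the parallel-connection handshake storm from the TCP_DENIED/407 burst in the excerpt at the top of this page. This is an added example, not code from the thread or from Squid. It assumes a custom logformat, named ntlm here, that records the client source port (%>p) next to the client IP (%>a) and otherwise mirrors Squid's native "squid" format; the log lines embedded in the script are constructed for the example, not a real capture.

```python
"""Correlate NTLM/Negotiate handshake traffic in a Squid access.log per TCP
connection. Added example, not code from the thread.

Assumed squid.conf (hypothetical format name "ntlm"; the tokens are the
documented logformat codes, %>a = client IP, %>p = client source port):

    logformat ntlm %ts.%03tu %6tr %>a:%>p %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
    access_log /var/log/squid/access.log ntlm
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One record of the "ntlm" format above (IPv4 clients only, for brevity).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<rt>\d+)\s+(?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)\s*$"
)


@dataclass
class Record:
    ts: float
    ip: str
    port: int
    status: int
    user: str


def parse(line: str) -> Optional[Record]:
    """Return a Record for one log line, or None for anything unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Record(float(m["ts"]), m["ip"], int(m["port"]),
                  int(m["status"]), m["user"])


def analyze(lines, max_challenges=2, burst_window=1.0):
    """Group records by (client IP, client port), i.e. by TCP connection.

    A clean NTLM handshake costs exactly two 407s on a connection (the
    initial challenge, then the Type-2 challenge) before the first non-407
    reply carries the user name. More than max_challenges 407s means the
    credentials were rejected or the connection was re-challenged. The
    per-IP burst count is the largest number of new connections one client
    opened inside burst_window seconds, which exposes the parallel-connection
    handshake storm (8 is the usual browser per-host connection limit).
    """
    conns = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            conns[(rec.ip, rec.port)].append(rec)

    report = {"connections": {}, "excess_challenges": [], "bursts": {}}
    starts_by_ip = defaultdict(list)
    for key, recs in conns.items():
        recs.sort(key=lambda r: r.ts)
        challenges = sum(1 for r in recs if r.status == 407)
        user = next((r.user for r in recs if r.status != 407 and r.user != "-"), None)
        report["connections"][key] = {
            "requests": len(recs), "challenges": challenges, "user": user}
        if challenges > max_challenges:
            report["excess_challenges"].append(key)
        starts_by_ip[key[0]].append(recs[0].ts)

    for ip, starts in starts_by_ip.items():
        starts.sort()
        best, j = 0, 0
        for i, t in enumerate(starts):      # sliding window over connection start times
            while t - starts[j] > burst_window:
                j += 1
            best = max(best, i - j + 1)
        report["bursts"][ip] = best
    return report


# Constructed sample log (not a real capture): one healthy handshake on port
# 50001, one failing connection on 50002, and an 8-connection burst from a
# second client that all start a handshake within 40 ms.
SAMPLE_LOG = [
    "1341573268.100    1 192.0.2.10:50001 TCP_DENIED/407 4467 GET http://www.example.com/a.jpg - NONE/- text/html",
    "1341573268.150    1 192.0.2.10:50001 TCP_DENIED/407 4770 GET http://www.example.com/a.jpg - NONE/- text/html",
    "1341573268.200   35 192.0.2.10:50001 TCP_MISS/200 5123 GET http://www.example.com/a.jpg alice DIRECT/198.51.100.7 image/jpeg",
    "1341573268.300    1 192.0.2.10:50002 TCP_DENIED/407 4467 GET http://www.example.com/b.jpg - NONE/- text/html",
    "1341573268.350    1 192.0.2.10:50002 TCP_DENIED/407 4770 GET http://www.example.com/b.jpg - NONE/- text/html",
    "1341573268.400    1 192.0.2.10:50002 TCP_DENIED/407 4770 GET http://www.example.com/b.jpg - NONE/- text/html",
] + [
    f"1341573268.{600 + 5 * i:03d}    1 192.0.2.11:{50010 + i} TCP_DENIED/407 4467 GET "
    f"http://googleads.example/pagead/ads? - NONE/- text/html"
    for i in range(8)
]

if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for key, info in sorted(rep["connections"].items()):
        print(f"{key[0]}:{key[1]}  requests={info['requests']} "
              f"407s={info['challenges']} user={info['user']}")
    print("re-challenged connections:", rep["excess_challenges"])
    print("max new connections per second, per client:", rep["bursts"])
```

On a real log, feed analyze() the file line by line and look at the two lists it returns: connections with more than two 407s point at winbind or credential problems, while a high burst count for one client with no excess challenges is just the browser opening its connection pool, each connection paying the handshake once.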



Re: [squid-users] Authentication problem

2012-04-06 Thread Mohamed Amine Kadimi
 The designed purpose of these redirect tricks in commercial proxies (and
 Squid captive portals too) is to get the client to make a request to a
 controlled web service. That server pulls details such as the client IP
 address and user-agent header (maybe other things) which the proxy can use
 as the things it checks for in external_acl_type script to guess at which
 later requests are coming from this same client and allow them through. If
 you do login at that point (optional!) it is merely to associate the browser
 signature with a username for recording/billing purposes.

Thank you for clearing that up for me.

So when a client requests a web page, I'll check some session table
which should return OK to let the user go to the internet or ERR to
redirect him to my portal and recheck for cookie presence.

The problem now is this session table. Is there any squid session
helper which is able to bind the session info to additional data
beside the user's IP?



--
Mohamed Amine Kadimi

Tel     : +212 (0) 675 72 36 45


Re: [squid-users] Authentication problem

2012-04-04 Thread Amos Jeffries

On 4/04/2012 3:54 a.m., Mohamed Amine Kadimi wrote:
OK, so here's another pseudo code that comes to my mind, this is 
somehow similar to some commercial products (Ironport, bluecoat):


- The user connects to http://www.somesite.com via the proxy
- The Proxy redirects to http://authenticationportal/http://www.somesite.com 
with 302 return code.
- User is verified/authenticated on the authentication portal. This 
authentication portal sets a cookie and redirects to http://www.somesite.com
- User connects to http://www.somesite.com via proxy. Proxy knows user is 
authenticated (cookie).


The problem is with the last step since the cookie is bound to 
http://authenticationportal so the user may encounter an endless loop.


Exactly. The browser authenticated against your website. It did not 
authenticate against the proxy or against somesite.com.


The designed purpose of these redirect tricks in commercial proxies (and 
Squid captive portals too) is to get the client to make a request to a 
controlled web service. That server pulls details such as the client IP 
address and user-agent header (maybe other things) which the proxy can 
use as the things it checks for in external_acl_type script to guess at 
which later requests are coming from this same client and allow them 
through. If you do login at that point (optional!) it is merely to 
associate the browser signature with a username for recording/billing 
purposes.
  Notice how there is nothing required for the browser to do except 
visit. Basically: no authentication.





Do you know the solution for letting this authenticated user go to the 
target after being authenticated


I think you are getting closer to understanding the boundary between 
possible and impossible.


The whole point of traffic interception is that the browser is *not* 
aware of the proxy. You might as well try to drink water out of an empty 
cup,  as to get the browser to do something special for the proxy.



I like your example. somesite.com happens to actually be a real 
website owned by an actual dodgy company.  Go on; visit it. See the ads, 
see the script errors, read the no-privacy policy, notice how the 
opt-out from their user tracking systems is not working.


Now consider what would happen if authenticationportal was your own 
banks website. What details about your login to the bank would you want 
to send to that dodgy website? the username? the password? the session 
cookies? some other detail used to link you and your accounts?


You are asking us how to make the browser spread exactly that private 
information to websites which have no business receiving it.


Amos



On 3/04/2012 3:40 a.m., Mohamed Amine Kadimi wrote:

Dear Developers and Community,

I would like to set up the following configuration using squid:

When a user asks for a web page he is transparently redirected to
squid, where an authentication must be done before serving the
user
with content.


Please read

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F





However, users IP are being NATed before going to the proxy.
So the
solution would be to use an application-layer verification:
cookies or
http headers

So, I come across the following solutions:

1. Use an ICAP server which checks if a cookie is set,
otherwise set
it for an authenticated user
 the problem is: cookies are bound to domains + each http
request must
be validated

2. Use a php splash page which sets the cookie then redirect
to destination
 same problem as ICAP

3. using squid authentication and checking if Proxy-Authorization
header is set before serving the client
  problem: sessions are associated to the IP by squid

I'm using squid 3.1

Thank you for any idea


The whole point of transparent interception is that the browser is
*completely unaware it is talking to a proxy*. It contacted some
web server, and *all* of its communications are with that server.
If you can find a way to trick it into storing security
credentials of any kind set by your proxy it will consider those
credentials safe to use when contacting the same server via other
non-HTTP methods as well, causing great deal of problems. The good
thing to do at that point is to report the zero-day security
vulnerability you just found.


You might be able to use details gleaned from the browsers request
to *guess* what user it is and have a external_acl_type script
inform Squid of the guessed username. Or to authorize (*not*
authenticate) the request to happen.

Amos




Re: [squid-users] Authentication problem

2012-04-03 Thread Amos Jeffries

On 3/04/2012 3:40 a.m., Mohamed Amine Kadimi wrote:

Dear Developers and Community,

I would like to set up the following configuration using squid:

When a user asks for a web page he is transparently redirected to
squid, where an authentication must be done before serving the user
with content.


Please read
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F




However, users IP are being NATed before going to the proxy. So the
solution would be to use an application-layer verification: cookies or
http headers

So, I come across the following solutions:

1. Use an ICAP server which checks if a cookie is set, otherwise set
it for an authenticated user
  the problem is: cookies are bound to domains + each http request must
be validated

2. Use a php splash page which sets the cookie then redirect to destination
  same problem as ICAP

3. using squid authentication and checking if Proxy-Authorization
header is set before serving the client
   problem: sessions are associated to the IP by squid

I'm using squid 3.1

Thank you for any idea


The whole point of transparent interception is that the browser is 
*completely unaware it is talking to a proxy*. It contacted some web 
server, and *all* of its communications are with that server. If you can 
find a way to trick it into storing security credentials of any kind set 
by your proxy it will consider those credentials safe to use when 
contacting the same server via other non-HTTP methods as well, causing 
great deal of problems. The good thing to do at that point is to report 
the zero-day security vulnerability you just found.



You might be able to use details gleaned from the browsers request to 
*guess* what user it is and have a external_acl_type script inform Squid 
of the guessed username. Or to authorize (*not* authenticate) the 
request to happen.


Amos
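
The guess-and-authorize approach Amos describes, as an added example that is not part of the thread and not a Squid helper: an external_acl_type helper keyed on the client IP plus the User-Agent header, so NATed clients sharing one IP are at least told apart by browser, which is the "additional data beside the user's IP" Mohamed asks about. The helper protocol (one lookup per stdin line, one OK or ERR per stdout line, an optional user= tag) is Squid's; the session file format, the paths, the portal hostname and the TTL are assumptions for the example. As Amos says, this authorizes a browser signature, it does not authenticate anyone: a client that presents the IP and User-Agent of a logged-in neighbour is waved through.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: authorise requests whose (client IP,
User-Agent) pair has an unexpired portal session. Added example, not code
from the thread.

Assumed squid.conf (names and paths hypothetical):

    external_acl_type portal_session ttl=10 negative_ttl=0 children=5 \\
        %SRC %{User-Agent} /usr/local/bin/portal_session_acl.py
    acl portal_ok external portal_session
    acl portal_host dstdomain portal.example.internal
    http_access allow portal_host
    deny_info http://portal.example.internal/login portal_ok
    http_access deny !portal_ok
    http_access allow localnet

Session file: the portal appends "ip<TAB>ua_sha256<TAB>user<TAB>expires_epoch".
"""
import hashlib
import sys
import time
from urllib.parse import unquote

SESSION_FILE = "/var/lib/portal/sessions.tsv"   # hypothetical path
SESSION_TTL = 8 * 3600                            # 8 hours, chosen for the example


def ua_key(user_agent: str) -> str:
    """Hash the User-Agent so the session file never stores it verbatim."""
    return hashlib.sha256(user_agent.encode("utf-8", "replace")).hexdigest()


def parse_request(line: str):
    """Split one helper input line into (ip, user_agent).

    Squid quotes each %-token value so that it stays one word: newer
    versions URL-encode it (spaces arrive as %20), older ones wrap it in
    double quotes. Handle both so the helper works either way.
    """
    ip, _, rest = line.rstrip("\n").partition(" ")
    rest = rest.strip()
    if len(rest) >= 2 and rest.startswith('"') and rest.endswith('"'):
        ua = rest[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    else:
        ua = unquote(rest)
    return ip, ua


def load_sessions(text: str, now: float) -> dict:
    """Parse the session table, dropping expired rows. Returns {(ip, ua_hash): user}."""
    table = {}
    for row in text.splitlines():
        parts = row.split("\t")
        if len(parts) != 4:
            continue                       # skip malformed rows rather than failing open
        ip, ua_hash, user, expires = parts
        if float(expires) > now:
            table[(ip, ua_hash)] = user
    return table


def decide(table: dict, line: str) -> str:
    """Produce the helper's answer for one input line.

    "OK user=<name>" lets Squid log the guessed user in %un; "ERR" sends the
    request to the deny_info redirect. Never echo the User-Agent back:
    everything after OK/ERR is parsed by Squid as key=value pairs.
    """
    ip, ua = parse_request(line)
    user = table.get((ip, ua_key(ua)))
    return f"OK user={user}" if user else "ERR"


def new_session_row(ip: str, user_agent: str, user: str, now: float) -> str:
    """Row the portal writes after a successful login."""
    return f"{ip}\t{ua_key(user_agent)}\t{user}\t{now + SESSION_TTL:.0f}"


def main() -> None:
    # Re-read the table per lookup: Squid's own ttl= caches answers and the
    # file is small. Flush after every answer or Squid waits forever.
    for line in sys.stdin:
        try:
            with open(SESSION_FILE, encoding="utf-8") as fh:
                table = load_sessions(fh.read(), time.time())
        except OSError:
            table = {}
        sys.stdout.write(decide(table, line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The portal itself stays an ordinary web application that records new_session_row() after its own login step; the proxy never sees a cookie, which is exactly why the redirect loop Mohamed ran into does not arise.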


Re: [squid-users] Authentication problem

2012-04-03 Thread Mohamed Amine Kadimi
OK, so here's another pseudo code that comes to my mind, this is
somehow similar to some commercial products (Ironport, bluecoat):

- The user connects to http://www.somesite.com via the proxy
- The Proxy redirects to
http://authenticationportal/http://www.somesite.com with 302 return
code.
- User is verified/authenticated on the authentication portal. This
authentication portal sets a cookie and redirects to
http://www.somesite.com
- User connects to http://www.somesite.com via proxy. Proxy knows user
is authenticated (cookie).

The problem is with the last step since the cookie is bound to
http://authenticationportal so the user may encounter an endless loop.

Do you know the solution for letting this authenticated user go to the
target after being authenticated

2012/4/3 Amos Jeffries squ...@treenet.co.nz

 On 3/04/2012 3:40 a.m., Mohamed Amine Kadimi wrote:

 Dear Developers and Community,

 I would like to set up the following configuration using squid:

 When a user asks for a web page he is transparently redirected to
 squid, where an authentication must be done before serving the user
 with content.


 Please read
 http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F




 However, users IP are being NATed before going to the proxy. So the
 solution would be to use an application-layer verification: cookies or
 http headers

 So, I come across the following solutions:

 1. Use an ICAP server which checks if a cookie is set, otherwise set
 it for an authenticated user
  the problem is: cookies are bound to domains + each http request must
 be validated

 2. Use a php splash page which sets the cookie then redirect to destination
  same problem as ICAP

 3. using squid authentication and checking if Proxy-Authorization
 header is set before serving the client
   problem: sessions are associated to the IP by squid

 I'm using squid 3.1

 Thank you for any idea


 The whole point of transparent interception is that the browser is 
 *completely unaware it is talking to a proxy*. It contacted some web server, 
 and *all* of its communications are with that server. If you can find a way 
 to trick it into storing security credentials of any kind set by your proxy 
 it will consider those credentials safe to use when contacting the same 
 server via other non-HTTP methods as well, causing great deal of problems. 
 The good thing to do at that point is to report the zero-day security 
 vulnerability you just found.


 You might be able to use details gleaned from the browsers request to *guess* 
 what user it is and have a external_acl_type script inform Squid of the 
 guessed username. Or to authorize (*not* authenticate) the request to happen.

 Amos




--
Mohamed Amine Kadimi

Tel     : +212 (0) 675 72 36 45


[squid-users] Authentication problem

2012-04-02 Thread Mohamed Amine Kadimi
Dear Developers and Community,

I would like to set up the following configuration using squid:

When a user asks for a web page he is transparently redirected to
squid, where an authentication must be done before serving the user
with content.

However, users IP are being NATed before going to the proxy. So the
solution would be to use an application-layer verification: cookies or
http headers

So, I come across the following solutions:

1. Use an ICAP server which checks if a cookie is set, otherwise set
it for an authenticated user
 the problem is: cookies are bound to domains + each http request must
be validated

2. Use a php splash page which sets the cookie then redirect to destination
 same problem as ICAP

3. using squid authentication and checking if Proxy-Authorization
header is set before serving the client
  problem: sessions are associated to the IP by squid

I'm using squid 3.1

Thank you for any idea


RE: [squid-users] Authentication Prompts

2011-09-09 Thread Jenny Lee

 Date: Fri, 9 Sep 2011 12:50:24 +1200
 From: squ...@treenet.co.nz
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] Authentication Prompts
 
 On 09/09/11 06:28, Matt Cochran wrote:
  I've been trying to model two different kinds of users in ACLs, where the 
  kids are authenticated by one account, and the adults another. The kids are 
  allowed to go only to a whitelist of websites, but I'd like the adults to 
  be able to override this behavior for a while if they enter their 
  credentials. I was also trying to wire this into a db-auth environment so I 
  can alter the accounts from my desktop.
 
  Following the guide at 
  http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F,
   I can keep the kids restricted to a site but the parents get stuck in an 
  authentication loop or just denied access. Here's my config - can anyone 
  help me figure this out?
 
 
 
 Notice that would allow the kids to get a popup and re-try with parents 
 login to restricted sites without the parent being present.
 
 
 What you are asking for is this:
 
 # login required to go anywhere at all
 http_access deny !db-auth
 
 # kids to their sites
 http_access allow !parents kids_sites
 
 # parents anywhere
 http_access allow parents
 
 # challenge if not logged in with parents credentials
 http_access deny !parents
 
 # everything else is blocked.
 http_access deny all
 
 
Can't we simplify this to:
 
http_access deny !db-auth
http_access allow kids_sites
http_access deny all !parents

Jenny 

Re: [squid-users] Authentication Prompts

2011-09-09 Thread Amos Jeffries

On 10/09/11 01:52, Jenny Lee wrote:



Date: Fri, 9 Sep 2011 12:50:24 +1200
From: squ...@treenet.co.nz
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Authentication Prompts

On 09/09/11 06:28, Matt Cochran wrote:

I've been trying to model two different kinds of users in ACLs, where the kids 
are authenticated by one account, and the adults another. The kids are allowed 
to go only to a whitelist of websites, but I'd like the adults to be able to 
override this behavior for a while if they enter their credentials. I was also 
trying to wire this into a db-auth environment so I can alter the accounts from 
my desktop.

Following the guide at 
http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F,
 I can keep the kids restricted to a site but the parents get stuck in an 
authentication loop or just denied access. Here's my config - can anyone help 
me figure this out?




Notice that would allow the kids to get a popup and re-try with parents
login to restricted sites without the parent being present.


What you are asking for is this:

# login required to go anywhere at all
http_access deny !db-auth

# kids to their sites
http_access allow !parents kids_sites

# parents anywhere
http_access allow parents

# challenge if not logged in with parents credentials
http_access deny !parents

# everything else is blocked.
http_access deny all



Can't we simplify this to:

http_access deny !db-auth
http_access allow kids_sites
http_access deny all !parents

Jenny   


Yes you could. Thanks.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.15
  Beta testers wanted for 3.2.0.11


[squid-users] Authentication Prompts

2011-09-08 Thread Matt Cochran
I've been trying to model two different kinds of users in ACLs, where the kids 
are authenticated by one account, and the adults another. The kids are allowed 
to go only to a whitelist of websites, but I'd like the adults to be able to 
override this behavior for a while if they enter their credentials. I was also 
trying to wire this into a db-auth environment so I can alter the accounts from 
my desktop.

Following the guide 
at http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F,
 I can keep the kids restricted to a site but the parents get stuck in an 
authentication loop or just denied access. Here's my config - can anyone help 
me figure this out? 

auth_param basic program /usr/lib64/squid/squid_db_auth --user squid --password 
squidward --plaintext --persist
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 20 minute
auth_param basic casesensitive off


acl kids_sites dstdomain /etc/squid/kids_sites.txt
acl parents proxy_auth sigmondMom
acl db-auth proxy_auth REQUIRED
http_access allow db-auth kids_sites
http_access deny !parents all
http_access allow db-auth

# And finally deny all other access to this proxy
http_access deny all


Re: [squid-users] Authentication Prompts

2011-09-08 Thread Amos Jeffries

On 09/09/11 06:28, Matt Cochran wrote:

I've been trying to model two different kinds of users in ACLs, where the kids 
are authenticated by one account, and the adults another. The kids are allowed 
to go only to a whitelist of websites, but I'd like the adults to be able to 
override this behavior for a while if they enter their credentials. I was also 
trying to wire this into a db-auth environment so I can alter the accounts from 
my desktop.

Following the guide at 
http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F,
 I can keep the kids restricted to a site but the parents get stuck in an 
authentication loop or just denied access. Here's my config - can anyone help 
me figure this out?




Notice that would allow the kids to get a popup and re-try with parents 
login to restricted sites without the parent being present.



What you are asking for is this:

 # login required to go anywhere at all
 http_access deny !db-auth

 # kids to their sites
 http_access allow !parents kids_sites

 # parents anywhere
 http_access allow parents

 # challenge if not logged in with parents credentials
 http_access deny !parents

 # everything else is blocked.
 http_access deny all

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.15
  Beta testers wanted for 3.2.0.11
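To make the challenge-versus-deny distinction behind Amos's "Notice" concrete, here is an added example (not code from the thread or from Squid) that models http_access evaluation in Python and runs Amos's rule set, Jenny's three-line version from the reply further up the page, and a variant with "all" as the last ACL on the deny line. The evaluation rules it implements are a stated simplification of Squid's behaviour; the kids_sites domain, the user names other than sigmondMom, and the request cases are constructed.

```python
"""Toy model of Squid http_access evaluation (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    host: str
    user: Optional[str] = None   # None: no Proxy-Authorization header sent


@dataclass
class Acl:
    kind: str                    # "dstdomain", "proxy_auth" or "all"
    args: List[str] = field(default_factory=list)

    def matches(self, req: Request) -> bool:
        if self.kind == "all":
            return True
        if self.kind == "dstdomain":
            # simplified: a listed domain matches itself and its subdomains
            return any(req.host == d or req.host.endswith("." + d) for d in self.args)
        if self.kind == "proxy_auth":
            # only called with credentials present; REQUIRED accepts any valid login
            return self.args == ["REQUIRED"] or req.user in self.args
        raise ValueError(self.kind)


def evaluate(acls: Dict[str, Acl], rules: List[str], req: Request) -> str:
    """Return 'ALLOW', 'DENY 403' or 'DENY 407' for req under the given lines.

    Modelled rules (a simplification of Squid 3.x, stated as an assumption):
      * lines are tried in order; a line matches when all its ACLs match,
        tested left to right, stopping at the first one that does not;
      * a proxy_auth ACL tested without credentials ends evaluation with a
        407 challenge, whether the line says allow or deny;
      * a matching deny line answers 407 (re-challenge) if the last ACL
        tested on it was a proxy_auth ACL, otherwise 403;
      * if no line matches, the result is the opposite of the last line.
    """
    last_action = "deny"
    for line in rules:
        action, *terms = line.split()
        last_action = action
        line_matches = True
        last_acl: Optional[Acl] = None
        for term in terms:
            negated = term.startswith("!")
            acl = acls[term.lstrip("!")]
            last_acl = acl
            if acl.kind == "proxy_auth" and req.user is None:
                return "DENY 407"            # nothing to test: challenge the client
            if acl.matches(req) == negated:  # term is false after applying '!'
                line_matches = False
                break
        if line_matches:
            if action == "allow":
                return "ALLOW"
            challenged = last_acl is not None and last_acl.kind == "proxy_auth"
            return "DENY 407" if challenged else "DENY 403"
    return "ALLOW" if last_action == "deny" else "DENY 403"


# Constructed stand-ins for the thread's ACLs; kids_sites.txt is assumed to list one site.
ACLS = {
    "kids_sites": Acl("dstdomain", ["kids.example"]),
    "parents": Acl("proxy_auth", ["sigmondMom"]),
    "db-auth": Acl("proxy_auth", ["REQUIRED"]),
    "all": Acl("all"),
}
AMOS = ["deny !db-auth", "allow !parents kids_sites", "allow parents",
        "deny !parents", "deny all"]
JENNY = ["deny !db-auth", "allow kids_sites", "deny all !parents"]
# Jenny's version with 'all' as the final ACL: kids get a plain 403 instead of a popup.
NO_POPUP = ["deny !db-auth", "allow kids_sites", "deny !parents all"]

CASES = {
    "anonymous":     Request("example.org"),
    "kid@kids_site": Request("kids.example", "kid"),
    "kid@other":     Request("example.org", "kid"),
    "parent@other":  Request("example.org", "sigmondMom"),
}


def outcomes(rules: List[str]) -> Dict[str, str]:
    return {name: evaluate(ACLS, rules, req) for name, req in CASES.items()}


if __name__ == "__main__":
    for label, rules in (("Amos", AMOS), ("Jenny", JENNY), ("no-popup", NO_POPUP)):
        print(label, outcomes(rules))
```

Amos's and Jenny's lists give identical answers for all four cases; the difference is only that Jenny's relies on the implicit default (the opposite of the last line) to admit the parent. Moving "all" to the end of the deny line is the change that turns the kids' re-challenge popup into a flat denial.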


RE: [squid-users] Authentication infinite loop

2011-08-10 Thread David Parks
I just verified that 3.2.0.10 exhibits this digest authentication problem, and 
I've updated the bug report you (Amos) referenced accordingly.

I also verified that 3.1.14 does *NOT* have this problem (and noted it in the 
same bug report).

Thanks for the response, that's good enough for me for now.

Dave

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Tuesday, July 26, 2011 3:41 PM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Authentication infinite loop

 On Tue, 26 Jul 2011 15:05:22 -0700, David Parks wrote:
 After some more testing I'm finding more cause for concern here. I'm 
 using
 3.2.0.9 in this test.

 Please use 3.2.0.10. .9 has some big issues.


 Digest authentication is configured. I am now just using a simple 
 auth
 helper script which sits in a loop and outputs ERR (as per the 
 docs, this
 output indicates user not found, though in another test I found 
 that
 outputting an incorrect password hash has the same effect).
 Nothing interesting shows up in cache.log during any of this.

 Here is the behavior I see:

 - Run squid
 - Open the browser w/ squid instance configured as proxy
 - Browser indicates that it's trying to make a connection to the 
 default
 home page (google in this case), waiting
 - Squid auth helper receives nothing (I've got it copying output to a 
 debug
 file for viewing)

 - Timeout in around 75 seconds

 - Logs show user - received TCP_DENIED status (I believe this means 
 a 407
 went back to the browser, but I wasn't monitoring for this 
 specifically)

 Don't assume. Unless the log shows 407 as the status (ie 
 TCP_DENIED/407) there are other things from explicit ACLs, too-big 
 headers and bodies, mangled credentials, or unparsable header values 
 which can cause DENIED.

 - Still auth helper log shows that it received nothing
 - Browser requests user/pass popup

 - Entering user/pass sends the entry to the auth helper which replies 
 with
 ERR
 - Browser pops up the authentication dialogue again
 - Entering the same user/pass again causes the logs to spam user 
 username
 with status TCP_DENIED as quickly as possible (notice that the log 
 now shows
 the username, not -)


 Example auth helper script used:
 #!/bin/bash
 # test helper: append every line Squid sends to a debug file, then reject it with ERR
 while read LINE; do
 echo "$LINE" >> /tmp/output
 echo ERR
 done


 Sounds like http://bugs.squid-cache.org/show_bug.cgi?id=3186

 There is a workaround posted, but it is not a nice one.

 We need to ensure that unchecked is ONLY set if the browser actually 
 sent whole new details. If the TTL has expired a background check needs 
 to be kicked without altering the existing ok/err state of the 
 credentials. There is a grace period where the old value may be used 
 while a background revalidate with the helper is done.

 Amos


 -Original Message-
 From: David Parks

 In doing some dev work I see a situation where squid gets into an 
 infinite
 loop with the browser. The situation:

 1) Browser attempts digest authentication against squid (running with 
 a
 custom auth helper)
 2) auth helper fails user authentication
 3) I believe squid caches the authentication failure
 4) Browser requests a page using the above authentication
 5) Squid replies with 407 - authentication required
 6) INFINITE LOOP: (Browser retries request : squid replies with 407)

 The above loop running locally can rack up a meg of data transfer in 
 just
 seconds.

 I remember dealing with this issue some time back in some other work 
 and
 just don't recall what I did about it.

 I'm running a custom auth helper, log daemon, and url rewrite helper.




RE: [squid-users] Authentication infinite loop

2011-07-26 Thread David Parks
After some more testing I'm finding more cause for concern here. I'm using
3.2.0.9 in this test.

Digest authentication is configured. I am now just using a simple auth
helper script which sits in a loop and outputs ERR (as per the docs, this
output indicates user not found, though in another test I found that
outputting an incorrect password hash has the same effect).
Nothing interesting shows up in cache.log during any of this.

Here is the behavior I see:

- Run squid
- Open the browser w/ squid instance configured as proxy
- Browser indicates that it's trying to make a connection to the default
home page (google in this case), waiting
- Squid auth helper receives nothing (I've got it copying output to a debug
file for viewing)

- Timeout in around 75 seconds

- Logs show user - received TCP_DENIED status (I believe this means a 407
went back to the browser, but I wasn't monitoring for this specifically)
- Still auth helper log shows that it received nothing
- Browser requests user/pass popup

- Entering user/pass sends the entry to the auth helper which replies with
ERR
- Browser pops up the authentication dialogue again
- Entering the same user/pass again causes the logs to spam user username
with status TCP_DENIED as quickly as possible (notice that the log now shows
the username, not -)


Example auth helper script used:
#!/bin/bash
# test helper: append every line Squid sends to a debug file, then reject it with ERR
while read LINE; do
echo "$LINE" >> /tmp/output
echo ERR
done


-Original Message-
From: David Parks [mailto:davidpark...@yahoo.com] 
Sent: Monday, July 25, 2011 7:11 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Authentication infinite loop

In doing some dev work I see a situation where squid gets into an infinite
loop with the browser. The situation:

1) Browser attempts digest authentication against squid (running with a
custom auth helper)
2) auth helper fails user authentication
3) I believe squid caches the authentication failure
4) Browser requests a page using the above authentication
5) Squid replies with 407 - authentication required
6) INFINITE LOOP: (Browser retries request : squid replies with 407)

The above loop running locally can rack up a meg of data transfer in just
seconds.

I remember dealing with this issue some time back in some other work and
just don't recall what I did about it.

I'm running a custom auth helper, log daemon, and url rewrite helper.




RE: [squid-users] Authentication infinite loop

2011-07-26 Thread Amos Jeffries

On Tue, 26 Jul 2011 15:05:22 -0700, David Parks wrote:
After some more testing I'm finding more cause for concern here. I'm 
using

3.2.0.9 in this test.


Please use 3.2.0.10. .9 has some big issues.



Digest authentication is configured. I am now just using a simple 
auth
helper script which sits in a loop and outputs ERR (as per the 
docs, this
output indicates user not found, though in another test I found 
that

outputting an incorrect password hash has the same effect).
Nothing interesting shows up in cache.log during any of this.

Here is the behavior I see:

- Run squid
- Open the browser w/ squid instance configured as proxy
- Browser indicates that it's trying to make a connection to the 
default

home page (google in this case), waiting
- Squid auth helper receives nothing (I've got it copying output to a 
debug

file for viewing)

- Timeout in around 75 seconds

- Logs show user - received TCP_DENIED status (I believe this means 
a 407
went back to the browser, but I wasn't monitoring for this 
specifically)


Don't assume. Unless the log shows 407 as the status (ie 
TCP_DENIED/407) there are other things from explicit ACLs, too-big 
headers and bodies, mangled credentials, or unparsable header values 
which can cause DENIED.



- Still auth helper log shows that it received nothing
- Browser requests user/pass popup

- Entering user/pass sends the entry to the auth helper which replies 
with

ERR
- Browser pops up the authentication dialogue again
- Entering the same user/pass again causes the logs to spam user 
username
with status TCP_DENIED as quickly as possible (notice that the log 
now shows

the username, not -)


Example auth helper script used:
#!/bin/bash
# test helper: append every line Squid sends to a debug file, then reject it with ERR
while read LINE; do
echo "$LINE" >> /tmp/output
echo ERR
done



Sounds like http://bugs.squid-cache.org/show_bug.cgi?id=3186

There is a workaround posted, but it is not a nice one.

We need to ensure that unchecked is ONLY set if the browser actually 
sent whole new details. If the TTL has expired a background check needs 
to be kicked without altering the existing ok/err state of the 
credentials. There is a grace period where the old value may be used 
while a background revalidate with the helper is done.


Amos



-Original Message-
From: David Parks

In doing some dev work I see a situation where squid gets into an 
infinite

loop with the browser. The situation:

1) Browser attempts digest authentication against squid (running with 
a

custom auth helper)
2) auth helper fails user authentication
3) I believe squid caches the authentication failure
4) Browser requests a page using the above authentication
5) Squid replies with 407 - authentication required
6) INFINITE LOOP: (Browser retries request : squid replies with 407)

The above loop running locally can rack up a meg of data transfer in 
just

seconds.

I remember dealing with this issue some time back in some other work 
and

just don't recall what I did about it.

I'm running a custom auth helper, log daemon, and url rewrite helper.





[squid-users] Authentication infinite loop

2011-07-25 Thread David Parks
In doing some dev work I see a situation where squid gets into an infinite
loop with the browser. The situation:

1) Browser attempts digest authentication against squid (running with a
custom auth helper)
2) auth helper fails user authentication
3) I believe squid caches the authentication failure
4) Browser requests a page using the above authentication
5) Squid replies with 407 - authentication required
6) INFINITE LOOP: (Browser retries request : squid replies with 407)

The above loop running locally can rack up a meg of data transfer in just
seconds.

I remember dealing with this issue some time back in some other work and
just don't recall what I did about it.

I'm running a custom auth helper, log daemon, and url rewrite helper.
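The burst of TCP_DENIED entries described in this thread, together with Amos's point that only a TCP_DENIED/407 status actually proves a challenge went back to the browser, suggests a log-side check. The following is an added example, not part of the thread: it parses Squid native-format access.log lines and flags any client/user pair that collects a threshold of 407 denials inside a short window. The log lines, addresses and names are constructed; the threshold and window are assumptions to tune per site.

```python
"""Spot 407 challenge loops in Squid native-format access.log lines (constructed example)."""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Optional, Tuple

# Squid native log line:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_auth_loops(lines: Iterable[str], threshold: int = 10,
                    window: float = 5.0) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Return {(client, user): (max_hits, bytes)} for every client/user pair that
    collected at least `threshold` TCP_DENIED/407 replies inside `window` seconds.

    A burst logged with user "-" is just repeated initial challenges; a burst that
    carries a username is the browser resending the same rejected credentials,
    which is the loop the thread describes.
    """
    recent: Dict[Tuple[str, str], Deque[Tuple[float, int]]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], Tuple[int, int]] = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["code"] != "TCP_DENIED" or rec["status"] != "407":
            continue
        key = (rec["client"], rec["user"])
        hits = recent[key]
        hits.append((rec["ts"], rec["bytes"]))
        while hits and rec["ts"] - hits[0][0] > window:   # slide the window
            hits.popleft()
        if len(hits) >= threshold and len(hits) > alerts.get(key, (0, 0))[0]:
            alerts[key] = (len(hits), sum(b for _, b in hits))
    return alerts


# Constructed sample: one normal login (challenge, then a 200) and one client
# stuck resending rejected credentials twelve times in the same second.
SAMPLE_LOG = [
    "1311700000.000    12 10.0.0.5 TCP_DENIED/407 3532 GET http://www.example.com/ - NONE/- text/html",
    "1311700000.900   150 10.0.0.5 TCP_MISS/200 8123 GET http://www.example.com/ alice DIRECT/203.0.113.10 text/html",
] + [
    f"1311700075.{i:03d}     0 10.0.0.9 TCP_DENIED/407 3532 GET http://www.example.com/ dave NONE/- text/html"
    for i in range(12)
]

if __name__ == "__main__":
    for (client, user), (hits, nbytes) in find_auth_loops(SAMPLE_LOG).items():
        print(f"{client} as {user!r}: {hits} x 407 within 5s, {nbytes} bytes")
```

Run against a live log this is a cheap way to tell a client that is merely being challenged once from one caught in the resend loop, and the byte total shows how much bandwidth the loop is consuming.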



[squid-users] Authentication/Authorization Challenge

2011-07-06 Thread Robert Velter
Hi all,

I have a (nice?) Squid authentication/authorization challenge.

I already have a working authentication configuration using Negotiate
with squid_kerb_auth and NTLM using ntlm_auth. Authorization is done
using an external_acl_type with squid_ldap_group.

Now I want users to be able to authenticate/authorize using Basic auth when
the squid_ldap_group check fails, resulting in the following logic:

grant access if ((logged in windowsuser is in group internet) or
 (given credentials authenticate for group internet))

As far as I understand I can't solve this with auth_param modifications
because the external_acl ldap_group already gets a validated username
from Kerberos/NTLM (all clients are Microsoft Windows). I think I need
an additional external_acl helper with integrated Basic auth. Right?

Is there any external_acl helper out there with the needed
functionality?

Regards, Robert

-- 
Robert Velter rob...@velter.de



Re: [squid-users] Authentication/Authorization Challenge

2011-07-06 Thread Amos Jeffries

On 06/07/11 23:19, Robert Velter wrote:

Hi all,

I have a (nice?) Squid authentication/authorization challenge.

I already have a working authentication configuration using Negotiate
with squid_kerb_auth and NTLM using ntlm_auth. Authorization is done
using an external_acl_type with squid_ldap_group.

Now I want users to be able to authenticate/authorize using Basic auth when
the squid_ldap_group check fails, resulting in the following logic:

grant access if ((logged in windowsuser is in group internet) or
  (given credentials authenticate for group internet))

As far as I understand I can't solve this with auth_param modifications
because the external_acl ldap_group already gets a validated username
from Kerberos/NTLM (all clients are Microsoft Windows). I think I need
an additional external_acl helper with integrated Basic auth. Right?

Is there any external_acl helper out there with the needed
functionality?

Regards, Robert



That will probably die horribly. NTLM & Negotiate both hijack HTTP to 
try and authenticate at the TCP level. Once credentials are accepted a 
change in auth requires the TCP link itself to be terminated.


You can cause a re-auth challenge, but Squid will still offer the same 
set of Negotiate, NTLM, Basic as available. The sane browsers should move 
on to the next available choice they have not tried (most agents are not 
that sane though).


Details of how to re-auth are in the FAQ:

http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.9


Re: [squid-users] Authentication/Authorization Challenge

2011-07-06 Thread Robert Velter
Hi Amos,

thanks for your clarification and the link. So I will now try the following:

1) Add a working basic auth to auth_param (probably ldap_auth).
2) Modify the access list from
  http_access allow ldapgroup-access
  http_access deny all
   to
  http_access deny !ldapgroup-access
  http_access allow all

This should then trigger the authentication loop mentioned in the FAQ, and
I hope that at least the browsers in use behave sanely...

I don't care about update agents (adobe, java, ...), they should be
disabled in this environment anyway.

Robert

Am Donnerstag, den 07.07.2011, 00:39 +1200 schrieb Amos Jeffries:
 
 That will probably die horribly. NTLM & Negotiate both hijack HTTP to 
 try and authenticate at the TCP level. Once credentials are accepted a 
 change in auth requires the TCP link itself to be terminated.
 
 You can cause a re-auth challenge, but Squid will still offer the same 
 set of Negotiate, NTLM, Basic as available. The sane browsers should move 
 on to the next available choice they have not tried (most agents are not 
 that sane though).
 
 Details of how to re-auth are in the FAQ:
  
 http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F
 
 Amos

-- 
Robert Velter rob...@velter.de



Re: [squid-users] Authentication/Authorization Challenge

2011-07-06 Thread Amos Jeffries

On Wed, 06 Jul 2011 15:42:18 +0200, Robert Velter wrote:

Hi Amos,

thanks for your clarification and the link. So I will now try the following:


1) Add a working basic auth to auth_param (probably ldap_auth).
2) Modify the access list from
  http_access allow ldapgroup-access
  http_access deny all
   to
  http_access deny !ldapgroup-access
  http_access allow all



It's not clear from your original post if you need the group checking on 
Basic auth'ed users. You might want something like this to require *a* 
login, but not block Basic-auth'ed users with the group check:



  acl authed proxy_auth REQUIRED
  # Proxy-Authorization is the request header carrying the client's
  # credentials (Proxy-Authenticate is the 407 response header, which a
  # request never carries)
  acl authBasic req_header Proxy-Authorization ^Basic

  # if NOT logged in as basic do the group check. re-auth if that fails.
  http_access deny !authBasic !ldapgroup-access

  # only gets here if (a) auth via Basic, or (b) auth via NTLM/Negotiate with group checked OK.
  http_access allow authed

  # for config clarity. Should not actually be reachable.
  http_access deny all


Amos



RE: [squid-users] Authentication to Sharepoint not happening

2011-02-02 Thread Saurabh Agarwal
I used pipeline_prefetch off setting in squid.conf and it works.

Regards,
Saurabh

-Original Message-
From: Senthilkumar [mailto:senthilkumaar2...@gmail.com] 
Sent: Wednesday, February 02, 2011 12:48 PM
To: Saurabh Agarwal
Subject: Re: [squid-users] Authentication to Sharepoint not happening

Hi Saurabh Agarwal,

We also have the same issue. Could you please share with us the steps to 
be followed to make it work?

Thanks
Senthil

Saurabh Agarwal wrote:
 It works now! I followed the code and then turned off pipeline_prefetch. In 
 code there was this check which was setting no_connection_auth flag to 1.

 if (Config.onoff.pipeline_prefetch)
     request->flags.no_connection_auth = 1;

 I don't understand it completely but I can move forward. Thank You Amos!

 Regards,
 Saurabh
 
 -Original Message-
 From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
 Sent: Tuesday, February 01, 2011 6:30 PM
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] Authentication to Sharepoint not happening

 On 02/02/11 00:43, Saurabh Agarwal wrote:
   
 Looks like we are making progress. Yeah there is a condition in the code 
 client_side.c that relates to when WWW-Authenticate header is being 
 deleted. Condition checks for no_connection_auth flag in the request.

 This is the code. It checks if there is no_connection_auth in incoming 
 request then that header is being deleted. I think it relates to pinning 
 connections as you said earlier.

  if (request->flags.no_connection_auth) {
      httpHeaderDelAt(hdr, pos);
      connection_auth_blocked = 1;
      continue;
  }

 But in Squid-2.7.Stable7 there is support only for specifying 
 no-connection-auth in http_port directive. In Squid 3.1 we can turn it 
 on|off using connection-auth=[on|off].

 How to not set the no_connection_auth flag in Squid-2.7.Stable.7?
 

 It is supposed to be on by default in both versions and the 
 configuration option there to turn it off and turn on stripping of the 
 header.

 Amos
   



RE: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Saurabh Agarwal
Hi Amos

I am using squid.2.7.STABLE7. Following is my configuration. I want to allow 
everything.

http_port 192.168.11.35:3128 transparent
acl from_localhost src 192.168.11.35
http_port 10.102.79.82:3128 transparent
acl from_localhost src 10.102.79.82
http_port 10.102.79.82:3128 transparent
acl from_localhost src 10.102.79.82
visible_hostname hostname
acl foreign_networksAux1 dst
acl foreign_networksapA dst 0.0.0.0/0
tcp_outgoing_address 192.168.11.35 foreign_networksAux1
tcp_outgoing_address 10.102.79.82 foreign_networksapA
access_log none
cache_log /dev/null

cache_mem 8 MB
cache_dir aufs /squid/var/cache/small 1500 9 256 max-size=1
cache_dir aufs /squid/var/cache/medium 4500 6 256 max-size=100
cache_dir aufs /squid/var/cache/large 4000 3 256
maximum_object_size 1000 MB
log_mime_hdrs off
max_open_disk_fds 400
maximum_object_size_in_memory 16 KB
debug_options ALL,1

cache_store_log none
pid_filename /squid/logs/squid.pid
debug_options ALL,1

acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl all_dst dst 0.0.0.0/0.0.0.0
http_access allow manager from_localhost
http_access deny manager
http_access allow all all_dst
icp_access deny all

icp_port 0
htcp_port 0

#this is the directory where core-dump from squid will be kept
coredump_dir /squid/var

log_fqdn off
fqdncache_size 8192
ipcache_size 8192

minimum_object_size 512 bytes
quick_abort_min -1 KB

hierarchy_stoplist cgi-bin ?
acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback.*id)
acl store_rewrite_list1 dstdomain .youtube.com .video.google.com \/(get_video\?|videodownload\?|videoplayback.*id)
storeurl_access allow store_rewrite_list store_rewrite_list1
storeurl_rewrite_program /orbital/current/squid/storeurl.pl
storeurl_rewrite_children 1
storeurl_rewrite_concurrency 10

redirector_bypass on

#this refresh_pattern is for caching youtube videos
refresh_pattern (get_video\?|videoplayback\?|videodownload\?) 5259487 % 5259487 ignore-private ignore-no-cache override-expire

refresh_pattern ^ftp:   1   50% 10080
refresh_pattern ^gopher:1   0%  1440
refresh_pattern -i \.(gif|jpg|jpeg|tif|png|ico|bmp)$  0 50% 6000 ignore-no-cache
refresh_pattern -i \.(wma|wmv|avi|mpeg|ram|mp3|mpg|flv)$ 60 200% 10080 ignore-no-cache override-expire ignore-private
refresh_pattern -i \.(3gp|mp4|rm|ram|mov|m4v|qt)$ 60 200% 10080 ignore-no-cache override-expire ignore-private
refresh_pattern -i \.(cab|exe|gzip|gz|zip|rpm|bin|dat|psf|bz2)$ 0 20% 14400
refresh_pattern -i \.(swf|css|js)$ 0 50% 1
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll)  1 20% 1440
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 1 20% 1440
refresh_pattern -i \.(htm|html|asp|jsp|shtml|dhtml|php)$ 0 0% 0

refresh_pattern -i (/cgi-bin/|\?)  0 0% 0
refresh_pattern .  0 20% 4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

#extension_methods dddxxx

cache_effective_user squid
cache_effective_group squid

client_persistent_connections on
server_persistent_connections on

logfile_rotate 0
ie_refresh on
request_entities on
pipeline_prefetch on
strip_query_terms off
minimum_direct_hops 0
minimum_direct_rtt 0
log_icp_queries off

# Shorten timeouts
negative_ttl 5 minutes
connect_timeout 1 minute
peer_connect_timeout 30 seconds
read_timeout 15 minutes
request_timeout 5 minutes
half_closed_clients off
pconn_timeout 1 minute

Regards,
Saurabh

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Tuesday, February 01, 2011 12:12 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Authentication to Sharepoint not happening

On 01/02/11 19:27, Saurabh Agarwal wrote:
 Hi All

 I am running Squid as a transparent proxy and can't authenticate to 
 sharepoint server. If I bypass squid then everything works fine.

 I have not compiled Squid with any of the authentication-related configurables

 --enable-auth=basic,digest,ntlm,negotiate
 --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL
 --enable-negotiate-auth-helpers=squid_kerb_auth
 --enable-cache-digests
 --enable-ntlm-auth-helpers=SMB,fakeauth
 --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group.

 I see that sharepoint sends squid the following http headers in HTTP 401 
 response

 WWW-Authenticate: Negotiate\r\n
 WWW-Authenticate: NTLM\r\n

 But squid is not forwarding these headers to the client? If I bypass squid 
 then everything works fine.

 Can someone please help here?

Negotiate and NTLM both require HTTP/1.1 persistent connections and also 
some major hacks called connection pinning. Not all Squid support these 
equally.

What version of Squid are you using, and with what configuration?

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4


Re: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Amos Jeffries

On 01/02/11 21:29, Saurabh Agarwal wrote:

Hi Amos

I am using squid.2.7.STABLE7. Following is my configuration. I want to allow 
everything.

http_port 192.168.11.35:3128 transparent
acl from_localhost src 192.168.11.35



http_port 10.102.79.82:3128 transparent
acl from_localhost src 10.102.79.82
http_port 10.102.79.82:3128 transparent
acl from_localhost src 10.102.79.82


cut-n-paste error? http_port and ACL are defined twice.


visible_hostname hostname
acl foreign_networksAux1 dst
acl foreign_networksapA dst 0.0.0.0/0


The above ACL collapses to "acl foreign_networksapA dst all".


tcp_outgoing_address 192.168.11.35 foreign_networksAux1
tcp_outgoing_address 10.102.79.82 foreign_networksapA


May as well drop foreign_networksapA off that tcp_outgoing. It has no 
meaning.



access_log none
cache_log /dev/null


cache_log is not optional for very good reasons. If you are that worried 
about stuff being logged set debug_options ALL,0 to receive only the 
critical failure events.


snip

debug_options ALL,1


snip

debug_options ALL,1

acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl all_dst dst 0.0.0.0/0.0.0.0


Easier to read and forward-portable:
  acl all src all
  acl all_dst dst all

Note that "dst all" means all domains with DNS-resolvable destinations, 
and "src all" means coming from any machine via the IP protocol.



http_access allow manager from_localhost
http_access deny manager
http_access allow all all_dst


Translation:
  allow a request if it arrives from a machine with an IP address and 
is destined to a machine which has an IP address.


Nice...  Open proxy with no logging and transparent hijacking on a 
standard port 3128 :).

Good thing your public IP is a little bit obscured.


This looks like a slightly confused configuration based on a loose 
explanation of the tcp_outgoing_address dst hack.


The real hack is to place this above any http_access allow lines:
  http_access deny all_dst !all

meaning: perform DNS lookup on the destination (thus caching the result 
for tcp_outgoing_address to use) then skip to the next http_access line 
due to an impossible test.


After doing that hack you *still* have to setup permissions as to who is 
allowed to access the proxy.


snip


hierarchy_stoplist cgi-bin ?
acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback.*id)
acl store_rewrite_list1 dstdomain .youtube.com .video.google.com \/(get_video\?|videodownload\?|videoplayback.*id)


cut-n-paste error?  \/(get_video\?|vi... is not a valid domain name.
snip


client_persistent_connections on
server_persistent_connections on


Good.

snip


# Shorten timeouts
negative_ttl 5 minutes


Bad. This means: DoS all clients of a URL whenever a 4xx or 5xx happens 
on it.


This may be related to the 401 followup not working well.

Recommended value:
  negative_ttl 0 seconds



connect_timeout 1 minute
peer_connect_timeout 30 seconds
read_timeout 15 minutes
request_timeout 5 minutes
half_closed_clients off
pconn_timeout 1 minute


NTLM and Negotiate require two pconn pinned together to operate. This 
timeout will directly affect how often those paired TCP links are 
discarded and require new auth handshakes.



So in summary, other than negative_ttl and a small pconn_timeout 
possibly affecting things this config looks like it should pass the auth 
headers just fine.



One other possibility you could try since this is 2.7 is the HTTP/1.1 
options.

  http_port ... http11

and these two:
http://www.squid-cache.org/Versions/v2/2.7/cfgman/server_http11.html
http://www.squid-cache.org/Versions/v2/2.7/cfgman/ignore_expect_100.html

The server_http11 is safest with no known problem side effects. The 
http_port change may require ignore_expect_100 to fix broken clients. 
Though such broken client apps are slowly disappearing now.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4
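Amos's review above reads as a checklist, so here is an added example (not from the thread or from Squid) that turns it into a small squid.conf linter in Python. It flags an allow line made only of catch-all ACLs (the open proxy), interception on port 3128, "access_log none", "cache_log /dev/null", a non-zero negative_ttl, a duplicate http_port, an ACL with no value, and "pipeline_prefetch on" (which, per the client_side.c snippet quoted earlier on this page, sets no_connection_auth in 2.7 and so blocks NTLM/Negotiate). The sample excerpt is cut down from the posted configuration; the corrected version beside it, including the localnet range, is constructed.

```python
"""Lint a squid.conf excerpt for the mistakes called out in this thread (constructed example)."""
from typing import List, Tuple

Finding = Tuple[int, str, str]   # (line number, check id, message)

CATCH_ALL_VALUES = {"all", "0.0.0.0/0", "0.0.0.0/0.0.0.0"}


def lint_squid_conf(text: str) -> List[Finding]:
    findings: List[Finding] = []
    catch_all = {"all"}          # ACL names that match every request
    seen_ports = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, *args = line.split()
        if directive == "acl":
            if len(args) < 3:
                findings.append((lineno, "acl-incomplete", f"'{line}' has no value"))
                continue
            name, kind, values = args[0], args[1], args[2:]
            # src/dst 0.0.0.0/0 matches everything, exactly like 'all'
            if kind in ("src", "dst") and any(v in CATCH_ALL_VALUES for v in values):
                catch_all.add(name)
        elif directive == "http_port" and args:
            listen = args[0]
            if listen in seen_ports:
                findings.append((lineno, "port-duplicate", f"http_port {listen} defined twice"))
            seen_ports.add(listen)
            port = listen.rsplit(":", 1)[-1]
            if port == "3128" and ({"transparent", "intercept"} & set(args[1:])):
                findings.append((lineno, "intercept-on-3128",
                                 "interception on the standard forward-proxy port 3128"))
        elif directive == "http_access" and args[:1] == ["allow"]:
            terms = args[1:]
            # every term a non-negated catch-all: the line admits everyone, everywhere
            if terms and all(not t.startswith("!") and t in catch_all for t in terms):
                findings.append((lineno, "open-proxy", f"'{line}' admits every client to every destination"))
        elif directive == "access_log" and args[:1] == ["none"]:
            findings.append((lineno, "no-access-log", "no audit trail of proxied requests"))
        elif directive == "cache_log" and args[:1] == ["/dev/null"]:
            findings.append((lineno, "no-cache-log", "keep cache_log; use 'debug_options ALL,0' to quieten it"))
        elif directive == "negative_ttl" and args and args[0] != "0":
            findings.append((lineno, "negative-ttl", "cached 4xx/5xx replies hit all clients; use 'negative_ttl 0 seconds'"))
        elif directive == "pipeline_prefetch" and args[:1] == ["on"]:
            findings.append((lineno, "pipeline-prefetch", "in 2.7 sets no_connection_auth; NTLM/Negotiate headers get stripped"))
    return findings


# Excerpt of the posted configuration (values as posted in the thread).
SAMPLE_CONF = """\
http_port 10.102.79.82:3128 transparent
acl from_localhost src 10.102.79.82
http_port 10.102.79.82:3128 transparent
acl from_localhost src 10.102.79.82
acl foreign_networksAux1 dst
acl foreign_networksapA dst 0.0.0.0/0
access_log none
cache_log /dev/null
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl all_dst dst 0.0.0.0/0.0.0.0
http_access allow manager from_localhost
http_access deny manager
http_access allow all all_dst
pipeline_prefetch on
negative_ttl 5 minutes
"""

# Constructed corrected version: explicit client range, DNS-priming hack kept as a
# deny that can never match, interception moved off 3128, logging left on.
FIXED_CONF = """\
http_port 10.102.79.82:3128
http_port 10.102.79.82:3129 transparent
acl localnet src 10.102.0.0/16
acl all_dst dst all
http_access deny all_dst !all
http_access allow localnet
http_access deny all
negative_ttl 0 seconds
pipeline_prefetch off
"""

if __name__ == "__main__":
    for lineno, check, msg in lint_squid_conf(SAMPLE_CONF):
        print(f"line {lineno}: {check}: {msg}")
    print("fixed config findings:", lint_squid_conf(FIXED_CONF))
```

The checks are deliberately syntactic: the linter knows nothing about ACL semantics beyond "src/dst of everything is a catch-all", which is exactly the case Amos translated as "arrives from a machine with an IP address and is destined to a machine which has an IP address".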


RE: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Saurabh Agarwal
Thanks Amos. Yeah they were cut and paste errors. Other than that I have tried 
using http11 with http_port and ignore_expect and it still doesn't work.

I think this is by design in Squid. The following code in client_side.c suggests 
that it will always filter the WWW-Authenticate header out of the HTTP headers by 
treating it as an unproxyable auth type.

    /* Filter unproxyable authentication types */
    if (http->log_type != LOG_TCP_DENIED &&
        (httpHeaderHas(hdr, HDR_WWW_AUTHENTICATE))) {
        HttpHeaderPos pos = HttpHeaderInitPos;


...code here removes the WWW-Authenticate from HTTP Header.

Also the following link 
http://www.visolve.com/squid/Squid_tutorial.php#Authentication_ suggests 
that Proxy Auth can't work in transparent mode.

Can you please comment on this?

Regards,
Saurabh

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Tuesday, February 01, 2011 3:34 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Authentication to Sharepoint not happening

On 01/02/11 21:29, Saurabh Agarwal wrote:
 Hi Amos

 I am using squid.2.7.STABLE7. Following is my configuration. I want to allow 
 everything.

 http_port 192.168.11.35:3128 transparent
 acl from_localhost src 192.168.11.35

 http_port 10.102.79.82:3128 transparent
 acl from_localhost src 10.102.79.82
 http_port 10.102.79.82:3128 transparent
 acl from_localhost src 10.102.79.82

cut-n-paste error? http_port and ACL are defined twice.

 visible_hostname hostname
 acl foreign_networksAux1 dst
 acl foreign_networksapA dst 0.0.0.0/0

The above ACL collapses to "acl foreign_networksapA dst all".

 tcp_outgoing_address 192.168.11.35 foreign_networksAux1
 tcp_outgoing_address 10.102.79.82 foreign_networksapA

May as well drop foreign_networksapA off that tcp_outgoing. It has no 
meaning.

 access_log none
 cache_log /dev/null

cache_log is not optional for very good reasons. If you are that worried 
about stuff being logged set debug_options ALL,0 to receive only the 
critical failure events.

snip
 debug_options ALL,1

snip
 debug_options ALL,1

 acl manager proto cache_object
 acl all src 0.0.0.0/0.0.0.0
 acl all_dst dst 0.0.0.0/0.0.0.0

Easier to read and forward-portable:
   acl all src all
   acl all_dst dst all

Note that "dst all" means all domains with DNS-resolvable destinations, 
and "src all" means coming from any machine via the IP protocol.

 http_access allow manager from_localhost
 http_access deny manager
 http_access allow all all_dst

Translation:
   allow a request if it arrives from a machine with an IP address and 
is destined to a machine which has an IP address.

Nice...  Open proxy with no logging and transparent hijacking on a 
standard port 3128 :).
Good thing your public IP is a little bit obscured.


This looks like a slightly confused configuration based on a loose 
explanation of the tcp_outgoing_address dst hack.

The real hack is to place this above any http_access allow lines:
   http_access deny all_dst !all

meaning: perform DNS lookup on the destination (thus caching the result 
for tcp_outgoing_address to use) then skip to the next http_access line 
due to an impossible test.

After doing that hack you *still* have to setup permissions as to who is 
allowed to access the proxy.

snip

 hierarchy_stoplist cgi-bin ?
 acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback.*id)
 acl store_rewrite_list1 dstdomain .youtube.com .video.google.com \/(get_video\?|videodownload\?|videoplayback.*id)

cut-n-paste error?  \/(get_video\?|vi... is not a valid domain name.
snip

 client_persistent_connections on
 server_persistent_connections on

Good.

snip

 # Shorten timeouts
 negative_ttl 5 minutes

Bad. This means: DoS all clients of a URL whenever a 4xx or 5xx happens 
on it.

This may be related to the 401 followup not working well.

Recommended value:
   negative_ttl 0 seconds


 connect_timeout 1 minute
 peer_connect_timeout 30 seconds
 read_timeout 15 minutes
 request_timeout 5 minutes
 half_closed_clients off
 pconn_timeout 1 minute

NTLM and Negotiate require two pconn pinned together to operate. This 
timeout will directly affect how often those paired TCP links are 
discarded and require new auth handshakes.


So in summary, other than negative_ttl and a small pconn_timeout 
possibly affecting things this config looks like it should pass the auth 
headers just fine.


One other possibility you could try since this is 2.7 is the HTTP/1.1 
options.
   http_port ... http11

and these two:
http://www.squid-cache.org/Versions/v2/2.7/cfgman/server_http11.html
http://www.squid-cache.org/Versions/v2/2.7/cfgman/ignore_expect_100.html

The server_http11 is safest with no known problem side effects. The 
http_port change may require ignore_expect_100 to fix broken clients. 
Though such broken client apps are slowly disappearing now.

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
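The access rules the review above asks for, written out as one coherent Squid 2.7 fragment. This is an added example, not the poster's configuration or anything from the Squid project: the dst-resolution hack sits above every allow line, the open "allow all all_dst" is replaced by a localnet restriction, logging is restored and negative_ttl is set to the recommended value. The client ranges 192.168.11.0/24 and 10.102.79.0/24 and the foreign destination range 203.0.113.0/24 are placeholders; the ACL and address names are the ones the reviewed config used.

```conf
# Added example, not the reviewed config. Placeholder ranges: 192.168.11.0/24,
# 10.102.79.0/24 (clients) and 203.0.113.0/24 (destinations for the second exit).

acl all src all
acl all_dst dst all
acl manager proto cache_object
acl from_localhost src 127.0.0.1 10.102.79.82
acl localnet src 192.168.11.0/24 10.102.79.0/24
acl foreign_networksAux1 dst 203.0.113.0/24

# The dst-resolution hack from the review: "all_dst AND NOT all" can never
# match, so this denies nothing, but evaluating all_dst performs the DNS
# lookup whose cached result tcp_outgoing_address needs. It must be placed
# above every http_access allow line.
http_access deny all_dst !all

http_access allow manager from_localhost
http_access deny manager

# Who may use the proxy. "allow all all_dst" admitted anyone with an IP
# address; this admits only the local networks and denies everything else.
http_access allow localnet
http_access deny all

# Destination-based source selection now works because dst is resolved.
# The second line carries no ACL: it is the default for everything else.
tcp_outgoing_address 192.168.11.35 foreign_networksAux1
tcp_outgoing_address 10.102.79.82

# Keep the logs; cache_log is where critical failures are reported.
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
debug_options ALL,1

# Do not cache 4xx/5xx results (the value recommended in the review).
negative_ttl 0 seconds
```

After loading this, a request from outside the listed ranges should be answered with Squid's access-denied page and logged as TCP_DENIED in access.log, which is the quickest way to confirm the proxy is no longer open.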


Re: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Amos Jeffries

On 01/02/11 23:57, Saurabh Agarwal wrote:

Thanks Amos. Yeah they were cut and paste errors. Other than that I have tried 
using http11 with http_port and ignore_expect and it still doesn't work.

I think this is by design in Squid. Following code in client_side.c suggests that it 
will always filter the WWW-Authenticate header from HTTP Headers by treating it as 
unproxyable auth type.

/* Filter unproxyable authentication types */
    if (http->log_type != LOG_TCP_DENIED &&
        (httpHeaderHas(hdr, HDR_WWW_AUTHENTICATE))) {
        HttpHeaderPos pos = HttpHeaderInitPos;

        ...code here removes the WWW-Authenticate from HTTP Header.


There should be some conditions skipping removal on must_keepalive or 
proxy_keepalive flags in there.


I would expect pinning to be in effect at this point. If not that is a 
problem someone might find worth fixing one day. For Negotiate auth type 
at minimum.




Also the following link 
http://www.visolve.com/squid/Squid_tutorial.php#Authentication_;  suggests 
that Proxy Auth can't work in transparent mode.

Can you please comment on this?


Yes Proxy-Authenticate: will not work in transparent mode. There is no 
reason why WWW-Authenticate: with the origin cannot.



Amos
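The filtering this thread is tracing, modelled in a few lines of Python so the effect of the no_connection_auth flag can be seen without reading client_side.c. This is an added example and not Squid's code: it reproduces only the decision the quoted condition makes (skip the filter for TCP_DENIED replies, otherwise drop connection-oriented WWW-Authenticate challenges when the connection cannot be pinned) and the two ways the thread found the flag gets set (the http_port no-connection-auth option and pipeline_prefetch). The 401 response is constructed from the two headers quoted in the thread, not a capture; all function and constant names are this example's own.

```python
"""Added example, not Squid's code: a model of the WWW-Authenticate filtering
and the no_connection_auth flag discussed in this thread."""

# Schemes that authenticate the TCP connection rather than each request.
# A proxy can only relay them if it pins the client connection to a single
# server connection for the whole exchange.
CONNECTION_ORIENTED_SCHEMES = {"ntlm", "negotiate"}


def no_connection_auth(pipeline_prefetch, port_no_connection_auth):
    """The two settings the thread found behind the flag: the http_port
    no-connection-auth option, or pipeline_prefetch being on (pipelined
    requests cannot be pinned safely, so connection auth is refused)."""
    return bool(pipeline_prefetch or port_no_connection_auth)


def parse_response_head(raw):
    """Split a raw HTTP response head into (status_code, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers


def filter_unproxyable(headers, allow_connection_auth, log_type="TCP_MISS"):
    """Drop connection-oriented WWW-Authenticate challenges when the proxy
    cannot pin the connection. The filter is skipped for TCP_DENIED replies,
    as the quoted condition does. Returns (kept_headers, blocked)."""
    if log_type == "TCP_DENIED":
        return list(headers), False
    kept, blocked = [], False
    for name, value in headers:
        if name.lower() == "www-authenticate":
            scheme = value.split(None, 1)[0].lower()
            if scheme in CONNECTION_ORIENTED_SCHEMES and not allow_connection_auth:
                blocked = True
                continue  # header removed, as httpHeaderDelAt() does
        kept.append((name, value))
    return kept, blocked


def remaining_challenges(headers):
    """Schemes the client can still answer after filtering."""
    return [v.split(None, 1)[0] for n, v in headers if n.lower() == "www-authenticate"]


# Constructed 401 from the origin, carrying the two challenges quoted in the thread.
SAMPLE_401 = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def relay_401(raw, pipeline_prefetch, port_no_connection_auth=False):
    """What the client sees after the proxy applies the filter."""
    status, headers = parse_response_head(raw)
    allow = not no_connection_auth(pipeline_prefetch, port_no_connection_auth)
    kept, blocked = filter_unproxyable(headers, allow)
    return status, remaining_challenges(kept), blocked


if __name__ == "__main__":
    # pipeline_prefetch on: both challenges are stripped and the client is
    # left with a 401 it cannot answer, the symptom reported in the thread.
    print(relay_401(SAMPLE_401, pipeline_prefetch=True))   # (401, [], True)
    print(relay_401(SAMPLE_401, pipeline_prefetch=False))  # (401, ['Negotiate', 'NTLM'], False)
```

A Basic challenge is never stripped by this rule, which is why a site offering Basic alongside NTLM keeps working through a proxy that cannot pin, while a SharePoint that offers only Negotiate and NTLM does not.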


RE: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Saurabh Agarwal
Looks like we are making progress. Yeah there is a condition in the code 
client_side.c that relates to when WWW-Authenticate header is being deleted. 
Condition checks for no_connection_auth flag in the request.

This is the code. It checks if there is no_connection_auth in incoming request 
then that header is being deleted. I think it relates to pinning connections as 
you said earlier.

if (request->flags.no_connection_auth) {
    httpHeaderDelAt(hdr, pos);
    connection_auth_blocked = 1;
    continue;
}

But in Squid-2.7.Stable7 there is support only for specifying 
no-connection-auth in http_port directive. In Squid 3.1 we can turn it on|off 
using connection-auth=[on|off].

How to not set the no_connection_auth flag in Squid-2.7.Stable.7?

Regards,
Saurabh



Re: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Amos Jeffries

On 02/02/11 00:43, Saurabh Agarwal wrote:

Looks like we are making progress. Yeah there is a condition in the code client_side.c 
that relates to when WWW-Authenticate header is being deleted. Condition 
checks for no_connection_auth flag in the request.

This is the code. It checks if there is no_connection_auth in incoming request 
then that header is being deleted. I think it relates to pinning connections as 
you said earlier.

if (request->flags.no_connection_auth) {
    httpHeaderDelAt(hdr, pos);
    connection_auth_blocked = 1;
    continue;
}

But in Squid-2.7.Stable7 there is support only for specifying 
no-connection-auth in http_port directive. In Squid 3.1 we can turn it on|off 
using connection-auth=[on|off].

How to not set the no_connection_auth flag in Squid-2.7.Stable.7?


It is supposed to be on by default in both versions, and the 
configuration option is there to turn it off and turn on stripping of the 
header.


Amos


RE: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Saurabh Agarwal
It works now! I followed the code and then turned off pipeline_prefetch. In 
code there was this check which was setting no_connection_auth flag to 1.

if (Config.onoff.pipeline_prefetch)
    request->flags.no_connection_auth = 1;

I don't understand it completely but I can move forward. Thank You Amos!

Regards,
Saurabh



RE: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Amos Jeffries
On Tue, 1 Feb 2011 20:25:42 +0530, Saurabh Agarwal
saurabh.agar...@citrix.com wrote:
> It works now! I followed the code and then turned off pipeline_prefetch.
> In code there was this check which was setting no_connection_auth flag to 1.
>
> if (Config.onoff.pipeline_prefetch)
>     request->flags.no_connection_auth = 1;
>
> I don't understand it completely but I can move forward. Thank You Amos!

Aha, Thank you!  This has led me to find a bug.

Squid-3 checks and overrides pipelining when auth_param are set to prevent
request race conditions. But I see that if the pipeline is manually
configured after the auth_param it will be turned back on. Fixing now.

Amos



Re: [squid-users] Authentication to Sharepoint not happening

2011-02-01 Thread Senthilkumar

Hi Amos,

We are also having trouble accessing a SharePoint site which uses NTLM 
authentication.
We have configured squid with the NTLM scheme. Does the fix below 
(pipeline_prefetch on) work for a squid which is configured with 
NTLM proxy authentication?



Thanks
Senthil

Amos Jeffries wrote:
> On Tue, 1 Feb 2011 20:25:42 +0530, Saurabh Agarwal
> saurabh.agar...@citrix.com wrote:
>> It works now! I followed the code and then turned off pipeline_prefetch.
>> In code there was this check which was setting no_connection_auth flag to 1.
>>
>> if (Config.onoff.pipeline_prefetch)
>>     request->flags.no_connection_auth = 1;
>>
>> I don't understand it completely but I can move forward. Thank You Amos!
>
> Aha, Thank you!  This has led me to find a bug.
>
> Squid-3 checks and overrides pipelining when auth_param are set to prevent
> request race conditions. But I see that if the pipeline is manually
> configured after the auth_param it will be turned back on. Fixing now.
>
> Amos


  




[squid-users] Authentication to Sharepoint not happening

2011-01-31 Thread Saurabh Agarwal
Hi All

I am running Squid as a transparent proxy and can't authenticate to sharepoint 
server. If I bypass squid then everything works fine.

I have not compiled Squid with any of the authentication related configurables

--enable-auth=basic,digest,ntlm,negotiate 
--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL
 --enable-negotiate-auth-helpers=squid_kerb_auth --enable-cache-digests 
--enable-ntlm-auth-helpers=SMB,fakeauth 
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group.

I see that sharepoint sends squid the following http headers in HTTP 401 
response

WWW-Authenticate: Negotiate\r\n 
WWW-Authenticate: NTLM\r\n

But squid is not forwarding these headers to the client? If I bypass squid then 
everything works fine.

Can someone please help here?

Regards,
Saurabh


Re: [squid-users] Authentication to Sharepoint not happening

2011-01-31 Thread Amos Jeffries

On 01/02/11 19:27, Saurabh Agarwal wrote:

Hi All

I am running Squid as a transparent proxy and can't authenticate to sharepoint 
server. If I bypass squid then everything works fine.

I have not compiled Squid with any of the authentication related configurables

--enable-auth=basic,digest,ntlm,negotiate 
--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL 
--enable-negotiate-auth-helpers=squid_kerb_auth --enable-cache-digests 
--enable-ntlm-auth-helpers=SMB,fakeauth 
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group.

I see that sharepoint sends squid the following http headers in HTTP 401 
response

WWW-Authenticate: Negotiate\r\n
WWW-Authenticate: NTLM\r\n

But squid is not forwarding these headers to the client? If I bypass squid then 
everything works fine.

Can someone please help here?


Negotiate and NTLM both require HTTP/1.1 persistent connections and also 
some major hacks called connection pinning. Not all Squid versions support 
these equally.


What version of Squid are you using? and with what configuration?

Amos


[squid-users] authentication problems

2010-12-04 Thread ant2ne

I want to use squid and dansguardian to filter by groups. It is working, sort
of.

Problem 1, after launching the web browser it takes a very long time (a
minute or 2) before the authentication dialog pops up. This needs to be
instant. What am I doing wrong? Once it does finally pop up, I can
authenticate and dansguardian does assign the proper filtering groups.

Problem 2, I would like anyone who fails to authenticate to be assigned
user credentials: default-user. How would I do this?

Problem 3, Can I edit the text of the authentication dialog box?


Below this point is my squid.conf file...
http_port 3128
# acl QUERY urlpath_regex cgi-bin \? #Removed by Amos, suggested to speed up web sites using media
#cache_mem 512 MB# May need to set lower if I run low on RAM
#maximum_object_size_in_memory 4096 KB #Increased by Amos, suggested to speed up web sites using media
#maximum_object_size 1 GB
#cache_dir aufs /cache 50 256 256
redirect_rewrites_host_header off
cache_replacement_policy lru

#auth_param basic program /usr/lib/squid/getpwnam_auth /etc/passwd
# above may require this at the end - /etc/passwd
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm blocker
auth_param basic credentialsttl 12 hours
auth_param basic casesensitive off
#auth_param basic max_challenge_lifetime 2 minutes
# above line fails

acl ncsa_users proxy_auth REQUIRED
acl all src all
acl localnet src 192.168.0.0/255.255.0.0
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/8
acl Safe_ports port 80 81 443 210 119 70 21 1025-65535
acl SSL_Ports port 443
acl AUTH_users proxy_auth ant2ne xbox mandi


#acl internalSite1 dstdomain eaplus.altonschools.org
#acl internalSite2 dstdomain reports.altonschools.org
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access allow ncsa_users
http_access allow AUTH_users
#http_access allow reports_Printing
#http_access allow internalSite1
#http_access allow internalSite2
http_access allow localnet
http_access allow localhost
http_access deny all

icp_port 0
refresh_pattern \.jpg$ 3600 50% 60
refresh_pattern \.gif$ 3600 50% 60
refresh_pattern \.css$ 3600 50% 60
refresh_pattern \.js$ 3600 50% 60
refresh_pattern \.html$ 300 50% 10
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#access_log /var/log/squid/access.log squid
visible_hostname BLOCKER




Re: [squid-users] authentication problems

2010-12-04 Thread Amos Jeffries

On 05/12/10 09:45, ant2ne wrote:


I want to use squid and dansguardign to filter by groups. It is working, sort
of.

Problem 1, after launching the web browser it takes a very long time (a
minute or 2) before the authentication dialog pops up. This needs to be
instant. What am I doing wrong? Once it does finally pop up, I can
authenticate and dansguardian does assign the proper filtering groups.


The config below does not contain any reason for this slowness. Unless 
you have an abnormally large NCSA users file to be checked the problem 
is outside of Squid.




Problem 2, I would like anyone who fails to authenticate to be assigned a
user creditials; default-user. How would I do this?


No reasonably secure browser sends credentials by default. Anyone who 
fails to authenticate is requested to send credentials.




Problem 3, Can I edit the text of the authentication dialog box?



Only the realm string. There are security attacks which can be done by 
sending dialog box text and modern browsers are closing even that 
limited ability down.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3


Re: [squid-users] authentication switching

2010-11-18 Thread Mikio Kishi
Hi, Amos

 Squid can offer both types. Configure two sets of auth_param in the
 order you would prefer them to be used.

I know that.

 auth_param ntlm program .
 auth_param basic program .

The above parameters return the follwoing http reply.

 HTTP/1.0 407 Proxy Authentication Required
 .
 Proxy-Authenticate: NTLM
 Proxy-Authenticate: Basic realm=XXX
 

It looks ok. But Internet Explorer 8 never tries Basic
authentication...
How can I let IE try Basic auth after NTLM auth fails?

Squid version: 3.1.9

Sincerely,

--
Mikio Kishi

On Thu, Nov 18, 2010 at 6:01 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 18/11/10 18:48, Mikio Kishi wrote:

 Hi, all

 Now, I'm using NTLM authentication (auth_param ntlm ..).
 However, we can not browse some sites (windows update or adobe's one)
 because the ActiveX control does not support NTLM authentication.

 So, I'd like to browse via Basic auth when NTLM auth is failed.
 Is it possible to configure such an authentication switching ?


 Squid can offer both types. Configure two sets of auth_param in the order
 you would prefer them to be used.

 It is completely up to the agent to pick the one it wants reply with. Some
 agents use the order offered as a hint. Others pick the strongest encryption
 they support.

 This is as good as it gets at present. In all Squid 2.6+.

 Amos
 --
 Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3



Re: [squid-users] authentication switching

2010-11-18 Thread Amos Jeffries

On 18/11/10 22:49, Mikio Kishi wrote:

Hi, Amos


Squid can offer both types. Configure two sets of auth_param in the
order you would prefer them to be used.


I know that.


auth_param ntlm program .
auth_param basic program .


The above parameters return the follwoing http reply.


HTTP/1.0 407 Proxy Authentication Required
.
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm=XXX



It looks ok. But, InternetExplorer8 has never been trying Basic
authentication...
How can I let IE try Basic auth after NTLM auth failed ?


At the moment you can't, sorry.  We don't have any patches of the 
feature needed to workaround the bugs in IE8 for this.


If you (or anyone) feels up to coding that feature I can spec out the 
requirements and audit the code produced, but don't have time myself yet 
to dedicate to it.


Amos


[squid-users] authentication switching

2010-11-17 Thread Mikio Kishi
Hi, all

Now, I'm using NTLM authentication (auth_param ntlm ..).
However, we can not browse some sites (windows update or adobe's one)
because the ActiveX control does not support NTLM authentication.

So, I'd like to browse via Basic auth when NTLM auth is failed.
Is it possible to configure such an authentication switching ?

Sincerely,

--
Mikio Kishi


Re: [squid-users] Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

2010-10-26 Thread Nick Cairncross

On 26/10/2010 03:56, Paul Freeman paul.free...@eml.com.au wrote:

Hi.
I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled
Kerberos/NTLM authentication using the squid_kerb_auth helper.  This setup is
working well and successfully authenticates Windows domain users when they
are logged in using their domain credentials on Windows XP workstations using
Internet Explorer (v6,7 and 8) and Firefox.

Squid is configured with two helpers, the first, squid_kerb_auth and the
second, the Samba ntlm helper.

However, today I came across a problem when using Internet Explorer 8 on a
server running Windows Server 2008 R2.  The IE8 enhanced security mode is
disabled and the logged in user is a standard domain user.  The Windows
server is joined to the domain and is not a domain controller.  The Windows
server is up to date with Microsoft patches and updates.

Authentication is failing for some reason.  Instead of authenticating
silently, the user is prompted for a username and password 6 times before
receiving the Cache Access Denied message.

If I disable the squid_kerb_auth helper in squid.conf and restart squid,
leaving only the Samba NTLM helper, authentication works successfully.

In cache.log I find:
squid_kerb_auth: DEBUG: Got 'YR YII...
squid_kerb_auth: DEBUG: Decode 'YII...
squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS
failure.  Minor code may provide more information.
squid_kerb_auth: INFO: User not authenticated
authenticateNegotiateHandleReply: Error validating user via Negotiate. Error
returned 'BH gss_accept_sec_contect() failed:  Unspecified GSS failure.
Minor code may provide more information. '

Has anyone else found this with IE8 on Windows Server 2008 R2?  Is it due to
the 64-bit version of IE8 or some unusual interaction between the IE8 version
shipped with Windows Server 2008 R2 and the squid_kerb_auth module?

I have a Wireshark capture of the traffic between the browser session on
Windows Server 2008 R2 and the proxy server during authentication and would
like to assist with investigating the problem further if someone can provide
some advice as to where to look.

Regards

Paul


Hi Paul, 
Just my thoughts (which are minor in relation to the power of other
listers..!): Are you specifically running the 64-bit version of IE? How
does your DNS look? A/PTR records all in order? What does kerbtray show?
What encoding for kerberos are you using? What does klist -ekt keytab
show? Correct FQDN in your browser?
Cheers
Nick






RE: [squid-users] Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

2010-10-26 Thread Paul Freeman
Hi Nick
Thanks for looking at this.  I appreciate your help.

My answers to your questions are in line below

 -Original Message-
 From: Nick Cairncross [mailto:nick.cairncr...@condenast.co.uk]
 Sent: Tuesday, 26 October 2010 8:36 PM
 To: Paul Freeman; Squid Users
 Subject: Re: [squid-users] Authentication using squid_kerb_auth with
 Internet Explorer 8 on Windows Server 2008 R2
 
 
 Hi Paul,
 Just my thoughts (which are minor in relation to the power of other
 listers..!): Are you specifically running the 64-bit version of IE? How
 does your DNS look? A/PTR records all in order? What does kerbtray show?
 What encoding for kerberos are you using? What does klist -ekt keytab
 show? Correct FQDN in your browser?
 Cheers
 Nick
 
I presumed IE8 was the 64-bit version but on further checking I have found it
is the 32-bit version.  The 64-bit version is also installed and I have tried
that with the same result.

As far as I know (I set DNS up :-) ), DNS is configured correctly with
forward and reverse records.

I checked the Kerberos tickets on a Windows XP workstation that authenticates
correctly to squid using IE8 (32-bit) and the Windows 2008 R2 server using
IE8 (32-bit and 64-bit) and found tickets for the proxy server as follows:

Win XP Workstation:
Server: HTTP/my-proxy-server.my.dom...@my.domain
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 10/27/2010 17:37:35
Renew Time: 11/3/2010 7:37:35

Win 2008 R2 server:
Client my.login @ MY.DOMAIN
Server: HTTP/my-proxy-server.my.domain @ MY.DOMAIN
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a0 - forwardable renewable pre_authent
Start Time: 10/27/2010 7:30:13 (local)
End Time: 10/27/2010 17:17:38 (local)
Renew Time: 11/3/2010 7:17:38 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96

The key difference is the ticket encryption type: RC4-HMAC for Win XP vs
AES-256-HMAC-SHA1 for Win 2008 R2.

On the proxy server, klist -ekt ticket_file shows:
KVNO  Timestamp          Principal
   2  09/24/10 12:54:16  HTTP/my-proxy-server.my.dom...@my.domain (ArcFour with HMAC/md5)
   2  09/24/10 12:54:16  HTTP/my-proxy-server.my.dom...@my.domain (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2  09/24/10 12:54:16  HTTP/my-proxy-server.my.dom...@my.domain (AES-256 CTS mode with 96-bit SHA-1 HMAC)

I have just remembered that I recently came across a problem with AES-256
encryption on Ubuntu 10.04LTS.  I discovered this when I found I could not
establish a https session to a Linux web server which was using a certificate
I had issued from the Windows Certificate Service on Windows 2008 R2.  The
problem turned out
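The comparison Paul is doing by hand above (ticket enctype on the client against the keys in the proxy's keytab) as a small script. This is an added example, not part of the thread and not a Squid helper: it parses MIT `klist -ekt` output, maps the MIT enctype descriptions to the names Windows `klist` prints, and reports whether the keytab holds a key of the ticket's enctype for the HTTP/ principal and, if the ticket's kvno is known (for instance from MIT `kvno` on a Unix client), whether the keytab holds that kvno, since a stale keytab after a service-account key reset is the other common reason gss_accept_sec_context() fails with "Unspecified GSS failure". The keytab listing is constructed from the lines quoted above; the principal, keytab path and timestamps are placeholders.

```python
"""Added example, not from the thread: cross-check a Squid HTTP/ service keytab
(MIT `klist -ekt` output) against the service ticket a client holds."""
import re

# MIT klist enctype descriptions mapped to the names Windows klist prints.
ENCTYPE_ALIASES = {
    "arcfour with hmac/md5": "RC4-HMAC",
    "aes-128 cts mode with 96-bit sha-1 hmac": "AES-128-CTS-HMAC-SHA1-96",
    "aes-256 cts mode with 96-bit sha-1 hmac": "AES-256-CTS-HMAC-SHA1-96",
}

# One keytab entry per line: kvno, timestamp (two tokens), principal, (enctype).
KEYTAB_LINE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+\s+\S+)\s+(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)\s*$"
)

# Constructed from the klist lines quoted in the thread; placeholder principal and path.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   2 09/24/10 12:54:16 HTTP/my-proxy-server.my.domain@MY.DOMAIN (ArcFour with HMAC/md5)
   2 09/24/10 12:54:16 HTTP/my-proxy-server.my.domain@MY.DOMAIN (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 09/24/10 12:54:16 HTTP/my-proxy-server.my.domain@MY.DOMAIN (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""


def parse_keytab_listing(text):
    """Return [(kvno, principal, enctype)] for every key line in klist -ekt output."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if not m:
            continue  # "Keytab name:", column header and separator lines
        etype = m.group("etype").strip().lower()
        entries.append((int(m.group("kvno")), m.group("princ"),
                        ENCTYPE_ALIASES.get(etype, etype.upper())))
    return entries


def normalize_windows_enctype(name):
    """Windows klist shows e.g. 'RSADSI RC4-HMAC(NT)' or 'AES-256-CTS-HMAC-SHA1-96'."""
    upper = name.strip().upper()
    return "RC4-HMAC" if "RC4-HMAC" in upper else upper


def check_service_ticket(keytab_text, service_principal, ticket_enctype, ticket_kvno=None):
    """List reasons the proxy could not decrypt the client's service ticket:
    no key for the principal, no key of the ticket's enctype, or a kvno the
    keytab does not hold (stale keytab after the account key was reset)."""
    mine = [e for e in parse_keytab_listing(keytab_text)
            if e[1].lower() == service_principal.lower()]
    if not mine:
        return [f"no key for {service_principal} in keytab"]
    findings = []
    want = normalize_windows_enctype(ticket_enctype)
    have = sorted({etype for _, _, etype in mine})
    if want not in have:
        findings.append(f"keytab has no {want} key for {service_principal} (has {have})")
    if ticket_kvno is not None:
        kvnos = sorted({kvno for kvno, _, _ in mine})
        if ticket_kvno not in kvnos:
            findings.append(f"ticket kvno {ticket_kvno} not in keytab kvnos {kvnos}; re-export the keytab")
    return findings


if __name__ == "__main__":
    principal = "HTTP/my-proxy-server.my.domain@MY.DOMAIN"
    # Both ticket types seen in the thread are covered by this keytab, so the
    # enctype is not the cause there; a stale kvno would be reported instead.
    print(check_service_ticket(SAMPLE_KEYTAB_LISTING, principal, "RSADSI RC4-HMAC(NT)"))          # []
    print(check_service_ticket(SAMPLE_KEYTAB_LISTING, principal, "AES-256-CTS-HMAC-SHA1-96"))     # []
    print(check_service_ticket(SAMPLE_KEYTAB_LISTING, principal, "AES-256-CTS-HMAC-SHA1-96", 3))  # one finding
```

Run it against the real listing with `klist -ekt /path/to/keytab > keytab.txt` and the enctype shown by `klist` on the failing client; an empty result means the keytab is not the problem and the capture is the next place to look.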

RE: [squid-users] Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

2010-10-26 Thread Paul Freeman
Sorry to reply to my own email but I realised I have not properly described
the encryption type problem I had with https which may mean my theory about
it being similar to the Kerberos problem is incorrect.

The certificate encryption problem I had on Ubuntu 10.04 LTS was due to the
Windows Root CA issuing the web server certificate with the sha256RSA
signature algorithm.  Apparently OpenSSL on ubuntu cannot manage this.

Sorry for any confusion.

Regards

Paul

 -Original Message-
 From: Paul Freeman [mailto:paul.free...@eml.com.au]
 Sent: Wednesday, 27 October 2010 8:13 AM
 To: Nick Cairncross; Squid Users
 Subject: RE: [squid-users] Authentication using squid_kerb_auth with
 Internet Explorer 8 on Windows Server 2008 R2
 
 Hi Nick
 Thanks for looking at this.  I appreciate your help.
 
 My answers to your questions are in line below
 
  -Original Message-
  From: Nick Cairncross [mailto:nick.cairncr...@condenast.co.uk]
  Sent: Tuesday, 26 October 2010 8:36 PM
  To: Paul Freeman; Squid Users
  Subject: Re: [squid-users] Authentication using squid_kerb_auth with
  Internet Explorer 8 on Windows Server 2008 R2
 
 
  On 26/10/2010 03:56, Paul Freeman paul.free...@eml.com.au wrote:
 
 
  Hi.
  I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and
 have
  enabled
  Kerberos/NTLM authentication using the squid_kerb_auth helper.  This
  setup is
  working well and successfully authenticates Windows domain users
 when
  they
  are logged in using their domain credentials on Windows XP
  workstations
  using
  Internet Explorer (v6,7 and 8) and Firefox.
  
  Squid is configured with two helpers, the first, squid_kerb_auth and
  the
  second, the Samba ntlm helper.
  
  However, today I came across a problem when using Internet Explorer
 8
  on a
  server running Windows Server 2008 R2.  The IE8 enhanced security
 mode
  is
  disabled and the logged in user is a standard domain user.  The
  Windows
  server is joined to the domain and is not a domain controller.  The
  Windows
  server is up to date with Microsoft patches and updates.
  
  Authentication is failing for some reason.  Instead of
 authenticating
  silently, the user is prompted for a username and password 6 times
  before
  receiving the Cache Access Denied message.
  
  If I disable the squid_kerb_auth helper in squid.conf and restart
  squid,
  leaving only the Samba NTLM helper, authentication works
 successfully.
  
  In cache.log I find:
  squid_kerb_auth: DEBUG: Got 'YR YII...
  squid_kerb_auth: DEBUG: Decode 'YII...
  squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified
  GSS
  failure.  Minor code may provide more information.
  squid_kerb_auth: INFO: User not authenticated
  authenticateNegotiateHandleReply: Error validating user via
 Negotiate.
  Error
  returned 'BH gss_accept_sec_contect() failed:  Unspecified GSS
 failure.
  Minor code may provide more information. '
  
  Has anyone else found this with IE8 on Windows Server 2008 R2?  Is
 it
  due
  to
  the 64-bit version of IE8 or some unusual interaction between the
 IE8
  version
  shipped with Windows Server 2008 R2 and the squid_kerb_auth module?
  
  I have a Wireshark capture of the traffic between the browser
 session
  on
  Windows Server 2008 R2 and the proxy server during authentication
 and
  would
  like to assist with investigating the problem further if someone can
  provide
  some advice as to where to look.
  
  Regards
  
  Paul
 
 
  Hi Paul,
  Just my thoughts (which are minor in relation to the power of other
  listers..!): Are you specifically running the 64-bit version of IE?
 How
  does your DNS look? A/PTR records all in order? What does kerbtray
 show?
  What encoding for kerberos are you using? What does klist -ekt
 keytab
  show? Correct FQDN in your browser?
  Cheers
  Nick
 
 I presumed IE8 was the 64-bit version but on further checking I have
 found it is the 32-bit version.  The 64-bit version is also installed and
 I have tried that with the same result.

 As far as I know (I set DNS up :-) ), DNS is configured correctly with
 forward and reverse records.

 I checked the Kerberos tickets on a Windows XP workstation that
 authenticates correctly to squid using IE8 (32-bit) and the Windows 2008
 R2 server using IE8 (32-bit and 64-bit) and found tickets for the proxy
 server as follows:
 
 Win XP Workstation:
 Server: HTTP/my-proxy-server.my.dom...@my.domain
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   End Time: 10/27/2010 17:37:35
   Renew Time: 11/3/2010 7:37:35
 
 Win 2008 R2 server:
   Client my.login @ MY.DOMAIN
   Server: HTTP/my-proxy-server.my.domain @ MY.DOMAIN
   KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
   Ticket Flags 0x40a0 - forwardable renewable pre_authent
   Start Time: 10/27/2010 7:30:13 (local)
   End Time: 10/27/2010 17:17:38 (local)
   Renew Time: 11/3/2010 7:17:38 (local)
   Session Key Type: AES-256-CTS-HMAC-SHA1-96
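
As an added example that is not part of this thread: the comparison Nick's
"klist -ekt keytab" question points at, done in Python over constructed
sample output. It parses the proxy keytab listing and the Windows klist
ticket listings from both clients, normalises the two tools' different
spellings of each encryption type, and reports any ticket whose enctype has
no key in the keytab for that service principal. gss_accept_sec_context()
cannot decrypt a service ticket unless the keytab holds a key of the
ticket's enctype and kvno, so this is the first thing to rule out when two
client platforms obtain tickets with different enctypes for the same
service. The keytab path, the listing, the principal names and the ticket
output below are constructed for the example, not taken from Paul's proxy.

```python
import re

# Constructed sample of `klist -ekt /etc/squid/HTTP.keytab` for a keytab that
# holds only an RC4 key for the proxy's service principal (path and principal
# are placeholders for this example).
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   3 10/20/10 09:12:01 HTTP/my-proxy-server.my.domain@MY.DOMAIN (ArcFour with HMAC/md5)
"""

# Constructed samples of the ticket lines Windows `klist` shows on each client.
SAMPLE_XP_TICKETS = """\
Server: HTTP/my-proxy-server.my.domain@MY.DOMAIN
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   End Time: 10/27/2010 17:37:35
"""
SAMPLE_2008R2_TICKETS = """\
   Client: my.login @ MY.DOMAIN
   Server: HTTP/my-proxy-server.my.domain @ MY.DOMAIN
   KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
   Ticket Flags 0x40a0 -> forwardable renewable pre_authent
"""

# MIT klist and Windows klist spell the same enctype differently; map the
# spellings needed here to one canonical name.
ENCTYPE_ALIASES = {
    "rsadsi rc4-hmac(nt)": "rc4-hmac",
    "arcfour with hmac/md5": "rc4-hmac",
    "arcfour-hmac": "rc4-hmac",
    "aes-256-cts-hmac-sha1-96": "aes256-cts-hmac-sha1-96",
    "aes-256 cts mode with 96-bit sha-1 hmac": "aes256-cts-hmac-sha1-96",
    "aes-128-cts-hmac-sha1-96": "aes128-cts-hmac-sha1-96",
    "aes-128 cts mode with 96-bit sha-1 hmac": "aes128-cts-hmac-sha1-96",
}


def canonical_enctype(name):
    key = " ".join(name.strip().lower().split())
    return ENCTYPE_ALIASES.get(key, key)


# One keytab entry: kvno, date, time, principal, "(enctype)".
KEYTAB_ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")


def parse_keytab_listing(text):
    """Return {principal: {(kvno, enctype), ...}} from `klist -ekt` output."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_ENTRY.match(line)
        if m:
            kvno, principal, enctype = m.groups()
            keys.setdefault(principal, set()).add((int(kvno), canonical_enctype(enctype)))
    return keys


def parse_windows_tickets(text):
    """Return [(service principal, enctype)] from Windows `klist` output.
    Windows prints the realm as ' @ REALM'; normalise to name@REALM."""
    tickets, server = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            server = line.split(":", 1)[1].strip().replace(" @ ", "@")
        elif line.startswith("KerbTicket Encryption Type:") and server:
            tickets.append((server, canonical_enctype(line.split(":", 1)[1])))
            server = None
    return tickets


def undecryptable_tickets(keytab_keys, tickets):
    """Tickets whose enctype has no key in the keytab for that principal.
    Windows klist does not print the kvno, so only the enctype is compared."""
    bad = []
    for principal, enctype in tickets:
        enctypes = {et for _, et in keytab_keys.get(principal, set())}
        if enctype not in enctypes:
            bad.append((principal, enctype))
    return bad


if __name__ == "__main__":
    keys = parse_keytab_listing(SAMPLE_KEYTAB_LISTING)
    for label, sample in (("XP", SAMPLE_XP_TICKETS), ("2008 R2", SAMPLE_2008R2_TICKETS)):
        for principal, enctype in undecryptable_tickets(keys, parse_windows_tickets(sample)):
            print(f"{label}: keytab has no {enctype} key for {principal}")
```

Run it with the real output of klist -ekt on the proxy and of klist on each
Windows client in place of the samples. The kvno is parsed but not compared,
because the Windows klist output in this thread does not include it; a key
version that is missing from the keytab after the account's key was reset
also prevents decryption, so check that by hand against the keytab listing.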

[squid-users] Authentication using squid_kerb_auth with Internet Explorer 8 on Windows Server 2008 R2

2010-10-25 Thread Paul Freeman
Hi.
I have successfully installed Squid 3.1.8 on Ubuntu 10.04LTS and have enabled
Kerberos/NTLM authentication using the squid_kerb_auth helper.  This setup is
working well and successfully authenticates Windows domain users when they
are logged in using their domain credentials on Windows XP workstations using
Internet Explorer (v6,7 and 8) and Firefox.

Squid is configured with two helpers, the first, squid_kerb_auth and the
second, the Samba ntlm helper.

However, today I came across a problem when using Internet Explorer 8 on a
server running Windows Server 2008 R2.  The IE8 enhanced security mode is
disabled and the logged in user is a standard domain user.  The Windows
server is joined to the domain and is not a domain controller.  The Windows
server is up to date with Microsoft patches and updates.

Authentication is failing for some reason.  Instead of authenticating
silently, the user is prompted for a username and password 6 times before
receiving the Cache Access Denied message.

If I disable the squid_kerb_auth helper in squid.conf and restart squid,
leaving only the Samba NTLM helper, authentication works successfully.

In cache.log I find:
squid_kerb_auth: DEBUG: Got 'YR YII...
squid_kerb_auth: DEBUG: Decode 'YII...
squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS
failure.  Minor code may provide more information.
squid_kerb_auth: INFO: User not authenticated
authenticateNegotiateHandleReply: Error validating user via Negotiate.  Error
returned 'BH gss_accept_sec_contect() failed:  Unspecified GSS failure.
Minor code may provide more information. '

Has anyone else found this with IE8 on Windows Server 2008 R2?  Is it due to
the 64-bit version of IE8 or some unusual interaction between the IE8 version
shipped with Windows Server 2008 R2 and the squid_kerb_auth module?

I have a Wireshark capture of the traffic between the browser session on
Windows Server 2008 R2 and the proxy server during authentication and would
like to assist with investigating the problem further if someone can provide
some advice as to where to look.

Regards

Paul 


Re: [squid-users] Authentication Reverse Proxy

2010-05-03 Thread Amos Jeffries

GIGO . wrote:

Hi,

What is the behaviour/mechanism of authentication if using squid
proxy for both as forward proxy and reverse proxy.

I have successfully set it up for a forward proxy using the helper
files by Markus and the following tutorial; 
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos



Now two scenarios come to my mind. One is that squid is being used
for authentication and the second one is that the web server is providing
the authentication/authorization and squid is just forwarding the
requests to the web server? Please guide/suggest/comment about it.



Requests arriving in the reverse-proxy port use WWW-Auth identical to an 
origin web server, ignoring any Proxy-Auth headers.


Requests arriving in the forward-proxy port use Proxy-Auth like a proper 
proxy, passing WWW-Auth headers through untouched.


These are separate mechanisms and can exist side by side in HTTP headers 
for separate use by middle proxies and origin server.




However, what my plan is, is that the web server (outlookwebaccess)
should be the one taking care of the authentication part and squid should
simply be given the role of forwarder. However I am not sure which
approach to adopt and what special configurations are
required? What are the implications of each approach?



The cache_peer login=PASS logic is smart enough to pass 
WWW-Auth/Proxy-Auth on in the right way relative to the originserver 
setting.


Note that OWA is quite sensitive to the traffic sent to it. Deviating 
from the recommended config example leads to trouble most of the time:

http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.3


[squid-users] Authentication Reverse Proxy

2010-05-02 Thread GIGO .

Hi,
 
What is the behaviour/mechanism of authentication if using squid proxy for both 
as forward proxy and reverse proxy.
 
I have successfully set it up for a forward proxy using the helper files by 
Markus and the following tutorial;
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
 
 
Now two scenarios come to my mind. One is that squid is being used for 
authentication and the second one is that the web server is providing the 
authentication/authorization and squid is just forwarding the requests to the 
web server? Please guide/suggest/comment about it.
 
 
However, what my plan is, is that the web server (outlookwebaccess) should be 
the one taking care of the authentication part and squid should simply be given 
the role of forwarder. However I am not sure which approach to adopt and what 
special configurations are required? What are the implications of 
each approach?
 
 
 
regards,
 
Bilal 

[squid-users] Authentication in squid windows

2010-04-15 Thread ondemandemails
Dear friends,

I am looking forward to deploying squid on Windows Server 2003 for my wireless 
users. Can someone help me in this case, as I don't want to make a domain because 
this will render the users unable to work on laptops out of the premises. The other 
option is to make a username & password file, which can be more effective in my 
case.
Also I want to apply an ACL of max download per day of 200 MB.

help needed.

bye




[squid-users] Authentication logging

2010-04-08 Thread John Horne
Hello,

Using squid 2.7 stable 9, I have set the debug_options to 29,2 which
logs authenticated users, e.g:

   user 'xxx' has been seen at a new IP address (11.22.33.44)

However, is there a way I can log unsuccessful authentication attempts?
I have increased the debug level to 6, but it still doesn't log
authentication failures. Is this possible in the squid 3.x series?



Thanks,

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287Fax: +44 (0)1752 587001



Re: [squid-users] Authentication logging

2010-04-08 Thread John Horne
On Thu, 2010-04-08 at 21:43 +0100, John Horne wrote:
 Hello,
 
 Using squid 2.7 stable 9, I have set the debug_options to 29,2 which
 logs authenticated users, e.g:
 
user 'xxx' has been seen at a new IP address (11.22.33.44)
 
 However, is there a way I can log unsuccessful authentication attempts?
 I have increased the debug level to 6, but it still doesn't log
 authentication failures. Is this possible in the squid 3.x series?
 
Ha! I have just seen that someone else asked the same question a couple
of days ago! I see that failures are logged as a 407 response (which I
can see in our log files).

Apologies for the list noise.



John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287Fax: +44 (0)1752 587001



[squid-users] Authentication helpers not shut down

2010-04-06 Thread David Parks
I noticed that running squid -k reconfigure starts a new authentication 
helper, but does not shut down the old one.
Is this normal behavior? Do I just need to monitor for the closing of the input 
stream and shut down on that cue?

Just wanna make sure I'm on track. 

Dave

p.s. if there are any good guides on the various types of helpers, and the 
protocol used with them I haven't come across it yet and would love a link.


Re: [squid-users] Authentication helpers not shut down

2010-04-06 Thread Henrik Nordström
Tue 2010-04-06 at 13:49 -0700, David Parks wrote:
 I noticed that running squid -k reconfigure starts a new authentication 
 helper, but does not shut down the old one.

It does.

 Is this normal behavior? Do I just need to monitor for the closing of the 
 input stream and shut down on that cue?

Correct. All Squid helpers need to monitor their input and shut down on
eof.

 p.s. if there are any good guides on the various types of helpers, and the 
 protocol used with them I haven't come across it yet and would love a link.

The helpers and their protocols are documented in the squid.conf notes.

- url rewriters, url_rewrite_program
- basic auth helpers, auth_param basic program
- digest auth helpers, auth_param digest program
- negotiate auth helpers, auth_param negotiate program
- external acl helpers, external_acl_type

Other helpers not so well documented outside source:

- log daemon helper (logfile_daemon, access_log)
- dns helper, cache_dns_program (deprecated in favor of the internal dns
client)


Regards
Henrik
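
The helper protocol Henrik points at, shown as an added example that is not
part of this thread and not one of Squid's own helpers: a minimal
"auth_param basic program" helper in Python. The credential store is
constructed in memory for the example (a real helper would read a password
file or ask a directory); the protocol parts are what Squid expects of a
basic helper: one "username password" request per line, both fields
%XX-escaped, one "OK" or "ERR" reply per line, flushed immediately, and
exit on EOF of stdin, which is what lets "squid -k reconfigure" retire the
old helper process. The user names and passwords are placeholders.

```python
import hashlib
import hmac
import os
import sys
from urllib.parse import unquote

PBKDF2_ROUNDS = 100_000


def make_record(password, salt=None):
    """Salted PBKDF2 record for one user (constructed store, example only)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return (salt, digest)


# Constructed credential store: username -> (salt, hash).  Placeholder users.
USERS = {
    "alice": make_record("secret"),
    "bob smith": make_record("p@ss"),  # name with a space arrives as bob%20smith
}


def verify(username, password, users=USERS):
    record = users.get(username)
    if record is None:
        # Do the same work for an unknown user so the reply time does not
        # reveal which names exist.
        make_record(password, b"\0" * 16)
        return False
    salt, expected = record
    got = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(got, expected)


def handle_line(line, users=USERS):
    """One request line in, one reply line out.

    Squid sends 'username password' with both fields %XX-escaped (RFC 1738),
    so the first space is the only separator and spaces inside either field
    are safe.  Any malformed request is an ERR, never a crash."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR"
    username = unquote(parts[0])
    password = unquote(parts[1])
    return "OK" if verify(username, password, users) else "ERR"


def main():
    # Squid writes one request per line and waits for the reply line, so the
    # reply must be flushed at once.  When Squid closes the helper's stdin
    # (shutdown or reconfigure) the loop ends and the process exits.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

To try it outside Squid, pipe request lines into the script and watch it
exit when the pipe closes. Under Squid it would be referenced as the
"auth_param basic program" with the interpreter path (an assumption about
the deployment, not from the thread), and the "children" setting decides how
many copies of this loop run in parallel.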



Re: [squid-users] Authentication caching

2010-04-03 Thread Henrik Nordström
Sat 2010-03-27 at 18:42 +0100, Khaled Blah wrote:
 Hi all,
 
 I'm developing an authentication helper (Negotiate/NTLM) for squid and
 I am trying to understand more how squid handles this process
 internally. Most of all I'd like to know how and how long squid caches
 authentication results. I have looked at the debug logs and they show
 that squid seems to do less caching for Negotiate/NTLM than it does
 for Basic/Digest authentication.

Due to the nature of NTLM & Negotiate authentication it's the helper
performing the Negotiate/NTLM handshake, and because of this there is no
cache in Squid for these schemes as there is nothing to use as cache
key.

basic & digest auth is handled internally by Squid, and enables Squid to
cache the credentials validity.

In theory we could implement NTLM in similar manner, but it would then
not be possible to integrate with Windows domain controllers / active
directory.

Don't know enough of Kerberos to tell what possibilities there may be to
cache in Negotiate auth.

 I am wondering whether I can do
 something about this so that a once verified user will only get his
 credentials re-verified after a certain time and not all during. I am
 grateful to any insight the list can give me. Thanks in advance!

In 2.7 there is a generic auth cache based on source IP, useful when the
clients are single-user workstations.

Regards
Henrik



[squid-users] Authentication caching

2010-03-27 Thread Khaled Blah
Hi all,

I'm developing an authentication helper (Negotiate/NTLM) for squid and
I am trying to understand more how squid handles this process
internally. Most of all I'd like to know how and how long squid caches
authentication results. I have looked at the debug logs and they show
that squid seems to do less caching for Negotiate/NTLM than it does
for Basic/Digest authentication. I am wondering whether I can do
something about this so that a once verified user will only get his
credentials re-verified after a certain time and not all during. I am
grateful to any insight the list can give me. Thanks in advance!

Khaled



Re: [squid-users] authentication pass through upstream server

2010-02-23 Thread Amos Jeffries

Mark Engels wrote:

Mark Engels wrote:

Hello all,

I'm hoping this is the place to come when seeking some assistance with a squid 
proxy configuration issue that's giving me a little grief, and I certainly 
hope nothing like this has been asked before.

The general idea of what I'm trying to accomplish is to have an end user enter 
their username and password credentials as they normally would do (there is 
quota enforcement and site blocking higher up that I have limited control over) 
and have it so that when a user goes to, say, www.educationalmaterial.com the 
local squid proxy uses a pre-defined username and password to access the 
material, thus not charging the user quota download costs for accessing the 
material.

The proxy server was supplied to us from head office with pre-configured rules 
to work as a local cache. I hope to leave all the existing rules in place. Also, 
all our internet service must filter through this one provided proxy; we cannot 
source external internet or alternate proxies.

A portion of the configuration file is as below.

#

cache_peer proxy.site.com parent 8080 3130 no-query default login=PASS
auth_param digest children 5
auth_param digest realm Squid proxy-caching web server
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl block url_regex -i d:/squid/var/logs/block.conf
acl unblock url_regex -i d:/squid/var/logs/unblock.conf
acl nocache url_regex -i d:/squid/var/logs/nocache.conf
no_cache deny nocache
http_access deny block !unblock
http_access allow all
http_access deny all
http_reply_access allow all


#
I thought it would be a simple thing to make the required changes and started 
to approach it by adding the following
#

cache_peer proxy.site.com parent 8080 3130 no-query login=free user:pa$$word 
name=free
cache_peer_access free allow free_sites
cache_peer_access free deny all
acl free_sites url_regex -i d:/squid/var/logs/freesites.conf

#

Unfortunately this seemed to break the local cache and I'm not too sure where 
I've gone wrong. Any help with this, or even an alternate solution, would be greatly 
appreciated.



You have the right idea. That's how it's done.
But whitespace is not permitted in the parameter.

What you have there is no password with username "free".



note: changed proxy name and user credentials for privacy reasons, and running 
squid 2.5 on local and upstream server.



Please see my sig... :)

Your HQ provider may need to be made aware that there is no longer any
official support for 2.5. The oldest fully supported version is now 2.7.

Amos


Thank you for your help Amos :)

Unfortunately I doubt HQ will even consider changing this system under the 
current management as it affects tens of thousands of users... education ;-)

Perhaps you might be able to help again: all of our users must have a space in 
their account name; it is mandatory in account creation. Would there be a way 
around this? (perhaps %20 like in HTML?) I hope the solution isn't in the 3.0 
version of squid or that a workaround for 2.5 might be available?


Um. I don't have a copy of 2.5 code to check, but 2.6 will accept %20 
with no quotes. So your chances of that are good.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
  Current Beta Squid 3.1.0.16
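
Both Amos' description of how login=PASS passes WWW-Auth or Proxy-Auth
headers on relative to the originserver setting (in the "Authentication
Reverse Proxy" reply above) and the login=user:password parsing at issue in
this thread can be seen in one place with the following Python model. It is
an added example, not Squid's code or configuration: it picks the options
this thread uses out of a cache_peer line, %XX-unescapes the login= value
as Amos says 2.6 does (which is why login=free%20user:pa$$word is the way to
write a user name containing a space, and why "login=free user:pa$$word"
yields a login of just "free"), and decides which credential headers go to
the peer. The header names are the standard HTTP ones; the originserver
peer "owa.example.org" and the credentials in the tests are placeholders.

```python
import base64
from urllib.parse import unquote

# login= values that forward the client's own credential instead of adding one.
PASS_MODES = ("PASS", "PASSTHRU")


def parse_cache_peer(line):
    """Pick the fields this model needs out of a cache_peer line.

    Squid splits the line on whitespace, so `login=free user:pa$$word` gives
    login=free and a separate, meaningless token `user:pa$$word`.  The login=
    value is %XX-unescaped, so a space in the name is written as %20."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "cache_peer":
        raise ValueError("not a cache_peer line")
    peer = {"host": tokens[1], "type": tokens[2], "originserver": False, "login": None}
    for opt in tokens[5:]:
        if opt == "originserver":
            peer["originserver"] = True
        elif opt.startswith("login="):
            peer["login"] = unquote(opt[len("login="):])
    return peer


def basic_credential(login):
    """Basic credential for a login=user:password value."""
    return "Basic " + base64.b64encode(login.encode("utf-8")).decode("ascii")


def outgoing_auth_headers(peer, client_headers):
    """Which of the client's credential headers reach this peer, and in which
    header the peer's own configured credential goes.  This models the
    behaviour described in the thread; it is not Squid's implementation.

      * Authorization (WWW-Auth) is end-to-end: passed untouched to a proxy
        parent; to an originserver peer only with login=PASS or PASSTHRU.
      * Proxy-Authorization (Proxy-Auth) is hop-by-hop: passed to a proxy
        parent only with login=PASS or PASSTHRU; never to an originserver.
      * login=user:password adds a Basic credential in the header that fits
        the peer type, unless the client's own was already passed through."""
    login = peer["login"]
    passthrough = login in PASS_MODES
    out = {}
    if peer["originserver"]:
        own_header = "Authorization"
        if passthrough and "Authorization" in client_headers:
            out["Authorization"] = client_headers["Authorization"]
    else:
        own_header = "Proxy-Authorization"
        if "Authorization" in client_headers:
            out["Authorization"] = client_headers["Authorization"]
        if passthrough and "Proxy-Authorization" in client_headers:
            out["Proxy-Authorization"] = client_headers["Proxy-Authorization"]
    if login and not passthrough and own_header not in out:
        out[own_header] = basic_credential(login)
    return out


if __name__ == "__main__":
    broken = parse_cache_peer(
        "cache_peer proxy.site.com parent 8080 3130 no-query login=free user:pa$$word name=free")
    fixed = parse_cache_peer(
        "cache_peer proxy.site.com parent 8080 3130 no-query login=free%20user:pa$$word name=free")
    print("login as parsed from the broken line:", repr(broken["login"]))
    print("login as parsed from the %20 line:   ", repr(fixed["login"]))
    print("headers sent upstream:", outgoing_auth_headers(fixed, {"Proxy-Authorization": "Basic ..."}))
```

The first two cases in the usage block reproduce Amos' diagnosis: with the
space, the password never reaches the peer line at all. The model only
covers the credential headers; the cache_peer_access rule that selects the
"free" peer for free_sites is unchanged by any of this.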


[squid-users] authentication pass through upstream server

2010-02-22 Thread Mark Engels
Hello all,

I'm hoping this is the place to come when seeking some assistance with a squid 
proxy configuration issue that's giving me a little grief, and I certainly 
hope nothing like this has been asked before.

The general idea of what I'm trying to accomplish is to have an end user enter 
their username and password credentials as they normally would do (there is 
quota enforcement and site blocking higher up that I have limited control over) 
and have it so that when a user goes to, say, www.educationalmaterial.com the 
local squid proxy uses a pre-defined username and password to access the 
material, thus not charging the user quota download costs for accessing the 
material.

The proxy server was supplied to us from head office with pre-configured rules 
to work as a local cache. I hope to leave all the existing rules in place. Also, 
all our internet service must filter through this one provided proxy; we cannot 
source external internet or alternate proxies.

A portion of the configuration file is as below.

#

cache_peer proxy.site.com parent 8080 3130 no-query default login=PASS
auth_param digest children 5
auth_param digest realm Squid proxy-caching web server
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl block url_regex -i d:/squid/var/logs/block.conf
acl unblock url_regex -i d:/squid/var/logs/unblock.conf
acl nocache url_regex -i d:/squid/var/logs/nocache.conf
no_cache deny nocache
http_access deny block !unblock
http_access allow all
http_access deny all
http_reply_access allow all


#
I thought it would be a simple thing to make the required changes and started 
to approach it by adding the following
#

cache_peer proxy.site.com parent 8080 3130 no-query login=free user:pa$$word 
name=free
cache_peer_access free allow free_sites
cache_peer_access free deny all
acl free_sites url_regex -i d:/squid/var/logs/freesites.conf

#

Unfortunately this seemed to break the local cache and I'm not too sure where 
I've gone wrong. Any help with this, or even an alternate solution, would be greatly 
appreciated.

note: changed proxy name and user credentials for privacy reasons, and running 
squid 2.5 on local and upstream server.



Mark Engels
ICT Support

Mark Oliphant College
e: mark.eng...@moc.sa.edu.au 

Re: [squid-users] authentication pass through upstream server

2010-02-22 Thread Amos Jeffries

Mark Engels wrote:

Hello all,

I'm hoping this is the place to come when seeking some assistance with a squid 
proxy configuration issue that's giving me a little grief, and I certainly 
hope nothing like this has been asked before.

The general idea of what I'm trying to accomplish is to have an end user enter 
their username and password credentials as they normally would do (there is 
quota enforcement and site blocking higher up that I have limited control over) 
and have it so that when a user goes to, say, www.educationalmaterial.com the 
local squid proxy uses a pre-defined username and password to access the 
material, thus not charging the user quota download costs for accessing the 
material.

The proxy server was supplied to us from head office with pre-configured rules 
to work as a local cache. I hope to leave all the existing rules in place. Also, 
all our internet service must filter through this one provided proxy; we cannot 
source external internet or alternate proxies.

A portion of the configuration file is as below.

#

cache_peer proxy.site.com parent 8080 3130 no-query default login=PASS
auth_param digest children 5
auth_param digest realm Squid proxy-caching web server
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl block url_regex -i d:/squid/var/logs/block.conf
acl unblock url_regex -i d:/squid/var/logs/unblock.conf
acl nocache url_regex -i d:/squid/var/logs/nocache.conf
no_cache deny nocache
http_access deny block !unblock
http_access allow all
http_access deny all
http_reply_access allow all


#
I thought it would be a simple thing to make the required changes and started 
to approach it by adding the following
#

cache_peer proxy.site.com parent 8080 3130 no-query login=free user:pa$$word 
name=free
cache_peer_access free allow free_sites
cache_peer_access free deny all
acl free_sites url_regex -i d:/squid/var/logs/freesites.conf

#

Unfortunately this seemed to break the local cache and I'm not too sure where 
I've gone wrong. Any help with this, or even an alternate solution, would be greatly 
appreciated.



You have the right idea. That's how it's done.
But whitespace is not permitted in the parameter.

What you have there is no password with username "free".



note: changed proxy name and user credentials for privacy reasons, and running 
squid 2.5 on local and upstream server.



Please see my sig... :)

Your HQ provider may need to be made aware that there is no longer any 
official support for 2.5. The oldest fully supported version is now 2.7.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
  Current Beta Squid 3.1.0.16


RE: [squid-users] authentication pass through upstream server

2010-02-22 Thread Mark Engels
Mark Engels wrote:
 Hello all,

 I'm hoping this is the place to come when seeking some assistance with a 
 squid proxy configuration issue that's giving me a little grief, and I 
 certainly hope nothing like this has been asked before.

 The general idea of what I'm trying to accomplish is to have an end user enter 
 their username and password credentials as they normally would do (there is 
 quota enforcement and site blocking higher up that I have limited control 
 over) and have it so that when a user goes to, say, www.educationalmaterial.com 
 the local squid proxy uses a pre-defined username and password to access the 
 material, thus not charging the user quota download costs for accessing the 
 material.

 The proxy server was supplied to us from head office with pre-configured 
 rules to work as a local cache. I hope to leave all the existing rules in 
 place. Also, all our internet service must filter through this one provided 
 proxy; we cannot source external internet or alternate proxies.

 A portion of the configuration file is as below.

 #

 cache_peer proxy.site.com parent 8080 3130 no-query default login=PASS
 auth_param digest children 5
 auth_param digest realm Squid proxy-caching web server
 auth_param digest nonce_garbage_interval 5 minutes
 auth_param digest nonce_max_duration 30 minutes
 auth_param digest nonce_max_count 50
 auth_param basic children 5
 auth_param basic realm Squid proxy-caching web server
 auth_param basic credentialsttl 2 hours
 auth_param basic casesensitive off
 acl all src 0.0.0.0/0.0.0.0
 acl manager proto cache_object
 acl localhost src 127.0.0.1/255.255.255.255
 acl to_localhost dst 127.0.0.0/8
 acl SSL_ports port 443 563
 acl Safe_ports port 80  # http
 acl Safe_ports port 21  # ftp
 acl Safe_ports port 443 563 # https, snews
 acl Safe_ports port 70  # gopher
 acl Safe_ports port 210  # wais
 acl Safe_ports port 1025-65535 # unregistered ports
 acl Safe_ports port 280  # http-mgmt
 acl Safe_ports port 488  # gss-http
 acl Safe_ports port 591  # filemaker
 acl Safe_ports port 777  # multiling http
 acl CONNECT method CONNECT
 http_access allow manager localhost
 http_access deny manager
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 acl block url_regex -i d:/squid/var/logs/block.conf
 acl unblock url_regex -i d:/squid/var/logs/unblock.conf
 acl nocache url_regex -i d:/squid/var/logs/nocache.conf
 no_cache deny nocache
 http_access deny block !unblock
 http_access allow all
 http_access deny all
 http_reply_access allow all


 #
 I thought it would be a simple thing to make the required changes and started 
 to approach it by adding the following
 #

 cache_peer proxy.site.com parent 8080 3130 no-query login=free 
 user:pa$$word name=free
 cache_peer_access free allow free_sites
 cache_peer_access free deny all
 acl free_sites url_regex -i d:/squid/var/logs/freesites.conf

 #

 Unfortunately this seemed to break the local cache and I'm not too sure where 
 I've gone wrong. Any help with this, or even an alternate solution, would be 
 greatly appreciated.


You have the right idea. That's how it's done.
But whitespace is not permitted in the parameter.

What you have there is no password with username "free".


 note: changed proxy name and user credentials for privacy reasons, and 
 running squid 2.5 on local and upstream server.


Please see my sig... :)

Your HQ provider may need to be made aware that there is no longer any
official support for 2.5. The oldest fully supported version is now 2.7.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
   Current Beta Squid 3.1.0.16


Thank you for your help Amos :)

Unfortunately I doubt HQ will even consider changing this system under the 
current management as it affects tens of thousands of users... education ;-)

Perhaps you might be able to help again: all of our users must have a space in 
their account name; it is mandatory in account creation. Would there be a way 
around this? (perhaps %20 like in HTML?) I hope the solution isn't in the 3.0 
version of squid or that a workaround for 2.5 might be available?
