Re: [squid-users] Authentication problem

2016-10-31 Thread Amos Jeffries
On 1/11/2016 6:31 a.m., Eduardo Carneiro wrote:
> Hi all.
> 
> I have a strange authentication issue in my squid 3.5.19. My workstations
> can only authenticate if they are joined to the domain. When they are not
> joined to the domain, I access any URL in the browser (Firefox and Chrome
> tested) and I'm not able to authenticate in the boxes that are shown to me.
> 
> Squid logs show me "TCP_DENIED/407".

Meaning either no credentials were given, or the ones given would not
work, or the NTLM handshake initial request happened.

> 
> Below is my squid.conf authentication configuration:
> 
> ---
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 140
> auth_param ntlm keep_alive on

Try with "keep_alive off" on the above line. It may prevent recent
Browsers using the Basic auth when NTLM fails (which it will for
off-domain users).

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Authentication Problem

2015-12-04 Thread Dima Ermakov
Thank you, Amos.

I checked everything that you wrote.
It didn't help me.

I have this problem only on google chrome browser.
Before 2015-12-03 all was good.
I didn't change my configuration more than one month.

Ten minutes ago "Noel Kelly nke...@citrusnetworks.net" wrote in this list,
that google chrome v47 has broken NTLM authentication.
My clients with problems have google chrome v47 (((

Mozilla Firefox clients work fine.

Thank you!

This is the message from Noel Kelly:
"

Hi

For information, the latest version of Google Chrome (v47.0.2526.73M) has
broken NTLM authentication:

https://code.google.com/p/chromium/issues/detail?id=544255
https://productforums.google.com/forum/#!topic/chrome/G_9eXH9c_ns;context-place=forum/chrome

Cheers

"

On 4 December 2015 at 04:55, Amos Jeffries  wrote:

> On 4/12/2015 9:46 a.m., Dima Ermakov wrote:
> > Hi!
> > I have a problem with authentication.
> >
> > I use samba ntlm authentication in my network.
> >
> > Some users ( not all ) have problems with http traffic.
> >
> > They see basic authentication request.
>
> Meaning you *don't* have NTLM authentication on your network.
>
> Or you are making the mistake of thinking a popup means Basic
> authentication.
>
> > If they enter the correct domain login and password, they get an auth error.
> > If these users try to open https sites, all works well; they do not get any
> > type of error.
>
> So,
>  a) they are probably not going through this proxy, or
>  b) the browser is suppressing the proxy-auth popups, or
>  c) the authentication request is not coming from *your* proxy.
>
> >
> > So we have errors only with unencrypted connections.
> >
> > I have this error on two servers:
> > debian8, squid3.4 (from repository)
> > CentOS7, squid3.3.8 (from repository).
> >
>
> Two things to try:
>
> 1) Adding a line like this before the group access controls in
> frntend.conf. This will ensure that authentication credentials are valid
> before doing group lookups:
>  http_access deny !AuthorizedUsers
>
>
> 2) checking up on the Debian winbind issue mentioned in
> <
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions
> >
>
> I'm not sure about this; it is likely to be involved on Debian, but CentOS
> is not known to have that issue.
>
>
> Oh and:
>  3) remove the "acl manager" line from squid.conf.
>
>  4) change your cachemgr_passwd. Commenting it out does not hide it from
> view when you post it on this public mailing list.
>
> You should remove all the commented out directives as well, some of them
> may be leading to misunderstanding of what the config is actually doing.
>
>
> Amos
>



-- 
С уважением, Дмитрий Ермаков.


Re: [squid-users] Authentication Problem

2015-12-04 Thread Samuel Anderson
Hi Amos and Dima,

I'm having the exact same problem. After updating Chrome to version
(47.0.2526.73 m) I'm no longer able to authenticate. IE and Firefox still seem
to work fine. I haven't changed anything in my config file for months.

On Fri, Dec 4, 2015 at 5:22 AM, Dima Ermakov  wrote:

> Thank you, Amos.
>
> I checked everything that you wrote.
> It didn't help me.
>
> I have this problem only on google chrome browser.
> Before 2015-12-03 all was good.
> I didn't change my configuration more than one month.
>
> Ten minutes ago "Noel Kelly nke...@citrusnetworks.net" wrote in this
> list, that google chrome v47 has broken NTLM authentication.
> My clients with problems have google chrome v47 (((
>
> Mozilla Firefox clients work fine.
>
> Thank you!
>
> This is the message from Noel Kelly:
> "
>
> Hi
>
> For information, the latest version of Google Chrome (v47.0.2526.73M) has
> broken NTLM authentication:
>
> https://code.google.com/p/chromium/issues/detail?id=544255
>
> https://productforums.google.com/forum/#!topic/chrome/G_9eXH9c_ns;context-place=forum/chrome
>
> Cheers
>
> "
>
> On 4 December 2015 at 04:55, Amos Jeffries  wrote:
>
>> On 4/12/2015 9:46 a.m., Dima Ermakov wrote:
>> > Hi!
>> > I have a problem with authentication.
>> >
>> > I use samba ntlm authentication in my network.
>> >
>> > Some users ( not all ) have problems with http traffic.
>> >
>> > They see basic authentication request.
>>
>> Meaning you *don't* have NTLM authentication on your network.
>>
>> Or you are making the mistake of thinking a popup means Basic
>> authentication.
>>
>> > If they enter the correct domain login and password, they get an auth error.
>> > If these users try to open https sites, all works well; they do not get any
>> > type of error.
>>
>> So,
>>  a) they are probably not going through this proxy, or
>>  b) the browser is suppressing the proxy-auth popups, or
>>  c) the authentication request is not coming from *your* proxy.
>>
>> >
>> > So we have errors only with unencrypted connections.
>> >
>> > I have this error on two servers:
>> > debian8, squid3.4 (from repository)
>> > CentOS7, squid3.3.8 (from repository).
>> >
>>
>> Two things to try:
>>
>> 1) Adding a line like this before the group access controls in
>> frntend.conf. This will ensure that authentication credentials are valid
>> before doing group lookups:
>>  http_access deny !AuthorizedUsers
>>
>>
>> 2) checking up on the Debian winbind issue mentioned in
>> <
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions
>> >
>>
>> I'm not sure about this; it is likely to be involved on Debian, but CentOS
>> is not known to have that issue.
>>
>>
>> Oh and:
>>  3) remove the "acl manager" line from squid.conf.
>>
>>  4) change your cachemgr_passwd. Commenting it out does not hide it from
>> view when you post it on this public mailing list.
>>
>> You should remove all the commented out directives as well, some of them
>> may be leading to misunderstanding of what the config is actually doing.
>>
>>
>> Amos
>>
>
>
>
> --
> С уважением, Дмитрий Ермаков.
>
>
>


-- 
Samuel Anderson  |  System Administrator  |  International Document Services

IDS  |  11629 South 700 East, Suite 200  |  Draper, UT 84020-4607



Re: [squid-users] Authentication Problem

2015-12-03 Thread Amos Jeffries
On 4/12/2015 9:46 a.m., Dima Ermakov wrote:
> Hi!
> I have a problem with authentication.
> 
> I use samba ntlm authentication in my network.
> 
> Some users ( not all ) have problems with http traffic.
> 
> They see basic authentication request.

Meaning you *don't* have NTLM authentication on your network.

Or you are making the mistake of thinking a popup means Basic
authentication.

> If they enter the correct domain login and password, they get an auth error.
> If these users try to open https sites, all works well; they do not get any
> type of error.

So,
 a) they are probably not going through this proxy, or
 b) the browser is suppressing the proxy-auth popups, or
 c) the authentication request is not coming from *your* proxy.

> 
> So we have errors only with unencrypted connections.
> 
> I have this error on two servers:
> debian8, squid3.4 (from repository)
> CentOS7, squid3.3.8 (from repository).
> 

Two things to try:

1) Adding a line like this before the group access controls in
frntend.conf. This will ensure that authentication credentials are valid
before doing group lookups:
 http_access deny !AuthorizedUsers


2) checking up on the Debian winbind issue mentioned in
<http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions>

I'm not sure about this; it is likely to be involved on Debian, but CentOS
is not known to have that issue.


Oh and:
 3) remove the "acl manager" line from squid.conf.

 4) change your cachemgr_passwd. Commenting it out does not hide it from
view when you post it on this public mailing list.

You should remove all the commented out directives as well, some of them
may be leading to misunderstanding of what the config is actually doing.


Amos


RE: [squid-users] Authentication problem

2012-05-08 Thread Markus Lauterbach
Hi Marcel,

You have to add a small piece to your config. I think it should look somehow 
like this:

header_access Authorization allow all

And restart your squid.

Markus

 -Original Message-
 From: Fuhrmann, Marcel [mailto:marcel.fuhrm...@lux.ag]
 Sent: Tuesday, 8 May 2012 15:04
 To: squid-users@squid-cache.org
 Subject: [squid-users] Authentication problem
 
 Hello,
 
 I am using 3.0.STABLE19-1ubuntu0.2 and I have a problem accessing a website.
 Normally (without proxy) I get this window to log in:
 http://ubuntuone.com/5fEJKKTenjJuAjJm9AJjSu
 
 With the proxy I get this error (German, but understandable):
 http://ubuntuone.com/6zbxnmZevYWiDDqPMG24Um
 
 Can somebody give me advice?
 
 
 Thanks a lot!
 
 --
 Marcel



Re: [squid-users] Authentication problem

2012-04-06 Thread Mohamed Amine Kadimi
 The designed purpose of these redirect tricks in commercial proxies (and
 Squid captive portals too) is to get the client to make a request to a
 controlled web service. That server pulls details such as the client IP
 address and user-agent header (maybe other things) which the proxy can use
 as the things it checks for in external_acl_type script to guess at which
 later requests are coming from this same client and allow them through. If
 you do login at that point (optional!) it is merely to associate the browser
 signature with a username for recording/billing purposes.

Thank you for clearing that up for me.

So when a client requests a web page, I'll check some session table
which should return OK to let the user go to the internet or ERR to
redirect him to my portal and recheck for cookie presence.

The problem now is this session table. Is there any squid session
helper which is able to bind the session info to additional data
besides the user's IP?



--
Mohamed Amine Kadimi

Tél     : +212 (0) 675 72 36 45
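Amos's description above of a redirect portal that records a client signature, with an external_acl_type helper that later matches on it, written out as an added example (my code, not Squid's and not from this thread). It assumes the hypothetical squid.conf wiring and session-file layout given in the docstring, and that Squid url-escapes the helper's input fields (the default quoting); as Amos says, this is authorization by guesswork about the client, not authentication.

```python
"""Squid external_acl_type helper that authorizes by (client IP, User-Agent) signature.

Added example; not Squid's code. The captive portal records the (IP, User-Agent)
signature it saw at login, and this helper answers OK for matching requests until
the session expires. Two NATed clients with the same browser string look identical
to it, which is the limit of this approach.

Assumed squid.conf wiring (hypothetical names and paths):
  external_acl_type portal_session ttl=60 negative_ttl=5 %SRC %{User-Agent} \\
      /usr/local/bin/portal_session_helper.py /var/lib/portal/sessions.json
  acl has_session external portal_session
  http_access allow has_session
  http_access deny all      # deny_info redirect to the portal belongs here

Session file written by the portal (hypothetical layout):
  {"sessions": [{"ip": "10.0.0.5", "ua": "Mozilla/5.0 ...", "user": "alice", "expires": 1700000000}]}
"""
import json
import sys
import time
from urllib.parse import unquote


def parse_request_line(line):
    """Squid sends one line per lookup: the %SRC token, then the User-Agent value.
    Fields are url-escaped (assumed default), so spaces arrive as %20; split first, then unquote."""
    parts = line.strip().split(None, 1)
    if not parts:
        return None, ""
    ip = unquote(parts[0])
    ua = unquote(parts[1]) if len(parts) > 1 else ""
    return ip, ua


def lookup(sessions, ip, ua, now):
    """Username of a live session matching this (ip, ua) signature, else None.
    A User-Agent mismatch counts as a different client even from the same IP."""
    for s in sessions:
        if s["ip"] == ip and s["ua"] == ua and s["expires"] > now:
            return s["user"]
    return None


def decide(sessions, line, now=None):
    """Turn one request line from Squid into the helper's reply line."""
    now = time.time() if now is None else now
    ip, ua = parse_request_line(line)
    if ip is None:
        return "ERR"
    user = lookup(sessions, ip, ua, now)
    if user is None:
        return "ERR"
    # user= makes the matched name visible in access.log and to later ACLs.
    return "OK user=%s" % user


def load_sessions(path):
    with open(path) as fh:
        return json.load(fh).get("sessions", [])


def main(argv):
    path = argv[1]
    for line in sys.stdin:
        # Re-read per lookup so fresh portal logins show up without restarting Squid;
        # the ttl= on the Squid side keeps the lookup rate low.
        try:
            sessions = load_sessions(path)
        except (OSError, ValueError):
            sessions = []
        sys.stdout.write(decide(sessions, line) + "\n")
        sys.stdout.flush()


# Constructed sample session table (epoch seconds are deliberately small).
SAMPLE_SESSIONS = [
    {"ip": "10.0.0.5", "ua": "Mozilla/5.0 (X11; Linux) Firefox/10.0", "user": "alice", "expires": 2000},
    {"ip": "10.0.0.5", "ua": "Mozilla/5.0 (Windows NT 6.1) Chrome/18.0", "user": "bob", "expires": 500},
]

if __name__ == "__main__":
    main(sys.argv)
```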


Re: [squid-users] Authentication problem

2012-04-04 Thread Amos Jeffries

On 4/04/2012 3:54 a.m., Mohamed Amine Kadimi wrote:
OK, so here's another pseudo code that comes to my mind, this is 
somehow similar to some commercial products (Ironport, bluecoat):


- The user connects to http://www.somesite.com via the proxy
- The Proxy redirects to http://authenticationportal/http://www.somesite.com 
with 302 return code.
- User is verified/authenticated on the authentication portal. This 
authentication portal sets a cookie and redirects to http://www.somesite.com
- User connects to http://www.somesite.com via proxy. Proxy knows user is 
authenticated (cookie).


The problem is with the last step since the cookie is bound to 
http://authenticationportal so the user may encounter an endless loop.


Exactly. The browser authenticated against your website. It did not 
authenticate against the proxy or against somesite.com.


The designed purpose of these redirect tricks in commercial proxies (and 
Squid captive portals too) is to get the client to make a request to a 
controlled web service. That server pulls details such as the client IP 
address and user-agent header (maybe other things) which the proxy can 
use as the things it checks for in external_acl_type script to guess at 
which later requests are coming from this same client and allow them 
through. If you do login at that point (optional!) it is merely to 
associate the browser signature with a username for recording/billing 
purposes.
  Notice how there is nothing required for the browser to do except 
visit. Basically: no authentication.





Do you know the solution for letting this authenticated user go to the 
target after being authenticated?


I think you are getting closer to understanding the boundary between 
possible and impossible.


The whole point of traffic interception is that the browser is *not* 
aware of the proxy. You might as well try to drink water out of an empty 
cup,  as to get the browser to do something special for the proxy.



I like your example. somesite.com happens to actually be a real 
website owned by an actual dodgy company.  Go on; visit it. See the ads, 
see the script errors, read the no-privacy policy, notice how the 
opt-out from their user tracking systems is not working.


Now consider what would happen if authenticationportal was your own 
banks website. What details about your login to the bank would you want 
to send to that dodgy website? the username? the password? the session 
cookies? some other detail used to link you and your accounts?


You are asking us how to make the browser spread exactly that private 
information to websites which have no business receiving it.


Amos



On 3/04/2012 3:40 a.m., Mohamed Amine Kadimi wrote:

Dear Developers and Community,

I would like to set up the following configuration using squid:

When a user asks for a web page he is transparently redirected to
squid, where an authentication must be done before serving the user
with content.


Please read

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F





However, users' IPs are being NATed before going to the proxy. So the
solution would be to use an application-layer verification: cookies or
http headers

So, I come across the following solutions:

1. Use an ICAP server which checks if a cookie is set, otherwise set
it for an authenticated user
 the problem is: cookies are bound to domains + each http request must
be validated

2. Use a php splash page which sets the cookie then redirects to the destination
 same problem as ICAP

3. using squid authentication and checking if Proxy-Authorization
header is set before serving the client
  problem: sessions are associated to the IP by squid

I'm using squid 3.1

Thank you for any idea


The whole point of transparent interception is that the browser is
*completely unaware it is talking to a proxy*. It contacted some
web server, and *all* of its communications are with that server.
If you can find a way to trick it into storing security
credentials of any kind set by your proxy it will consider those
credentials safe to use when contacting the same server via other
non-HTTP methods as well, causing a great deal of problems. The good
thing to do at that point is to report the zero-day security
vulnerability you just found.


You might be able to use details gleaned from the browser's request
to *guess* what user it is and have an external_acl_type script
inform Squid of the guessed username. Or to authorize (*not*
authenticate) the request to happen.

Amos




Re: [squid-users] Authentication problem

2012-04-03 Thread Amos Jeffries

On 3/04/2012 3:40 a.m., Mohamed Amine Kadimi wrote:

Dear Developers and Community,

I would like to set up the following configuration using squid:

When a user asks for a web page he is transparently redirected to
squid, where an authentication must be done before serving the user
with content.


Please read
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F




However, users' IPs are being NATed before going to the proxy. So the
solution would be to use an application-layer verification: cookies or
http headers

So, I come across the following solutions:

1. Use an ICAP server which checks if a cookie is set, otherwise set
it for an authenticated user
  the problem is: cookies are bound to domains + each http request must
be validated

2. Use a php splash page which sets the cookie then redirects to the destination
  same problem as ICAP

3. using squid authentication and checking if Proxy-Authorization
header is set before serving the client
   problem: sessions are associated to the IP by squid

I'm using squid 3.1

Thank you for any idea


The whole point of transparent interception is that the browser is 
*completely unaware it is talking to a proxy*. It contacted some web 
server, and *all* of its communications are with that server. If you can 
find a way to trick it into storing security credentials of any kind set 
by your proxy it will consider those credentials safe to use when 
contacting the same server via other non-HTTP methods as well, causing 
a great deal of problems. The good thing to do at that point is to report 
the zero-day security vulnerability you just found.



You might be able to use details gleaned from the browser's request to 
*guess* what user it is and have an external_acl_type script inform Squid 
of the guessed username. Or to authorize (*not* authenticate) the 
request to happen.


Amos


Re: [squid-users] Authentication problem

2012-04-03 Thread Mohamed Amine Kadimi
OK, so here's another pseudo code that comes to my mind, this is
somehow similar to some commercial products (Ironport, bluecoat):

- The user connects to http://www.somesite.com via the proxy
- The Proxy redirects to
http://authenticationportal/http://www.somesite.com with 302 return
code.
- User is verified/authenticated on the authentication portal. This
authentication portal sets a cookie and redirects to
http://www.somesite.com
- User connects to http://www.somesite.com via proxy. Proxy knows user
is authenticated (cookie).

The problem is with the last step since the cookie is bound to
http://authenticationportal so the user may encounter an endless loop.

Do you know the solution for letting this authenticated user go to the
target after being authenticated?

2012/4/3 Amos Jeffries squ...@treenet.co.nz

 On 3/04/2012 3:40 a.m., Mohamed Amine Kadimi wrote:

 Dear Developers and Community,

 I would like to set up the following configuration using squid:

 When a user asks for a web page he is transparently redirected to
 squid, where an authentication must be done before serving the user
 with content.


 Please read
 http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F




 However, users' IPs are being NATed before going to the proxy. So the
 solution would be to use an application-layer verification: cookies or
 http headers

 So, I come across the following solutions:

 1. Use an ICAP server which checks if a cookie is set, otherwise set
 it for an authenticated user
  the problem is: cookies are bound to domains + each http request must
 be validated

 2. Use a php splash page which sets the cookie then redirects to the destination
  same problem as ICAP

 3. using squid authentication and checking if Proxy-Authorization
 header is set before serving the client
   problem: sessions are associated to the IP by squid

 I'm using squid 3.1

 Thank you for any idea


 The whole point of transparent interception is that the browser is 
 *completely unaware it is talking to a proxy*. It contacted some web server, 
 and *all* of its communications are with that server. If you can find a way 
 to trick it into storing security credentials of any kind set by your proxy 
 it will consider those credentials safe to use when contacting the same 
 server via other non-HTTP methods as well, causing a great deal of problems. 
 The good thing to do at that point is to report the zero-day security 
 vulnerability you just found.


 You might be able to use details gleaned from the browser's request to *guess* 
 what user it is and have an external_acl_type script inform Squid of the 
 guessed username. Or to authorize (*not* authenticate) the request to happen.

 Amos




--
Mohamed Amine Kadimi

Tél     : +212 (0) 675 72 36 45


Re: [squid-users] Authentication problem. Squid3+ntlm_auth+Firefox.

2009-05-18 Thread Amos Jeffries

xor wrote:

Hello,
I have installed squid3 with authorisation in the windows2003 domain, with 
the kerberos5 and samba + winbind libraries. OS Debian Lenny 5.0.1.
The squid3, samba, krb and winbind packages are taken from the official repositories 
(http://ftp.ru.debian.org/debian/).

The proxy clients working under WinXP with the IE6 or IE7 browser pass 
authorisation normally, without superfluous login/password requests.

But those who use the Mozilla Firefox browser, when visiting sites, especially those containing 
JavaScript scenaries, often receive a request for a login, password and domain for authorisation in 
the proxy. If this request is rejected (by pressing cancel), the client receives the standard 
cache access denied page. But if refresh is then pressed, the page is loaded 
without a login/password request, and all works normally until the next 
authorisation request occurs.
This effect is observed on the firefox browsers only.
Increasing or decreasing the auth_param ntlm children parameter didn't help.


Please define what you mean by containing JavaScript scenaries? how is 
this relevant to the HTTP requests?


Check that firefox has not saved previous passwords for the user or 
another. This can cause issues as the known passwords are used first 
every time.


With debug_options ALL,1 29,6 28,6 cache.log gets a trace of the auth 
and ACL actions. Check that to see what is going on.
 You can expect to see some holdup while auth details are requested 
from the browser whether or not the popup appears. You can see from those 
checks whether it is right to be needed or not though.



Some unrelated notes inline to the config...



Configs:

###squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --debug-level=10 
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on
authenticate_cache_garbage_interval 1 minute
authenticate_ttl 2 minutes
authenticate_ip_ttl 2 minutes
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 81 8080 8081 # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 5222
acl Safe_ports port 443 # https
acl PURGE method PURGE
acl CONNECT method CONNECT
acl bad_pat_servers_ip src /etc/squid3/acl/bad_pat_servers_ip


I find it rather confusing that you call this a servers_ip and indeed 
a pattern list yet use src which tests _client_ IP.


The name of the ACL sounds like you mean it to be a destination check of 
some sort.



acl microsoft_activation dstdomain /etc/squid3/acl/microsoft_activation
acl ip_symantec_ftp src 192.168.2.11
acl ftp_symantec dstdomain ftp.symantec.com liveupdate.symantec.com 
liveupdate.symantecliveupdate.com
acl good_sites dstdomain /etc/squid3/acl/good_sites
acl bad_pattern url_regex /etc/squid3/acl/bad_pattern
acl bad_sites dstdomain /etc/squid3/acl/bad_sites
acl odvk url_regex /etc/squid3/acl/odvk
acl odnokl_sites dstdomain /etc/squid3/acl/odnokl_sites
acl odnokl_users proxy_auth /etc/squid3/acl/odnokl_users
acl ip_users src /etc/squid3/acl/ip_users
acl AuthUsers proxy_auth /etc/squid3/acl/users
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow microsoft_activation
http_access deny bad_pat_servers_ip
http_access allow ip_symantec_ftp ftp_symantec
http_access allow good_sites ip_users
http_access allow good_sites AuthUsers
http_access allow odnokl_sites odnokl_users
http_access deny bad_pattern
http_access deny bad_sites
http_access deny odvk
http_access allow ip_users
http_access allow AuthUsers
http_access allow localhost
http_access deny all
htcp_access deny all
http_port 192.168.60.60:3128
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_dir ufs /var/spool/squid3 1024 16 256
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp:   1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .       0       20%     4320



icp_access deny all
icp_port 3130


Combined with the icp_access deny all I find this really weird.

The default action in Squid-3 is not to listen for ICP at all and to 
deny all as well. I think you want to remove the icp_* configuration 
entirely.


Same for the htcp_access line further up.


forwarded_for off
coredump_dir /var/spool/squid3

###smb.conf
[global]
   workgroup = PATERSON
   realm = PATERSON.RU
   password server = SRV-MSK11 SRV-MSK12
   server string = %h server
   wins support = yes
   wins server = 192.168.2.11
   dns proxy = no
   interfaces = 192.168.60.60 eth0
   log file = /var/log/samba/log.%m
   log level = 3
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ads
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   

Re: [squid-users] Authentication problem/oddity/ignorance

2008-05-29 Thread Rob Asher
 Chris Robertson [EMAIL PROTECTED] 5/28/2008 5:03 PM 
 Proxies.  Plural.  How are you spreading the traffic among the proxies?  
 A number of authentication requiring websites associate login 
 credentials with a source IP.  Using a round robin load balancer 
 (without source NATing the outgoing requests from the multiple proxies) 
 can cause issues with such sites.  As well, using authentication on an 
 intercepting (also called a transparent) proxy can cause issues such as 
 this.

The traffic isn't being balanced among the proxies.  I have multiple locations, 
4 to be exact, all trying to access the same site with the same results.  Each 
location uses its own proxy.  None of them are transparent and they all 
require authentication back to a single central LDAP server.


 TCP_MISS/401 indicates the website returned a Not Authorized response, 
 which should cause your browser to prompt for authentication.

With IE7, I get one prompt and then the cannot display the webpage message.  
With FF2, the prompt keeps popping up even with a valid login entry for the 
site until it's canceled.  


 Wow.  Not a single TCP_MISS/200 or TCP_HIT/200.  The only requests that 
 succeeded were cached content (TCP_MISS/304, with a parent of NONE).  
 So, from the evidence given, the machine that is working only appears 
 to be working because it is able to wrest a response from the cache that 
 allows it to use its locally cached copy...

OK. Here's another bit from access.log with the TCP_MISS/200 from the 
working machine.  My fault on the previous one in that all I visited was 
things that I'd already been to and cached.  There are a lot of 401's in this 
but I only had to authenticate to the proxy itself and then once for the site.  

[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1212065905.682182 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.714699 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.738 24 170.211.125.31 TCP_MISS/304 414 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1212065923.793 54 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.818 24 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.856 38 170.211.125.31 TCP_MISS/404 1991 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065924.027 41 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.051 23 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.064 39 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 
text/html
1212065924.073 21 170.211.125.31 TCP_MISS/304 413 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher NONE/- -
1212065924.088 23 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 
text/html
1212065924.105 38 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
1212065924.109 21 170.211.125.31 TCP_MISS/304 412 GET 
http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher NONE/- -
1212065924.128 23 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- text/html
1212065924.154 26 170.211.125.31 TCP_MISS/304 413 GET 
http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- -
1212065933.702855 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher 
DIRECT/165.29.214.2 text/html
1212065933.726 24 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher 
NONE/- text/html
1212065936.319   2593 170.211.125.31 TCP_MISS/200 96327 GET 
http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher 
NONE/- application/pdf
1212065961.927 79 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- text/html
1212065961.952 23 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
DIRECT/165.29.214.2 text/html
1212065962.164212 170.211.125.31 TCP_MISS/200 48057 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- application/pdf
1212065962.236 71 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- text/html
1212065962.260 24 170.211.125.31 TCP_MISS/401 2277 GET 

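The two kinds of challenge seen across this thread are easy to confuse: TCP_DENIED/407 is the proxy demanding Proxy-Authorization (Amos's explanation to Eduardo at the top of the page), while TCP_MISS/401 is the origin site demanding Authorization (Chris Robertson's reading of Rob's log). As an added example, not from the thread, here is a small classifier over Squid native access.log lines; the sample lines are constructed in the native layout with documentation-range hosts (the wrapped excerpts above will not parse as posted).

```python
"""Classify auth challenges in Squid native access.log lines.

Added example, not from the thread. Native format per line:
  timestamp elapsed client code/status bytes method URL user hierarchy/peer type
The sample lines are constructed; hosts and addresses are from documentation ranges.
"""
import re
from collections import defaultdict

# Elapsed is right-aligned in the native log, so allow any run of spaces between fields.
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

SAMPLE_LINES = [
    # 10.0.0.5: NTLM handshake against the origin (two 401 round trips), then success.
    "1212065905.682    182 10.0.0.5 TCP_MISS/401 2145 GET http://www.example.org/secure/ rasher DIRECT/192.0.2.10 text/html",
    "1212065905.714     24 10.0.0.5 TCP_MISS/401 2277 GET http://www.example.org/secure/ rasher DIRECT/192.0.2.10 text/html",
    "1212065905.738     24 10.0.0.5 TCP_MISS/200 9012 GET http://www.example.org/secure/ rasher DIRECT/192.0.2.10 text/html",
    # 10.0.0.9: the proxy itself keeps challenging (407); no credentials are ever accepted.
    "1212065910.001      0 10.0.0.9 TCP_DENIED/407 3561 GET http://www.example.net/ - NONE/- text/html",
    "1212065910.050      0 10.0.0.9 TCP_DENIED/407 3561 GET http://www.example.net/ - NONE/- text/html",
    "1212065910.120      0 10.0.0.9 TCP_DENIED/407 3561 GET http://www.example.net/ - NONE/- text/html",
    # 10.0.0.7: origin challenge loop, repeated 401s and never a 2xx/304.
    "1212065920.100     40 10.0.0.7 TCP_MISS/401 2145 GET http://www.example.org/secure/bg.jpg rasher DIRECT/192.0.2.10 text/html",
    "1212065920.130     23 10.0.0.7 TCP_MISS/401 2277 GET http://www.example.org/secure/bg.jpg rasher DIRECT/192.0.2.10 text/html",
    "1212065920.160     22 10.0.0.7 TCP_MISS/401 2145 GET http://www.example.org/secure/bg.jpg rasher DIRECT/192.0.2.10 text/html",
    "1212065920.190     24 10.0.0.7 TCP_MISS/401 2277 GET http://www.example.org/secure/bg.jpg rasher DIRECT/192.0.2.10 text/html",
    # A line in an unexpected layout is skipped rather than aborting the run.
    "garbage line that is not an access.log record",
]


def parse_line(line):
    """Fields of one native-format line as a dict, or None if the line does not match."""
    m = NATIVE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["elapsed"] = int(entry["elapsed"])
    return entry


def challenge_source(entry):
    """407 is the proxy asking for Proxy-Authorization; 401 is the origin server asking
    for Authorization. Which side is asking decides where to look for the fault."""
    if entry["status"] == 407:
        return "proxy"
    if entry["status"] == 401:
        return "origin"
    return None


def summarize(lines):
    """Per-client challenge counts and the per-(client, URL) status sequence."""
    per_client = defaultdict(lambda: {"proxy": 0, "origin": 0, "ok": 0, "other": 0})
    per_url = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        side = challenge_source(entry)
        counts = per_client[entry["client"]]
        if side:
            counts[side] += 1
        elif 200 <= entry["status"] < 400:
            counts["ok"] += 1
        else:
            counts["other"] += 1
        per_url[(entry["client"], entry["url"])].append(entry["status"])
    return dict(per_client), dict(per_url)


def stuck_urls(per_url, max_challenges=3):
    """(client, url, challenges) for URLs that drew repeated 401/407 and never a success.
    A normal NTLM handshake costs two 401s before the 200, so the threshold sits above two."""
    stuck = []
    for (client, url), statuses in per_url.items():
        challenges = sum(1 for s in statuses if s in (401, 407))
        succeeded = any(200 <= s < 400 for s in statuses)
        if challenges >= max_challenges and not succeeded:
            stuck.append((client, url, challenges))
    return sorted(stuck)


if __name__ == "__main__":
    clients, urls = summarize(SAMPLE_LINES)
    for client, counts in sorted(clients.items()):
        print(client, counts)
    for client, url, n in stuck_urls(urls):
        print("stuck: %s %s (%d challenges, no success)" % (client, url, n))
```

Run it against a real log with `summarize(open("/var/log/squid/access.log"))` if that log is in the native format; the 407-only clients are the ones to check for domain membership or helper problems, the 401 loops are an origin-side issue.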
Re: [squid-users] Authentication problem/oddity/ignorance

2008-05-29 Thread Chris Robertson

Rob Asher wrote:


Chris Robertson [EMAIL PROTECTED] 5/28/2008 5:03 PM


The traffic isn't being balanced among the proxies.  I have multiple locations, 
4 to be exact, all trying to access the same site with the same results.  Each 
location uses its own proxy.  None of them are transparent and they all 
require authentication back to a single central LDAP server.
  


Fair enough.  Two possibilities out of the way.

TCP_MISS/401 indicates the website returned a Not Authorized response, 
which should cause your browser to prompt for authentication.



With IE7, I get one prompt and then the cannot display the webpage message.  With FF2, the prompt keeps popping up even with a valid login entry for the site until it's canceled.  
  


Further investigation shows that the site in question is requesting NTLM 
authentication, which any version of Squid 2.6 should handle.  Hmmm...  
Perhaps this is related to the broken-ness of IIS passing chunked 
encoding to non HTTP1.1 compliant clients.  But it looks like the fixes 
for that were added in 2.6S8 and 2.6S10.  Given you have at least one 
2.6S13 server (and not all clients using it work) the fix might not be 
enough.  Well, you can try adding the following lines in your squid.conf 
(on any of the servers) and see if it helps...


acl chunked dstdomain .k12.ar.us
header_access Accept-Encoding deny chunked

Wow.  Not a single TCP_MISS/200 or TCP_HIT/200.  The only requests that 
succeeded were cached content (TCP_MISS/304, with a parent of NONE).  
So, from the evidence given, the machine that is working only appears 
to be working because it is able to wrest a response from the cache that 
allows it to use its locally cached copy...



OK. Here's another bit from access.log with the TCP_MISS/200 from the working machine.  My fault on the previous one in that all I visited was things that I'd already been to and cached.  There are a lot of 401s in this but I only had to authenticate to the proxy itself and then once for the site.  

[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1212065905.682182 170.211.125.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html

1212065923.714699 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1212065923.738 24 170.211.125.31 TCP_MISS/304 414 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1212065923.793 54 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.818 24 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065923.856 38 170.211.125.31 TCP_MISS/404 1991 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1212065924.027 41 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
  

SNIP

1212065933.726 24 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher 
NONE/- text/html
1212065936.319   2593 170.211.125.31 TCP_MISS/200 96327 GET 
http://www.k12.ar.us/secure/smspo/caja/PrepareForNextYearScheduling.pdf rasher 
NONE/- application/pdf
  


Huh?  This line doesn't make sense.  It's a TCP_MISS/200, which means 
the request was successful, but the parent server is NONE.  Color me 
confused.



1212065961.927 79 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- text/html
1212065961.952 23 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
DIRECT/165.29.214.2 text/html
1212065962.164212 170.211.125.31 TCP_MISS/200 48057 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- application/pdf
1212065962.236 71 170.211.125.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- text/html
1212065962.260 24 170.211.125.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- text/html
1212065962.661400 170.211.125.31 TCP_MISS/206 176993 GET 
http://www.k12.ar.us/secure/smspo/caja/SystemAdministratorGuide.pdf rasher 
NONE/- multipart/byteranges


If you have any suggestions on what else to look for, I'm willing to try about 
anything.  I captured some of the headers in FF on both the working and a 
nonworking machine but I can't make any sense of them.  Also, if running 
tcpdump would help, I'm game to try that as well?
  


Well, Squid 2.7 Stable 1 is out, which appears to have more support for 
HTTP 1.1.  You could set it up on one of your machines (instructions for 
running multiple instances of Squid on one box are at 

Re: [squid-users] Authentication problem/oddity/ignorance

2008-05-28 Thread Chris Robertson

Rob Asher wrote:

I have an external site that requires authentication that's not working through 
my proxies.


Proxies.  Plural.  How are you spreading the traffic among the proxies.  
A number of authentication requiring websites associate login 
credentials with a source IP.  Using a round robin load balancer 
(without source NATing the outgoing requests from the multiple proxies) 
can cause issues with such sites.  As well, using authentication on a 
intercepting (also called a transparent) proxy can cause issues such as 
this.



The squid versions vary from 2.6.STABLE6 to 2.6.STABLE13 with the same results.  With IE7, all 
that's returned is cannot display the webpage even with show friendly http error 
messages turned off.  With FF2, the login box keeps popping up until you cancel.  Here's the 
oddity though, I have one XP machine that is able to authenticate through the proxy without any 
problems with both IE7 and FF2.   Same user, same proxy, same passwords just different machines.  
If I bypass the proxy, everything works fine on all machines.  I read something in the archives 
about configuring the browser to keep authentication details longer.  Could that be the difference? 
 If so, I have no idea how to change that??  Below are the two relevant portions from access.log.  
I have the live http header add-on for FF also but I'm ignorant on reading and using it 
effectively.  Any help or ideas are appreciated!

Does NOT connect:
[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1211985315.277 53 170.211.xxx.30 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html

1211985326.697 25 170.211.xxx.30 TCP_MISS/401 2272 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985326.760 42 170.211.xxx.30 TCP_MISS/401 2028 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
  


TCP_MISS/401 indicates the website returned a Not Authorized response, 
which should cause your browser to prompt for authentication.




Does connect:
[EMAIL PROTECTED] squid]# tail -f access.log | grep www.k12.ar.us 
1211985582.423 71 170.211.xxx.31 TCP_MISS/401 2145 GET http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html

1211985605.978 27 170.211.xxx.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher DIRECT/165.29.214.2 text/html
1211985606.002 25 170.211.xxx.31 TCP_MISS/304 414 GET 
http://www.k12.ar.us/secure/smspo/smspo.htm rasher NONE/- -
1211985606.077 61 170.211.xxx.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher DIRECT/165.29.214.2 
text/html
1211985606.103 26 170.211.xxx.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1211985606.130 26 170.211.xxx.31 TCP_MISS/404 1991 GET 
http://www.k12.ar.us/secure/smspo/awmmenupath.gif rasher NONE/- text/html
1211985606.234 71 170.211.xxx.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.259 24 170.211.xxx.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.263 49 170.211.xxx.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 
text/html
1211985606.267 53 170.211.xxx.31 TCP_MISS/401 2145 GET 
http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.281 21 170.211.xxx.31 TCP_MISS/304 413 GET 
http://www.k12.ar.us/secure/smspo/bg.jpg rasher NONE/- -
1211985606.286 23 170.211.xxx.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher DIRECT/165.29.214.2 
text/html
1211985606.291 23 170.211.xxx.31 TCP_MISS/401 2277 GET 
http://www.k12.ar.us/secure/smspo/mid.jpg rasher DIRECT/165.29.214.2 text/html
1211985606.314 26 170.211.xxx.31 TCP_MISS/304 412 GET 
http://www.k12.ar.us/secure/smspo/topmenu.jpg rasher NONE/- -
1211985606.314 22 170.211.xxx.31 TCP_MISS/304 413 GET 
http://www.k12.ar.us/secure/smspo/mid.jpg rasher NONE/- -
  


Wow.  Not a single TCP_MISS/200 or TCP_HIT/200.  The only requests that 
succeeded were cached content (TCP_MISS/304, with a parent of NONE).  
So, from the evidence given, the machine that is working only appears 
to be working because it is able to wrest a response from the cache that 
allows it to use its locally cached copy...



Thanks,
Rob


-
Rob Asher
Network Systems Technician
Paragould School District
(870)236-7744 Ext. 169
  


Chris


Re: [squid-users] Authentication problem

2007-01-08 Thread Henrik Nordstrom
Mon 2007-01-08 at 12:19 -0500, Nick Duda wrote:

 First off, 2.6 did fix my problems, so thanks again. The problem I have
 now is we decided to use SmartFilter by Secure Computing which fixes all
 the ACL issues I have. The only problem is that they only support up to
 2.5stable13 (they say 2.6 by Q2 this year). I've tried to use it with
 2.6 and it's a no go.

Sorry, no help there. Can't support vendor modified Squid versions
where the vendor of the modifications does not provide source.

 Is there anyway to load via a patch the fixes that allow NTLM to work
 (as in my older post below) with 2.5stable13? We really want to use
 SmartFilter right away but this running only on 2.5stable13 is a real
 bummer.

You are welcome to try backporting this. All the changes are at
http://www.squid-cache.org/Versions/v2/2.6/changesets/ (look for
connection pinning) but it's probably not going to be easy.. certainly
not with the SmartFilter modifications also in the mix.. 

I think it will be easier and more productive to forward-port the
SmartFilter changes.. Doing so would also give you valuable insight into
just how modified your SmartFilter Squid really is.

Regards
Henrik




Re: [squid-users] Authentication problem

2006-09-01 Thread Henrik Nordstrom
On Fri, 2006-09-01 at 12:42 +0300, Strandell, Ralf wrote:
 Hi
 
 I try to access a page that requires a username and a password. The page
 is hosted on IIS.

Which Squid version? Should work with current STABLE release
(2.6.STABLE3).

Squid-2.5 can only forward HTTP compliant authentication schemes (Basic
and Digest), not Microsoft broken authentication schemes (NTLM,
Negotiate and Kerberos).

Regards
Henrik



RE: [squid-users] Authentication problem

2006-09-01 Thread Nick Duda

Are you saying 2.6 can work with the microsoft broken authentication
schemes? This would be so nice...and solve lots of my problems.

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, September 01, 2006 10:44 AM
To: Strandell, Ralf
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Authentication problem

On Fri, 2006-09-01 at 12:42 +0300, Strandell, Ralf wrote:
 Hi

 I try to access a page that requires a username and a password. The
 page is hosted on IIS.

Which Squid version? Should work with current STABLE release
(2.6.STABLE3).

Squid-2.5 can only forward HTTP compliant authentication schemes (Basic
and Digest), not Microsoft broken authentication schemes (NTLM,
Negotiate and Kerberos).

Regards
Henrik




RE: [squid-users] Authentication problem

2006-09-01 Thread Henrik Nordstrom
On Fri, 2006-09-01 at 10:47 -0400, Nick Duda wrote:
 Are you saying 2.6 can work with the microsoft broken authentication
 schemes?

Yes.

Regards
Henrik



Re: [squid-users] Authentication problem

2006-05-23 Thread Chris Robertson

Scott Jarkoff wrote:


I have Squid setup so that it performs NTLM authentication from a
Windows 2003 Active Directory domain controller.  It currently works
without issue, allowing only properly authenticated users web browsing
access and denying others.

What I would like to do is block certain accounts from web browsing.
When I implement such a block the users are presented with an
authentication dialog box, and then ultimately receive the proper deny
message in the browser.  The problem is that I do not want them to be
prompted for valid credentials; they should be immediately denied
access.

Here are the appropriate areas of my configuration:

acl authenticated_users proxy_auth REQUIRED
acl denied_admin proxy_auth_regex -i /etc/squid/denied_admin
acl denied_users proxy_auth_regex -i /etc/squid/denied_users

http_access deny denied_users
http_access deny denied_admin
deny_info ERR_ACCESS_DENIED_ADMIN denied_admin

http_access allow authenticated_users
http_access allow localhost
http_access allow local_network
http_access deny all

Any ideas how I can get rid of the authentication dialog box that pops
up and just have the deny message issued immediately?

See http://www.squid-cache.org/mail-archive/squid-users/200603/0845.html 
and http://www.squid-cache.org/mail-archive/squid-users/200603/0851.html


Chris


Re: [squid-users] Authentication problem

2006-05-23 Thread Scott Jarkoff

On 5/24/06, Chris Robertson [EMAIL PROTECTED] wrote:


See http://www.squid-cache.org/mail-archive/squid-users/200603/0845.html
and http://www.squid-cache.org/mail-archive/squid-users/200603/0851.html


Thanks very much Chris.  Those links were exactly what I was looking
for.  Much appreciated!

--
Scott Jarkoff


Re: [squid-users] Authentication problem

2006-02-10 Thread Mark Elsen
 I am running CentOS 4.1 with squid-2.5.STABLE6-3.4E.5

 I am able to go and do as I please, except for one site.

 http://usarmy.skillport.com

 I am able to get to the site, and do my sign-in, but as the site is
 trying to log me in, I continually get a pop-up from my proxy server
 wanting me to authenticate and I cannot get beyond the authentication. I
 put my information in, and it will come back up after about 15-30
 seconds.  From what I can see, it does not recognize the information I
 am putting in.  Normally I would see Domain\username, but I don't, and
 I am sure this is why I cannot get beyond authentication, but again.
 This is the only site I am having an issue with. Here is what my log
 looks like:


 1139498358.467  1 172.16.12.219 TCP_DENIED/407 1741 CONNECT
 usarmy.skillport.com:443 - NONE/- text/html
 1139498358.490  1 172.16.12.219 TCP_DENIED/407 1740 CONNECT
 usarmy.skillport.com:443 - NONE/- text/html
 1139498358.499  1 172.16.12.219 TCP_DENIED/407 1740 CONNECT
 usarmy.skillport.com:443 - NONE/- text/html
 1139498358.505  0 172.16.12.219 TCP_DENIED/407 413 HEAD
 http://usarmy.skillport.com:443/rkusarmy/APPLET/snifferSimple/class.clas
 s - NONE/- text/html
 1139498358.508  0 172.16.12.219 TCP_DENIED/407 417 HEAD
 http://usarmy.skillport.com:443/rkusarmy/APPLET/snifferSimple/class.clas
 s - NONE/- text/html




  The site probably uses the NTLM auth. scheme, which is not proxyable.
  Even MS advises against using NTLM on internet-targeted webservers.

  M.


RE: [squid-users] Authentication problem

2006-02-10 Thread Casey King
Okay thanks for the information.  Guess I will mess around with this
site from home then.

-Original Message-
From: Mark Elsen [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 10, 2006 11:06 AM
To: Casey King
Cc: Squid Mailing List
Subject: Re: [squid-users] Authentication problem


 I am running CentOS 4.1 with squid-2.5.STABLE6-3.4E.5

 I am able to go and do as I please, except for one site.

 http://usarmy.skillport.com

 I am able to get to the site, and do my sign-in, but as the site is 
 trying to log me in, I continually get a pop-up from my proxy server 
 wanting me to authenticate and I cannot get beyond the authentication.

 I put my information in, and it will come back up after about 15-30 
 seconds.  From what I can see, it does not recognize the information I

 am putting in.  Normally I would see Domain\username, but I don't, 
 and I am sure this is why I cannot get beyond authentication, but 
 again. This is the only site I am having an issue with. Here is what 
 my log looks like:


 1139498358.467  1 172.16.12.219 TCP_DENIED/407 1741 CONNECT
 usarmy.skillport.com:443 - NONE/- text/html
 1139498358.490  1 172.16.12.219 TCP_DENIED/407 1740 CONNECT
 usarmy.skillport.com:443 - NONE/- text/html
 1139498358.499  1 172.16.12.219 TCP_DENIED/407 1740 CONNECT
 usarmy.skillport.com:443 - NONE/- text/html
 1139498358.505  0 172.16.12.219 TCP_DENIED/407 413 HEAD
 http://usarmy.skillport.com:443/rkusarmy/APPLET/snifferSimple/class.cl
 as
 s - NONE/- text/html
 1139498358.508  0 172.16.12.219 TCP_DENIED/407 417 HEAD

http://usarmy.skillport.com:443/rkusarmy/APPLET/snifferSimple/class.clas
 s - NONE/- text/html




  The site probably uses the NTLM auth. scheme, which is not
proxyable.
  Even MS advises against using NTLM on internet-targeted webservers.

  M.



Re: [squid-users] authentication problem with squid_ldap_group

2005-01-12 Thread Henrik Nordstrom
On Wed, 12 Jan 2005, Oliver Hookins wrote:
The only thing I could suggest is trying the -S parameter anyway. I don't 
know any really good ways to find out what is happening, unless you can write 
a test-program to replace squid_ldap_group that logs what options and input 
were passed to it. It either works or it doesn't!
The -d flag to squid_ldap_group makes it more verbose about its 
operations.

Regards
Henrik


Re: [squid-users] authentication problem with squid_ldap_group

2005-01-11 Thread Oliver Hookins
Joachim JS. Schuster wrote:
Joachim JS. Schuster wrote:
Dear squid users,
I need help with my authentication problem with squid_ldap_group.
First I create an entry for squid_ldap_auth. I can log in and I have web 
access and it works fine.

auth_param basic program /usr/sbin/squid_ldap_auth -P -R -b dc=mb,dc=local -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -f (&(sAMAccountName=%s)(objectClass=Person)) -h 192.168.3.1
acl USERS proxy_auth REQUIRED

http_access allow USERS
In the next step I create these lines for my LDAP group access.
external_acl_type ldapgroup concurrency=15 %LOGIN /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f (&(cn=%g)(member=%u)) -F (&(sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1

acl ldapproxygroup external ldapgroup webaccess
http_access allow ldapproxygroup
I can log in but I have no web access. I see the 407 error access denied 
in squid conf.

When I execute
heins:~ # /usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f (&(cn=%g)(member=%u)) -F (&(sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1
cwm webaccess
OK

I get OK but the user cwm can't use the proxy.

Can you quote some of the logs that shows the problem? Is the username 
in the logs exactly as you are typing it on the command line? What I am 
getting at is that it might have the domain name attached to the 
username in which case you need the -S option for squid_ldap_group.

Regards,
Oliver
Sorry, I am new to this list. Which way must I contact you?
By your mail address or over squid-users@squid-cache.org?
The access.log entries:
1105494666.537  0 192.168.5.2 TCP_DENIED/407 2470 GET http://www.google.de/ 
- NONE/- text/html
1105494675.258 24 192.168.5.2 TCP_DENIED/403 2217 GET http://www.google.de/ 
cwm NONE/- text/html
The username cwm is correct. I can add more users to webaccess. I checked all the new users with the command line below and the test is OK.
/usr/sbin/squid_ldap_group -P -R -b ou=intern,dc=mb,dc=local -f (&(cn=%g)(member=%u)) -F (&(sAMAccountName=%s)(objectClass=Person)) -D cn=squid,cn=users,dc=mb,dc=local -w secret1998 -h 192.168.3.1

Regards
Joachim
Sorry, my mail program doesn't automatically reply to the list - yes you 
 should reply to the list unless you want to converse directly with one 
of the members.

The only thing I could suggest is trying the -S parameter anyway. I 
don't know any really good ways to find out what is happening, unless 
you can write a test-program to replace squid_ldap_group that logs what 
options and input were passed to it. It either works or it doesn't!

Regards,
Oliver
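Oliver's suggestion of a test program that logs exactly what options and input reach it is a few lines of code. The following Python is an added example, not code from this thread, from squid_ldap_group or from Squid: it speaks the `concurrency=N` external ACL helper protocol (`<channel-id> <user> <group>...` in, `<channel-id> OK` or `<channel-id> ERR` out), writes every request it receives to stderr, and answers from a constructed group table instead of LDAP. Its `-S` handling imitates what the thread says the real helper's `-S` option does (drop a `DOMAIN\` prefix from the login name), so the effect of a domain-qualified username can be reproduced. The users, the group and the domain `MB` are constructed, and the fields are taken as plain space-separated words (no quoting or escaping is handled).

```python
import sys

# Constructed group table standing in for the LDAP lookup squid_ldap_group does.
GROUPS = {"webaccess": {"cwm", "alice"}}


def strip_domain(user):
    """Imitation of squid_ldap_group -S: drop a DOMAIN\\ or DOMAIN/ prefix."""
    for sep in ("\\", "/"):
        if sep in user:
            user = user.split(sep, 1)[1]
    return user


def is_member(user, group, strip=False):
    """Membership check against the constructed table, optionally domain-stripped."""
    name = strip_domain(user) if strip else user
    return name in GROUPS.get(group, set())


def handle_line(line, strip=False, log=None):
    """One request in the concurrency=N protocol: '<channel-id> <user> <group> [<group>...]'.
    Returns '<channel-id> OK' or '<channel-id> ERR', or None for a line with too few
    fields.  When log is given, the parsed request is written there first, which is
    the point of using this in place of the real helper while debugging."""
    parts = line.rstrip("\r\n").split()
    if len(parts) < 3:
        return None
    channel, user, groups = parts[0], parts[1], parts[2:]
    if log is not None:
        log.write("request: channel=%s user=%r groups=%r\n" % (channel, user, groups))
    verdict = "OK" if any(is_member(user, g, strip) for g in groups) else "ERR"
    return "%s %s" % (channel, verdict)


def main(argv):
    # Log the command line Squid started us with, then serve requests on stdin.
    strip = "-S" in argv[1:]
    sys.stderr.write("started with args %r\n" % (argv[1:],))
    for line in sys.stdin:
        reply = handle_line(line, strip=strip, log=sys.stderr)
        if reply is not None:
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()  # Squid waits for each answer; never leave it buffered


if __name__ == "__main__":
    main(sys.argv)
```

To use it the way Oliver describes, point the `external_acl_type` line at this script (with the same `-S` and other options) in place of the real helper, reload, and compare the usernames in stderr against what worked on the command line; a login arriving as `MB\cwm` while the table only knows `cwm` is exactly the case `-S` exists for.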


Re: [squid-users] authentication problem

2003-12-11 Thread Henrik Nordstrom
On Thu, 11 Dec 2003, Victor Souza Menezes wrote:

 following domain: tre-pb.gov.br. I didn't create any organization unit, so the
 users that i created stays under the standard organization unit (Users).
 
 this is the line that i have in squid.conf to define the external helper:
 
 auth_param basic program /usr/lib/squid/squid_ldap_auth -b ou=Users,
 dc=tre-pb, dc=gov, dc=br -h 10.12.1.15

You still need to use the search mode of the helper. See the 
squid_ldap_auth manual. You can also find a couple of MSAD examples in the 
squid_ldap_auth manual.

Regards
Henrik



Re: [squid-users] authentication problem and Server redirected too many times (20) error message

2003-12-03 Thread Henrik Nordstrom
Then check your acl and http_access lines related to authentication.

Regards
Henrik


On Tue, 2 Dec 2003, Rami Jaamour wrote:

 I ran this test again as 'rjaamour' the cache effective user (as you can 
 notice from my conf file) and it still succeeds on correct 
 username/password pairs.
 
 Thank you for your help.
 Rami
 
 
 Henrik Nordstrom wrote:
 
 Did you run this test as the cache_effective_user or as root?
 
 If as root, make sure to run the test as your cache_effective_user.
 
 Regards
 Henrik
 
 On Tue, 2 Dec 2003, Rami Jaamour wrote:
 
   
 
 I did that already.  It gives ERR on wrong username/password pairs and 
 OK on the correct one.
 
 Henrik Nordstrom wrote:
 
 
 
 On Mon, 1 Dec 2003, Rami Jaamour wrote:
 
  
 
   
 
 I do configure Mozilla to use the proxy, giving it the host name and 
 port and it worked in the past before I did the authentication, but when 
 Squid is configured to require authentication, then the browser (both 
 mozilla and IE) keep prompting for username and password.  Is my 
 squid.conf correct to do the proxy authentication?

 
 
 
 Then most likely there is a configuration error.
 
 First test is if the password file is correctly created.  Start the 
 auth_param basic program command manually and then type a username password 
 pair as input.
 
 Regards
 Henrik
 
 
 
  
 
   
 
 
 
 
 
   
 
 
 



Re: [squid-users] authentication problem and Server redirected too many times (20) error message

2003-12-02 Thread Rami Jaamour
I did that already.  It gives ERR on wrong username/password pairs and 
OK on the correct one.

Henrik Nordstrom wrote:

On Mon, 1 Dec 2003, Rami Jaamour wrote:

 

I do configure Mozilla to use the proxy, giving it the host name and 
port and it worked in the past before I did the authentication, but when 
Squid is configured to require authentication, then the browser (both 
mozilla and IE) keep prompting for username and password.  Is my 
squid.conf correct to do the proxy authentication?
   

Then most likely there is a configuration error.

First test is if the password file is correctly created.  Start the 
auth_param basic program command manually and then type a username password 
pair as input.

Regards
Henrik


 

--
Rami Jaamour
SOAPtest http://www.parasoft.com/jsp/products/home.jsp?product=SOAP 
Development
ParaSoft Corporation http://www.parasoft.com
(626) 256-3680 ext. 1217




Re: [squid-users] authentication problem and Server redirected too many times (20) error message

2003-12-02 Thread Henrik Nordstrom
Did you run this test as the cache_effective_user or as root?

If as root, make sure to run the test as your cache_effective_user.

Regards
Henrik

On Tue, 2 Dec 2003, Rami Jaamour wrote:

 I did that already.  It gives ERR on wrong username/password pairs and 
 OK on the correct one.
 
 Henrik Nordstrom wrote:
 
 On Mon, 1 Dec 2003, Rami Jaamour wrote:
 
   
 
 I do configure Mozilla to use the proxy, giving it the host name and 
 port and it worked in the past before I did the authentication, but when 
 Squid is configured to require authentication, then the browser (both 
 mozilla and IE) keep prompting for username and password.  Is my 
 squid.conf correct to do the proxy authentication?
 
 
 
 Then most likely there is a configuration error.
 
 First test is if the password file is correctly created.  Start the 
 auth_param basic program command manually and then type a username password 
 pair as input.
 
 Regards
 Henrik
 
 
 
   
 
 
 



Re: [squid-users] authentication problem and Server redirected too many times (20) error message

2003-12-02 Thread Rami Jaamour
I ran this test again as 'rjaamour' the cache effective user (as you can 
notice from my conf file) and it still succeeds on correct 
username/password pairs.

Thank you for your help.
Rami
Henrik Nordstrom wrote:

Did you run this test as the cache_effective_user or as root?

If as root, make sure to run the test as your cache_effective_user.

Regards
Henrik
On Tue, 2 Dec 2003, Rami Jaamour wrote:

 

I did that already.  It gives ERR on wrong username/password pairs and 
OK on the correct one.

Henrik Nordstrom wrote:

   

On Mon, 1 Dec 2003, Rami Jaamour wrote:



 

I do configure Mozilla to use the proxy, giving it the host name and 
port and it worked in the past before I did the authentication, but when 
Squid is configured to require authentication, then the browser (both 
mozilla and IE) keep prompting for username and password.  Is my 
squid.conf correct to do the proxy authentication?
  

   

Then most likely there is a configuration error.

First test is if the password file is correctly created.  Start the 
auth_param basic program command manually and then type a username password 
pair as input.

Regards
Henrik




 

   



 

--
Rami Jaamour
SOAPtest http://www.parasoft.com/jsp/products/home.jsp?product=SOAP 
Development
ParaSoft Corporation http://www.parasoft.com





Re: [squid-users] authentication problem and Server redirected too many times (20) error message

2003-12-01 Thread Henrik Nordstrom
On Mon, 1 Dec 2003, Rami Jaamour wrote:

 My Squid works fine without authentication but when I try to use
 ncsa_auth I get problems.
 
 When I use mozilla with the proxy settings configured to my squid, it
 keeps infinitely prompting for the username and password even though I
 give it the correct username and password.

Are you running Squid as a transparently intercepting proxy?

To use proxy authentication your browser MUST be configured to use a 
proxy.

Regards
Henrik



Re: [squid-users] authentication problem and Server redirected too many times (20) error message

2003-12-01 Thread Rami Jaamour
I do configure Mozilla to use the proxy, giving it the host name and 
port and it worked in the past before I did the authentication, but when 
Squid is configured to require authentication, then the browser (both 
mozilla and IE) keep prompting for username and password.  Is my 
squid.conf correct to do the proxy authentication?  When I hit cancel, I 
get the following HTML error page:

 ERROR

   Cache Access Denied

While trying to retrieve the URL: 
http://soaptest.parasoft.com/calculator.wsdl

The following error was encountered:

   * Cache Access Denied.

Sorry, you are not currently allowed to request:

   http://soaptest.parasoft.com/calculator.wsdl

from this cache until you have authenticated yourself.

You need to use Netscape version 2.0 or greater, or Microsoft Internet 
Explorer 3.0, or an HTTP/1.1 compliant browser for this to work. Please 
contact the cache administrator mailto:webmaster if you have 
difficulties authenticating yourself or change 
http://katze.parasoft.com/cgi-bin/chpasswd.cgi your default password.

Generated Tue, 02 Dec 2003 03:19:40 GMT by katze.parasoft.com 
(squid/2.5.STABLE4)



Henrik Nordstrom wrote:

On Mon, 1 Dec 2003, Rami Jaamour wrote:

 

My Squid works fine without authentication but when I try to use
ncsa_auth I get problems.
When I use mozilla with the proxy settings configured to my squid, it
keeps infinitely prompting for the username and password even though I
give it the correct username and password.
   

Are you running Squid as a transparently intercepting proxy?

To use proxy authentication your browser MUST be configured to use a 
proxy.

Regards
Henrik
 

--
Rami Jaamour
SOAPtest http://www.parasoft.com/jsp/products/home.jsp?product=SOAP 
Development
ParaSoft Corporation http://www.parasoft.com
(626) 256-3680 ext. 1217




Re: [squid-users] Authentication problem in squid

2003-11-20 Thread Henrik Nordstrom
On Thu, 20 Nov 2003, Chaman Rana wrote:

 through samba. My configuration  are as follows
 
 auth_param basic program /usr/lib/squid/smb_auth  /etc/samba/smbpasswd

Please see the smb_auth documentation.
url:http://www.hacom.nl/~richard/software/smb_auth.html

Regards
Henrik



RE: [squid-users] Authentication problem

2003-09-15 Thread Deepa D
Hi,
   Yes, we need to screen all the url requests even if
the client machines are not configured to use a proxy.
Kindly mail me any solutions that we could use to
overcome this problem.
  Regards and TIA,
  Deepa
 
 --- Adam Aube [EMAIL PROTECTED] wrote:  
   The browsers are not configured to use the
 proxy -
  hence the pam_auth of the squid proxy cannot be
 used
  for authentication.
 
 Is there a particular reason you're using a
 transparent proxy?
 
 Adam 




Re: [squid-users] authentication problem

2003-07-24 Thread Henrik Nordstrom
On Thursday 24 July 2003 23.42, Wes Crabtree wrote:
 Greetings,

 I am authenticating using group ldap.  Works great as long as I
 don't use special characters in my password.  Any password works
 when I test the group ldap program from a command line, it only
 fails when it passes thru Squid.  Any help would be greatly
 appreciated.

Which LDAP helper program are you using?

For Squid-2.5 you should be using the helper shipped with Squid-2.5. 
Using another LDAP helper will give problems with special characters.

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]
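Two of Henrik's answers on this page fit one small program: the ncsa_auth thread (start the `auth_param basic program` by hand, as the cache_effective_user, type `username password` lines and expect OK or ERR) and this one (use the helper shipped with Squid, because other helpers break on special characters). The following Python is an added example, not code from either thread, from ncsa_auth or from Squid: a minimal basic-auth helper that rfc1738-unescapes both fields the way the Squid-shipped helpers do before checking them, plus a function that builds the escaped line Squid hands a basic helper, so the special-character failure mode can be reproduced offline. The users, passwords and salts are constructed, and the salted SHA-256 table stands in for the htpasswd-style file a real helper would read.

```python
import hashlib
import hmac
import sys
from urllib.parse import quote, unquote


def _entry(password, salt):
    """Build one constructed credential record: (salt, sha256(salt + password))."""
    return salt, hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed credential store; a real helper reads the file named on the
# auth_param line instead (which is why the manual test must run as the
# cache_effective_user, who needs read access to it).
USERS = {
    "rjaamour": _entry("plain-secret", "salt1"),
    "wes": _entry("p@ss word%", "salt2"),  # password with a space, '@' and '%'
}


def verify(user, password):
    """Constant-time comparison of the salted hash for user; False for unknown users."""
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def squid_request_line(user, password):
    """The line Squid writes to a basic helper: 'user password' with both fields
    rfc1738-escaped, so a space or '%' in either one cannot split or corrupt the line."""
    return "%s %s" % (quote(user, safe=""), quote(password, safe=""))


def handle_line(line, unescape=True):
    """Answer one helper request with OK or ERR.  unescape=False shows what a helper
    that skips the unescape step does with a special-character password."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = parts
    if unescape:
        user, password = unquote(user), unquote(password)
    return "OK" if verify(user, password) else "ERR"


def main():
    # Manual test as in the thread: run the helper and type 'user password' lines.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid reads one answer per request; never buffer it


if __name__ == "__main__":
    main()
```

Saved as, say, `basic_helper.py` (a name assumed here), `printf 'rjaamour plain-secret\n' | python3 basic_helper.py` prints `OK`, which is the hand test Henrik asks for; `handle_line(squid_request_line("wes", "p@ss word%"), unescape=False)` returns `ERR` while the unescaping path returns `OK`, which is the special-character problem Henrik attributes to helpers not shipped with Squid.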