Chris,
I would try and move http_access allow manager localhost above
http_access deny blocked_urls. I just did this on my setup and it
worked. give it a try. I have moved them below so you can see what i
did.
On Thu, 2002-11-07 at 08:34, Chris Tatro wrote:
> Here is a cleaned up version of my squid.conf
>
> You can see exactly why I am not allowed to view the cache
> manager because it is denied from my restricted users
> rule. I there a way for me to get around not having to
> authenticate for the cache manager? If I remove the rules
> below from my squid.conf:
>
> http_access allow restricted_users
> restricted_users_websites http_ports my_network
> http_access allow unrestricted_users all http_ports
> my_network
>
> I am then allowed to go into the cache manager. So it is
> something about these rules that is causing the problem.
>
>
> I have turned the “debug_options ALL,1 28,9” on in
> squid.conf to debug my ACLs and I get the following in the
> cache.log when I try to access the Cache manager:
>
>
> 2002/11/07 05:15:51| The request GET
> http://172.16.1.226:10000/syslog/save_log.cgi?idx=10&view=1
> is ALLOWED, because it matched 'my_network'
>
> 2002/11/07 05:15:52| The reply for GET
> http://172.16.1.226:10000/syslog/save_log.cgi?idx=10&view=1
> is ALLOWED, because it matched 'all'
>
> 2002/11/07 05:16:56| The request GET
> cache_object://localhost/ is DENIED, because it matched
> 'restricted_users'
>
> 2002/11/07 05:16:56| The reply for GET
> cache_object://localhost/ is ALLOWED, because it matched
> 'all'
>
> So the problem is definetly a ACL prbelm but I for the
> life of me can’t figure it out. Thank you so much for your
> help so far it has helped me pin point the problem further
> but only if I could fix it now . Do you have any
> further ideas?
>
> Below i have pasted my entire squid.conf and i have also
> attached the file for your convince.
>
>
>
>
>
>
>
>
>
>
>
>
>
> http_port 8080
> icp_port 0
> hierarchy_stoplist cgi-bin ?
>
> acl QUERY urlpath_regex cgi-bin \?
> acl squidserver dst 172.16.1.226/255.255.255.255
> no_cache deny QUERY squidserver
>
> maximum_object_size 50 MB
>
> cache_dir ufs /var/spool/squid 5000 16 256
>
> debug_options ALL,1 33,2
>
> auth_param ntlm program /usr/lib/squid/wb_ntlmauth
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> auth_param basic program /usr/lib/squid/wb_auth
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
>
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> positive_dns_ttl 2 day
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl http_ports port 80 443 563 10000
>
>
> acl CONNECT method CONNECT
> acl proxy_server dst 172.16.1.226/255.255.255.255
> acl restricted_users_websites dstdomain
> "/etc/squid/restricted_users_websites.txt"
> acl my_network src 172.16.0.0-172.25.0.0/255.255.0.0
>
> acl unrestricted_users proxy_auth
> "/etc/squid/unrestricted_users.txt"
> acl restricted_users proxy_auth
> "/etc/squid/restricted_users.txt"
>
> acl downloads rep_mime_type
> "/etc/squid/mime_type_blocked_download.txt"
> acl blocked_urls url_regex "/etc/squid/blocked_urls.txt"
> acl available_download_websites dstdomain
> "/etc/squid/available_download_websites.txt"
http_access allow manager localhost
> http_access deny blocked_urls
>
> http_access allow restricted_users
> restricted_users_websites http_ports my_network
> http_access allow unrestricted_users all http_ports
> my_network
> http_access allow proxy_server http_ports my_network
>
>
> miss_access allow all
>
> http_access allow localhost
> http_access deny all
>
>
> http_reply_access allow available_download_websites
> http_reply_access deny downloads
> http_reply_access allow all
>
> icp_access allow all
> cache_mgr
> JacobsA@WausauHomes.com;WizaB@WausauHomes.com;TatroC@WausauHomes.com
> visible_hostname SQUID
> memory_pools off
> coredump_dir /var/spool/squid
>
>
>
>
>
>
>
>
> -----Original Message-----
> From: Edward Mann [mailto:edward@arctechnology.com]
> Sent: Wednesday, November 06, 2002 5:53 PM
> To: Chris Tatro
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] proxy_auth help
>
>
> Chris,
>
> wb_group you don't need, that was just something out of my
> setup.
>
> Can you send me your entire config file. I have re-ordered
> things to work the way that i have mine setup.
>
> auth_param ntlm program /usr/lib/squid/wb_ntlmauth
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> auth_param basic program /usr/lib/squid/wb_auth
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl http_ports port 1-65000
>
> #acl CONNECT method CONNECT
> acl proxy_server dst 172.16.1.226/255.255.255.255
> acl restricted_users_websites dstdomain
> "/etc/squid/restricted_users_websites.txt"
> acl my_network src 172.16.0.0-172.25.0.0/255.255.0.0
>
> external_acl_type NT_auth %LOGIN /usr/lib/squid/wb_auth
> acl FullAccess external NT_auth all
>
> acl unrestricted_users proxy_auth
> "/etc/squid/unrestricted_users.txt"
> acl restricted_users proxy_auth
> "/etc/squid/restricted_users.txt"
>
> acl downloads rep_mime_type
> "/etc/squid/mime_type_blocked_download.txt"
> acl blocked_urls url_regex "/etc/squid/blocked_urls.txt"
> acl available_download_websites dstdomain
> "/etc/squid/available_download_websites.txt"
>
> http_access deny blocked_urls
> http_access allow restricted_users
> restricted_users_websites http_ports my_network
> http_access allow unrestricted_users all http_ports
> my_network http_access allow proxy_server http_ports
> my_network http_access allow FullAccess
>
> http_access allow manager localhost
> http_access allow manager FullAccess
>
>
> Okay this is all i can think of right now. I am in the
> middle of re-ip addressing our network, so my brain is a
> little scattered. Talk to you later.
>
>
>
> On Wed, 2002-11-06 at 13:43, Chris Tatro wrote:
> > Below I have pasted my acls, http_access and auth_param lines. I tried
> > what you suggested Edward but I am still not having any luck. Do I
> > need to type some kind of password and user name in to get at the
> > Cache Manger through Webmin? Before I turned proxy_auth on I never had
> > to type in a password and user name to get at the Cache
> > manager I simply changed the port and number to 8080. I
> > know it has to be something simple I am doing wrong but I
> > for the life of me can˘t figure it out.
> > Also Edward I do not have a wb_group module I have a
> > wb_auth module I am running samba 2.2.6. Am I suppose to
> > have a wb_group module?
> >
> > Thanks for the help so far it is very appreciated.
> >
> >
> >
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl http_ports port 1-65000
> >
> > acl CONNECT method CONNECT
> > acl proxy_server dst 172.16.1.226/255.255.255.255
> > acl restricted_users_websites dstdomain
> > "/etc/squid/restricted_users_websites.txt"
> > acl my_network src 172.16.0.0-172.25.0.0/255.255.0.0
> >
> > external_acl_type NT_auth %LOGIN /usr/lib/squid/wb_auth
> > acl FullAccess external NT_auth all
> >
> > acl unrestricted_users proxy_auth "/etc/squid/unrestricted_users.txt"
> > acl restricted_users proxy_auth
> > "/etc/squid/restricted_users.txt"
> >
> > acl downloads rep_mime_type
> > "/etc/squid/mime_type_blocked_download.txt"
> > acl blocked_urls url_regex "/etc/squid/blocked_urls.txt"
> > acl available_download_websites dstdomain
> > "/etc/squid/available_download_websites.txt"
> >
> >
> >
> >
> > http_access deny blocked_urls
> > http_access allow restricted_users
> > restricted_users_websites http_ports my_network
> > http_access allow unrestricted_users all http_ports my_network
> > http_access allow proxy_server http_ports my_network
> > http_access allow FullAccess
> >
> > http_access allow manager localhost
> > http_access allow manager FullAccess
> >
> > auth_param ntlm program /usr/lib/squid/wb_ntlmauth
> > auth_param ntlm children 5
> > auth_param ntlm max_challenge_reuses 0
> > auth_param ntlm max_challenge_lifetime 2 minutes
> >
> > auth_param basic program /usr/lib/squid/wb_auth
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server auth_param basic
> > credentialsttl 2 hours
> >
> >
> >
> >
> > On 06 Nov 2002 08:58:38 -0600
> > Edward Mann <edward@arctechnology.com> wrote:
> > >ACL run in order. Using the ip address, something like
> > >this should do
> > >the trick.
> > >
> > >acl nopasswd src 10.251.0.38/255.255.0.0 10.251.0.39/255.255.0.0
> > >
> > >external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
> > >acl FullAccess external NT_global_group internet
> > >
> > >
> > >http_access allow nopasswd
> > >http_access allow FullAccess
> > >
> > >
> > >See if that works.
> > >
> > >On Wed, 2002-11-06 at 05:48, Chris Tatro wrote:
> > >> I have all the users authenticating through the NT
> > >>domain
> > >> controller via winbind from samba. How do I write a ACL with
> > >>proxy_auth to allow 2 computer to get through without
> > >> authenticating?
> > >> Is this possible?
> > >>
> > >> Thanks
> > >>
> > >> >PS I found this post which says what I need to do to
> > >>get my cachemgr.cgi working.
> > >>
> > >>
> > >> >You need to allow the host where cachemgr.cgi runs
> > >>access without
> > >> >proxy_auth.
> > >>
> > >> >I have a small patch to cachemgr.cgi to allow it to be
> > >>used in
> > >> >proxy_auth environments.
> > >>
> > >> ---
> > >> >Henrik Nordstrom
> > >> >Spare time Squid hacker
> > >>
> > >> >Alex Pikus wrote:
> > >
> >
> > <TEXTAREA NAME="Signature" ROWS="4" COLS="60"><TEXTAREA
> > NAME="Signature" ROWS="4" COLS="60">
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.408 / Virus Database: 230 - Release Date:
> 10/24/2002
> failure
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.408 / Virus Database: 230 - Release Date:
> 10/24/2002
>
>
>
>
>
>
>
>
> You can see exactly why I am not allowed to view the cache
> manager because it is denied from my restricted users
> rule. I there a way for me to get around not having to
> authenticate for the cache manager? If I remove the rules
> below from my squid.conf:
>
> http_access allow restricted_users
> restricted_users_websites http_ports my_network
> http_access allow unrestricted_users all http_ports
> my_network
>
> I am then allowed to go into the cache manager. So it is
> something about these rules that is causing the problem.
>
>
> I have turned the “debug_options ALL,1 28,9” on in
> squid.conf to debug my ACLs and I get the following in the
> cache.log when I try to access the Cache manager:
>
>
> 2002/11/07 05:15:51| The request GET
> http://172.16.1.226:10000/syslog/save_log.cgi?idx=10&view=1
> is ALLOWED, because it matched 'my_network'
>
> 2002/11/07 05:15:52| The reply for GET
> http://172.16.1.226:10000/syslog/save_log.cgi?idx=10&view=1
> is ALLOWED, because it matched 'all'
>
> 2002/11/07 05:16:56| The request GET
> cache_object://localhost/ is DENIED, because it matched
> 'restricted_users'
>
> 2002/11/07 05:16:56| The reply for GET
> cache_object://localhost/ is ALLOWED, because it matched
> 'all'
>
> So the problem is definetly a ACL prbelm but I for the
> life of me can’t figure it out. Thank you so much for your
> help so far it has helped me pin point the problem further
> but only if I could fix it now . Do you have any
> further ideas?
>
>
>
>
>
Received on Thu Nov 07 2002 - 08:18:42 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:12 MST