Re: FW: [squid-users] proxy_auth help

From: Chris Tatro <k0rnshell@dont-contact.us>
Date: Thu, 07 Nov 2002 10:50:12 -0500

I did what you suggested and it works now! Thanks for all
the help you have been great, I don&#8217;t understand why
moving that line would make it work. Do you?

On 07 Nov 2002 09:19:27 -0600
  Edward Mann <edward@arctechnology.com> wrote:
>Chris,
>I would try and move http_access allow manager localhost
>above
>http_access deny blocked_urls. I just did this on my
>setup and it
>worked. give it a try. I have moved them below so you can
>see what i
>did.
>
>
>On Thu, 2002-11-07 at 08:34, Chris Tatro wrote:
>> Here is a cleaned up version of my squid.conf
>>
>> You can see exactly why I am not allowed to view the
>>cache
>> manager because it is denied from my restricted users
>> rule. I there a way for me to get around not having to
>> authenticate for the cache manager? If I remove the
>>rules
>> below from my squid.conf:
>>
>> http_access allow restricted_users
>> restricted_users_websites http_ports my_network
>> http_access allow unrestricted_users all http_ports
>> my_network
>>
>> I am then allowed to go into the cache manager. So it is
>> something about these rules that is causing the problem.
>>
>>
>> I have turned the “debug_options ALL,1 28,9” on in
>> squid.conf to debug my ACLs and I get the following in
>>the
>> cache.log when I try to access the Cache manager:
>>
>>
>> 2002/11/07 05:15:51| The request GET
>> http://172.16.1.226:10000/syslog/save_log.cgi?idx=10&view=1
>> is ALLOWED, because it matched 'my_network'
>>
>> 2002/11/07 05:15:52| The reply for GET
>> http://172.16.1.226:10000/syslog/save_log.cgi?idx=10&view=1
>> is ALLOWED, because it matched 'all'
>>
>> 2002/11/07 05:16:56| The request GET
>> cache_object://localhost/ is DENIED, because it matched
>> 'restricted_users'
>>
>> 2002/11/07 05:16:56| The reply for GET
>> cache_object://localhost/ is ALLOWED, because it matched
>> 'all'
>>
>> So the problem is definetly a ACL prbelm but I for the
>> life of me can’t figure it out. Thank you so much for
>>your
>> help so far it has helped me pin point the problem
>>further
>> but only if I could fix it now &#61514;. Do you have any
>> further ideas?
>>
>> Below i have pasted my entire squid.conf and i have also
>> attached the file for your convince.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> http_port 8080
>> icp_port 0
>> hierarchy_stoplist cgi-bin ?
>>
>> acl QUERY urlpath_regex cgi-bin \?
>> acl squidserver dst 172.16.1.226/255.255.255.255
>> no_cache deny QUERY squidserver
>>
>> maximum_object_size 50 MB
>>
>> cache_dir ufs /var/spool/squid 5000 16 256
>>
>> debug_options ALL,1 33,2
>>
>> auth_param ntlm program /usr/lib/squid/wb_ntlmauth
>> auth_param ntlm children 5
>> auth_param ntlm max_challenge_reuses 0
>> auth_param ntlm max_challenge_lifetime 2 minutes
>>
>> auth_param basic program /usr/lib/squid/wb_auth
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>>
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>>
>> positive_dns_ttl 2 day
>>
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl http_ports port 80 443 563 10000
>>
>>
>> acl CONNECT method CONNECT
>> acl proxy_server dst 172.16.1.226/255.255.255.255
>> acl restricted_users_websites dstdomain
>> "/etc/squid/restricted_users_websites.txt"
>> acl my_network src 172.16.0.0-172.25.0.0/255.255.0.0
>>
>> acl unrestricted_users proxy_auth
>> "/etc/squid/unrestricted_users.txt"
>> acl restricted_users proxy_auth
>> "/etc/squid/restricted_users.txt"
>>
>> acl downloads rep_mime_type
>> "/etc/squid/mime_type_blocked_download.txt"
>> acl blocked_urls url_regex "/etc/squid/blocked_urls.txt"
>> acl available_download_websites dstdomain
>> "/etc/squid/available_download_websites.txt"
>
>http_access allow manager localhost
>> http_access deny blocked_urls
>>
>> http_access allow restricted_users
>> restricted_users_websites http_ports my_network
>> http_access allow unrestricted_users all http_ports
>> my_network
>> http_access allow proxy_server http_ports my_network
>>
>>
>
>> miss_access allow all
>>
>> http_access allow localhost
>> http_access deny all
>>
>>
>> http_reply_access allow available_download_websites
>> http_reply_access deny downloads
>> http_reply_access allow all
>>
>> icp_access allow all
>> cache_mgr
>> JacobsA@WausauHomes.com;WizaB@WausauHomes.com;TatroC@WausauHomes.com
>> visible_hostname SQUID
>> memory_pools off
>> coredump_dir /var/spool/squid
>>
>>
>>
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: Edward Mann [mailto:edward@arctechnology.com]
>> Sent: Wednesday, November 06, 2002 5:53 PM
>> To: Chris Tatro
>> Cc: squid-users@squid-cache.org
>> Subject: Re: [squid-users] proxy_auth help
>>
>>
>> Chris,
>>
>> wb_group you don't need, that was just something out of
>>my
>> setup.
>>
>> Can you send me your entire config file. I have
>>re-ordered
>> things to work the way that i have mine setup.
>>
>> auth_param ntlm program /usr/lib/squid/wb_ntlmauth
>> auth_param ntlm children 5
>> auth_param ntlm max_challenge_reuses 0
>> auth_param ntlm max_challenge_lifetime 2 minutes
>>
>> auth_param basic program /usr/lib/squid/wb_auth
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl http_ports port 1-65000
>>
>> #acl CONNECT method CONNECT
>> acl proxy_server dst 172.16.1.226/255.255.255.255
>> acl restricted_users_websites dstdomain
>> "/etc/squid/restricted_users_websites.txt"
>> acl my_network src 172.16.0.0-172.25.0.0/255.255.0.0
>>
>> external_acl_type NT_auth %LOGIN /usr/lib/squid/wb_auth
>> acl FullAccess external NT_auth all
>>
>> acl unrestricted_users proxy_auth
>> "/etc/squid/unrestricted_users.txt"
>> acl restricted_users proxy_auth
>> "/etc/squid/restricted_users.txt"
>>
>> acl downloads rep_mime_type
>> "/etc/squid/mime_type_blocked_download.txt"
>> acl blocked_urls url_regex "/etc/squid/blocked_urls.txt"
>> acl available_download_websites dstdomain
>> "/etc/squid/available_download_websites.txt"
>>
>> http_access deny blocked_urls
>> http_access allow restricted_users
>> restricted_users_websites http_ports my_network
>> http_access allow unrestricted_users all http_ports
>> my_network http_access allow proxy_server http_ports
>> my_network http_access allow FullAccess
>>
>> http_access allow manager localhost
>> http_access allow manager FullAccess
>>
>>
>> Okay this is all i can think of right now. I am in the
>> middle of re-ip addressing our network, so my brain is a
>> little scattered. Talk to you later.
>>
>>
>>
>> On Wed, 2002-11-06 at 13:43, Chris Tatro wrote:
>> > Below I have pasted my acls, http_access and
>>auth_param lines. I tried
>> > what you suggested Edward but I am still not having
>>any luck. Do I
>> > need to type some kind of password and user name in to
>>get at the
>> > Cache Manger through Webmin? Before I turned
>>proxy_auth on I never had
>> > to type in a password and user name to get at the
>>Cache
>> > manager I simply changed the port and number to 8080.
>>I
>> > know it has to be something simple I am doing wrong
>>but I
>> > for the life of me can˘t figure it out.
>> > Also Edward I do not have a wb_group module I have a
>> > wb_auth module I am running samba 2.2.6. Am I suppose
>>to
>> > have a wb_group module?
>> >
>> > Thanks for the help so far it is very appreciated.
>> >
>> >
>> >
>> > acl all src 0.0.0.0/0.0.0.0
>> > acl manager proto cache_object
>> > acl localhost src 127.0.0.1/255.255.255.255
>> > acl http_ports port 1-65000
>> >
>> > acl CONNECT method CONNECT
>> > acl proxy_server dst 172.16.1.226/255.255.255.255
>> > acl restricted_users_websites dstdomain
>> > "/etc/squid/restricted_users_websites.txt"
>> > acl my_network src 172.16.0.0-172.25.0.0/255.255.0.0
>> >
>> > external_acl_type NT_auth %LOGIN
>>/usr/lib/squid/wb_auth
>> > acl FullAccess external NT_auth all
>> >
>> > acl unrestricted_users proxy_auth
>>"/etc/squid/unrestricted_users.txt"
>> > acl restricted_users proxy_auth
>> > "/etc/squid/restricted_users.txt"
>> >
>> > acl downloads rep_mime_type
>> > "/etc/squid/mime_type_blocked_download.txt"
>> > acl blocked_urls url_regex
>>"/etc/squid/blocked_urls.txt"
>> > acl available_download_websites dstdomain
>> > "/etc/squid/available_download_websites.txt"
>> >
>> >
>> >
>> >
>> > http_access deny blocked_urls
>> > http_access allow restricted_users
>> > restricted_users_websites http_ports my_network
>> > http_access allow unrestricted_users all http_ports
>>my_network
>> > http_access allow proxy_server http_ports my_network
>> > http_access allow FullAccess
>> >
>> > http_access allow manager localhost
>> > http_access allow manager FullAccess
>> >
>> > auth_param ntlm program /usr/lib/squid/wb_ntlmauth
>> > auth_param ntlm children 5
>> > auth_param ntlm max_challenge_reuses 0
>> > auth_param ntlm max_challenge_lifetime 2 minutes
>> >
>> > auth_param basic program /usr/lib/squid/wb_auth
>> > auth_param basic children 5
>> > auth_param basic realm Squid proxy-caching web server
>>auth_param basic
>> > credentialsttl 2 hours
>> >
>> >
>> >
>> >
>> > On 06 Nov 2002 08:58:38 -0600
>> > Edward Mann <edward@arctechnology.com> wrote:
>> > >ACL run in order. Using the ip address, something
>>like
>> > >this should do
>> > >the trick.
>> > >
>> > >acl nopasswd src 10.251.0.38/255.255.0.0
>>10.251.0.39/255.255.0.0
>> > >
>> > >external_acl_type NT_global_group %LOGIN
>>/usr/lib/squid/wb_group
>> > >acl FullAccess external NT_global_group internet
>> > >
>> > >
>> > >http_access allow nopasswd
>> > >http_access allow FullAccess
>> > >
>> > >
>> > >See if that works.
>> > >
>> > >On Wed, 2002-11-06 at 05:48, Chris Tatro wrote:
>> > >> I have all the users authenticating through the NT
>> > >>domain
>> > >> controller via winbind from samba. How do I write a
>>ACL with
>> > >>proxy_auth to allow 2 computer to get through
>>without
>> > >> authenticating?
>> > >> Is this possible?
>> > >>
>> > >> Thanks
>> > >>
>> > >> >PS I found this post which says what I need to do
>>to
>> > >>get my cachemgr.cgi working.
>> > >>
>> > >>
>> > >> >You need to allow the host where cachemgr.cgi runs
>> > >>access without
>> > >> >proxy_auth.
>> > >>
>> > >> >I have a small patch to cachemgr.cgi to allow it
>>to be
>> > >>used in
>> > >> >proxy_auth environments.
>> > >>
>> > >> ---
>> > >> >Henrik Nordstrom
>> > >> >Spare time Squid hacker
>> > >>
>> > >> >Alex Pikus wrote:
>> > >
>> >
>> > <TEXTAREA NAME="Signature" ROWS="4"
>>COLS="60"><TEXTAREA
>> > NAME="Signature" ROWS="4" COLS="60">
>>
>> ---
>> Incoming mail is certified Virus Free.
>> Checked by AVG anti-virus system
>>(http://www.grisoft.com).
>> Version: 6.0.408 / Virus Database: 230 - Release Date:
>> 10/24/2002
>> failure
>> ---
>> Outgoing mail is certified Virus Free.
>> Checked by AVG anti-virus system
>>(http://www.grisoft.com).
>> Version: 6.0.408 / Virus Database: 230 - Release Date:
>> 10/24/2002
>>
>>
>>
>>
>>
>>
>>
>>
>> You can see exactly why I am not allowed to view the
>>cache
>> manager because it is denied from my restricted users
>> rule. I there a way for me to get around not having to
>> authenticate for the cache manager? If I remove the
>>rules
>> below from my squid.conf:
>>
>> http_access allow restricted_users
>> restricted_users_websites http_ports my_network
>> http_access allow unrestricted_users all http_ports
>> my_network
>>
>> I am then allowed to go into the cache manager. So it is
>> something about these rules that is causing the problem.
>>
>>
>> I have turned the “debug_options ALL,1 28,9” on in
>> squid.conf to debug my ACLs and I get the following in
>>the
>> cache.log when I try to access the Cache manager:
>>
>>
>> 2002/11/07 05:15:51| The request GET
>> http://172.16.1.226:10000/syslog/save_log.cgi?idx=10&view=1
>> is ALLOWED, because it matched 'my_network'
>>
>> 2002/11/07 05:15:52| The reply for GET
>> http://172.16.1.226:10000/syslog/save_log.cgi?idx=10&view=1
>> is ALLOWED, because it matched 'all'
>>
>> 2002/11/07 05:16:56| The request GET
>> cache_object://localhost/ is DENIED, because it matched
>> 'restricted_users'
>>
>> 2002/11/07 05:16:56| The reply for GET
>> cache_object://localhost/ is ALLOWED, because it matched
>> 'all'
>>
>> So the problem is definetly a ACL prbelm but I for the
>> life of me can’t figure it out. Thank you so much for
>>your
>> help so far it has helped me pin point the problem
>>further
>> but only if I could fix it now &#61514;. Do you have any
>> further ideas?
>>
>>
>>
>>
>>
>

<TEXTAREA NAME="Signature" ROWS="4" COLS="60"><TEXTAREA
NAME="Signature" ROWS="4" COLS="60">
Received on Thu Nov 07 2002 - 08:50:13 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:12 MST