Re: [squid-users] Browser fails to prompt for authentication

From: Fred <fred@dont-contact.us>
Date: Thu, 19 Jun 2003 17:59:44 -0700

Thanks for the advice, indeed there is an acl definition for all, which I
failed to put in the email.

acl all 0.0.0.0/0.0.0.0

----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "Fred Evans" <fred@querymagic.com>
Cc: <squid-users@squid-cache.org>
Sent: Thursday, June 19, 2003 3:39 PM
Subject: Re: [squid-users] Browser fails to prompt for authentication

> On Thursday 19 June 2003 22.26, Fred Evans wrote:
>
> > http_access allow all users
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> > http_access deny all
>
>
> And you remembered to restart (or at least reconfigure) squid after
> making the squid.conf changes?
>
> Note: The intended order of your http_access rules is to have the
> "allow users" rule almost last, not first.. The first rules are to
> restrict things no user should be able to do and to give localhost
> slightly different permissions, and if you place your allow rule
> before this then your rule gets a higher priority and these filters
> are never reached.
>
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access allow localhost
> http_access allow users
> http_access deny all
>
> (note: "all users" and "users" is the same thing)
>
> Or to restructure to make the rules maybe a little more visible
>
> # Basic acl definitions
> acl all src 0.0.0.0/0
> acl localhost src 127.0.0.1
>
> # Allow cachemgr access from localhost only
> acl manager proto cache_object
> http_access allow manager localhost
> http_access deny manager
>
> # Deny access to unsafe ports
> acl Safe_ports ...
> acl SSL_ports ...
> acl CONNECT method CONNECT
> http_access deny !CONNECT !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> # Deny proxy access to localhost server (often protected
> # administrative HTTP servers run on the localhost interface
> # and should not be reachable via the proxy)
> acl to_localhost dst 127.0.0.0/8
> http_access deny to_localhost
>
> # Allow localhost access without authentication
> http_access allow localhost
>
> # Allow local authenticated users access
> acl local_network src 192.168.0.0/16
> acl users proxy_auth REQUIRED
> http_access allow local_network users
>
> # Deny all other uses of the proxy
> http_access deny all
>
>
> Hmm.. are you sure "squid -k parse" is happy? You do not seem to have
> a definition of the "all" acl, but maybe this was forgotten in your
> email only?
>
> Regards
> Henrik
>
> >
> > On Thu, 2003-06-19 at 12:38, Henrik Nordstrom wrote:
> > > On Thursday 19 June 2003 19.04, Fred Evans wrote:
> > > > I made sure that the password file is owned by the user squid
> > > > runs as and is readable by that user.
> > > >
> > > > Prior to this installation of squid there was no transparent
> > > > proxy. The browsers were not configured for proxying at all
> > > > until I configured them to work with this install of squid.
> > > > Further, I tested on IE and Mozilla for windows and Mozilla for
> > > > linux.
> > > >
> > > > The config is as follows:
> > > >
> > > > auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid.passwd
> > > > auth_param basic children 5
> > > > auth_param basic credentialsttl 2 hours
> > > >
> > > > acl users proxy_auth REQUIRED
> > > > http_access allow all users
> > >
> > > Looks good..
> > >
> > > Any errors if you run "squid -k parse"?
> > >
> > >
> > > > Are there any other http_access lines before this?
> > > > (the order of your http_access lines is important)
> > >
> > > Regards
> > > Henrik
>
> --
> Donations welcome if you consider my Free Squid support helpful.
> https://www.paypal.com/xclick/business=hno%40squid-cache.org
>
> If you need commercial Squid support or cost effective Squid or
> firewall appliances please refer to MARA Systems AB, Sweden
> http://www.marasystems.com/, info@marasystems.com
>
Received on Thu Jun 19 2003 - 19:06:20 MDT
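
The rule-ordering point made in the quoted reply, as an added example that is not part of the original thread: a small first-match evaluator run over the two http_access orderings shown above. The port sets, the sample addresses and the user name are constructed assumptions, and the "users" ACL is simplified to "the request carries valid credentials" (the 407 challenge is not modelled).

```python
import ipaddress
# ACL predicates named as in the thread. Port sets are assumptions (the thread
# elides them as "..."); "users" means "request carries valid credentials".
SAFE_PORTS, SSL_PORTS = {21, 80, 443}, {443}
ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "to_localhost": lambda r: ipaddress.ip_address(r["dst"]).is_loopback,
    "manager": lambda r: r["proto"] == "cache_object",
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "users": lambda r: r["user"] is not None,
}
ORIGINAL = """http_access allow all users
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all"""
SUGGESTED = """http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access allow users
http_access deny all"""

def evaluate(config, req):
    """First match wins; ACLs on one line are ANDed. Returns (action, line)."""
    for n, line in enumerate(config.splitlines(), 1):
        action, *names = line.split()[1:]
        if all(ACLS[a.lstrip("!")](req) != a.startswith("!") for a in names):
            return action, n
    return "deny", None  # not reached here: both lists end in "deny all"

def request(src="192.168.1.20", dst="203.0.113.10", port=80, method="GET",
            proto="http", user="alice"):
    return dict(src=src, dst=dst, port=port, method=method, proto=proto, user=user)

SAMPLES = {  # constructed requests from an authenticated LAN client
    "CONNECT to port 25": request(method="CONNECT", port=25),
    "GET to 127.0.0.1": request(dst="127.0.0.1"),
    "cache manager, remote": request(proto="cache_object"),
    "ordinary GET": request(),
}
for name, r in SAMPLES.items():
    print(f"{name:22} original={evaluate(ORIGINAL, r)} suggested={evaluate(SUGGESTED, r)}")
```

With the allow rule first, every authenticated request is decided on line 1 and the manager, port and CONNECT restrictions are never consulted; with it placed almost last, only the ordinary GET reaches it.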
