RE: [squid-users] Access Problems

From: Casey King <cking@dont-contact.us>
Date: Tue, 27 Sep 2005 13:50:11 -0500

I have since worked on this issue some more, and I have come to find the
information from my first email must work correctly. Here is another
section of my squid.conf:

------------------------------------------------------------------------
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
------------------------------------------------------------------------

If I comment out the section "auth_param ntlm ...", I am able to see my ACLs
working as they should. I have uncommented the "auth_param ntlm ..."
settings, and am back at square 1. From the command prompt, basic works
fine, but ntlmssp does not (see below):

#ntlm_auth --helper-protocol=squid-2.5-ntlmssp
domain\user password
utils/ntlm_auth.c:manage_squid_ntlmssp_request(576)
BH

After reading the man page on ntlm_auth, I checked winbindd_privileged and the
settings for it are root:squid and permissions 750. This seems to be the
proper setting. I am not sure what else I need to be doing in order to get
this going.

Any help would be appreciated

Casey

Our company has a proxy server running on RH8.0. My job is to set up a
second proxy server that will be acting as a primary proxy for another
location. The OS I am using is CentOS 4.1, which came loaded with
squid-2.5.STABLE6-3.4E.5.

I copied the ACLs from the production proxy server. I am in the process of
trying to see if everything is working properly, but it seems the squid.conf
is not reading the users.txt, powerusers.txt, or anything with the acl
[name] proxy_auth "" configuration. I am able to get to sites listed in the
whitelist.txt. Outside of that, I cannot go anywhere (such as
www.google.com). The production server allows this. I added .google.com to
the whitelist.txt on the machine I am trying to set up, and then it works,
but I do not understand why it is not working without being in the
whitelist.txt. Below are my squid.conf acl settings. The part I thought
would allow me to access google or other sites not in whitelist.txt (other than
blacklist, and sites for powerusers) was the acl AuthLimitedUsers proxy_auth
REQUIRED.
What am I missing?

---------------------------------------------------

acl DoNotCacheWebSites dstdomain "/etc/squid/rules/donotcachewebsites.txt"
acl Freemarkets dstdomain .freemarkets.com
acl MyTextron dstdomain .mytextron.com
acl WComNet dstdomain .wcom.net
acl Corrlink dstdomain .weyerhaeuser.com
acl SchwabPlan dstdomain .schwabplan.com
acl LindWaldock dstdomain .lind-waldock.com
acl BrownListWebsites dstdomain "/etc/squid/rules/brownlist.txt"
acl BlackListWebsites dstdomain "/etc/squid/rules/blacklist.txt"
acl BlackListIpAddresses dst "/etc/squid/rules/blacklistipaddr.txt"
acl BlackListIpAddress1 dst 64.73.35.120
acl OpenAccessWhiteListWebsites dstdomain "/etc/squid/rules/openaccesswhitelist.txt"
acl OpenAccessWhiteListIpAddresses dst "/etc/squid/rules/openaccesswhitelistipaddr.txt"
acl WhiteListWebsites dstdomain "/etc/squid/rules/whitelist.txt"
acl WhiteListIPAddresses dst "/etc/squid/rules/whiteipaddr.txt"
acl AuthLimitedUsers proxy_auth REQUIRED
acl AuthPowerUsers proxy_auth "/etc/squid/rules/powerusers.txt"
acl AuthIPAddresses src "/etc/squid/rules/poweripaddresses.txt"
acl AuthSafeAccessUsers proxy_auth "/etc/squid/rules/users.txt"
acl OverRideBrownListUsers proxy_auth "/etc/squid/rules/ovrdbrownlist.txt"

#http_access allow manager all
http_access allow manager our_networks
#http_access allow all open_for_ip_address
http_access allow all Freemarkets
http_access allow all MyTextron
http_access allow all Corrlink
http_access allow all SchwabPlan
http_access allow all WcomNet
http_access allow all LindWaldock
http_access allow all AuthSafeAccessUsers
http_access allow all AuthPowerUsers
http_access allow all AuthIPAddresses
http_access allow all OpenAccessWhiteListWebsites
http_access allow all OpenAccessWhiteListIpAddresses
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny !our_networks
http_access allow BrownListWebsites OverRideBrownListUsers
http_access deny all BrownListWebsites
http_access deny all BlackListWebsites
http_access deny all BlackListIpAddresses
http_access deny all BlackListIpAddress1
#http_access allow all AuthSafeAccessUsers
http_access allow WhiteListWebsites AuthLimitedUsers
http_access allow WhiteListIPAddresses AuthLimitedUsers
http_access deny all

--------------------------------------------------------
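The question in the thread comes down to how Squid walks the http_access list: lines are tried top to bottom, a line matches only when every ACL on it matches (a leading "!" negates one ACL), and the first matching line decides the request. The following Python model, written for this thread and not taken from the post or from Squid itself, replays a subset of the posted http_access lines in their posted order against constructed requests. The contents of the rule files under /etc/squid/rules/ are constructed samples, and the our_networks ACL (not shown in the post) is assumed to be the 10.0.0.0/24 source range. It shows that a user who is authenticated but listed in neither users.txt nor powerusers.txt can only be allowed by the "WhiteListWebsites AuthLimitedUsers" line, so every other host falls through to "deny all", and that the "allow all AuthSafeAccessUsers" line sits above the blacklist denies, so listed users are never checked against the blacklist.

```python
"""Added model of Squid http_access evaluation: first matching line wins, every
ACL on a line must match, '!' negates an ACL. Not Squid's code; file contents
and the our_networks definition are constructed assumptions."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    user: Optional[str]  # authenticated proxy user name, None if not authenticated
    host: str            # destination host name
    src_ip: str = "10.0.0.5"


def domain_matches(pattern: str, host: str) -> bool:
    """dstdomain semantics: '.example.com' matches example.com and every
    subdomain; a pattern without a leading dot matches that host only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


# Constructed stand-ins for the files under /etc/squid/rules/ in the post.
FILES = {
    "users.txt": {"alice"},
    "powerusers.txt": {"bob"},
    "whitelist.txt": {".textron.com"},
    "blacklist.txt": {".badsite.example"},
    "brownlist.txt": {".timewaster.example"},
    "ovrdbrownlist.txt": {"bob"},
}


def build_acls(files):
    """ACL name -> (type, values) for the subset of posted ACLs modelled here."""
    return {
        "all": ("all", None),
        "our_networks": ("src", ["10.0.0."]),  # assumed; not in the post
        "Freemarkets": ("dstdomain", [".freemarkets.com"]),
        "BrownListWebsites": ("dstdomain", files["brownlist.txt"]),
        "BlackListWebsites": ("dstdomain", files["blacklist.txt"]),
        "WhiteListWebsites": ("dstdomain", files["whitelist.txt"]),
        "AuthLimitedUsers": ("proxy_auth", "REQUIRED"),
        "AuthPowerUsers": ("proxy_auth", files["powerusers.txt"]),
        "AuthSafeAccessUsers": ("proxy_auth", files["users.txt"]),
        "OverRideBrownListUsers": ("proxy_auth", files["ovrdbrownlist.txt"]),
    }


# The posted http_access lines that decide the question, in their posted order.
HTTP_ACCESS = [
    ("allow", ["all", "Freemarkets"]),
    ("allow", ["all", "AuthSafeAccessUsers"]),
    ("allow", ["all", "AuthPowerUsers"]),
    ("deny", ["!our_networks"]),
    ("allow", ["BrownListWebsites", "OverRideBrownListUsers"]),
    ("deny", ["all", "BrownListWebsites"]),
    ("deny", ["all", "BlackListWebsites"]),
    ("allow", ["WhiteListWebsites", "AuthLimitedUsers"]),
    ("deny", ["all"]),
]


def acl_matches(acls, name: str, req: Request) -> bool:
    kind, values = acls[name]
    if kind == "all":
        return True
    if kind == "src":
        return any(req.src_ip.startswith(p) for p in values)
    if kind == "dstdomain":
        return any(domain_matches(p, req.host) for p in values)
    if kind == "proxy_auth":
        if req.user is None:
            return False  # real Squid would answer 407 and ask for credentials
        return True if values == "REQUIRED" else req.user in values
    raise ValueError(f"unsupported acl type {kind}")


def evaluate(req: Request, acls=None, rules=HTTP_ACCESS):
    """Return (verdict, 1-based index of the deciding http_access line)."""
    acls = acls or build_acls(FILES)
    for idx, (action, names) in enumerate(rules, 1):
        # A negated ACL ("!name") contributes a match when the ACL does NOT match.
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!")
               for n in names):
            return action, idx
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), 0


if __name__ == "__main__":
    jdoe = Request("jdoe", "www.google.com")
    print("jdoe -> google:", evaluate(jdoe))
    files = {k: set(v) for k, v in FILES.items()}
    files["whitelist.txt"].add(".google.com")
    print("after whitelisting:", evaluate(jdoe, build_acls(files)))
    print("alice -> blacklisted host:", evaluate(Request("alice", "www.badsite.example")))
```

Running it, the authenticated but unlisted user is denied by line 9 ("deny all") for www.google.com, is allowed by line 8 once .google.com is in the whitelist file (the behaviour described in the post), and a users.txt member is allowed by line 2 even for a blacklisted host because that allow precedes the blacklist denies. Any proxy_auth ACL can only match once the helper actually returns an authenticated user, so while the ntlmssp helper is answering BH none of the user lists take effect and only the site-based lines remain.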
Received on Tue Sep 27 2005 - 12:50:29 MDT

This archive was generated by hypermail pre-2.1.9 : Sat Oct 01 2005 - 12:00:04 MDT