[squid-users] problem with authentication with 3.0

From: Leonardo Rodrigues Magalhães <leolistas_at_solutti.com.br>
Date: Wed, 21 May 2008 12:04:04 -0300

    Hello Guys,

    I have 2 boxes, one running squid 3.0-stable5 and the other
3.0-stable6. Both were hand compiled to enable the LDAP authentication
helpers.

    I got ldap authentication running successfully on both boxes,
there's no problem on that.

    The problem is when I issued the 'transparent' option to my
http_port parameter.

    Yes, I know I cannot have authentication on transparently intercepted
requests, I know that. My idea of enabling transparent on that port was
to allow, without authentication, some antivirus and Windows Update
stuff (and some other special URLs which would be exceptions to my auth
rules). Sometimes these things (antivirus updates, Windows Update,
antispyware updates, etc.) seem not to use the IE proxy settings. I
would like to allow some special URLs without authentication and then
get everything authenticated with LDAP as it was working.

    This works fine in 2.5, which I was running until last month, just to
let you know. I could enable the transparent parameters and still have
authentication running.

    Although, on squid 3.0 (stable5 and stable6 tested), despite the fact
I'm sure that my LDAP configuration is running fine, when I add the
'transparent' option to the http_port, my authentication simply stops
working and I get cache.log filled with:

2008/05/21 11:48:18| ACHChecklist::authenticated: authentication not applicable on transparently intercepted requests.
2008/05/21 11:48:18| ACHChecklist::authenticated: authentication not applicable on transparently intercepted requests.
2008/05/21 11:48:18| ACHChecklist::authenticated: authentication not applicable on transparently intercepted requests.
2008/05/21 11:48:18| ACHChecklist::authenticated: authentication not applicable on transparently intercepted requests.
2008/05/21 11:48:18| ACHChecklist::authenticated: authentication not applicable on transparently intercepted requests.

    and lots of TCP_DENIED/403 on access.log, showing requests are all
being denied.

    It seems that when the transparent option is enabled, squid
assumes ALL requests received are transparently intercepted, which is
NOT true. Simply removing the transparent from http_port makes things
work again (LDAP authentication), which proves my browsers do have the
proxy settings correctly configured.

    Is this transparent option/authentication behavior I noticed
expected, or does it seem to be a bug ??

    If this is somehow expected, I was thinking of having two http_port,
one with transparent and the other not. The one with transparent would be
used in my iptables transparent proxy rules, and the non-transparent
port would be used for configuring browsers. That way I think I can
achieve what I want.

    If this behavior I noticed is not expected, then I think we got a
bug here ..... even with 3.0 stable 6 which was released some days ago.

-- 
	Atenciosamente / Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br
	Minha armadilha de SPAM, NÃO mandem email
	gertrudes_at_solutti.com.br
	My SPAMTRAP, do not email it
Received on Wed May 21 2008 - 15:04:18 MDT
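
The two-listener layout proposed at the end of the post, written out as a squid.conf fragment; this is an added example, not configuration from the poster or the Squid project. The port numbers, the ACL names, the eth0 interface and the .av-vendor.example domain are assumptions.

```conf
# --- Before: one port carrying both kinds of traffic (the failing setup) ---
# http_port 3128 transparent
#
# --- After: two listeners, as proposed in the post ---
# Port numbers, ACL names and domains below are assumptions for illustration.

# Browsers with explicit proxy settings connect here, so they can be
# challenged for credentials.
http_port 3128

# Only iptables-redirected traffic should reach this port, e.g.
# (eth0 is an assumed interface name):
#   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
#            -j REDIRECT --to-ports 3129
http_port 3129 transparent

# The existing "auth_param basic ..." lines for the LDAP helper stay unchanged.
acl ldap_users proxy_auth REQUIRED

# Narrow allowlist of update endpoints that may be fetched without credentials.
acl noauth_updates dstdomain .windowsupdate.com .av-vendor.example

# Order matters: the unauthenticated exceptions are tested first, so an
# intercepted request for an allowlisted site never reaches the proxy_auth ACL.
http_access allow noauth_updates

# Clients on 3128 are challenged here. Requests arriving on 3129 cannot
# authenticate ("authentication not applicable on transparently intercepted
# requests"), so they fall through to the final deny.
http_access allow ldap_users
http_access deny all
```

Keep the noauth_updates list as short as possible, since anything matching it is reachable through the proxy without credentials.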
