Re: [squid-users] ask three times authentication

From: Usuário do Sistema <maiconlp_at_ig.com.br>
Date: Tue, 14 Jan 2014 10:27:18 -0200

Thank you,

From 2.6 to 3.1.10, was there any other change in the system?

     yes, I have moved my squid from a machine running the OS Red Hat 5.9
to another machine running the OS CentOS 6.5

the issue seems to be something about authentication
compatibility between the browser and the new squid version 3.1.10

I still have the old machine. I have done some tests, and from a client
machine, when I point the browser at the old proxy, everything works.
But the strange thing is that I use the same squid.conf on the old proxy machine
and on the new proxy machine, so why does the authentication pop-up appear
three times only at the new proxy (squid version 3.1.10)?

My question is whether there is any known problem with squid version 3.1.10 regarding
authentication?

My squid.conf follows.

############################################################
#
# Squid.conf - AD authentication
#
# NOTE(review): this listing was pasted into a mailing-list message and
# the mail client wrapped some long directives onto two lines (e.g. the
# external_acl_type line below). In the real file each directive is one
# line; the wrapped form would not parse.
#############################################################

## Authentication

# NTLM through Samba's ntlm_auth helper. NTLM is a connection-oriented
# challenge/response scheme, so a couple of TCP_DENIED/407 lines per new
# client connection are the normal handshake, not failures; a visible
# browser prompt means the browser did not complete the handshake
# silently (presumably a client-side trust/zone or helper-side issue -
# not something this file alone can show).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on

# Basic-scheme fallback (same helper, basic protocol) is disabled.
#auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
#auth_param basic children 30

## commented out
## NOTE(review): the heading says "commented out", but the two basic
## directives below are active. With no basic `program` line they
## configure a scheme that is never started - confirm whether Squid 3.1
## warns about this at startup and comment them out if so.

auth_param basic realm Acesso a Internet teste SA
auth_param basic credentialsttl 2 hours

# Credential cache housekeeping. NOTE(review): authenticate_ttl of
# 120 seconds is far below the Squid default of 1 hour, so cached
# credentials expire and the helper is consulted again every two
# minutes; worth testing with a longer value when chasing repeated
# prompts - TODO confirm whether it changes the behaviour.
authenticate_cache_garbage_interval 1 hour
authenticate_ttl 120 seconds

# Group-membership helper behind every `external NT_global_group` ACL.
# %LOGIN passes the authenticated user name, which means any http_access
# line that tests one of those ACLs also requires authentication (an
# unauthenticated request reaching such a line is challenged, as with
# proxy_auth REQUIRED - confirm against the external_acl_type docs).
# NOTE(review): despite the NT_ name the helper is squid_unix_group,
# i.e. groups are resolved through the host's NSS. On the new CentOS 6.5
# host that presumably depends on winbind being listed in nsswitch.conf -
# verify, since a failing lookup likely makes every group ACL not match.
# (Single directive, wrapped by the mail client.)
external_acl_type NT_global_group children=50 %LOGIN
/usr/lib64/squid/squid_unix_group

## SQSTAT

# Matches any request carrying a credential the helper accepts; used in
# the policy below to gate general access.
acl ntlm_users proxy_auth REQUIRED

# Logging knobs kept for troubleshooting (all disabled).
#cache_store_log none
#cache_log /var/log/squid/cache.log
#cache_log none
#request_entities on

# Debug levels kept for troubleshooting (all disabled). Enable a narrow
# section (the authenticator section is the relevant one here) rather
# than ALL,9, and only temporarily: high levels write request and
# credential-related detail into cache.log.
# debug_options rotate=16 ALL,1
#debug_options ALL,9
#debug_options ALL,1 33,2
#debug_options ALL

visible_hostname proxy.teste.com
# Client-facing port, bound on every interface. NOTE(review): several
# http_access rules further down allow requests by URL alone, with no
# source or credential check, so whoever can reach this port gets those
# sites - confirm a host firewall limits 8080 to the LAN ranges.
http_port 8080
# Loopback-only port, presumably for local tools (SQSTAT) - confirm.
http_port 127.0.0.1:3128
# Never forward dynamic-content URLs to peers.
hierarchy_stoplist cgi-bin ?

# Do not cache dynamic content (cgi-bin URLs or anything with a query
# string).
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
# Matches an "Apache" Server reply header; defined but not referenced
# anywhere in this file.
acl apache rep_header Server ^Apache

access_log /var/log/squid/access.log squid

# refresh_pattern regex min-age(minutes) percent max-age(minutes)
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# Internet Explorer specific handling of forced refreshes (see the
# squid.conf documentation for the exact semantics).
ie_refresh on

max_filedesc 4096

###################################
# Cache parameters - DO NOT CHANGE #
###################################

# Earlier cache_dir layouts, kept for reference.
#cache_dir aufs /var/spool/squid 6000 16 256
#cache_dir ufs /var/spool/squid 5000 64 1024
#cache_dir ufs /var/spool/squid 2048 64 64

diskd_program /usr/lib64/squid/diskd-daemon

# Four diskd stores of 1000 MB each (16 first-level x 128 second-level
# directories); Q1/Q2 are the diskd request-queue thresholds.
cache_dir diskd /var/spool/squid/1 1000 16 128 Q1=64 Q2=72
cache_dir diskd /var/spool/squid/2 1000 16 128 Q1=64 Q2=72
cache_dir diskd /var/spool/squid/3 1000 16 128 Q1=64 Q2=72
cache_dir diskd /var/spool/squid/4 1000 16 128 Q1=64 Q2=72

#This stops squid from holding onto ram that it is no longer actively using.
memory_pools off

#Buffers the write-out to log files. This can increase performance slightly
buffered_logs on

cache_mem 1024 MB

half_closed_clients off
# Swap usage watermarks. NOTE(review): cache_swap_high 100% means
# aggressive eviction only starts when the store is completely full
# (the Squid default is 95%); flagged only, since the heading says not
# to change this section.
cache_swap_low 80%
cache_swap_high 100%

maximum_object_size 10 MB
maximum_object_size_in_memory 2048 KB

cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

#######################################

ftp_passive on
# Any request to port 21; allowed without credentials in the policy
# below.
acl ftp_21 port 21

############################################################
#
# Default rules
#
############################################################

# NOTE(review): defined but never used in an http_access rule in this
# file, so requests aimed at 127.0.0.0/8 through the proxy are not
# blocked (the stock squid.conf pairs this with
# `http_access deny to_localhost`).
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 20 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # companyling http
acl Safe_ports port 10080 # HTTP port of the remote sites (teste).
acl Safe_ports port 8181 # publishing
acl Safe_ports port 10082 # DBMessenger
acl Safe_ports port 9082
# Any ftp:// URL (matches on the scheme, not the port); allowed without
# credentials in the policy below.
acl ftp proto FTP
acl CONNECT method CONNECT

#################################
# Sources (client networks and hosts)
#################################
# 192.168.52.0/22 covers 192.168.52.0-192.168.55.255, so the
# 192.168.53.31 client in the log quoted in this thread falls here.
acl rede_projeto src 192.168.52.0/22
# Single-host exceptions. NOTE(review): the rules below allow some of
# these by source address alone, so anyone who can use (or spoof on the
# LAN) that address inherits the exception without credentials.
acl nelson src 128.2.20.213
acl 2m041187 src 128.2.20.171
acl localhost src 127.0.0.1/32
# Defined but not referenced anywhere in this file.
acl LAN_GERAL src 128.0.0.0/8
acl LAN_ADM src 128.2.0.0/16
acl gilson src 128.2.20.141/32
acl LAN_IDU src 128.4.0.0/16
acl LAN_JBOCD src 10.13.0.0/16
acl LAN_COJ src 128.1.0.0/16
acl LAN_COJ_TS src 10.1.251.0/25
acl dropbox_liberado src 128.2.30.201/32
# Destination host, not a source: allowed to everyone below.
acl testebo dst 189.36.1.226/32

#################################
# LYNC rules and sites without AUTH
#################################
acl MSN_Liberado external NT_global_group msn_liberado
acl lync url_regex "/etc/squid/acls/lync.txt"
# First http_access rule of the file: Lync URLs, any client, no
# credentials.
http_access allow lync

acl semauth url_regex -i "/etc/squid/acls/sites_semauth.txt"
# NOTE(review): `all` is always true, so `all semauth all` is just
# `semauth`, and the CONNECT line is already covered by the first one -
# both reduce to `http_access allow semauth`.
http_access allow all semauth all
http_access allow CONNECT semauth all
http_access allow testebo

acl semauth_sap url_regex -i "/etc/squid/acls/sites_semauth_sap.txt"
http_access allow rede_projeto semauth_sap all

acl msn.8 url_regex "/etc/squid/acls/msn.txt"
# NOTE(review): url_regex matches the substring "localhost" anywhere in
# the URL (host name or path), so `allow local` below is an
# unauthenticated allow for e.g. http://localhost.example.net/ or any
# path containing that word. If the intent is the loopback host, a
# `dst 127.0.0.1` ACL (compare to_localhost above) would be the precise
# form - confirm intent.
acl local url_regex localhost

http_access allow local
# Already covered by `allow all semauth all` above; never matches here.
http_access allow semauth 2m041187
# Repeated again later in the file; harmless but redundant.
http_access allow localhost all
http_access allow nelson
# First rule that consults an NT_global_group ACL: because the helper
# format uses %LOGIN, a request without credentials that reaches this
# line is challenged (407) here, before any of the rules that follow.
http_access allow MSN_Liberado msn.8

############################################################
#
# Test rules
#
############################################################

# Cache manager requests (cache_object:// URLs).
acl manager proto cache_object

# URL / source lists loaded from files; one entry per line.
acl semcache url_regex "/etc/squid/acls/semcache.txt"
acl SITES_BLOQUEADOS url_regex -i "/etc/squid/acls/sites_bloqueados.txt"
acl SITES_LIBERADOS url_regex -i "/etc/squid/acls/sites_liberados.txt"
acl acesso_mkt_vendas url_regex -i "/etc/squid/acls/acesso_mkt_vendas.txt"
#acl quiosque url_regex -i "/etc/squid/acls/quiosque.txt"
acl mtmon url_regex -i "/etc/squid/acls/mtmon.txt"
acl IPS_LIBERADOS src "/etc/squid/acls/ips_liberados.txt"
acl IPS_BLOQUEADOS src "/etc/squid/acls/ips_bloqueados.txt"
acl PORN url_regex -i "/etc/squid/acls/porn.txt"
acl NOPORN url_regex -i "/etc/squid/acls/noporn.txt"
acl downloads url_regex -i "/etc/squid/acls/extensoes.txt"

# MSN Messenger detection, several overlapping views of the same traffic.
acl msn dstdomain loginnet.passport.com login.live.com
acl msn.1 dstdomain loginnet.passport.com
acl msn.2 dstdomain webmessenger.msn.com
acl msn.3 url_regex -i gateway.dll
acl msn.4 req_mime_type -i ^application/x-msn-messenger$
acl msn.5 url_regex -i "/etc/squid/acls/msn.txt"
# NOTE(review): a *source* range in public address space; presumably
# meant as dst - confirm, it is otherwise unlikely to ever match.
acl msn.6 src 65.0.0.0/12
# NOTE(review): the trailing `?` makes the final "l" optional, so this
# is the same match as msn.3 above (the `.` is also an any-character
# wildcard, not a literal dot).
acl msn.7 url_regex -i gateway.dll?
acl webmails_liberado url_regex -i "/etc/squid/acls/webmail_liberados.txt"
acl webmail_bloqueado url_regex -i "/etc/squid/acls/webmail_bloqueado.txt"
# NOTE(review): `browser` matches a regex against the User-Agent
# request header, which the client chooses freely, so the `allow bb`
# rule below is effectively an unauthenticated allow-all for any client
# that sends this string. Also, as a regex the backslashes are escape
# sequences rather than literal path separators, so it may not match
# the intended header at all - confirm with a test request.
acl bb browser C:\BancoBrasil\officeIE\index.html
acl bancos url_regex -i "/etc/squid/acls/bancos.txt"
acl bb1 url_regex -i "/etc/squid/acls/bb.txt"
acl CAIXA url_regex -i "/etc/squid/acls/caixa.txt"
acl WINDOWS_UPDATE url_regex -i "/etc/squid/acls/windows_update.txt"
acl teste url_regex -i "/etc/squid/acls/teste.txt"
acl sites_bloqueados2 url_regex -i "/etc/squid/acls/sites_bloqueados2.txt"
acl sites_mfseguranca url_regex -i "/etc/squid/acls/sites_mfseguranca.txt"
acl sites_gilson url_regex -i "/etc/squid/acls/sites_gilson.txt"
acl GTALK url_regex -i "/etc/squid/acls/gtalk.txt"
acl SITES_INTERNET_SAP url_regex -i "/etc/squid/acls/sites_internet_sap.txt"

# Fix support.microsoft.com by removing Accept-Encoding header
# NOTE(review): the header-stripping directive this comment refers to
# (a request_header_access rule) is not present in this file, and the
# ACL below is not referenced anywhere, so the fix is incomplete.

acl support.microsoft.com dstdomain support.microsoft.com
# Defined but not referenced anywhere in this file.
acl trendmicro url_regex "/etc/squid/acls/trendmicro.txt"
acl GOV url_regex -i "/etc/squid/acls/gov.txt"
acl sites_normas url_regex -i "/etc/squid/acls/sites_normas.txt"
acl twitter url_regex -i "/etc/squid/acls/twitter.txt"
# Referenced as ORKUT (upper case) in the policy below; see the note
# there.
acl orkut url_regex -i "/etc/squid/acls/orkut.txt"
acl ninecon url_regex -i "/etc/squid/acls/ninecon.txt"
acl youtube url_regex -i "/etc/squid/acls/youtube.txt"
acl facebook url_regex -i "/etc/squid/acls/facebook.txt"

####################################
# ACLs USING AD GROUP AUTHENTICATION
####################################

# Each of these resolves to "is the authenticated user a member of
# group X" via the NT_global_group helper; testing any of them in an
# http_access line triggers the authentication challenge.
acl facebook_liberado external NT_global_group facebook_liberado
acl internet_teste external NT_global_group internet_teste
acl internet_normal external NT_global_group internet_normal
acl internet_liberada external NT_global_group internet_liberada
acl internet_bloqueada external NT_global_group internet_bloqueada
acl download_liberado external NT_global_group download_liberado
acl orkut_liberado external NT_global_group orkut_liberado
acl twitter_liberado external NT_global_group twitter_liberado
acl youtube_liberado external NT_global_group youtube_liberado
acl update_liberado external NT_global_group update_liberado
acl webmail_liberado external NT_global_group webmail_liberado
acl webmailninecon external NT_global_group webmailninecon
acl sites_mkt_vendas external NT_global_group sites_mkt_vendas
acl semi_liberado external NT_global_group semi_liberado
# Single directive, wrapped by the mail client.
acl internet_consultores_sap external NT_global_group
internet_consultores_sap
#acl quiosque_liberado external NT_global_group internet_quiosque

###########################################################
#
# SQUID BLOCKING (access policy; first matching http_access line wins)
###########################################################

# Cache manager from the proxy host itself. The two manager lines are
# the same rule with the terms swapped.
# NOTE(review): there is no `http_access deny manager` after these (the
# one near the end of the file is commented out) and cachemgr_passwd is
# commented out as well, so cache_object:// requests from the LAN are
# evaluated by the general rules below and are likely reachable by any
# authenticated user or by the src-only allows - confirm, and add the
# stock `http_access deny manager` here if that is not intended.
http_access allow manager localhost
http_access allow localhost manager
http_access allow localhost all

# Allowed by URL alone: any source, no credentials. Everything that can
# reach the listening port gets these sites.
#http_access allow all
http_access allow teste all
http_access allow bancos
# User-Agent based (see the `browser` ACL): the header is client-chosen,
# so this grants unauthenticated access to any URL for a matching
# User-Agent - treat as a bypass, not a bank-specific exception.
http_access allow bb
http_access allow bb1
http_access allow GOV
http_access allow CAIXA
http_access allow sites_normas
http_access allow webmails_liberado
http_access allow mtmon

# First group-based rule in this section: unauthenticated requests that
# get this far are challenged here.
http_access allow internet_liberada all

http_access allow LAN_ADM sites_mfseguranca
# Previously limited to a site list (commented line); now an
# unconditional, credential-free allow for that source address.
#http_access allow gilson sites_gilson
http_access allow gilson
http_access allow LAN_COJ sites_mfseguranca
http_access allow dropbox_liberado
# Any ftp:// URL and any port-21 request, no credentials, any source.
http_access allow ftp
http_access allow ftp_21
http_access allow IPS_LIBERADOS
http_access allow acesso_mkt_vendas sites_mkt_vendas
http_access allow youtube youtube_liberado
http_access allow facebook facebook_liberado
http_access allow WINDOWS_UPDATE update_liberado
http_access allow webmailninecon ninecon
http_access allow downloads download_liberado
# NOTE(review): this deny sits after ~25 allow lines, so "blocked" IPs
# still get every site and bypass above (bancos, ftp, the lync/semauth
# lists, ...). If the list is meant as a hard block, it belongs right
# after the manager rules.
http_access deny IPS_BLOQUEADOS
#http_access allow downloads download_liberado
#no_cache deny semcache
# semcache URLs: never cached and allowed without credentials.
cache deny semcache
http_access allow semcache all

# Single directive wrapped by the mail client: semi_liberado members get
# everything except the listed categories.
http_access allow semi_liberado !youtube !facebook !twitter !orkut
!GTALK !msn !msn.1 !msn.2 !msn.3 !msn.4 !msn.5 !msn.6 !msn.7
!sites_bloqueados !PORN
http_access deny sites_bloqueados2
http_access allow MSN_Liberado msn msn.1 msn.2 msn.3 msn.4 msn.5 msn.6 msn.7
http_access deny MSN_Liberado SITES_BLOQUEADOS
# NOTE(review): ORKUT here (and twice below) vs. `acl orkut` above.
# Squid's ACL-name lookup is case-insensitive as far as I recall, so
# this resolves; if it did not, `squid -k parse` would reject the file -
# confirm on the new host.
http_access deny MSN_Liberado ORKUT
http_access allow internet_teste SITES_LIBERADOS
http_access allow internet_normal SITES_LIBERADOS
http_access deny internet_teste SITES_BLOQUEADOS
http_access deny internet_normal SITES_BLOQUEADOS
#http_access deny !internet_teste
http_access deny webmail_bloqueado !webmail_liberado
# Credential-free allow for the SITES_LIBERADOS list, any source.
http_access allow SITES_LIBERADOS
http_access deny ORKUT !orkut_liberado
# The trailing `all` is redundant (always true).
http_access deny twitter !twitter_liberado all
http_access deny ORKUT
http_access deny internet_bloqueada all
# Already allowed unconditionally near the top of this section.
http_access allow sites_normas
#http_access allow WINDOWS_UPDATE update_liberado
http_access deny WINDOWS_UPDATE
# NOTE(review): broadest rule in the file - any client, any credentials
# or none, any destination on port 443, including CONNECT tunnels. It
# also precedes the Safe_ports/CONNECT checks below. Note that for a
# CONNECT request url_regex only sees "host:port", so the URL-based
# deny lists above only catch HTTPS sites whose host name matches.
http_access allow all SSL_ports
http_access deny msn
http_access deny msn.1
http_access deny msn.2
http_access deny msn.3
http_access deny msn.4
http_access deny msn.5
http_access deny GTALK
http_access deny PORN !NOPORN all
http_access deny SITES_BLOQUEADOS
##http_access allow downloads download_liberado
http_access deny downloads

# Single directive, wrapped by the mail client.
acl BLOQUEIO_SAP url_regex
"/etc/squid/acls/sites_internet_sap_bloqueio.txt"
http_access deny rede_projeto BLOQUEIO_SAP

# ACL order on the line matters: ntlm_users is tested first, so every
# client reaching here (not only rede_projeto) is challenged at this
# point; `rede_projeto ntlm_users` would challenge only project clients.
http_access allow ntlm_users rede_projeto

http_access allow internet_consultores_sap SITES_INTERNET_SAP
http_access allow internet_consultores_sap SITES_LIBERADOS
http_access allow internet_consultores_sap semauth_sap
http_access allow rede_projeto SITES_INTERNET_SAP
http_access allow rede_projeto SITES_LIBERADOS
http_access deny internet_consultores_sap all
# NOTE(review): this denies everything else from rede_projeto, which
# makes the `http_access allow rede_projeto` line further down
# unreachable (dead rule).
http_access deny rede_projeto all

# nelson http_access deny manager
# NOTE(review): in the stock configuration these two checks are the
# first http_access lines. Here dozens of allow rules precede them, so
# requests matched above (bancos, ftp, teste, semauth, the SSL_ports
# rule, ...) are not subject to the port restriction and CONNECT to an
# arbitrary port is possible for them. If the port policy is meant to
# apply to every request, move these two lines to the top, right after
# the manager rules.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# General access for any user with a valid credential.
http_access allow ntlm_users
# NOTE(review): src-only allows for whole subnets. Because the
# ntlm_users line precedes them, an unauthenticated browser is
# challenged first, but a client that answers with a rejected credential
# (or a non-browser client sending an invalid Proxy-Authorization)
# presumably falls through to these and is allowed with no valid
# credential at all - confirm whether that is intended.
http_access allow LAN_ADM
# Dead rule: `deny rede_projeto all` above always matches first.
http_access allow rede_projeto
http_access allow LAN_IDU
http_access allow LAN_JBOCD
http_access allow LAN_COJ
http_access allow LAN_COJ_TS

http_access deny all
http_reply_access allow all
# NOTE(review): icp_port is not set in this file, so the build default
# applies; if ICP is enabled, this lets any host query the cache -
# restrict it to the peer addresses (or `icp_access deny all`).
icp_access allow all

# The archive rewrote the "@" in this address as "_at_".
cache_mgr suporte_at_teste.com
# NOTE(review): the commented line still carries a password in a file
# that has now been shared publicly; treat it as exposed and keep
# credentials out of configs that get pasted to lists.
#cachemgr_passwd companytTask all
error_directory /usr/share/squid/errors/pt-br
coredump_dir /pacotes/squid/core

Thanks

2014/1/13 Eliezer Croitoru <eliezer_at_ngtech.co.il>:
> Hey,
>
> I would like to try and understand the issue, but it still seems too complex
> for me to understand what happens yet.
> You use NTLM auth but I do not understand the authentication settings yet.
> From 2.6 to 3.1.10, was there any other change in the system?
> As I understand it is an internal proxy, which makes the issue seem a bit weird.
> I do not assume that the issue is in the config file but a basic description
> of the environment can help to understand more about the subject.
>
> If you can share the basic squid.conf it would help but note to remove any
> personal details or at least change them to make sure that the environment
> can be understood properly.
>
> All The Bests,
> Eliezer
>
>
> On 13/01/14 16:13, Usuário do Sistema wrote:
>>
>> Hello everyone,
>>
>>
>> I have upgraded my squid from Version 2.6.STABLE21 to Version
>> 3.1.10
>>
>> After that it always pops up the authentication dialog three times before allowing
>> that url. Here is an example for the www.bol.com.br url
>>
>>
>> 1389621501.201 1 192.168.53.31 TCP_DENIED/407 3849 GET
>> http://www.bol.com.br/ - NONE/- text/html
>> 1389621501.213 2 192.168.53.31 TCP_DENIED/407 4148 GET
>> http://www.bol.com.br/ - NONE/- text/html
>> 1389621501.226 4 192.168.53.31 TCP_DENIED/407 4135 GET
>> http://www.bol.com.br/ - NONE/- text/html
>> 1389621532.660 2 192.168.53.31 TCP_DENIED/407 3947 GET
>> http://www.bol.com.br/ - NONE/- text/html
>> 1389621534.117 0 192.168.53.31 TCP_DENIED/407 3947 GET
>> http://www.bol.com.br/ - NONE/- text/html
>> 1389621535.165 98 192.168.53.31 TCP_DENIED/407 4148 GET
>> http://www.bol.com.br/ - NONE/- text/html
>> 1389621535.397 143 192.168.53.31 TCP_MISS/302 577 GET
>> http://www.bol.com.br/ sa_mtmon DIRECT/200.147.35.224 text/html
>> 1389621535.542 88 192.168.53.31 TCP_DENIED/407 4187 GET
>> http://www.bol.uol.com.br/ - NONE/- text/html
>> 1389621535.829 256 192.168.53.31 TCP_DENIED/407 4486 GET
>> http://www.bol.uol.com.br/ - NONE/- text/html
>> 1389621536.969 1129 192.168.53.31 TCP_MISS/200 35705 GET
>> http://www.bol.uol.com.br/ sa_mtmon DIRECT/200.147.68.9 text/html
>>
>>
>> I realised that the upgrade changed the NTLM version too: before
>> 3.6.6-0.136.el5 and now 3.6.9-167.el6_5
>>
>>
>> How can I figure out the problem with the authentication pop-up appearing three
>> times? Before the upgrade it asked for authentication only once.
>>
>>
>> thanks
>>
>
