I wonder why there are popups at all. NTLM should work without any popups.
which browser do you use? IE?
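could you try disabling the group check (the external_acl_type ACLs) to see whether the popups stop? as far as I know, an http_access deny rule whose last ACL needs the login (proxy_auth, or an external ACL using %LOGIN) makes squid answer with another 407 instead of a plain denial, which can show up as repeated popups.
we are using NTLM but everyone is allowed, after authentication. so we do not use external_acl_type.
we only use
acl auth_user proxy_auth REQUIRED
http_access allow auth_user all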
> -----Ursprüngliche Nachricht-----
> Von: Usuário do Sistema [mailto:maiconlp_at_ig.com.br]
> Gesendet: Dienstag, 14. Januar 2014 13:27
> An: Eliezer Croitoru
> Cc: squid-users_at_squid-cache.org
> Betreff: Re: [squid-users] ask three times authentication
>
> Thank you,
>
> From 2.6 to 3.1.10, was there any other change in the system?
>
> yes, I have changed my squid from an machine with S.O Red Hat 5.9
> to other machine with S.O CentOS 6.5
>
> the issue it's seems to be something about authentication
> compatibility between Browse and new squid version 3.1.10
>
> I have the old machine yet. I have done some test and from a client
> machine when I put the old proxy on browse all it's work.
> but the strange I use the same squid.conf either old proxy machine as
> well as new proxy machine so why the pop-up authentication appear
> three times only at the new proxy squid version 3.1.10 ?
>
> my question is if there is any problem with squid version 3.1.10 about
> authentication ?
>
> Follow my squid.conf.
>
>
> ############################################################
> #
> # Squid.conf autenticacao AD
> #
> #############################################################
>
> ## Autenticacao
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-
> ntlmssp
> auth_param ntlm children 50
> auth_param ntlm keep_alive on
>
> #auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-
> basic
> #auth_param basic children 30
>
> ## comentadas
>
> auth_param basic realm Acesso a Internet teste SA
> auth_param basic credentialsttl 2 hours
>
> authenticate_cache_garbage_interval 1 hour
> authenticate_ttl 120 seconds
>
> external_acl_type NT_global_group children=50 %LOGIN
> /usr/lib64/squid/squid_unix_group
>
> ## SQSTAT
>
>
> acl ntlm_users proxy_auth REQUIRED
>
> #cache_store_log none
> #cache_log /var/log/squid/cache.log
> #cache_log none
> #request_entities on
>
> # debug_options rotate=16 ALL,1
> #debug_options ALL,9
> #debug_options ALL,1 33,2
> #debug_options ALL
>
>
> visible_hostname proxy.teste.com
> http_port 8080
> http_port 127.0.0.1:3128
> hierarchy_stoplist cgi-bin ?
>
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
>
> access_log /var/log/squid/access.log squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> ie_refresh on
>
> max_filedesc 4096
>
>
> ###################################
> # Parametros de Cache NAO ALTERAR #
> ###################################
>
> #cache_dir aufs /var/spool/squid 6000 16 256
> #cache_dir ufs /var/spool/squid 5000 64 1024
> #cache_dir ufs /var/spool/squid 2048 64 64
>
> diskd_program /usr/lib64/squid/diskd-daemon
>
> cache_dir diskd /var/spool/squid/1 1000 16 128 Q1=64 Q2=72
> cache_dir diskd /var/spool/squid/2 1000 16 128 Q1=64 Q2=72
> cache_dir diskd /var/spool/squid/3 1000 16 128 Q1=64 Q2=72
> cache_dir diskd /var/spool/squid/4 1000 16 128 Q1=64 Q2=72
>
>
> #This stops squid from holding onto ram that it is no longer actively
> using.
> memory_pools off
>
> #Buffers the write-out to log files. This can increase performance
> slightly
> buffered_logs on
>
> cache_mem 1024 MB
>
> half_closed_clients off
> cache_swap_low 80%
> cache_swap_high 100%
>
> maximum_object_size 10 MB
> maximum_object_size_in_memory 2048 KB
>
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap GDSF
>
> #######################################
>
> ftp_passive on
> acl ftp_21 port 21
>
> ############################################################
> #
> # Regras Padrao
> #
> ############################################################
>
>
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 20 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # companyling http
> acl Safe_ports port 10080 # Porta http das unidades remotas teste.
> acl Safe_ports port 8181 # Publicacao
> acl Safe_ports port 10082 # DBMessenger
> acl Safe_ports port 9082
> acl ftp proto FTP
> acl CONNECT method CONNECT
>
>
> #################################
> # Origens
> #################################
> acl rede_projeto src 192.168.52.0/22
> acl nelson src 128.2.20.213
> acl 2m041187 src 128.2.20.171
> acl localhost src 127.0.0.1/32
> acl LAN_GERAL src 128.0.0.0/8
> acl LAN_ADM src 128.2.0.0/16
> acl gilson src 128.2.20.141/32
> acl LAN_IDU src 128.4.0.0/16
> acl LAN_JBOCD src 10.13.0.0/16
> acl LAN_COJ src 128.1.0.0/16
> acl LAN_COJ_TS src 10.1.251.0/25
> acl dropbox_liberado src 128.2.30.201/32
> acl testebo dst 189.36.1.226/32
>
>
> #################################
> # Regras LYNC e Sites sem AUTH
> #################################
> acl MSN_Liberado external NT_global_group msn_liberado
> acl lync url_regex "/etc/squid/acls/lync.txt"
> http_access allow lync
>
> acl semauth url_regex -i "/etc/squid/acls/sites_semauth.txt"
> http_access allow all semauth all
> http_access allow CONNECT semauth all
> http_access allow testebo
>
> acl semauth_sap url_regex -i
> "/etc/squid/acls/sites_semauth_sap.txt"
> http_access allow rede_projeto semauth_sap all
>
>
> acl msn.8 url_regex "/etc/squid/acls/msn.txt"
> acl local url_regex localhost
>
> http_access allow local
> http_access allow semauth 2m041187
> http_access allow localhost all
> http_access allow nelson
> http_access allow MSN_Liberado msn.8
>
> ############################################################
> #
> # Regras teste
> #
> ############################################################
>
> acl manager proto cache_object
>
> acl semcache url_regex "/etc/squid/acls/semcache.txt"
> acl SITES_BLOQUEADOS url_regex -i
> "/etc/squid/acls/sites_bloqueados.txt"
> acl SITES_LIBERADOS url_regex -i "/etc/squid/acls/sites_liberados.txt"
> acl acesso_mkt_vendas url_regex -i
> "/etc/squid/acls/acesso_mkt_vendas.txt"
> #acl quiosque url_regex -i "/etc/squid/acls/quiosque.txt"
> acl mtmon url_regex -i "/etc/squid/acls/mtmon.txt"
> acl IPS_LIBERADOS src "/etc/squid/acls/ips_liberados.txt"
> acl IPS_BLOQUEADOS src "/etc/squid/acls/ips_bloqueados.txt"
> acl PORN url_regex -i "/etc/squid/acls/porn.txt"
> acl NOPORN url_regex -i "/etc/squid/acls/noporn.txt"
> acl downloads url_regex -i "/etc/squid/acls/extensoes.txt"
>
>
> acl msn dstdomain loginnet.passport.com login.live.com
> acl msn.1 dstdomain loginnet.passport.com
> acl msn.2 dstdomain webmessenger.msn.com
> acl msn.3 url_regex -i gateway.dll
> acl msn.4 req_mime_type -i ^application/x-msn-messenger$
> acl msn.5 url_regex -i "/etc/squid/acls/msn.txt"
> acl msn.6 src 65.0.0.0/12
> acl msn.7 url_regex -i gateway.dll?
> acl webmails_liberado url_regex -i
> "/etc/squid/acls/webmail_liberados.txt"
> acl webmail_bloqueado url_regex -i
> "/etc/squid/acls/webmail_bloqueado.txt"
> acl bb browser C:\BancoBrasil\officeIE\index.html
> acl bancos url_regex -i "/etc/squid/acls/bancos.txt"
> acl bb1 url_regex -i "/etc/squid/acls/bb.txt"
> acl CAIXA url_regex -i "/etc/squid/acls/caixa.txt"
> acl WINDOWS_UPDATE url_regex -i "/etc/squid/acls/windows_update.txt"
> acl teste url_regex -i "/etc/squid/acls/teste.txt"
> acl sites_bloqueados2 url_regex -i
> "/etc/squid/acls/sites_bloqueados2.txt"
> acl sites_mfseguranca url_regex -i
> "/etc/squid/acls/sites_mfseguranca.txt"
> acl sites_gilson url_regex -i "/etc/squid/acls/sites_gilson.txt"
> acl GTALK url_regex -i "/etc/squid/acls/gtalk.txt"
> acl SITES_INTERNET_SAP url_regex -i
> "/etc/squid/acls/sites_internet_sap.txt"
>
>
> # Fix support.microsoft.com by removing Accept-Encoding header
>
> acl support.microsoft.com dstdomain support.microsoft.com
> acl trendmicro url_regex "/etc/squid/acls/trendmicro.txt"
> acl GOV url_regex -i "/etc/squid/acls/gov.txt"
> acl sites_normas url_regex -i "/etc/squid/acls/sites_normas.txt"
> acl twitter url_regex -i "/etc/squid/acls/twitter.txt"
> acl orkut url_regex -i "/etc/squid/acls/orkut.txt"
> acl ninecon url_regex -i "/etc/squid/acls/ninecon.txt"
> acl youtube url_regex -i "/etc/squid/acls/youtube.txt"
> acl facebook url_regex -i "/etc/squid/acls/facebook.txt"
>
> ####################################
> # ACL USANDO AUTENTICACAO GRUPOS AD
> ####################################
>
> acl facebook_liberado external NT_global_group facebook_liberado
> acl internet_teste external NT_global_group internet_teste
> acl internet_normal external NT_global_group internet_normal
> acl internet_liberada external NT_global_group internet_liberada
> acl internet_bloqueada external NT_global_group internet_bloqueada
> acl download_liberado external NT_global_group download_liberado
> acl orkut_liberado external NT_global_group orkut_liberado
> acl twitter_liberado external NT_global_group twitter_liberado
> acl youtube_liberado external NT_global_group youtube_liberado
> acl update_liberado external NT_global_group update_liberado
> acl webmail_liberado external NT_global_group webmail_liberado
> acl webmailninecon external NT_global_group webmailninecon
> acl sites_mkt_vendas external NT_global_group sites_mkt_vendas
> acl semi_liberado external NT_global_group semi_liberado
> acl internet_consultores_sap external NT_global_group
> internet_consultores_sap
> #acl quiosque_liberado external NT_global_group internet_quiosque
>
>
> ###########################################################
> #
> # BLOQUEIO DO SQUID
> ###########################################################
>
> http_access allow manager localhost
> http_access allow localhost manager
> http_access allow localhost all
>
> #http_access allow all
> http_access allow teste all
> http_access allow bancos
> http_access allow bb
> http_access allow bb1
> http_access allow GOV
> http_access allow CAIXA
> http_access allow sites_normas
> http_access allow webmails_liberado
> http_access allow mtmon
>
> http_access allow internet_liberada all
>
> http_access allow LAN_ADM sites_mfseguranca
> #http_access allow gilson sites_gilson
> http_access allow gilson
> http_access allow LAN_COJ sites_mfseguranca
> http_access allow dropbox_liberado
> http_access allow ftp
> http_access allow ftp_21
> http_access allow IPS_LIBERADOS
> http_access allow acesso_mkt_vendas sites_mkt_vendas
> http_access allow youtube youtube_liberado
> http_access allow facebook facebook_liberado
> http_access allow WINDOWS_UPDATE update_liberado
> http_access allow webmailninecon ninecon
> http_access allow downloads download_liberado
> http_access deny IPS_BLOQUEADOS
> #http_access allow downloads download_liberado
> #no_cache deny semcache
> cache deny semcache
> http_access allow semcache all
>
> http_access allow semi_liberado !youtube !facebook !twitter !orkut
> !GTALK !msn !msn.1 !msn.2 !msn.3 !msn.4 !msn.5 !msn.6 !msn.7
> !sites_bloqueados !PORN
> http_access deny sites_bloqueados2
> http_access allow MSN_Liberado msn msn.1 msn.2 msn.3 msn.4 msn.5 msn.6
> msn.7
> http_access deny MSN_Liberado SITES_BLOQUEADOS
> http_access deny MSN_Liberado ORKUT
> http_access allow internet_teste SITES_LIBERADOS
> http_access allow internet_normal SITES_LIBERADOS
> http_access deny internet_teste SITES_BLOQUEADOS
> http_access deny internet_normal SITES_BLOQUEADOS
> #http_access deny !internet_teste
> http_access deny webmail_bloqueado !webmail_liberado
> http_access allow SITES_LIBERADOS
> http_access deny ORKUT !orkut_liberado
> http_access deny twitter !twitter_liberado all
> http_access deny ORKUT
> http_access deny internet_bloqueada all
> http_access allow sites_normas
> #http_access allow WINDOWS_UPDATE update_liberado
> http_access deny WINDOWS_UPDATE
> http_access allow all SSL_ports
> http_access deny msn
> http_access deny msn.1
> http_access deny msn.2
> http_access deny msn.3
> http_access deny msn.4
> http_access deny msn.5
> http_access deny GTALK
> http_access deny PORN !NOPORN all
> http_access deny SITES_BLOQUEADOS
> ##http_access allow downloads download_liberado
> http_access deny downloads
>
>
> acl BLOQUEIO_SAP url_regex
> "/etc/squid/acls/sites_internet_sap_bloqueio.txt"
> http_access deny rede_projeto BLOQUEIO_SAP
>
> http_access allow ntlm_users rede_projeto
>
> http_access allow internet_consultores_sap SITES_INTERNET_SAP
> http_access allow internet_consultores_sap SITES_LIBERADOS
> http_access allow internet_consultores_sap semauth_sap
> http_access allow rede_projeto SITES_INTERNET_SAP
> http_access allow rede_projeto SITES_LIBERADOS
> http_access deny internet_consultores_sap all
> http_access deny rede_projeto all
>
>
> # nelson http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow ntlm_users
> http_access allow LAN_ADM
> http_access allow rede_projeto
> http_access allow LAN_IDU
> http_access allow LAN_JBOCD
> http_access allow LAN_COJ
> http_access allow LAN_COJ_TS
>
> http_access deny all
> http_reply_access allow all
> icp_access allow all
>
> cache_mgr suporte_at_teste.com
> #cachemgr_passwd companytTask all
> error_directory /usr/share/squid/errors/pt-br
> coredump_dir /pacotes/squid/core
>
>
> Thanks
>
>
>
>
>
>
>
>
>
>
>
> 2014/1/13 Eliezer Croitoru <eliezer_at_ngtech.co.il>:
> > Hey,
> >
> > I would like to try and understand the issue but it seems like more
> complex
> > to me to understand what happens yet.
> > You use NTLM auth but I do not understand the authentication settings
> yet.
> > From 2.6 to 3.1.10, was there any other change in the system?
> > As I understand it's an internal proxy it seems a bit weird.
> > I do not assume that the issue is in the config file but a basic
> description
> > of the environment can help to understand more about the subject.
> >
> > If you can share the basic squid.conf it would help but note to remove
> any
> > personal details or at least change them to make sure that the
> environment
> > can be understood properly.
> >
> > All The Bests,
> > Eliezer
> >
> >
> > On 13/01/14 16:13, Usuário do Sistema wrote:
> >>
> >> Hello everyone,
> >>
> >>
> >> I have done upgrade in the my squid from Version 2.6.STABLE21 to
> Version
> >> 3.1.10
> >>
> >> After that it always pop-up authentication three times before allow
> >> that url. follow a example for www.bol.com.br url
> >>
> >>
> >> 1389621501.201 1 192.168.53.31 TCP_DENIED/407 3849 GET
> >> http://www.bol.com.br/ - NONE/- text/html
> >> 1389621501.213 2 192.168.53.31 TCP_DENIED/407 4148 GET
> >> http://www.bol.com.br/ - NONE/- text/html
> >> 1389621501.226 4 192.168.53.31 TCP_DENIED/407 4135 GET
> >> http://www.bol.com.br/ - NONE/- text/html
> >> 1389621532.660 2 192.168.53.31 TCP_DENIED/407 3947 GET
> >> http://www.bol.com.br/ - NONE/- text/html
> >> 1389621534.117 0 192.168.53.31 TCP_DENIED/407 3947 GET
> >> http://www.bol.com.br/ - NONE/- text/html
> >> 1389621535.165 98 192.168.53.31 TCP_DENIED/407 4148 GET
> >> http://www.bol.com.br/ - NONE/- text/html
> >> 1389621535.397 143 192.168.53.31 TCP_MISS/302 577 GET
> >> http://www.bol.com.br/ sa_mtmon DIRECT/200.147.35.224 text/html
> >> 1389621535.542 88 192.168.53.31 TCP_DENIED/407 4187 GET
> >> http://www.bol.uol.com.br/ - NONE/- text/html
> >> 1389621535.829 256 192.168.53.31 TCP_DENIED/407 4486 GET
> >> http://www.bol.uol.com.br/ - NONE/- text/html
> >> 1389621536.969 1129 192.168.53.31 TCP_MISS/200 35705 GET
> >> http://www.bol.uol.com.br/ sa_mtmon DIRECT/200.147.68.9 text/html
> >>
> >>
> >> I released with upgrade changed NTLM version too. before
> >> 3.6.6-0.136.el5 and now 3.6.9-167.el6_5
> >>
> >>
> >> how to can I figure out that problem the pop-up authentication three
> >> times ? before upgrade it ask only one pop-up authentication.
> >>
> >>
> >> thanks
> >>
> >
Received on Wed Jan 15 2014 - 13:56:44 MST