WG: [squid-users] Squid 3.3.8 NTLM problems

From: Manfred Mayer IT <manfred.mayer.it_at_rapunzel.de>
Date: Tue, 10 Jun 2014 11:41:28 +0200

Hello Amos,

thanks for your suggestions on the config, I changed the lines as you proposed. But I'm still having the issue with the multiple popups at first logon with IE. Do you have any idea about this?

Thanks and regards
Mana

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Thursday, 5 June 2014 11:32
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Squid 3.3.8 NTLM problems

On 5/06/2014 7:54 p.m., Manfred Mayer IT wrote:
> Hi there,
>
> I'm trying to set up a Squid 3.3.8 on an Ubuntu 14.04 and I'm having some problems with the NTLM authentication. We have three ports, 2 are with authentication (3128 and 3129). The server is joined to a Windows 2008 domain and authentication works fine on machines that are also in this domain. But on non-domain machines, in Internet Explorer I get the authentication popup up to 6 times, then I get "Access denied" and only after a reload, the site is viewed correctly. With our old Squid 2.7 I just had to login once. I tried to adapt our existing 2.7-config for squid3, maybe I made a mistake, can someone help me to fix this error? Or is this a smb/winbind related error?
>

Please run squid -k check and fix the errors it mentions. There are quite a few lines of the config below which are unnecessary or wrong in squid-3.3.

I've mentioned below a few of the extra changes that are not easily detected like that.

> http_port 3128
> http_port 3129
> http_port 4711
> logformat squid %{%d.%m.%Y %H:%M:%S}tl.%03tu %6tr %>a %[un %Ss/%03>Hs %<st %rm %ru %Sh/%<a %mt

You should not re-define the native Squid log format.
Please use a different name. Although it's worth noting that this logformat is never being used anyway due to "emulate_httpd_log on".

> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY

The above three lines can go.

> cache_dir ufs /var/cache/squid 100 16 256
> cache_access_log stdio:/var/log/squid3/access.log
> cache_log /var/logs/cache.log
> cache_log /var/log/squid3/cache.log

You can only have one debug log for Squid. Remove the top cache_log line.

> cache_store_log none
> emulate_httpd_log on
> log_fqdn on
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> refresh_pattern . 0 20% 4320
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563 4434 7004
> acl Safe_ports port 80 # http
> acl Safe_ports port 180 # http
> acl Safe_ports port 181 # http
> acl Safe_ports port 182 # http
> acl Safe_ports port 183 # http
> acl Safe_ports port 184 # http
> acl Safe_ports port 185 # http
> acl Safe_ports port 186 # http
> acl Safe_ports port 187 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl firstport myport 3128 # (first local socket TCP port)
> acl secport myport 3129 # (second local socket TCP port)
> acl thirdport myport 4711 # (third local socket TCP port)
> acl SSL method CONNECT
> always_direct allow SSL

Why not simplify with "always_direct allow CONNECT" ?

> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl local-servers dstdomain int.rapunzel.de
> always_direct allow local-servers
> acl our_networks_new src 172.16.0.0/16
> acl goodlocalips src "/etc/squid3/goodlocalips"
> http_access allow localhost
> http_access allow goodlocalips
> acl AuthorizedUsers proxy_auth REQUIRED
> http_access allow firstport our_networks_new AuthorizedUsers
> http_access allow secport our_networks_new AuthorizedUsers
> http_access allow thirdport our_networks_new AuthorizedUsers
> http_access deny all
> always_direct allow all
> icp_access allow all
> forwarded_for on
> never_direct allow all

So you have a series of "always_direct allow" terminated by an "allow all". Then a single "never_direct allow all". But you have no cache_peer lines at all.

So all these always/never routing rules are just a waste of CPU cycles and time. You can drop the always_direct and never_direct lines completely.

Amos
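A small checker, added here as an example and not part of the thread or of Squid itself, that mechanically flags the squid.conf problems Amos lists: squid-2.7 leftovers (hierarchy_stoplist, no_cache), a logformat that redefines the native "squid" name, a second cache_log, and always_direct/never_direct rules with no cache_peer to route to. The directive names are standard squid.conf keywords; SAMPLE is constructed from the config quoted above.

```python
# Added example (not from the thread or Squid): flags the squid.conf issues
# Amos lists. Directive names are standard squid.conf keywords; SAMPLE is
# constructed from the config quoted in the thread.

OBSOLETE = {"hierarchy_stoplist", "no_cache"}      # unnecessary in squid-3.3
SINGLE_VALUED = {"cache_log", "cache_store_log"}    # only one allowed
ROUTING = {"always_direct", "never_direct"}         # need a cache_peer

def parse(conf):
    """Yield (line_no, directive, arguments), skipping comments and blanks."""
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            yield no, parts[0], parts[1] if len(parts) > 1 else ""

def check(conf):
    """Return a list of findings; an empty list means nothing to report."""
    findings, seen, has_peer, routing = [], {}, False, []
    for no, directive, args in parse(conf):
        if directive in OBSOLETE:
            findings.append(f"line {no}: '{directive}' is unnecessary in squid-3.3")
        elif directive == "logformat" and args.split()[:1] == ["squid"]:
            findings.append(f"line {no}: logformat redefines the native 'squid' format")
        elif directive in SINGLE_VALUED:
            if directive in seen:
                findings.append(f"line {no}: duplicate '{directive}' (also line {seen[directive]})")
            seen.setdefault(directive, no)
        elif directive == "cache_peer":
            has_peer = True
        elif directive in ROUTING:
            routing.append((no, directive))
    if not has_peer:  # without peers every always/never_direct rule is dead weight
        findings += [f"line {no}: '{d}' has no effect without a cache_peer" for no, d in routing]
    return findings

SAMPLE = """\
logformat squid %{%d.%m.%Y %H:%M:%S}tl.%03tu %6tr %>a %[un %Ss/%03>Hs %<st %rm %ru
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \\?
no_cache deny QUERY
cache_log /var/logs/cache.log
cache_log /var/log/squid3/cache.log
always_direct allow SSL
http_access deny all
always_direct allow all
never_direct allow all
"""
```

Running check(SAMPLE) reports seven findings; once a cache_peer line is present the routing warnings disappear, which is exactly why Amos says the rules are only wasted cycles here.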

Received on Tue Jun 10 2014 - 09:41:41 MDT
