Re: [squid-users] Squid2.6 Stable with Mac OSX issue

From: Chris Robertson <crobertson@dont-contact.us>
Date: Thu, 01 Nov 2007 11:15:44 -0800

Eric Young wrote:
> I am running Squid2.6 stable running on Win2003
>
>
>
> I have a stable config running with 120+ WinXP boxes and 130+ users. I have 3 Mac OSX workstations that like the XP workstations are setup with manual proxy settings. My problem is that Mac users are getting prompt every 15-20 meeting for authentication again. They are able to surf but are getting errors on RSS streams and WebDav. XP users are getting authenticated via NTLM.
>

Authentication caching is the responsibility of the browser, as HTTP is
a stateless protocol. That said, if your access controls are set up
such that access is denied to a certain resource for certain people,
Squid will re-prompt for authentication to give the surfer a chance to
give authentication that will allow access. I don't see that situation
below, but...

> auth_param ntlm program e:/squid/libexec/mswin_ntlm_auth.exe
> auth_param ntlm children 5
> auth_param ntlm max_challenge_lifetime 600 minutes
> auth_param ntlm keep_alive on
> external_acl_type win_domain_group ttl=120 %LOGIN
> e:/squid/libexec/mswin_check_lm_group.exe -G
> acl ProxyUsers external win_domain_group ProxyAccess
> acl NoProxyUsers external win_domain_group NoProxyAccess
> acl password proxy_auth REQUIRED
> http_access allow password ProxyUsers

This line should really go down just above the "http_access deny all"
line. Otherwise, the other restrictions you have (only allowing manager
from localhost, denying CONNECTS to ports other than 443) are bypassed.
http_access processing exits on the first match.

> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow !Safe_ports

Yikes. Anyone that can access your proxy can use it without
authentication to reach ports not included in the Safe_ports acl.
Probably not what you want to do. If you want to access ports not
listed in the Safe_ports ACL, either add them with their own "acl
Safe_ports port NNN" line (recommended), or drop this line and the
"http_access deny Safe_ports" line below entirely (better than what you
have).

> http_access allow localhost
> cache_mgr eric.young@tullys.com
> httpd_suppress_version_string on
> visible_hostname Tullys
> via off
> forwarded_for off
> log_icp_queries off
> client_db off
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
> icp_access allow all
> http_port x.x.x.x:8002
> cache_dir ufs e:/squid/var/cache 3000 16 256
> access_log e:/squid/var/logs/access.log common
> cache_log e:/squid/var/logs/cache.log
> cache_store_log e:/squid/var/logs/store.log
> pid_filename e:/squid/var/logs/squid.pid
> debug_options ALL,1 33,2
> unlinkd_program e:/squid/libexec/unlinkd.exe
> refresh_pattern ^http://.*\.gif$ 1440 50% 20160 reload-into-ims
> refresh_pattern ^http://.*\.asis$ 1440 50% 20160
> refresh_pattern -i \.png$ 10080 150% 40320 reload-into-ims
> refresh_pattern -i \.jpg$ 10080 150% 40320 reload-into-ims
> refresh_pattern -i \.bmp$ 10080 150% 40320 reload-into-ims
> refresh_pattern -i \.gif$ 10080 300% 40320 reload-into-ims
> refresh_pattern -i \.ico$ 10080 300% 40320 reload-into-ims
> refresh_pattern -i \.swf$ 10080 300% 40320 reload-into-ims
> refresh_pattern -i \.flv$ 10080 300% 40320 reload-into-ims
> refresh_pattern -i \.rar$ 10080 150% 40320
> refresh_pattern -i \.ram$ 10080 150% 40320
> refresh_pattern -i \.txt$ 1440 100% 20160 reload-into-ims override-lastmod
> refresh_pattern -i \.css$ 1440 60% 20160
> refresh_pattern ^http:// 1 100% 20160 reload-into-ims ignore-reload
> refresh_pattern ^ftp:// 240 50% 20160
> refresh_pattern ^gopher:// 240 40% 20160
> refresh_pattern /cgi-bin/ 0 0% 30
> refresh_pattern . 0 100% 20160 reload-into-ims
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> icp_port 3130
> htcp_port 4827
> icon_directory e:/squid/share/icons
> error_directory e:/squid/share/errors/English
> coredump_dir e:/squid/var/cache

> Eric Young
> Senior Network Engineer
> Tully's Coffee Corporation
> 206.695.6504
>

As for the RSS and WebDav errors, check your cache_log
(e:\squid\var\logs\cache.log) to see if it gives a reason.

Chris
Received on Thu Nov 01 2007 - 13:16:41 MDT

This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:01 MST