Re: [squid-users] Browser fails to prompt for authentication

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 20 Jun 2003 00:39:49 +0200

On Thursday 19 June 2003 22.26, Fred Evans wrote:

> http_access allow all users
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all

And you remembered to restart (or at least reconfigure) squid after
making the squid.conf changes?

Note: The intended order of your http_access rules is to have the
"allow users" rule almost last, not first. The first rules are there to
restrict things no user should be able to do and to give localhost
slightly different permissions, and if you place your allow rule
before these then your rule gets a higher priority and these filters
are never reached.

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access allow users
http_access deny all

(note: "all users" and "users" are the same thing)

Or to restructure to make the rules maybe a little more visible

# Basic acl definitions
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1

# Allow cachemgr access from localhost only
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager

# Deny access to unsafe ports
acl Safe_ports ...
acl SSL_ports ...
acl CONNECT method CONNECT
http_access deny !CONNECT !Safe_ports
http_access deny CONNECT !SSL_ports

# Deny proxy access to localhost server (often protected
# administrative HTTP servers run on the localhost interface
# and should not be reachable via the proxy)
acl to_localhost dst 127.0.0.0/8
http_access deny to_localhost

# Allow localhost access without authentication
http_access allow localhost

# Allow local authenticated users access
acl local_network src 192.168.0.0/16
acl users proxy_auth REQUIRED
http_access allow local_network users

# Deny all other uses of the proxy
http_access deny all

Hmm.. are you sure "squid -k parse" is happy? You do not seem to have
a definition of the "all" acl, but maybe this was forgotten in your
email only?

Regards
Henrik

>
> On Thu, 2003-06-19 at 12:38, Henrik Nordstrom wrote:
> > On Thursday 19 June 2003 19.04, Fred Evans wrote:
> > > I made sure that the password file is owned by the user squid
> > > runs as and is readable by that user.
> > >
> > > Prior to this installation of squid there was no transparent
> > > proxy. The browsers were not configured for proxying at all
> > > until I configured them to work with this install of squid.
> > > Further, I tested on IE and Mozilla for windows and Mozilla for
> > > linux.
> > >
> > > The config is as follows:
> > >
> > > auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid.passwd
> > > auth_param basic children 5
> > > auth_param basic credentialsttl 2 hours
> > >
> > > acl users proxy_auth REQUIRED
> > > http_access allow all users
> >
> > Looks good..
> >
> > Any errors if you run "squid -k parse"?
> >
> >
> > Is there any other http_access lines before this?
> > (the order of your http_access lines is important)
> >
> > Regards
> > Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Thu Jun 19 2003 - 16:40:01 MDT
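
Added example (not part of the original message and not Squid code): a small Python model of first-match http_access evaluation, comparing the rule order as posted with the reordered list from the reply. The port sets, the addresses and the `decide`/`compare` helpers are assumptions made up for this illustration.

```python
# Simplified model of http_access matching (added example, not Squid code).
# Port sets are constructed: the thread elides the real Safe_ports/SSL_ports.
# The 407 challenge sent when credentials are missing is not modelled.
SAFE_PORTS, SSL_PORTS = {21, 80, 443}, {443}
ACLS = {
    "all":          lambda r: True,
    "localhost":    lambda r: r["src"] == "127.0.0.1",
    "manager":      lambda r: r["proto"] == "cache_object",
    "Safe_ports":   lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports":    lambda r: r["port"] in SSL_PORTS,
    "CONNECT":      lambda r: r["method"] == "CONNECT",
    "to_localhost": lambda r: r["dst"].startswith("127."),
    "users":        lambda r: r["authenticated"],  # proxy_auth REQUIRED
}
AS_POSTED = """
http_access allow all users
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""
REORDERED = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access allow users
http_access deny all
"""
def decide(rules, req):
    """Return (action, rule line) for the first line whose ACLs all match."""
    for line in rules.strip().splitlines():
        _, action, *names = line.split()
        # ACLs on one line are ANDed; a leading "!" negates the ACL.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, line.strip()
    raise ValueError("rule list should end with a catch-all line")

# Constructed request: an authenticated user on the local network.
USER = dict(src="192.168.1.10", dst="203.0.113.5", port=80,
            method="GET", proto="http", authenticated=True)
def compare(**overrides):
    """Return the (as posted, reordered) decisions for a variation of USER."""
    req = {**USER, **overrides}
    return decide(AS_POSTED, req)[0], decide(REORDERED, req)[0]
```

For example, `compare(method="CONNECT", port=25)` shows the as-posted order allowing a request that the reordered list stops at the port filters.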
