Re: [squid-users] ncsa_auth problem

From: ac <freebsdpowered@dont-contact.us>
Date: Tue, 14 Jun 2005 07:46:22 +0700

I think you should create passwords by using htpasswd like this:
htpasswd -c squidpassword test
Then input the password [test]. After that, the contents of squidpassword look
like this:
test:2ZynJzZ8gQDsQ
And now you can test the password by

D:/Squid/libexec/ncsa_auth.exe squidpassword
test test
OK <---
The result [OK] means ncsa_auth can understand the password.

Shortridge, Mark wrote:

>I have SquidNT (squid/2.5.STABLE3-NT-CVS) installed on a Windows 2003
>server. It works fine with no authentication. I want to use the
>ncsa_auth.exe authentication helper that came with squid, but have not been
>successful. I can see in the cache.log that squid starts the ncsa_auth
>helper, I'm not sure if I am writing the password file correctly.
>
>Cache.log
>
>2005/06/13 08:40:03| Squid Cache (Version 2.5.STABLE3-NT-CVS): Exiting
>normally.
>2005/06/13 08:40:12| Starting Squid Cache version 2.5.STABLE3-NT-CVS for
>i686-pc-winnt...
>2005/06/13 08:40:12| Running as Squid_Proxy Windows System Service on
>Windows Server 2003
>2005/06/13 08:40:12| Service command line is:
>2005/06/13 08:40:12| Process ID 860
>2005/06/13 08:40:12| With 2048 file descriptors available
>2005/06/13 08:40:12| With 2048 CRT stdio descriptors available
>2005/06/13 08:40:12| Windows sockets initialized
>2005/06/13 08:40:12| Performing DNS Tests...
>2005/06/13 08:40:12| Successful DNS name lookup tests...
>2005/06/13 08:40:12| DNS Socket created at 0.0.0.0, port 1821, FD 4
>2005/06/13 08:40:12| Adding nameserver 204.65.1.194 from Registry
>2005/06/13 08:40:12| Adding nameserver 67.67.199.122 from Registry
>2005/06/13 08:40:12| Adding nameserver 204.65.1.194 from Registry
>2005/06/13 08:40:12| Adding nameserver 67.67.199.122 from Registry
>2005/06/13 08:40:12| helperOpenServers: Starting 10 'ncsa_auth.exe'
>processes
>2005/06/13 08:40:12| User-Agent logging is disabled.
>2005/06/13 08:40:12| Referer logging is disabled.
>2005/06/13 08:40:12| pinger: ICMP socket opened
>2005/06/13 08:40:13| pinger: Squid socket opened
>2005/06/13 08:40:12| Pinger socket opened on FD 47
>2005/06/13 08:40:12| Unlinkd pipe opened on FD 50
>2005/06/13 08:40:12| Swap maxSize 102400 KB, estimated 7876 objects
>2005/06/13 08:40:12| Target number of buckets: 393
>2005/06/13 08:40:12| Using 8192 Store buckets
>2005/06/13 08:40:12| Max Mem size: 8192 KB
>2005/06/13 08:40:12| Max Swap size: 102400 KB
>2005/06/13 08:40:12| Rebuilding storage in D:\Squid/cache (CLEAN)
>2005/06/13 08:40:12| Using Least Load store dir selection
>2005/06/13 08:40:12| Set Current Directory to D:\Squid/cache
>2005/06/13 08:40:12| Loaded Icons.
>2005/06/13 08:40:12| Accepting HTTP connections at 0.0.0.0, port 80, FD 59.
>2005/06/13 08:40:12| Accepting ICP messages at 0.0.0.0, port 3130, FD 60.
>2005/06/13 08:40:12| Accepting HTCP messages on port 4827, FD 61.
>2005/06/13 08:40:12| Accepting SNMP messages on port 3401, FD 62.
>2005/06/13 08:40:13| NETDB state reloaded; 166 entries, 94 msec
>2005/06/13 08:40:13| Ready to serve requests.
>2005/06/13 08:40:13| Configuring Parent icupub.twc.state.tx.us/80/0
>2005/06/13 08:40:13| Store rebuilding is 97.2% complete
>2005/06/13 08:40:13| Done reading D:\Squid/cache swaplog (4212 entries)
>2005/06/13 08:40:13| Finished rebuilding storage from disk.
>2005/06/13 08:40:13| 4212 Entries scanned
>2005/06/13 08:40:13| 0 Invalid entries.
>2005/06/13 08:40:13| 0 With invalid flags.
>2005/06/13 08:40:13| 4212 Objects loaded.
>2005/06/13 08:40:13| 0 Objects expired.
>2005/06/13 08:40:13| 0 Objects cancelled.
>2005/06/13 08:40:13| 0 Duplicate URLs purged.
>2005/06/13 08:40:13| 0 Swapfile clashes avoided.
>2005/06/13 08:40:13| Took 0.1 seconds (29872.3 objects/sec).
>2005/06/13 08:40:13| Beginning Validation Procedure
>2005/06/13 08:40:13| Completed Validation Procedure
>2005/06/13 08:40:13| Validated 4212 Entries
>2005/06/13 08:40:13| store_swap_size = 37236k
>2005/06/13 08:40:13| storeLateRelease: released 0 objects
>
>For the password file, I have a file called password.txt, and I have a
>username and a password separated by a colon: username:password. Is this
>correct?
> test:test
> shortma1:5t43tv
>
>Conf.cmd
>
>echo auth_param basic program D:/Squid/libexec/ncsa_auth.exe
>D:/Squid/pwd/password.txt >> %CONFFILE%
>echo auth_param basic children 10 >> %CONFFILE%
>echo auth_param basic realm SquidNT >> %CONFFILE%
>echo auth_param basic credentialsttl 30 minutes >> %CONFFILE%
>
>echo acl all src 0.0.0.0/0.0.0.0 >> %CONFFILE%
>echo acl manager proto cache_object >> %CONFFILE%
>echo acl localhost src 127.0.0.1/255.255.255.255 >> %CONFFILE%
>echo acl to_localhost dst 127.0.0.0/8 >> %CONFFILE%
>echo acl SSL_ports port 443 563 >> %CONFFILE%
>echo acl Safe_ports port 80 # http >> %CONFFILE%
>echo acl Safe_ports port 21 # ftp >> %CONFFILE%
>echo acl Safe_ports port 443 563 # https, snews >> %CONFFILE%
>echo acl Safe_ports port 70 # gopher >> %CONFFILE%
>echo acl Safe_ports port 210 # wais >> %CONFFILE%
>echo acl Safe_ports port 1025-65535 # unregistered ports >> %CONFFILE%
>echo acl Safe_ports port 280 # http-mgmt >> %CONFFILE%
>echo acl Safe_ports port 488 # gss-http >> %CONFFILE%
>echo acl Safe_ports port 591 # filemaker >> %CONFFILE%
>echo acl Safe_ports port 777 # multiling http >> %CONFFILE%
>echo acl CONNECT method CONNECT >> %CONFFILE%
>echo acl MYLAN src %IP1%-%IP2%/%NETMASK% >> %CONFFILE%
>echo acl TWC url_regex -i ^.twc.state.tx.us >> %CONFFILE%
>echo acl TWC2 url_regex -i .twc.state.tx.us$ >> %CONFFILE%
>echo acl users proxy_auth REQUIRED >> %CONFFILE%
>echo # acl BadSites url_regex -i "D:/blacklists/warez/badsites.txt" >>
>%CONFFILE%
>echo acl PornSites url_regex -i "D:/blacklists/porn/domain.txt" >>
>%CONFFILE%
>echo acl Porn_Urls url_regex -i "D:/blacklists/porn/Porn_Urls.txt" >>
>%CONFFILE%
>echo # acl warez url_regex -i "D:/blacklists/warez/domains.txt" >>
>%CONFFILE%
>echo # TAG: http_access >> %CONFFILE%
>echo # Allowing or Denying access based on defined access lists >>
>%CONFFILE%
>echo # >> %CONFFILE%
>echo # Access to the HTTP port: >> %CONFFILE%
>echo # http_access allow//deny [!]aclname ... >> %CONFFILE%
>echo # >> %CONFFILE%
>echo # NOTE on default values: >> %CONFFILE%
>echo # >> %CONFFILE%
>echo # If there are no "access" lines present, the default is to deny >>
>%CONFFILE%
>echo # the request. >> %CONFFILE%
>echo # >> %CONFFILE%
>echo # If none of the "access" lines cause a match, the default is the >>
>%CONFFILE%
>echo # opposite of the last line in the list. If the last line was >>
>%CONFFILE%
>echo # deny, then the default is allow. Conversely, if the last line >>
>%CONFFILE%
>echo # is allow, the default will be deny. For these reasons, it is a >>
>%CONFFILE%
>echo # good idea to have an "deny all" or "allow all" entry at the end >>
>%CONFFILE%
>echo # of your access lists to avoid potential confusion. >> %CONFFILE%
>echo # >> %CONFFILE%
>echo # Default: >> %CONFFILE%
>echo # http_access allow all >> %CONFFILE%
>echo # >> %CONFFILE%
>echo # Recommended minimum configuration: >> %CONFFILE%
>echo # >> %CONFFILE%
>echo # Only allow cachemgr access from localhost >> %CONFFILE%
>echo http_access allow manager localhost >> %CONFFILE%
>echo #http_access deny manager >> %CONFFILE%
>echo http_access allow users >> %CONFFILE%
>echo http_access deny !users >> %CONFFILE%
>echo # Deny requests to unknown ports >> %CONFFILE%
>echo http_access deny !Safe_ports >> %CONFFILE%
>echo # Deny CONNECT to other than SSL ports >> %CONFFILE%
>echo http_access deny CONNECT !SSL_ports >> %CONFFILE%
>echo # >> %CONFFILE%
>echo # We strongly recommend to uncomment the following to protect innocent >> %CONFFILE%
>echo # web applications running on the proxy server who think that the only >> %CONFFILE%
>echo # one who can access services on "localhost" is a local user >>
>%CONFFILE%
>echo # http_access deny to_localhost >> %CONFFILE%
>echo # >> %CONFFILE%
>echo # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS >>
>%CONFFILE%
>echo # Exampe rule allowing access from your local networks. Adapt >>
>%CONFFILE%
>echo # to list your (internal) IP networks from where browsing should >>
>%CONFFILE%
>echo # be allowed >> %CONFFILE%
>echo # acl our_networks src 192.168.1.0/24 192.168.2.0/24 >> %CONFFILE%
>echo # http_access allow our_networks >> %CONFFILE%
>echo # And finally deny all other access to this proxy >> %CONFFILE%
>echo http_access allow TWC >> %CONFFILE%
>echo http_access allow TWC2 >> %CONFFILE%
>echo # http_access deny BadSites >> %CONFFILE%
>echo http_access deny PornSites >> %CONFFILE%
>echo http_access deny Porn_Urls >> %CONFFILE%
>echo # http_access deny warez >> %CONFFILE%
>echo http_access allow MYLAN >> %CONFFILE%
>echo http_access deny all >> %CONFFILE%
>
>The web browser comes up and prompts for a username and password but will
>not let me get to the internet. I just get the prompt again.
>
>Access.log
>
>1118669439.698 0 10.7.6.30 TCP_DENIED/407 1867 GET
>http://toolbar.netcraft.com/updates/localblock.dat - NONE/- text/html
>1118669440.291 0 10.7.6.30 TCP_DENIED/407 1885 GET
>http://toolbar.netcraft.com/check_url/http://www.msn.com - NONE/- text/html
>1118669440.291 0 10.7.6.30 TCP_DENIED/407 1885 GET
>http://toolbar.netcraft.com/check_url/http://www.msn.com - NONE/- text/html
>1118669440.526 0 10.7.6.30 TCP_DENIED/407 1774 GET http://www.msn.com/
>- NONE/- text/html
>1118669440.526 0 10.7.6.30 TCP_DENIED/407 1774 GET http://www.msn.com/
>- NONE/- text/html
>1118669663.088 31 10.7.6.30 TCP_DENIED/407 1774 GET http://www.msn.com/
>- NONE/- text/html
>1118669663.698 0 10.7.6.30 TCP_DENIED/407 1774 GET http://www.msn.com/
>test NONE/- text/html
>1118669669.119 31 10.7.6.30 TCP_DENIED/407 1774 GET http://www.msn.com/
>- NONE/- text/html
>1118669669.307 31 10.7.6.30 TCP_DENIED/407 1832 GET
>http://toolbarqueries.google.com/search? - NONE/- text/html
>1118669669.338 31 10.7.6.30 TCP_DENIED/407 1832 GET
>http://toolbarqueries.google.com/search? - NONE/- text/html
>1118669922.526 32 10.7.6.30 TCP_DENIED/407 1885 GET
>http://toolbar.netcraft.com/check_url/http://www.msn.com - NONE/- text/html
>1118669922.557 31 10.7.6.30 TCP_DENIED/407 1885 GET
>http://toolbar.netcraft.com/check_url/http://www.msn.com - NONE/- text/html
>1118669926.635 31 10.7.6.30 TCP_DENIED/407 1885 GET
>http://toolbar.netcraft.com/check_url/http://www.msn.com - NONE/- text/html
>1118669932.057 31 10.7.6.30 TCP_DENIED/407 1885 GET
>http://toolbar.netcraft.com/check_url/http://www.msn.com - NONE/- text/html
>1118669933.682 0 10.7.6.30 TCP_DENIED/407 1885 GET
>http://toolbar.netcraft.com/check_url/http://www.msn.com shortma1 NONE/-
>text/html
>1118669934.463 0 10.7.6.30 TCP_DENIED/407 1774 GET http://www.msn.com/
>shortma1 NONE/- text/html
>1118669934.463 0 10.7.6.30 TCP_DENIED/407 1774 GET http://www.msn.com/
>shortma1 NONE/- text/html
>1118669935.869 0 10.7.6.30 TCP_DENIED/407 1832 GET
>http://toolbarqueries.google.com/search? shortma1 NONE/- text/html
>1118669935.869 0 10.7.6.30 TCP_DENIED/407 1832 GET
>http://toolbarqueries.google.com/search? shortma1 NONE/- text/html
>
>
>Any help or suggestions are very much appreciated.
>
>
>
>
>====================================
>Mark Shortridge
>i-Net+, Network+
>Computer Support Specialist
>North East Texas Workforce Development Board
>903-794-9490 ext. 106
>903-794-4884 fax
>====================================

Received on Mon Jun 13 2005 - 18:44:17 MDT
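
An added example (not from the original post or from the Squid project): a format check over an NCSA-style password file that flags entries, like the plain `test:test` lines in the question, whose second field is not a crypt hash. The function names are hypothetical, and the sample file is constructed from the entries quoted in this thread plus one malformed line.

```python
import re

# Traditional crypt(3) DES output: 2 salt chars + 11 hash chars from [./0-9A-Za-z],
# the shape of the "test:2ZynJzZ8gQDsQ" entry shown in the reply.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
# Apache htpasswd MD5 variant: $apr1$<salt, up to 8 chars>$<22 chars>.
APR1_MD5 = re.compile(r"\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}")


def classify_field(field):
    """Name the hash format of a password field, or 'not-a-hash'.

    This is a format check only: a 13-character alphanumeric plaintext
    password would be indistinguishable from a DES crypt string.
    """
    if DES_CRYPT.fullmatch(field):
        return "des-crypt"
    if APR1_MD5.fullmatch(field):
        return "apr1-md5"
    return "not-a-hash"


def audit_password_file(text):
    """Return (line_number, user, finding) for every entry that looks unusable."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        user, sep, field = line.partition(":")
        if not sep or not user:
            findings.append((number, user, "malformed"))
            continue
        if classify_field(field) == "not-a-hash":
            # Likely a plaintext password stored where a hash is expected.
            findings.append((number, user, "not-a-hash"))
    return findings


# Constructed sample: one hashed entry from the reply, the two plaintext
# entries from the question, and one line with no separator.
SAMPLE = "test:2ZynJzZ8gQDsQ\ntest:test\nshortma1:5t43tv\nno-colon-here\n"

if __name__ == "__main__":
    for number, user, finding in audit_password_file(SAMPLE):
        print(f"line {number}: user {user!r}: {finding}")
```
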
