[squid-users] Digest auth doesn't work anymore

From: Ralf Hildebrandt <Ralf.Hildebrandt@dont-contact.us>
Date: Thu, 20 Mar 2008 11:50:15 +0100

Version:
ii squid3 3.0.STABLE2-1 A full featured Web Proxy cache (HTTP proxy)

The Problem: Digest auth doesn't work anymore
The users aren't even being asked for a username/password. All they
get is a rejection page (access denied). In the log I get:

1205999382.801 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
1205999384.457 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
1205999385.320 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
1205999386.409 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
1205999387.455 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
1205999388.167 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
1205999389.011 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html

My config:

------- snip ------
http_port 3128
cache_peer 127.0.0.1 parent 3129 0 no-query default
           
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_access_log /var/log/squid/access-wlan.log
cache_log none
cache_store_log none
pid_filename /var/run/squid-wlan.pid
hosts_file /etc/hosts
auth_param digest program /usr/lib/squid3/digest_pw_auth /etc/squid/wlan-proxyauth.digest
auth_param digest children 10
auth_param digest realm Hualp!
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50
auth_param digest post_workaround on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl to_internal_networks dst 10.0.0.0/8 141.42.0.0/16 160.45.172.0/255.255.252.0 160.45.176.0/255.255.240.0 160.45.192.0/255.255.240.0 172.16.0.0/255.240.0.0 192.168.0.0/16 193.175.64.0/255.255.248.0
acl to_dmz dst 193.175.72.0/24 193.175.74.0/24 141.42.4.0/26 141.42.4.64/26 141.42.4.128/26 141.42.4.192/26
acl to_webmail dst webmail.charite.de
acl to_zugang dst zugang.charite.de
http_access allow to_webmail
http_access allow CONNECT to_webmail
http_access allow to_zugang
http_access allow CONNECT to_zugang
http_access deny to_internal_networks
http_access deny CONNECT to_internal_networks
acl digestauthentifizierung proxy_auth REQUIRED
http_access allow digestauthentifizierung
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname wlan-proxy.charite.de
always_direct allow CONNECT SSL_ports
never_direct allow all
error_directory /usr/share/squid3/errors/German
snmp_port 0
coredump_dir /var/spool/squid
------- snip ------

/etc/squid/wlan-proxyauth.digest contains:
st51:CVK

Testing the authenticator:

# su - proxy
$ /usr/lib/squid3/digest_pw_auth /etc/squid/wlan-proxyauth.digest
"st51":"CVK"
6247d0eea64cfb87a71ab2d65de99a6d
"st51":"bullshit"
483cffce047c51d30070337fea523369

(What does that H(A1) value tell me??)

-- 
Ralf Hildebrandt (i.A. des IT-Zentrums)         Ralf.Hildebrandt@charite.de
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF                 send no mail to snickebo@charite.de
Received on Thu Mar 20 2008 - 04:50:28 MDT
