Re: [squid-users] Digest auth doesn't work anymore

From: Amos Jeffries <squid3@dont-contact.us>
Date: Fri, 21 Mar 2008 00:00:15 +1300

Ralf Hildebrandt wrote:
> Version:
> ii squid3 3.0.STABLE2-1 A full featured Web Proxy cache (HTTP proxy)
>
> The Problem: Digest auth doesn't work anymore
> The users aren't even being asked for a username/password. All they
> get is a rejection page (access denied). In the log I get:
>
> 1205999382.801 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
> 1205999384.457 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
> 1205999385.320 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
> 1205999386.409 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
> 1205999387.455 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
> 1205999388.167 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
> 1205999389.011 0 172.19.32.82 TCP_DENIED/407 2813 GET http://www.google.de/ - NONE/- text/html
>
> My config:
>
> ------- snip ------
> http_port 3128
> cache_peer 127.0.0.1 parent 3129 0 no-query default
>
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_access_log /var/log/squid/access-wlan.log
> cache_log none
> cache_store_log none
> pid_filename /var/run/squid-wlan.pid
> hosts_file /etc/hosts
> auth_param digest program /usr/lib/squid3/digest_pw_auth /etc/squid/wlan-proxyauth.digest
> auth_param digest children 10
> auth_param digest realm Hualp!
> auth_param digest nonce_garbage_interval 5 minutes
> auth_param digest nonce_max_duration 30 minutes
> auth_param digest nonce_max_count 50
> auth_param digest post_workaround on
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563 # https, snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> acl to_internal_networks dst 10.0.0.0/8 141.42.0.0/16 160.45.172.0/255.255.252.0 160.45.176.0/255.255.240.0 160.45.192.0/255.255.240.0 172.16.0.0/255.240.0.0 192.168.0.0/16 193.175.64.0/255.255.248.0
> acl to_dmz dst 193.175.72.0/24 193.175.74.0/24 141.42.4.0/26 141.42.4.64/26 141.42.4.128/26 141.42.4.192/26
> acl to_webmail dst webmail.charite.de
> acl to_zugang dst zugang.charite.de
> http_access allow to_webmail
> http_access allow CONNECT to_webmail
> http_access allow to_zugang
> http_access allow CONNECT to_zugang
> http_access deny to_internal_networks
> http_access deny CONNECT to_internal_networks
> acl digestauthentifizierung proxy_auth REQUIRED
> http_access allow digestauthentifizierung
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> visible_hostname wlan-proxy.charite.de
> always_direct allow CONNECT SSL_ports
> never_direct allow all
> error_directory /usr/share/squid3/errors/German
> snmp_port 0
> coredump_dir /var/spool/squid
> ------- snip ------
>
> /etc/squid/wlan-proxyauth.digest contains:
> st51:CVK
>
> Testing the authenticator:
>
> # su - proxy
> $ /usr/lib/squid3/digest_pw_auth /etc/squid/wlan-proxyauth.digest
> "st51":"CVK"
> 6247d0eea64cfb87a71ab2d65de99a6d
> "st51":"bullshit"
> 483cffce047c51d30070337fea523369
>
> (What does that H(A1) value tell me??)
>

Sounds like bug 2206. Has the temporary fix patch for that been applied?
http://www.squid-cache.org/bugs/show_bug.cgi?id=2206

Amos

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
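The authenticator test quoted above feeds digest_pw_auth request lines of the form "user":"realm"; the helper answers H(A1) = MD5(user:realm:password) computed from its password file and never decides on its own whether a password is right, which is why both test lines produce a hash. The block below is an added Python model of that helper exchange and of the RFC 2617 check Squid then performs with the returned H(A1); it is not Squid's code, and the in-memory password file, nonce and client nonce are constructed values.

```python
import hashlib
import hmac

# Constructed stand-in for the plaintext form of /etc/squid/wlan-proxyauth.digest
# ("user:password" per line; the page shows "st51:CVK").
PASSWORD_FILE = {"st51": "CVK"}


def h(data: str) -> str:
    """MD5 hex digest, the H() of RFC 2617 Digest authentication."""
    return hashlib.md5(data.encode()).hexdigest()


def helper_lookup(pwfile: dict, username: str, realm: str):
    """Model of digest_pw_auth answering one '"user":"realm"' request line:
    H(A1) = MD5(user:realm:password) for a known user, None where the helper
    would print ERR. The realm comes from Squid and is not validated here, so
    any realm string yields a hash for a known user."""
    password = pwfile.get(username)
    if password is None:
        return None
    return h(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """What a browser places in the response= field of Proxy-Authorization."""
    return digest_response(h(f"{username}:{realm}:{password}"), method, uri, nonce, nc, cnonce)


def squid_verify(pwfile, username, realm, method, uri, nonce, nc, cnonce, response):
    """Squid's side: obtain H(A1) from the helper, recompute the digest, compare.
    Password correctness is decided only here, never by the helper output alone."""
    ha1 = helper_lookup(pwfile, username, realm)
    if ha1 is None:
        return False
    return hmac.compare_digest(digest_response(ha1, method, uri, nonce, nc, cnonce), response)


def demo():
    realm, uri = "Hualp!", "http://www.google.de/"
    nonce, nc, cnonce = "constructed-nonce", "00000001", "constructed-cnonce"
    good = client_response("st51", realm, "CVK", "GET", uri, nonce, nc, cnonce)
    bad = client_response("st51", realm, "bullshit", "GET", uri, nonce, nc, cnonce)
    return {
        # the two helper queries from the page: each yields a 32-hex H(A1), neither proves a password
        "helper_realm_CVK": helper_lookup(PASSWORD_FILE, "st51", "CVK"),
        "helper_realm_bullshit": helper_lookup(PASSWORD_FILE, "st51", "bullshit"),
        "good_password_accepted": squid_verify(PASSWORD_FILE, "st51", realm, "GET", uri, nonce, nc, cnonce, good),
        "wrong_password_accepted": squid_verify(PASSWORD_FILE, "st51", realm, "GET", uri, nonce, nc, cnonce, bad),
    }
```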
Received on Thu Mar 20 2008 - 04:59:20 MDT
