Re: [squid-users] Cache access denied

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 17 Jul 2009 23:16:36 +1200

shacky wrote:
> Hi.
> I installed and configured Squid version 3.0.STABLE8 on my Debian
> Lenny system with NTLM authentication:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param ntlm keep_alive on
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 10
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> authenticate_ttl 1 hour
> authenticate_cache_garbage_interval 10 minutes
> acl AuthorizedUsers proxy_auth REQUIRED
> http_access allow all AuthorizedUsers
>
> It works, clients are able to surf on the web using the Proxy and
> usernames are correctly logged.
>
> The problem is that sometimes it happens that the browser asks
> username and password to the user, and it is not accepted even if they
> are correctly typed in.
> After some attempts the browser shows a "Cache Access Denied" error and
> I don't see any errors in access.log, cache.log or store.log
> This problem happens especially with already visited websites.
>
> These are my ACLs and rules:
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 192.168.33.0/24
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> acl AuthorizedUsers proxy_auth REQUIRED
> http_access allow all AuthorizedUsers
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access deny to_localhost
>
> http_access allow localhost
>
> http_access deny all
>
> icp_access deny all
> htcp_access deny all
>
> Could you help me to solve this problem, please?
> Thank you very much!
> Bye.

There is nothing visibly wrong with that configuration. Check for other
things going on. Like any issues with the helpers checking the
authentication.

Your access line:
   http_access allow all AuthorizedUsers
is a bit weird; the "all" in the middle is useless.

If you meant to prevent non-authenticated users being challenged for
their credentials the all should be at the end of the line.
But, I think you don't want it anywhere on that line.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.9
Received on Fri Jul 17 2009 - 11:16:44 MDT
