Rakesh Jha wrote:
> Hi,
>
> I want to run squid in acceleration mode for a internal site. The ISS
> site prompts window for authentication. When I connect to the site I get
> window prompt for entering username and password. But after entering
> domain username and password, I get access denied to the site.
ISS (or did you mean IIS?) is the software doing the reject.
I've done an audit below, with a lot of things you can fix up. They need
doing first, but by themselves will likely not resolve the auth issue
until the server is also fixed not to reject.
>
> I have compiled squid 3 with following option -
>
> /sbin/squid -v
> Squid Cache: Version 3.1.0.17
> configure options: '--enable-ssl' '--enable-ntlm-auth'
> '--enable-basic-auth'
Those two options are not valid in Squid's configure script.
For 3.1 series it should be: --enable-auth="basic ntlm"
As well as --enable-basic-auth-helpers="PAM" to build the PAM helper you
are using.
Also, ... 3.1 is in stable cycle now. Please try 3.1.3.
> --with-squid=/tmp/squid-3.1.0.17
> --enable-ltdl-convenience
>
> My squid.conf is
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl bd_host dst 10.10.3.41/32
> acl all src 0.0.0.0/0.0.0.0
"all" ACL needs to be remove for 3.1+. It's now built in and defined
automatically.
> acl SSL_ports port 443
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
The above lines are all forward proxy configuration.
Reverse-proxy http_access configuration must be above them to work properly.
For a pure reverse-proxy you can erase the forward-proxy configuration
http_access lines.
> http_access allow bd_host
In a reverse proxy clients are never expected to be asking for the
hidden master server. This will only work with split-DNS.
I think you really want to define this as a dstdomain type ACL listing
the internal domain(s) being serviced.
With that done Squid can handle all the attack rejections and save your
server from potential DoS overloads.
> http_access allow all
More forward-proxy config?
> icp_access deny all
> htcp_access deny all
>
> https_port 10.1.1.97:443 defaultsite=tpaspp01 protocol=http
> cert=/usr/local/cert/cert.crt key=/usr/local/cert/private.key version=3
> options=NO_SSLv2
>
> ssl_unclean_shutdown on
>
> cache_peer tpaspp01 parent 80 0 no-query proxy-only login=PASS
> front-end-https=on
Since this is a master peer you could also add the "default" option here.
If that is a web server (IIS? or ISS?) then it also needs the
"originserver" option to pass on the credentials properly.
That said, Squid is not doing any auth anyway (see below).
>
> hierarchy_stoplist cgi-bin ?
>
> access_log /usr/local/squid/var/logs/access.log squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
That line should now be:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> cache_effective_user squid
> cache_effective_group squid
>
> visible_hostname bdproxy
>
> icp_port 3130
>
> auth_param basic program /usr/local/squid/pam_auth
> auth_param basic children 5
> auth_param basic realm Adzapping Squid
> auth_param basic credentialsttl 1 week
> acl password proxy_auth REQUIRED
> http_access allow password
Your Squid is not doing the auth challenge. There is a "http_access
allow all" above here which prevents this auth from happening.
Also, it's not clear whether you want authenticated requests to go
through OR requests to the bd_host.
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.3Received on Sun May 02 2010 - 11:59:24 MDT
This archive was generated by hypermail 2.2.0 : Sun May 02 2010 - 12:00:03 MDT