On 4/07/2013 6:47 a.m., David Touzeau wrote:
>
> Dear,
>
> i would like squid to not display authentication popup
Authentication FAQ #4 -
http://wiki.squid-cache.org/Features/Authentication#How_do_I_prevent_Login_Popups.3F
****** Squid does NOT display anything.
There are *exactly* two ways to avoid popups:
1) ensure the browser has credentials already known to it which can
satisfy the 401/407 authentication requirements without user interaction.
2) not use authentication.
> if the client is not authenticated trough NTLM
> For this i have understood that if deny_info is set then Squid
> redirect the error to the specified url.
In a roundabout way only. deny_info does not suppress login
specifically. Although its side effect of replacing the normal response
status with a redirect may result in a 3XX response with authentication
challenge headers (which the browser would then ignore instead of using
a popup).
>
> I have set this:
> auth_param ntlm program /usr/bin/ntlm_auth --domain=ABC.LAB
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 20 startup=1 idle=1
> auth_param ntlm keep_alive on
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 3 startup=1 idle=1
> auth_param basic realm Basic Identification
> auth_param basic credentialsttl 2 hours
>
>
> acl AUTHENTICATED proxy_auth REQUIRED
> acl AllowedUrisTemplates dstdomain .domain.tld
>
> http_access allow AllowedUrisTemplates
> http_access deny !AUTHENTICATED all
> deny_info http://proxy-error.domain.tld AUTHENTICATED
> http_access deny all
>
> But it seems that squid did not care about the deny_info defined for
> AUTHENTICATED acl and force to use the ERR_CACHE_ACCESS_DENIED template.
>
> Why ?
"AUTHENTICATED" is not the last ACL on the line. "all" is.
I suggest you define a custom version of "all" and link the deny_info
action to that. Like so:
acl authFailed src all
http_access deny !AUTHENTICATED authFailed
deny_info http://proxy-error.domain.tld authFailed
What this does is the use of a non-auth ACL last on the line suppressed
authentication challenge (not the deny_info). Then deny_info changes the
403 ACCESS_DENIED with authentication error message into a redirect
response for the http://proxy-error.domain.tld URL.
BTW the URL needs '/' at the end to parse properly.
<snip>
> 2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert:
> errorConvert: %%h --> 'squid32-64.localhost.localdomain'
Er. This is a really weird domain name you have.
Amos
Received on Thu Jul 04 2013 - 01:08:42 MDT
This archive was generated by hypermail 2.2.0 : Thu Jul 04 2013 - 12:00:06 MDT