Re: [squid-users] squid 3.3.3 : deny_info with NTLM - remove popup auth - from Amos Jeffries on 2013-07-03 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 04 Jul 2013 13:08:29 +1200

On 4/07/2013 6:47 a.m., David Touzeau wrote:
>
> Dear,
>
> i would like squid to not display authentication popup

Authentication FAQ #4 -
http://wiki.squid-cache.org/Features/Authentication#How_do_I_prevent_Login_Popups.3F

****** Squid does NOT display anything.

There are *exactly* two ways to avoid popups:

1) ensure the browser has credentials already known to it which can
satisfy the 401/407 authentication requirements without user interaction.

2) not use authentication.

> if the client is not authenticated trough NTLM
> For this i have understood that if deny_info is set then Squid
> redirect the error to the specified url.

In a roundabout way only. deny_info does not suppress login
specifically. Although its side effect of replacing the normal response
status with a redirect may result in a 3XX response with authentication
challenge headers (which the browser would then ignore instead of using
a popup).

>
> I have set this:
> auth_param ntlm program /usr/bin/ntlm_auth --domain=ABC.LAB
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 20 startup=1 idle=1
> auth_param ntlm keep_alive on
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 3 startup=1 idle=1
> auth_param basic realm Basic Identification
> auth_param basic credentialsttl 2 hours
>
>
> acl AUTHENTICATED proxy_auth REQUIRED
> acl AllowedUrisTemplates dstdomain .domain.tld
>
> http_access allow AllowedUrisTemplates
> http_access deny !AUTHENTICATED all
> deny_info http://proxy-error.domain.tld AUTHENTICATED
> http_access deny all
>
> But it seems that squid did not care about the deny_info defined for
> AUTHENTICATED acl and force to use the ERR_CACHE_ACCESS_DENIED template.
>
> Why ?

"AUTHENTICATED" is not the last ACL on the line. "all" is.

I suggest you define a custom version of "all" and link the deny_info
action to that. Like so:

   acl authFailed src all
   http_access deny !AUTHENTICATED authFailed
   deny_info http://proxy-error.domain.tld authFailed

What this does is the use of a non-auth ACL last on the line suppressed
authentication challenge (not the deny_info). Then deny_info changes the
403 ACCESS_DENIED with authentication error message into a redirect
response for the http://proxy-error.domain.tld URL.
BTW the URL needs '/' at the end to parse properly.

<snip>
> 2013/07/03 20:20:29.173 kid1| errorpage.cc(1120) Convert:
> errorConvert: %%h --> 'squid32-64.localhost.localdomain'

Er. This is a really weird domain name you have.

Amos
Received on Thu Jul 04 2013 - 01:08:42 MDT

This archive was generated by hypermail 2.2.0 : Thu Jul 04 2013 - 12:00:06 MDT