Internet Related/Filtering/Firewall (Technical)
Thread: Cannot bypass authentication for squid proxy using ncsa authentication
21st January 2013, 06:17 AM #1
Hi,
I have recently deployed a squid proxy server with qlproxy content filtering. It is running on a CentOS 6 box with Webmin.
Works great, except I cannot bypass authentication for some websites which do not work via simple authentication, such as Windows activations and MYOB company file validations.
I am using ncsa for authentication.
Here is a paste of the squid.conf:
_______________________________
# qlproxy settings added by adrian for content scanning
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
# acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# added by adrian to bypass auth on certain domains
acl whitelist dstdomain "/etc/squid/whitelist.txt"
http_access allow all whitelist
# --------------------------------------------------------------
# NCSA configuration for authentication added by adrian
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Acoustic Proxy Server
auth_param basic credentialsttl 8 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
# ------------------------------------------------------------
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# catch-all rule
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
# http_access allow localnet
# http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_mem 512 MB
_____________________________________
Here is a paste of the whitelist.txt:
activation.sls.microsoft.com
.google.com
.google.com.au
sqm.microsoft.com
go.microsoft.com
Search Microsoft.com
https://sls.microsoft.com/
https://sls.microsoft.com:443
http://crl.microsoft.com/pki/crl/pro...tAuthority.crl
http://crl.microsoft.com/pki/crl/pro...unications.crl
http://www.microsoft.com/pki/crl/pro...unications.crl
http://crl.microsoft.com/pki/crl/pro...cureServer.crl
http://www.microsoft.com/pki/crl/pro...cureServer.crl
https://activation.sls.microsoft.com
myob.com
myob.com.au
.quintolabs.com
quintolabs.com
No matter what I seem to do, when I go to these sites they still always ask for authentication. I have spent days on Google and all the solutions don't seem to work.
Any ideas?
21st January 2013, 07:26 PM #2
Bypass authentication only applies to domains, not URLs.
.domain.com should be the syntax you are using.
Have a wee read here: ConfigExamples/Authenticate/Bypass - Squid Web Proxy Wiki
21st January 2013, 10:16 PM #3
Originally Posted by grant_girdwood
Even so. I have changed them all to .domain.name.com.
It makes no difference. I also implemented the sample from the link above and it does not work.
Any further ideas?
22nd January 2013, 09:31 AM #4
Code:
# added by adrian to bypass auth on certain domains
acl whitelist dstdomain "/etc/squid/whitelist.txt"
http_access allow all whitelist
Should read
Code:
# added by adrian to bypass auth on certain domains
acl whitelist dstdomain "/etc/squid/whitelist.txt"
http_access allow whitelist
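The two replies above (domains, not URLs; drop the redundant `all`) can be checked against the posted config offline. The following is an added example written for this page, not code from the thread or from Squid: it re-implements Squid's dstdomain matching and http_access evaluation in Python so the posted whitelist.txt and rule order can be tested without a proxy. The whitelist copy and the request list are constructed (the "..." entry is kept as it appears on the page, not completed). It shows that `allow all whitelist` and `allow whitelist` decide identically, because ACLs on one http_access line are ANDed and `all` matches every request; that entries written as URLs, or without a leading dot, never match www.microsoft.com, so a home page of microsoft.com still gets a 407 challenge from the `ncsa_users` line; and one caveat a reviewer would raise about the posted order: because the whitelist allow sits before `deny !Safe_ports` and `deny CONNECT !SSL_ports`, a whitelisted domain such as .google.com can be CONNECTed on any port. `SAFER_RULES` (my suggested ordering, not from the thread) closes that by moving those denies first.

```python
"""Squid http_access / dstdomain evaluator: an added example, not code from the
thread or from Squid.  It models two Squid behaviours the replies rely on:
  * dstdomain ".example.com" matches example.com and every subdomain;
    "example.com" (no leading dot) matches only that exact host (case-insensitive,
    and for CONNECT the target host is used).
  * ACLs on one http_access line are ANDed; lines are tried in order and the first
    fully matching line wins.  "all" matches everything, so "allow all whitelist"
    decides exactly like "allow whitelist".
Whitelist copy and requests are constructed; the "..." entry is left uncompleted."""
from __future__ import annotations

# Constructed copy of part of the posted whitelist.txt.
POSTED_WHITELIST = """\
activation.sls.microsoft.com
.google.com
Search Microsoft.com
https://sls.microsoft.com/
http://crl.microsoft.com/pki/crl/pro...tAuthority.crl
myob.com.au
.quintolabs.com
"""

SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}  # from the posted squid.conf
AUTH_ACLS = {"ncsa_users"}                                # acl ... proxy_auth REQUIRED

# http_access lines in the order the original post has them.
POSTED_RULES = [
    ("allow", ["all", "whitelist"]),
    ("allow", ["ncsa_users"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["all"]),
]
# Same lines with the port and CONNECT denies ahead of the bypass, so a
# whitelisted domain cannot be used to CONNECT to arbitrary ports (my ordering).
SAFER_RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["whitelist"]),
    ("allow", ["ncsa_users"]),
    ("deny", ["all"]),
]

def dstdomain_matches(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics for one list entry against one host name."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def whitelist_problems(text: str) -> dict[str, str]:
    """Lines that are not usable dstdomain values, with the reason."""
    problems = {}
    for entry in filter(None, (ln.strip() for ln in text.splitlines())):
        if " " in entry:
            problems[entry] = "whitespace: Squid reads this as two entries"
        elif "://" in entry or "/" in entry or ":" in entry:
            problems[entry] = "URL, path or port: dstdomain takes host names only"
        elif not entry.startswith("."):
            problems[entry] = "no leading dot: exact host only, www.* will not match"
    return problems

def build_acls(whitelist_entries: list[str]) -> dict:
    """The ACLs the posted http_access lines reference, as predicates on a request."""
    return {
        "all": lambda r: True,
        "whitelist": lambda r: any(dstdomain_matches(p, r["host"]) for p in whitelist_entries),
        "ncsa_users": lambda r: bool(r.get("user")),
        "Safe_ports": lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
        "SSL_ports": lambda r: r["port"] == 443,
        "CONNECT": lambda r: r["method"] == "CONNECT",
    }

def evaluate(rules, acls: dict, req: dict) -> str:
    """First http_access line whose ACLs all match decides.  Reaching a
    proxy_auth ACL with no credentials means Squid sends a 407 challenge."""
    for action, names in rules:
        for name in names:
            bare = name.lstrip("!")
            if bare in AUTH_ACLS and not req.get("user"):
                return "challenge-407"
            if acls[bare](req) == name.startswith("!"):  # ACL fails after negation
                break
        else:
            return action
    return "deny"

def decide(rules, whitelist_text: str, req: dict) -> str:
    """Whitelist file split on whitespace, which is how Squid reads ACL files."""
    return evaluate(rules, build_acls(whitelist_text.split()), req)

REQUESTS = [  # constructed; the first is what IE sends for a home page of microsoft.com
    dict(method="GET", host="www.microsoft.com", port=80),
    dict(method="GET", host="activation.sls.microsoft.com", port=80),
    dict(method="CONNECT", host="sls.microsoft.com", port=443),
    dict(method="CONNECT", host="www.google.com", port=22),
]

if __name__ == "__main__":
    print(whitelist_problems(POSTED_WHITELIST))
    print([(r["method"], r["host"], decide(POSTED_RULES, POSTED_WHITELIST, r),
            decide(SAFER_RULES, POSTED_WHITELIST, r)) for r in REQUESTS])
```

`squid -k parse` checks squid.conf syntax but does not complain that a dstdomain file entry is a URL, so a check like `whitelist_problems` is worth running after every edit of the list; Squid also only re-reads whitelist.txt on `squid -k reconfigure` (or a restart), not when the file changes.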
23rd January 2013, 12:59 AM #5
Originally Posted by grant_girdwood (quoting post #4 above)
Hello, and thank you for your assistance.
The way I am testing this is by setting, for example, microsoft.com as my home page in Internet Explorer.
But when I open Internet Explorer it is still requesting a username and password.
This should not be the case, correct? This means that it is still requesting authentication for a site which we have requested to bypass.
Any ideas? Could it be the QL proxy content filtering that I have at the beginning of the squid conf?
Thanks so far for all your help, it's been great...
but this really has me baffled.
23rd January 2013, 09:05 AM #6
Originally Posted by asb2204 (quoting post #5 above)
Your ICAP settings shouldn't prompt you for authentication. You can modify your authentication prompt to display a specific message; it may be an idea to change that (I cannot remember where the option is, but a quick Google will help). This would help you identify if the prompt is definitely coming from your proxy.
I usually have my authentication options before my ICAP settings so you could juggle them around.
What does your whitelist.txt file now read?
You could also try quickly creating your own bypass ACL for a test site and pop it before the ICAP options.
e.g.
Code:
acl authbypass_test dstdomain .microsoft.com
http_access allow authbypass_test
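Whether the prompt is Squid's, and whether the bypass ACL matched, is visible in the proxy's own log without changing the realm: Squid logs TCP_DENIED/407 with "-" in the user field when it challenges a client, a 401 from an origin site passes through as TCP_MISS/401, and a whitelisted request that needed no credentials is logged as served with user "-". The following is an added example, not code from the thread or from Squid; it parses constructed lines in Squid's default "squid" access.log format and reports, per destination host, whether requests were challenged by the proxy, challenged by the site, served without credentials (bypass matched) or served after authentication. The client address, peer addresses and the intranet host in the sample are made up for the example. The same question can be asked directly from a shell, assuming the proxy is reachable as proxy.example.com: `curl -sI -x http://proxy.example.com:3128 http://www.microsoft.com/` returns a 407 carrying `Proxy-Authenticate: Basic realm="Acoustic Proxy Server"` when the prompt is Squid's, and a 401 with `WWW-Authenticate` when it is the site's.

```python
"""Squid access.log triage for an auth-bypass whitelist: an added example, not
code from the thread or from Squid.  Parses the default "squid" log format:

  timestamp elapsed client code/status bytes method URL user hierarchy/peer type

and classifies each request: TCP_DENIED/407 is Squid challenging for credentials
(the bypass ACL did not match); a 401 is the origin site challenging, not the
proxy; "-" in the user field on a served request means the bypass matched; a
user name means the client authenticated.  Log lines below are constructed."""
from __future__ import annotations
import re
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample: one client behind the proxy, hosts from the thread plus a made-up intranet site.
SAMPLE_LOG = """\
1358917200.123    145 172.16.10.25 TCP_DENIED/407 3715 GET http://www.microsoft.com/ - NONE/- text/html
1358917200.401    210 172.16.10.25 TCP_MISS/200 15234 GET http://www.microsoft.com/ adrian DIRECT/203.0.113.10 text/html
1358917201.010     88 172.16.10.25 TCP_MISS/200 4321 GET http://activation.sls.microsoft.com/ - DIRECT/203.0.113.11 text/xml
1358917202.500     60 172.16.10.25 TCP_DENIED/407 3715 CONNECT sls.microsoft.com:443 - NONE/- text/html
1358917203.250     60 172.16.10.25 TCP_DENIED/407 3715 CONNECT www.myob.com.au:443 - NONE/- text/html
1358917204.000    300 172.16.10.25 TCP_MISS/401 1201 GET http://intranet.example.com/ adrian DIRECT/203.0.113.12 text/html
"""

def host_of(method: str, url: str) -> str:
    """CONNECT is logged as host:port; every other method logs a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def parse_line(line: str) -> dict | None:
    """One log line to a dict of its fields plus the destination host, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = host_of(rec["method"], rec["url"])
    return rec

def classify(rec: dict) -> str:
    if rec["status"] == "407":
        return "proxy-challenge"        # Squid sent 407: the bypass ACL did not match
    if rec["status"] == "401":
        return "origin-challenge"       # the web site, not the proxy, wants a login
    if rec["user"] == "-":
        return "bypassed"               # served with no credentials: bypass matched
    return f"authenticated:{rec['user']}"

def triage(log_text: str) -> dict[str, list[str]]:
    """Verdicts per destination host, in log order."""
    verdicts: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            verdicts.setdefault(rec["host"], []).append(classify(rec))
    return verdicts

def check_bypass(log_text: str, expected_hosts) -> dict[str, str]:
    """For hosts that should bypass auth: ok, CHALLENGED, or not seen."""
    seen = triage(log_text)
    out = {}
    for host in expected_hosts:
        v = seen.get(host.lower())
        if v is None:
            out[host] = "not seen"
        elif "proxy-challenge" in v:
            out[host] = "CHALLENGED"
        else:
            out[host] = "ok"
    return out

if __name__ == "__main__":
    for host, v in triage(SAMPLE_LOG).items():
        print(f"{host:32} {', '.join(v)}")
    print(check_bypass(SAMPLE_LOG, ["activation.sls.microsoft.com", "sls.microsoft.com", "www.myob.com.au"]))
```

A host that shows up as CHALLENGED even though it is in whitelist.txt means the request reached the `proxy_auth` line, so the list entry never matched that host name; a host that is "not seen" was never requested through the proxy at all, which is worth ruling out before touching the config.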
23rd January 2013, 09:48 PM #7
What about in the icap settings at the top:
Code:
icap_send_client_username on
The only way for it to be able to include the username would be to prompt for authorisation, and this is further up the chain than your bypass ACL.