  1. #1

    Cannot bypass authentication for squid proxy using ncsa authentication

    Hi,

    I have recently deployed a Squid proxy server with qlproxy content filtering. It is running on a CentOS 6 box with Webmin.

    Works great, except I cannot bypass authentication for some websites which do not work via simple authentication, such as Windows activations and MYOB company file validations.

    I am using NCSA for authentication.

    Here is a post of the squid.conf:

    _______________________________

    # qlproxy settings added by adrian for content scanning
    icap_enable on
    icap_preview_enable on
    icap_preview_size 4096
    icap_persistent_connections on
    icap_send_client_ip on
    icap_send_client_username on
    icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
    icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
    adaptation_access qlproxy1 allow all
    adaptation_access qlproxy2 allow all


    # Recommended minimum configuration:
    #
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    # acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    # acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines



    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    # added by adrian to bypass auth on certain domains
    acl whitelist dstdomain "/etc/squid/whitelist.txt"
    http_access allow all whitelist


    # --------------------------------------------------------------

    # NCSA configuration for authentication added by adrian

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm Acoustic Proxy Server
    auth_param basic credentialsttl 8 hours
    auth_param basic casesensitive off
    acl ncsa_users proxy_auth REQUIRED
    http_access allow ncsa_users

    # ------------------------------------------------------------



    #
    # Recommended minimum Access Permission configuration:
    #
    # Only allow cachemgr access from localhost


    http_access allow manager localhost


    http_access deny manager

    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports



    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports


    # catch-all rule



    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user

    # http_access deny to_localhost

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    # http_access allow localnet
    # http_access allow localhost

    # And finally deny all other access to this proxy
    http_access deny all

    # Squid normally listens to port 3128
    http_port 3128

    # We recommend you to use at least the following line.
    hierarchy_stoplist cgi-bin ?

    # Uncomment and adjust the following to add a disk cache directory.
    cache_dir ufs /var/spool/squid 100 16 256

    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid

    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320
    cache_mem 512 MB
    _____________________________________

    Here is a paste of the whitelist.txt:

    activation.sls.microsoft.com
    .google.com
    .google.com.au
    sqm.microsoft.com
    go.microsoft.com
    Search Microsoft.com
    https://sls.microsoft.com/
    https://sls.microsoft.com:443
    http://crl.microsoft.com/pki/crl/pro...tAuthority.crl
    http://crl.microsoft.com/pki/crl/pro...unications.crl
    http://www.microsoft.com/pki/crl/pro...unications.crl
    http://crl.microsoft.com/pki/crl/pro...cureServer.crl
    http://www.microsoft.com/pki/crl/pro...cureServer.crl
    https://activation.sls.microsoft.com
    myob.com
    myob.com.au
    .quintolabs.com
    quintolabs.com


    No matter what I seem to do, when I go to these sites they still always ask for authentication. I have spent days on Google and all solutions don't seem to work.

    Any ideas?

  2. #2
    grant_girdwood
    Bypass authentication only applies to domains not URLs.

    .domain.com should be the syntax you are using.

    Have a wee read here: ConfigExamples/Authenticate/Bypass - Squid Web Proxy Wiki
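
Added example (not part of the original thread, and not code from Squid or qlproxy): a small Python linter for a dstdomain list file, illustrating the point in post #2 that the ACL takes domain names rather than URLs. The sample list is constructed in the style of the whitelist.txt from post #1, the `.crl` path is a placeholder, and the redundancy check assumes Squid's dstdomain semantics, where a leading dot matches the domain and its subdomains.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the style of the whitelist.txt from post #1;
# the .crl path is a placeholder, not a real URL from the thread.
SAMPLE = """\
activation.sls.microsoft.com
.google.com
Search Microsoft.com
https://sls.microsoft.com:443
http://crl.microsoft.com/pki/crl/example.crl
myob.com
.quintolabs.com
quintolabs.com
"""

# Optional leading dot, then dot-separated DNS labels and a TLD.
HOST_RE = re.compile(r"^\.?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def lint_entry(raw):
    """Return (suggested_domain_or_None, problem_or_None) for one line."""
    entry = raw.strip().lower()
    if not entry or entry.startswith("#"):
        return None, None
    if "://" in entry:  # a URL: dstdomain only compares the host name
        return urlsplit(entry).hostname, f"URL, not a domain: {raw.strip()!r}"
    if not HOST_RE.match(entry):
        return None, f"not a hostname: {raw.strip()!r}"
    return entry, None

def lint_whitelist(text):
    """Return (clean_entries, problems) for the text of a dstdomain file."""
    clean, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        domain, problem = lint_entry(raw)
        if problem:
            problems.append(f"line {lineno}: {problem}")
        if domain and domain not in clean:
            clean.append(domain)
    # Assumption: a leading-dot entry matches the domain and all of its
    # subdomains, so anything underneath it is redundant.
    wildcards = [d for d in clean if d.startswith(".")]
    for d in list(clean):
        if any(d != w and ("." + d.lstrip(".")).endswith(w) for w in wildcards):
            problems.append(f"{d!r} is already covered by a leading-dot entry")
            clean.remove(d)
    return clean, problems

if __name__ == "__main__":
    entries, issues = lint_whitelist(SAMPLE)
    print("\n".join(issues), "\n--- suggested list ---", *entries, sep="\n")
```

Running it on the real file (for example `lint_whitelist(open("/etc/squid/whitelist.txt").read())`) lists the entries that will never match as destination domains and prints a host-only replacement list.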

  3. #3

    Even so. I have changed them all to .domain.name.com

    Makes no difference. Also implemented the above link sample and it does not work.

    Any further ideas?

  4. #4
    grant_girdwood
    Code:
    # added by adrian to bypass auth on certain domains
    acl whitelist dstdomain "/etc/squid/whitelist.txt"
    http_access allow all whitelist
    Should read

    Code:
    # added by adrian to bypass auth on certain domains
    acl whitelist dstdomain "/etc/squid/whitelist.txt"
    http_access allow whitelist

  5. #5

    Hello, and thank you for your assistance.

    The way I am testing this is setting, for example, microsoft.com as my home page in Internet Explorer.

    But when I open Internet Explorer it is still requesting a username and password.

    This should not be the case, correct? This means that it is still requesting authentication for a site which we have requested to bypass.

    Any ideas? Could it be the QL proxy content filtering that I have at the beginning of the squid conf?

    Thanks so far for all your help, it's been great...

    but this really has me baffled.

  6. #6
    grant_girdwood
    Your ICAP settings shouldn't prompt you for authentication. You can modify your authentication prompt to display a specific message; it may be an idea to change that (I cannot remember where the option is, but a quick Google will help). This would help you identify if the prompt is definitely coming from your proxy.

    I usually have my authentication options before my ICAP settings so you could juggle them around.

    What does your whitelist.txt file now read?

    You could also try quickly creating your own bypass ACL for a test site and pop it before the ICAP options.

    e.g.

    Code:
    acl authbypass_test dstdomain .microsoft.com
    http_access allow authbypass_test

  7. #7
    Duke5A
    What about in the icap settings at the top:

    Code:
    icap_send_client_username on
    The only way for it to be able to include the username would be to prompt for authorization and this is further up the chain than your bypass acl.
