Old 03-17-2017, 12:00 AM   #1
venki_bu
LQ Newbie
 
Registered: Mar 2017
Posts: 1

Rep: Reputation: Disabled
Problem with Squid and LDAP


Dear Friends,
I have a Squid proxy that was running fine until a few days back; the authentication helper is OpenLDAP. Recently we added a MAC filtering layer above Squid, and after that some machines are not prompting for proxy authentication. The Squid access log entry is
10.6.1.11 TCP_DENIED/407 3788 CONNECT safebrowsing.google.com:443 - NONE/- text/html
It is happening to a few machines. We have an internal IP range of 10.6.0.x and 10.6.1.x; the problem is with 10.6.1.x, but the same series of IPs in another building is working fine. We have also removed the recently added MAC filtering, but still no clue. From the CLI, using the Squid client, if I pass the username and password the request goes through, but using a browser the proxy authentication request is not popping up. Please find my squid.conf below.

Code:
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
debug_options ALL,1
hosts_file /etc/hosts
dns_nameservers 127.0.0.1
auth_param basic program /usr/lib64/squid/squid_ldap_auth -v 3 -b "ou=People,dc=ada,dc=in" -D "cn=Manager,dc=ada,dc=in" -w `cat /root/openldap/scripts/ldappassword` -h 127.0.0.1
auth_param basic children 10
auth_param basic realm Please Enter Access Credentials
auth_param basic credentialsttl 60 minutes
auth_param basic casesensitive off
external_acl_type group_auth %LOGIN /usr/lib64/squid/squid_ldap_group -b "ou=group,dc=ada,dc=in" -f "(&(cn=%a)(memberuid=%v))" -h 127.0.0.1
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320
acl drdoldap_auth proxy_auth REQUIRED
acl g1 external group_auth webusers
acl g2 external group_auth privusers
acl g3 external group_auth ictusers
acl bad url_regex "/etc/squid/squid-block.acl"
acl badg2 url_regex "/etc/squid/squid-block-g2.acl"
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager
# SSL_ports is defined here but is not referenced by any http_access line below
acl SSL_ports port 443 483 4343 563 444 888 4446-4510 8443 20-22 1024-65535
acl Safe_ports port 80		# http
acl Safe_ports port 81-85		# http alternates
acl Safe_ports port 8080		# http-alt
acl Safe_ports port 20-22		# ftp, ssh
acl Safe_ports port 443 563	# https, snews
acl Safe_ports port 8443	# https-alt
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 5222		# xmpp-client
acl Safe_ports port 9000		# site-specific
acl Safe_ports port 3478		# stun
acl Safe_ports port 444 483 888 4446-4510 5222 5223 8080 587 995 993	# xmpp, submission, pop3s, imaps and site-specific ports
acl CONNECTSSL method CONNECT
acl our_networks src 10.6.0.0/22
no_cache deny QUERY
ignore_expect_100 on
acl dir-sites dstdomain .attendance.gov.in .uidai.gov.in .microsoft.com .windowsupdate.com cdp1.public-trust.com ajax.aspnetcdn.com .verisign.com geotrust.com login.live.com account.live.com clientconfig.passport.net wustat.windows.com .wns.windows.com .msftncsi.com
# the two allow lines below come before the Safe_ports check and before any proxy_auth ACL
http_access allow dir-sites
acl msft8 dst 81.19.104.42/32
http_access allow msft8
http_access deny !Safe_ports
http_access allow drdoldap_auth g2 our_networks !badg2
http_access allow drdoldap_auth g1 our_networks !bad CONNECTSSL Safe_ports
http_access allow drdoldap_auth g1 our_networks !bad
http_access allow drdoldap_auth g3 our_networks !bad
http_access deny all
http_access deny bad		# never reached: 'deny all' above matches first
icp_access allow all
visible_hostname ada.in
unique_hostname ada.in
acl FTP proto FTP
always_direct allow FTP
coredump_dir /var/spool/squid
max_filedesc	4096
request_header_access User-Agent allow all
via off
forwarded_

Last edited by venki_bu; 03-18-2017 at 04:05 AM. Reason: Forum / Post rules not followed and corrected
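To see why the quoted log line is a 407 and how the posted http_access lines are ordered, here is an added example (not code from the thread or from Squid) that models Squid's http_access evaluation: lines are tried top to bottom, the first matching line decides, all ACLs on one line must match, and, as I understand Squid's behaviour, a proxy_auth or %LOGIN external ACL evaluated on a request that carries no credentials ends the check with a 407 challenge rather than a plain deny. The group table, block lists and dir-sites subset are constructed stand-ins for the squid_ldap_group helper and the ACL files; the rule list is a hand-copied subset of the config above, with the manager and msft8 lines left out. Running it shows the CONNECT from 10.6.1.11 hitting the first proxy_auth line without credentials (407), the same request succeeding once a webusers member authenticates, `http_access deny bad` being unreachable behind `deny all`, and `allow dir-sites` admitting those domains on any port without authentication because it precedes both `deny !Safe_ports` and the auth lines.

```python
import ipaddress

# Constructed stand-ins for the helpers and ACL files referenced by the posted config.
GROUPS = {"alice": {"webusers"}, "bob": {"privusers"}}        # squid_ldap_group lookup
BLOCKED = ("facebook.com",)                                    # /etc/squid/squid-block.acl
BLOCKED_G2 = ("example.net",)                                  # /etc/squid/squid-block-g2.acl
DIR_SITES = (".microsoft.com", ".windowsupdate.com")           # subset of the dir-sites ACL
OUR_NETWORKS = ipaddress.ip_network("10.6.0.0/22")
SAFE_PORTS = (  # union of the Safe_ports lines in the posted config
    (20, 22), (70, 70), (80, 85), (210, 210), (280, 280), (443, 444), (483, 483),
    (488, 488), (563, 563), (591, 591), (777, 777), (888, 888), (1025, 65535),
)
GROUP_OF = {"g1": "webusers", "g2": "privusers", "g3": "ictusers"}


class AuthRequired(Exception):
    """A proxy_auth (or %LOGIN external) ACL was evaluated with no credentials."""


def request(src, method, host, port, user=None):
    """Minimal request record; user=None means no Proxy-Authorization header."""
    return {"src": src, "method": method, "host": host, "port": port, "user": user}


def dstdomain(patterns, host):
    # Squid's dstdomain: '.example.com' matches the domain and its subdomains.
    return any(host == p.lstrip(".") or (p.startswith(".") and host.endswith(p))
               for p in patterns)


def acl_value(name, req):
    if name == "all":
        return True
    if name == "Safe_ports":
        return any(lo <= req["port"] <= hi for lo, hi in SAFE_PORTS)
    if name == "our_networks":
        return ipaddress.ip_address(req["src"]) in OUR_NETWORKS
    if name == "CONNECTSSL":
        return req["method"] == "CONNECT"
    if name == "dir-sites":
        return dstdomain(DIR_SITES, req["host"])
    if name == "bad":
        return any(b in req["host"] for b in BLOCKED)
    if name == "badg2":
        return any(b in req["host"] for b in BLOCKED_G2)
    if name in ("drdoldap_auth", "g1", "g2", "g3"):
        if req["user"] is None:          # no credentials: Squid challenges here
            raise AuthRequired(name)
        return name == "drdoldap_auth" or GROUP_OF[name] in GROUPS.get(req["user"], set())
    raise KeyError(f"unknown acl {name}")


def term(t, req):
    """One ACL term on an http_access line; a leading '!' negates it."""
    return not acl_value(t[1:], req) if t.startswith("!") else acl_value(t, req)


# http_access lines from the posted config, in their original order.
HTTP_ACCESS = [
    ("allow", ["dir-sites"]),
    ("deny", ["!Safe_ports"]),
    ("allow", ["drdoldap_auth", "g2", "our_networks", "!badg2"]),
    ("allow", ["drdoldap_auth", "g1", "our_networks", "!bad", "CONNECTSSL", "Safe_ports"]),
    ("allow", ["drdoldap_auth", "g1", "our_networks", "!bad"]),
    ("allow", ["drdoldap_auth", "g3", "our_networks", "!bad"]),
    ("deny", ["all"]),
    ("deny", ["bad"]),
]


def evaluate(req, rules=HTTP_ACCESS):
    """Return (action, status, index of the deciding line). Terms are evaluated
    left to right and the line stops at the first false term, so a proxy_auth
    ACL only triggers a 407 if every term before it on that line matched."""
    for i, (action, terms) in enumerate(rules):
        try:
            matched = all(term(t, req) for t in terms)
        except AuthRequired:
            return ("deny", 407, i)
        if matched:
            return (action, 200 if action == "allow" else 403, i)
    # Squid's default when nothing matches is the opposite of the last line.
    return ("allow", 200, None) if rules[-1][0] == "deny" else ("deny", 403, None)


def unreachable_lines(rules=HTTP_ACCESS):
    """Indices of lines that can never be reached because a bare
    'allow all' / 'deny all' line precedes them."""
    for i, (_, terms) in enumerate(rules):
        if terms == ["all"]:
            return list(range(i + 1, len(rules)))
    return []


if __name__ == "__main__":
    print(evaluate(request("10.6.1.11", "CONNECT", "safebrowsing.google.com", 443)))
    print(evaluate(request("10.6.1.11", "CONNECT", "safebrowsing.google.com", 443, "alice")))
    print(evaluate(request("10.6.1.11", "GET", "download.windowsupdate.com", 25)))
    print(unreachable_lines())
```

The first call reproduces the quoted log entry (no credentials, 407 from the first proxy_auth line); the third shows an unauthenticated request to a dir-sites domain on a non-safe port being allowed by line 0, which is worth knowing when reviewing where an unconditional allow sits in the order.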
 
Old 03-17-2017, 02:34 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,634

Rep: Reputation: 7965
Quote:
Originally Posted by venki_bu View Post
Dear Friends,
I have a Squid proxy that was running fine until a few days back; the authentication helper is OpenLDAP. Recently we added a MAC filtering layer above Squid, and after that some machines are not prompting for proxy authentication. The Squid access log entry is
10.6.1.11 TCP_DENIED/407 3788 CONNECT safebrowsing.google.com:443 - NONE/- text/html
It is happening to a few machines. We have an internal IP range of 10.6.0.x and 10.6.1.x; the problem is with 10.6.1.x, but the same series of IPs in another building is working fine. We have also removed the recently added MAC filtering, but still no clue. From the CLI, using the Squid client, if I pass the username and password the request goes through, but using a browser the proxy authentication request is not popping up. pls find my squid.conf below.
Code:
[squid.conf quoted in full; identical to post #1 above]
First, use CODE tags when posting such long files, and don't use text speak...see the LQ Rules. It's "please", not "pls".

What you posted makes little sense...if this was a totally working configuration until you changed something on the network, what makes you think changing something in the configuration NOW will make it work again?

Since you say it works via CLI, then the problem isn't with the configuration, since if it was, it would not work at all, would it? Try flushing the browser cache on the non-working machines.
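The reply's point that CLI authentication works while browsers never prompt can be checked in the access log rather than guessed at: a client that only ever logs TCP_DENIED/407 with `-` in the user field never sent a Proxy-Authorization header at all, whereas 407s that carry a username mean credentials were sent and the helper rejected them. The following is an added example (not code from the thread or from Squid) that parses Squid's native access.log format and classifies each client IP that way. The sample lines are constructed around the single entry quoted in the question, with the leading timestamp and elapsed-time fields the poster's excerpt omitted; the assumption that a rejected credential still shows its username in the log is mine.

```python
import re
from collections import defaultdict

# Squid native access.log:
# time elapsed client code/status bytes method URL user hierarchy/peer type
NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)\s*$"
)

# Constructed sample log; the 10.6.1.11 entries mirror the line quoted in the question.
SAMPLE_LOG = """\
1489723200.123    0 10.6.1.11 TCP_DENIED/407 3788 CONNECT safebrowsing.google.com:443 - NONE/- text/html
1489723201.456    0 10.6.1.11 TCP_DENIED/407 3788 CONNECT safebrowsing.google.com:443 - NONE/- text/html
1489723202.789    1 10.6.0.20 TCP_DENIED/407 3788 CONNECT safebrowsing.google.com:443 - NONE/- text/html
1489723203.012  210 10.6.0.20 TCP_MISS/200 5120 CONNECT safebrowsing.google.com:443 alice HIER_DIRECT/172.217.0.1 -
1489723204.345    0 10.6.0.21 TCP_DENIED/407 3788 GET http://example.com/ bob NONE/- text/html
1489723205.678    0 10.6.0.21 TCP_DENIED/407 3788 GET http://example.com/ bob NONE/- text/html
1489723206.901   45 10.6.0.22 TCP_MISS/200 2048 GET http://download.windowsupdate.com/x.cab - HIER_DIRECT/203.0.113.10 application/octet-stream
this line is not in native format and must be skipped
"""


def parse_line(line):
    """Parse one native-format line into a dict, or return None if it does not match."""
    m = NATIVE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec


def triage(lines):
    """Classify each client by its authentication behaviour:
    'ok'                     - at least one authenticated, non-407 request
    'credentials_rejected'   - 407s that carried a username (helper said no)
    'never_sent_credentials' - only 407s, always with user '-'
    'unauthenticated_only'   - traffic passed without auth (e.g. an allow line
                               placed before the proxy_auth ACLs)"""
    counts = defaultdict(lambda: {"anon_407": 0, "user_407": 0, "auth_ok": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        c = counts[rec["client"]]
        if rec["status"] == 407:
            c["user_407" if rec["user"] else "anon_407"] += 1
        elif rec["user"]:
            c["auth_ok"] += 1
    verdict = {}
    for client, c in counts.items():
        if c["auth_ok"]:
            verdict[client] = "ok"
        elif c["user_407"]:
            verdict[client] = "credentials_rejected"
        elif c["anon_407"]:
            verdict[client] = "never_sent_credentials"
        else:
            verdict[client] = "unauthenticated_only"
    return verdict


def triage_sample():
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for client, state in sorted(triage_sample().items()):
        print(f"{client:<12} {state}")
```

Run against a real log with `triage(open("/var/log/squid/access.log").read().splitlines())`; clients reported as `never_sent_credentials` are the ones where the browser side (cached proxy settings, a stale 407 response, a PAC file pointing elsewhere) is the place to look, while `credentials_rejected` points at the helper or the directory.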
 
  

