
Mustafa Ismail Mustafa 02-09-2011 01:29 PM

Squid Proxy - Bungled line
 
I don't get it.

I followed (partially) the config file that was displayed on the squid site (here: Clickety) after I had joined the server to the domain (correctly, as per the how-to on the CentOS website).

BTW, this is with CentOS 5.5 and Squid 2.6

This is my squid.conf:

Code:

#auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="RCH\InternetUsers"

auth_param ntlm program /usr/local/bin/ntlm_auth RCH/RCHDC01

auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on

# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="RCH\InternetUsers"
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl InternetUsers proxy_auth REQUIRED
http_access allow InternetUsers
http_access deny all

The idea is to block all users not in the AD security group "InternetUsers" from accessing the internet (this is intentional, as at the Red Cross Hospital there is some serious time wastage happening and therefore a lock down is in place).

When I try to start the squid service it fails and checking /var/logs/messages it reads:

Quote:

Feb 9 21:25:25 RCHPX01 squid[13525]: Bungled squid.conf line 21: http_access deny all

And this is when I suffered my "huh!?!?!" moment.

Any ideas?

TIA

acid_kewpie 02-10-2011 08:04 AM

You deleted the "all" acl, I guess; it's certainly not in the config there. "all" is not a built-in name; it's usually defined higher up in the file.
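An added check for the problem acid_kewpie describes (this is example code, not from the thread or from Squid): in Squid 2.6 every name an http_access rule uses must already be defined by an earlier acl line, so a config that drops the stock "acl all src 0.0.0.0/0.0.0.0" fails on "http_access deny all". The script parses a constructed copy of the first squid.conf and reports ACL names referenced before they are defined; SAMPLE_CONF, FIXED_CONF and check_acl_references are this example's own names.

```python
# Constructed sample modelled on the first squid.conf in the thread: no "acl all" line.
SAMPLE_CONF = """\
auth_param ntlm program /usr/local/bin/ntlm_auth RCH/RCHDC01
auth_param ntlm children 30
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
acl InternetUsers proxy_auth REQUIRED
http_access allow InternetUsers
http_access deny all
"""

# Same config with the definition Squid 2.6 expects near the top of the file.
FIXED_CONF = "acl all src 0.0.0.0/0.0.0.0\n" + SAMPLE_CONF


def check_acl_references(conf_text):
    """Walk squid.conf top to bottom and return (line_no, directive, acl_name)
    for every ACL name an http_access rule uses before an 'acl' line defines it.
    An empty list means every referenced ACL was defined earlier in the file."""
    defined = set()
    problems = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue                           # blank or comment-only line
        words = line.split()
        if words[0] == "acl" and len(words) >= 3:
            defined.add(words[1])              # "acl <name> <type> ..."
        elif words[0] == "http_access" and len(words) >= 3:
            for name in words[2:]:             # "http_access allow|deny <acl> [<acl> ...]"
                name = name.lstrip("!")        # "!name" negates but still references name
                if name not in defined:
                    problems.append((line_no, words[0], name))
    return problems


if __name__ == "__main__":
    for label, conf in (("original", SAMPLE_CONF), ("with acl all", FIXED_CONF)):
        issues = check_acl_references(conf)
        if issues:
            for line_no, directive, name in issues:
                print(f"{label}: line {line_no}: {directive} references undefined ACL '{name}'")
        else:
            print(f"{label}: all referenced ACLs are defined")
```

Running it against the original sample flags line 6 (the "deny all" rule) while the copy with the acl line passes, which is the same distinction Squid's "Bungled" message is reporting.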

Mustafa Ismail Mustafa 02-16-2011 12:15 PM

Can't seem to make it work with that either.

Now my conf file is:

Code:

#auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="RCH\InternetUsers"


auth_param ntlm program /usr/local/bin/ntlm_auth RCH/RCHDC01

auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on

# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="RCH\InternetUsers"
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours


acl all src 0.0.0.0/0.0.0.0
acl InternetUsers proxy_auth REQUIRED
http_access allow InternetUsers
http_access deny all

And when I try to run squid (sudo /sbin/service squid start) I get:

Code:

sudo /sbin/service squid start
Starting squid: /etc/init.d/squid: line 42:  4885 Aborted                $SQUID $SQUID_OPTS >> /var/log/squid/squid.out 2>&1
                                                          [FAILED]

But if I reset squid.conf back to the very original file that came out of the box, it runs without a hitch.

Any ideas?

acid_kewpie 02-16-2011 04:19 PM

Well, you need to find out what the error was. Not sure why the service script b0rked so badly, but that isn't the error itself. Look in the log files, or run squid directly without the service script for full disclosure.

Mustafa Ismail Mustafa 02-17-2011 07:25 AM

OK, I went at it with the determination of a hamster on his wheel.

I figured out several things.

1. I had to be a lot more precise when it comes to my src definition (which makes sense).
2. If I have httpd running, obviously I cannot use port 80, because competition would ensue between the services.
3. The location of the ntlm helper libraries is not the one I, naively, pasted right away. I should have known better.
4. I should RTFM before I start tackling stuff like this and then asking n00b questions.

Thanks a lot mate, you were patient with me :)

