Linux - Server This forum is for the discussion of Linux Software used in a server related context. |
05-21-2007, 10:56 AM | #1 | Member | Registered: Mar 2004 | Distribution: SUSE8.2, 9.2, Knoppix | Posts: 323
Squid not accepting users from a VPN dial subnet
I am running a Red Hat ES3 server which is running Squid Cache: Version 2.5.STABLE6.
I have a group of users who are dialing into our VPN server and are given an IP of 10.16.96.*; these users can ping the proxy server and get prompted for the password, but the proxy server does not accept their passwords.
Our config is:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache_dir ufs /logs/squidora 7168 16 256
cache_access_log /var/log/squidora/access.log
cache_log /var/log/squidora/cache.log
pid_filename /var/run/squidora.pid
cache_store_log none
auth_param basic children 5
auth_param basic realm squid-home2
auth_param basic credentialsttl 2 hour
auth_param basic casesensitive off
auth_param basic program //usr/lib/squid/ncsa_auth /etc/squid.passwd
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl Oracle url_regex .oracle.com .oracleoutsourcing.com
acl cporacleps src 10.15.2.36/255.255.255.255
acl Clients src 10.16.90.0-10.16.90.255/255.255.255.255 10.16.91.0-10.16.91.255/255.255.255.255 10.16.92.0-10.16.92.255/255.255.255.255 10.16.96.0-10.16.96.255/255.255.255.255
acl vpnusers src 10.16.96.0-10.16.96.255/255.255.255.255
acl Admin src 10.16.91.101/255.255.255.255 10.16.91.99/255.255.255.255 10.16.90.122/255.255.255.255
acl Users proxy_auth "/etc/squid.passwd"
acl Safe_ports port # multiling cups 631
acl UnBlock url_regex "/etc/squid/unblock.txt"
acl PublicAccess url_regex "/etc/squid/public_access.txt"
acl Block url_regex "/etc/squid/block_less.txt"
acl Safe_ports port 25 110
acl group1 src 172.16.0.0-172.16.254.254/255.255.255.0
no_cache deny QUERY
http_access allow Admin
http_access allow PublicAccess
http_access deny Block !UnBlock
http_access allow Users
http_access allow vpnusers
http_access allow cporacleps
http_access allow Clients
http_access allow washrooms
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
visible_hostname blah.blah.com
http_port 80
http_port 127.0.0.1:80
coredump_dir /var/spool/squid
deny_info ERR_ACCESS_DENIED Oracle
deny_info ERR_ACCESS_DENIED Clients
deny_info ERR_ACCESS_DENIED vpnusers
deny_info ERR_ACCESS_DENIED Users
deny_info ERR_ACCESS_DENIED UnBlock
deny_info ERR_ACCESS_DENIED PublicAccess
deny_info ERR_ACCESS_DENIED Admin
deny_info ERR_ACCESS_DENIED Block
Any ideas why they can't log in?
Thanks in advance.
05-22-2007, 03:39 AM | #2 | Member (Original Poster) | Registered: Mar 2004 | Distribution: SUSE8.2, 9.2, Knoppix | Posts: 323
Getting this in access.log:
1179823107.054 4 10.16.96.93 TCP_DENIED/407 1404 GET http://www.go.com/ - NONE/- text/html
05-22-2007, 05:12 AM | #3 | Member | Registered: Nov 2005 | Location: Davao City, Philippines | Distribution: RHEL, CentOS, Ubuntu, Mint | Posts: 139
Hi! I guess it's a subnet issue. I guess your local machines (same subnet as your proxy) get the same error when using the proxy server.
The line below, as well as the others stated above, is not valid:
acl vpnusers src 10.16.96.0-10.16.96.255/255.255.255.255
What type of network class is that? The mask 255.255.255.255 makes it invalid as far as I know. Correct me, people, if I am wrong.
05-24-2007, 03:32 AM | #4 | Member | Registered: Mar 2005 | Location: India | Distribution: RHEL 3/4, Solaris 8/9/10, Fedora 4/8, Redhat Linux 9 | Posts: 237
Agreed with yongitz.
I am using mostly the same configuration. Just my VPN network is 192.168.0.0/24, meaning 255 IPs in total [192.168.0.1-192.168.0.255].
Snippet from squid.conf:
-----------------------------------------
# acl aclname src ip-address/netmask ... (clients IP address)
# acl aclname src addr1-addr2/netmask ... (range of addresses)
acl our_networks src 192.168.0.0/24
http_access allow our_networks
-----------------------------------------
It's working perfectly fine for me.
Please check the subnet mask option again.
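An added example, not code from any poster in this thread: a small Python model of how Squid evaluates the posted src ACLs (in the ip/netmask, ip/cidr and addr1-addr2/netmask forms quoted in post #4) and walks the http_access list top-down, first match wins. It assumes Squid's documented behaviour that a proxy_auth ACL met without valid credentials stops evaluation and answers with a 407 challenge, which is the TCP_DENIED/407 seen in the original poster's access.log; the ACL table is a constructed subset of the posted squid.conf.

```python
import ipaddress

# Constructed from the squid.conf posted in this thread: the src and proxy_auth ACLs
# and the http_access lines that matter for a VPN client (other lines omitted).
ACLS = {
    "all": ("src", ["0.0.0.0/0.0.0.0"]),
    "Admin": ("src", ["10.16.91.101/255.255.255.255", "10.16.91.99/255.255.255.255"]),
    "Users": ("proxy_auth", []),
    "vpnusers": ("src", ["10.16.96.0-10.16.96.255/255.255.255.255"]),
    "Clients": ("src", ["10.16.90.0-10.16.90.255/255.255.255.255"]),
    "our_networks": ("src", ["192.168.0.0/24"]),        # CIDR form from post #4
}
POSTED_ORDER = [("allow", "Admin"), ("allow", "Users"), ("allow", "vpnusers"),
                ("allow", "Clients"), ("deny", "all")]

def parse_src(spec):
    """One src entry -> inclusive (low, high) integer range.
    Accepts ip/netmask, ip/cidr and addr1-addr2/netmask; the mask is applied
    to both ends of a range (assumption about Squid's parser, not verified here)."""
    addrs, _, mask = spec.partition("/")
    first, _, last = addrs.partition("-")
    last = last or first
    if mask and "." not in mask:                      # CIDR prefix length
        m = (0xFFFFFFFF << (32 - int(mask))) & 0xFFFFFFFF
    else:
        m = int(ipaddress.IPv4Address(mask or "255.255.255.255"))
    lo = int(ipaddress.IPv4Address(first)) & m
    hi = int(ipaddress.IPv4Address(last)) | (0xFFFFFFFF ^ m)
    return lo, hi

def src_matches(name, client_ip):
    ip = int(ipaddress.IPv4Address(client_ip))
    return any(lo <= ip <= hi for lo, hi in map(parse_src, ACLS[name][1]))

def check_access(client_ip, authenticated, rules=POSTED_ORDER):
    """First-match walk of http_access. A proxy_auth ACL met without valid
    credentials makes Squid stop and send a 407 challenge (TCP_DENIED/407)."""
    for action, name in rules:
        kind, _ = ACLS[name]
        if kind == "proxy_auth":
            return action if authenticated else "challenge-407"
        if src_matches(name, client_ip):
            return action
    return "deny"                                      # nothing matched

if __name__ == "__main__":
    # The VPN client from the posted access.log line reaches 'allow Users' first,
    # so 'allow vpnusers' is never consulted until the password check succeeds.
    print("10.16.96.93 no creds  :", check_access("10.16.96.93", False))
    print("10.16.96.93 good creds:", check_access("10.16.96.93", True))
```

Running it shows that with the posted ordering every non-Admin client, VPN or not, is challenged by the Users line before its src ACL is ever reached, so the range syntax alone does not explain the 407.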