LinuxQuestions.org
Old 01-19-2012, 03:02 AM   #1
Nomad-71
squid3 strange http_access behavior


Hello!
I have a Squid setup with NTLM authentication, but I want to allow some networks and users to pass the proxy without authentication, so I added ACLs and http_access rules before the auth requirement, but it still doesn't work.
Here is the part of my squid.conf related to auth and ACLs:

Code:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param basic credentialsttl 2 hours
auth_param ntlm keep_alive off


#### NET ACL ####
acl admin_net src 172.17.20.0/24

#### AUTH ACLs ####
acl Authed      proxy_auth REQUIRED
acl NotAuthed   proxy_auth -

#### SERVERS
http_access allow admin_net

http_access deny all !Authed
http_reply_access  allow all
What am I missing here? Why does Squid still require auth for the 172.17.20.0/24 network?
 
Old 01-19-2012, 05:08 AM   #2
bathory
Hi,

Your configuration looks correct. Are you sure you're restarting squid after making changes in squid.conf?
And perhaps try different browsers from different IPs.
You may try the following to achieve the same result:
Code:
#### NET ACL ####
acl admin_net src 172.17.20.0/24

#### AUTH ACLs ####
acl Authed      proxy_auth REQUIRED
acl NotAuthed   proxy_auth -

#### SERVERS
http_access allow admin_net

http_access allow Authed
http_access deny all
Regards
 
Old 01-19-2012, 12:16 PM   #3
Nomad-71
Quote:
Originally Posted by bathory
Hi,
Your configuration looks correct. Are you sure you're restarting squid after making changes in squid.conf?
And perhaps try different browsers from different IPs
Regards
Thank you for your reply.
Usually I reload the Squid configuration using
Code:
squid3 -k reconfigure
but sometimes I restart it too.
It didn't help in this case.
I used Chrome and Konqueror from Fedora and IE from Win 7 (Fedora and Win 7 are even on different networks); the result is still the same.

Also some info about the OS: Debian 6 with the latest updates.
Squid version: 3.1.16
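A check this thread never runs is Squid's own access.log: it records the client address the proxy actually saw and the status it answered with, so it settles whether a 407 challenge is really coming from Squid, and whether the challenged requests arrive from the address the src ACL names (a NAT hop or a second interface in front of the proxy puts them in a different network, and no http_access ordering fixes that). The script below is an added example, not something from this thread or from Squid: it parses the native log format (the one the posted squid.conf selects with `access_log ... squid`), counts per client how often it was challenged, how often it got through with a username and how often without one, and lists the clients inside the networks you meant to exempt that were challenged anyway. The log lines are constructed; timestamps, peer addresses and the user name are placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Squid native access.log format (what "access_log ... squid" selects):
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample log; timestamps, peer addresses and the user name are placeholders.
SAMPLE_LOG = """\
1327000000.101     3 172.17.20.5 TCP_DENIED/407 3400 GET http://example.com/ - NONE/- text/html
1327000000.902   180 172.17.20.5 TCP_MISS/200 5120 GET http://example.com/ TTS\\station113 DIRECT/198.51.100.7 text/html
1327000002.311     2 172.17.21.249 TCP_DENIED/407 3400 GET http://www.example.org/ - NONE/- text/html
1327000004.008    40 10.0.0.9 TCP_MISS/200 2048 GET http://www.yandex.ru/ - DIRECT/203.0.113.10 text/html
# not a log line: rotated-file header or cache.log noise pasted by mistake
"""


def parse(lines):
    """Yield one dict per line in native format; anything else is skipped, not guessed at."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def triage(lines, exempt_nets):
    """Count, per client address as Squid saw it, 407 challenges, requests that went through
    with a username, and requests that went through with none. Returns (summary, violators),
    violators being addresses inside exempt_nets that were challenged anyway."""
    nets = [ipaddress.ip_network(n, strict=False) for n in exempt_nets]
    summary = defaultdict(lambda: {"challenged": 0, "authed": 0, "unauthed_ok": 0})
    for rec in parse(lines):
        s = summary[rec["client"]]
        if rec["status"] == "407":
            s["challenged"] += 1
        elif rec["user"] != "-":
            s["authed"] += 1
        elif rec["status"].startswith("2"):
            s["unauthed_ok"] += 1
    violators = sorted(ip for ip, s in summary.items()
                       if s["challenged"] and any(ipaddress.ip_address(ip) in n for n in nets))
    return dict(summary), violators


if __name__ == "__main__":
    summary, violators = triage(SAMPLE_LOG.splitlines(), ["172.17.20.0/24", "172.17.21.249/32"])
    for ip, s in summary.items():
        print(f"{ip:16} {s}")
    print("exempt but challenged:", violators)
```

Read the output against the ACLs: an exempt address among the violators means the http_access line for it was never reached or never matched (with NTLM the first 407 is followed by a 200 carrying the username, which is the challenge being answered, not the rule working); an address outside the exempt networks with unauthenticated 200s shows what the policy lets through without credentials; and an admin workstation that only ever appears under an address outside 172.17.20.0/24 tells you the proxy is not seeing the address the ACL expects.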
 
Old 01-19-2012, 04:44 PM   #4
bathory
Hi,

Did you try using the configuration from my previous post?
 
Old 01-20-2012, 01:59 AM   #5
Nomad-71
Quote:
Originally Posted by bathory
Hi,

Did you try using the configuration from my previous post?
Sorry, forgot to mention that: yes I did, it didn't help either.
 
Old 01-20-2012, 03:21 AM   #6
bathory
Quote:
Sorry, forgot to mention that: yes I did, it didn't help either.
Huh, strange
Are you sure there are no other "http_access ..." rules before those above?
Could you post your squid.conf to have a better look?
 
Old 01-20-2012, 03:26 AM   #7
Nomad-71
Here it is.
Code:
http_port 172.17.20.1:3128
#http_port 172.17.20.1:8080

# Added by Kaspersky Anti-Virus installer
icap_enable on
icap_send_client_ip off
icap_preview_enable off
icap_service is_kav_req reqmod_precache 0 icap://127.0.0.1:1344/av/reqmod
icap_service is_kav_resp respmod_precache 0 icap://127.0.0.1:1344/av/respmod
adaptation_service_set ic_kav is_kav_req is_kav_resp
adaptation_access ic_kav allow all
# /Added by Kaspersky Anti-Virus installer
adaptation_access is_kav_req  allow all
adaptation_access is_kav_resp allow all

visible_hostname gw.tts.loc
unique_hostname gw.tts.loc
cache_mgr help@tts.loc

#### For logs #####
forwarded_for on
follow_x_forwarded_for allow all

#### CACHE ###
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none
cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 25 MB


#### AUTH ####
#auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -s HTTP/proxy
#auth_param negotiate program /usr/lib/squid3/negotiate_kerb_auth -d 
#auth_param negotiate children 10
#auth_param negotiate keep_alive on


auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param basic credentialsttl 2 hours
auth_param ntlm keep_alive off

#
#Recommended minimum configuration:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

#### NET ACL ####
acl admin_net src 172.17.20.0/24

#### AUTH ACLs ####
acl Authed      proxy_auth REQUIRED
acl NotAuthed   proxy_auth -

#### TimeACL
acl WorkTime      time MTWHF 09:00-18:00


#### USERs
acl user2 src 172.17.21.249
acl user1 proxy_auth_regex -i (station113)

### Web-sites
acl social_nets dstdomain .vk.com .vkontakte.ru .odnoklassniki.ru
acl anon dstdomain .cameleo.ru .climbera.ru

acl yandex dstdomain .yandex.ru
# Only allow cachemgr access from localhost
#http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
#http_access deny CONNECT !SSL_ports
http_access deny to_localhost
#http_access allow localhost

http_access allow yandex
# users
http_access allow user1
http_access allow user2

http_access allow admin_net

# anonymizers should be denied
http_access deny anon

#### Allow all authed and deny all from not local subnets
http_access deny social_nets WorkTime

http_access allow all Authed
http_access deny all

http_reply_access       allow all
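The config above is long enough to be worth evaluating mechanically rather than by eye. The Python model below is an added example, not Squid's code and not anything from this thread: it replays Squid's first-match http_access semantics over the ACLs and http_access lines of this post (the to_localhost line and the WorkTime time ACL are left out, since dst lookups and time ACLs are not modelled), under two assumptions that are also stated in the code. First, a proxy_auth or proxy_auth_regex ACL reached on a request that carries no credentials ends evaluation with a 407 challenge, wherever on the line it sits. Second, because this config has `follow_x_forwarded_for allow all` and Squid's acl_uses_indirect_client defaults to on, the src ACLs are tested against the X-Forwarded-For address the client supplies. Under those assumptions the model reproduces the symptom reported in this thread: `http_access allow user1` is a proxy_auth_regex ACL and precedes `allow user2` and `allow admin_net`, so every unauthenticated request that is not for .yandex.ru is challenged before the IP-based allows are reached. The reordered rule set is my own rearrangement (IP-based allows ahead of the first auth ACL, the commented-out CONNECT !SSL_ports check restored, follow_x_forwarded_for off, and deny anon ahead of the allows so it applies to everyone, which may or may not be what the poster intends). The sample requests are constructed; their addresses and hostnames are placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    client_ip: str
    host: str
    port: int = 80
    method: str = "GET"
    user: Optional[str] = None   # username from Proxy-Authorization, if any
    xff: Optional[str] = None    # X-Forwarded-For value the client chose to send


# ACLs from the posted squid.conf (to_localhost and the WorkTime time ACL left out: not modelled).
ACLS = {
    "all": ("src", "all"), "admin_net": ("src", "172.17.20.0/24"), "user2": ("src", "172.17.21.249"),
    "Authed": ("proxy_auth", "REQUIRED"), "user1": ("proxy_auth_regex", "(station113)"),  # -i -> re.I
    "anon": ("dstdomain", ".cameleo.ru", ".climbera.ru"), "yandex": ("dstdomain", ".yandex.ru"),
    "SSL_ports": ("port", "443", "563", "873"), "CONNECT": ("method", "CONNECT"),
}

# http_access lines in the order the post has them; user1 (an auth ACL) precedes user2 and admin_net.
POST7_RULES = [("allow", "yandex"), ("allow", "user1"), ("allow", "user2"), ("allow", "admin_net"),
               ("deny", "anon"), ("allow", "all", "Authed"), ("deny", "all")]

# My rearrangement: the commented-out CONNECT check restored, deny anon applied to everyone,
# every IP-based allow ahead of the first auth ACL.
REORDERED_RULES = [("deny", "CONNECT", "!SSL_ports"), ("deny", "anon"), ("allow", "admin_net"),
                   ("allow", "user2"), ("allow", "yandex"), ("allow", "user1"),
                   ("allow", "all", "Authed"), ("deny", "all")]


class Policy:
    def __init__(self, rules, follow_xff, acls=ACLS):
        self.rules = [(a, [(t.startswith("!"), t.lstrip("!")) for t in terms]) for a, *terms in rules]
        self.follow_xff = follow_xff   # models follow_x_forwarded_for allow all
        self.acls = acls

    def _match(self, name, req):
        """True/False, or 'AUTH' when an auth ACL is reached on a request without credentials."""
        kind, *values = self.acls[name]
        if kind == "src":
            # Assumption: acl_uses_indirect_client (Squid default on) makes 'src' test the
            # X-Forwarded-For address when follow_x_forwarded_for permits it, so the client chooses it.
            src = req.xff.split(",")[0].strip() if self.follow_xff and req.xff else req.client_ip
            ip = ipaddress.ip_address(src)
            return any(v == "all" or ip in ipaddress.ip_network(v, strict=False) for v in values)
        if kind == "dstdomain":   # a leading dot matches the domain itself and its subdomains
            return any(req.host == d.lstrip(".") or (d[0] == "." and req.host.endswith(d)) for d in values)
        if kind == "port":        # single port or lo-hi range
            return any(int(v.partition("-")[0]) <= req.port <= int(v.partition("-")[2] or v) for v in values)
        if kind == "method":
            return req.method in values
        if req.user is None:      # proxy_auth / proxy_auth_regex with no credentials:
            return "AUTH"         # assumption: Squid challenges as soon as this ACL is reached
        if kind == "proxy_auth":
            return "REQUIRED" in values or req.user in values
        return any(re.search(v, req.user, re.I) for v in values)

    def decide(self, req):
        """First http_access line whose terms all match wins: 'allow', 'deny' or '407'."""
        for action, terms in self.rules:
            for negated, name in terms:
                r = self._match(name, req)
                if r == "AUTH":
                    return "407"
                if r == negated:   # term fails: unmatched, or matched but negated
                    break
            else:
                return action
        return "deny" if self.rules and self.rules[-1][0] == "allow" else "allow"  # Squid: opposite of last line


def post7_policy(follow_xff=True):       # the post has follow_x_forwarded_for allow all
    return Policy(POST7_RULES, follow_xff)


def reordered_policy(follow_xff=False):  # and the rearrangement turns it off
    return Policy(REORDERED_RULES, follow_xff)


if __name__ == "__main__":
    # Constructed sample requests; the addresses and hostnames are placeholders.
    for req in (Request("172.17.20.5", "example.com"), Request("172.17.21.249", "example.com"),
                Request("10.0.0.9", "www.yandex.ru"), Request("10.0.0.9", "example.com", xff="172.17.20.5"),
                Request("10.0.0.9", "mail.example.com", 25, "CONNECT", user="alice")):
        print(f"{req.client_ip:14} {req.method} {req.host}:{req.port}  post #7: {post7_policy().decide(req)}"
              f"  reordered: {reordered_policy().decide(req)}")
```

Besides the ordering problem, the same model shows what the posted config lets through that the poster may not intend: .yandex.ru is reachable by anyone who can connect to the proxy, without credentials; with follow_x_forwarded_for on, a client outside admin_net that sends `X-Forwarded-For: 172.17.20.5` is treated as admin_net once the IP-based allow is reachable; and with the `!Safe_ports` and `CONNECT !SSL_ports` lines commented out, any authenticated user can CONNECT to any TCP port through the proxy.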

 
Old 01-20-2012, 04:50 AM   #8
bathory
Does the following rule for user2 work?
Quote:
http_access allow user2
Also, are you sure about the admin_net network IPs (172.17.20.0/24)? Because for user2 you use a different IP (172.17.21.249).
 
Old 01-20-2012, 04:58 AM   #9
Nomad-71
Quote:
Does the following rule for user2 work?
No, it doesn't
Quote:
Also, are you sure about the admin_net network IPs (172.17.20.0/24)? Because for user2 you use a different IP (172.17.21.249).
Yes, absolutely sure :-) I have several networks and this person should bypass proxy auth.
 
Old 01-20-2012, 06:21 AM   #10
bathory
Quote:
Does the following rule for user2 work?
No, it doesn't
It should work.
Maybe it's the ICAP-related stuff. I don't use ICAP, so I cannot verify if that's the case, but you can move the ICAP directives right under the http_access rules and see if it changes anything.
 
Old 01-20-2012, 07:17 AM   #11
Nomad-71
Didn't help either.
I commented out all the ICAP-related stuff, but still no luck.
 
Old 01-20-2012, 11:32 AM   #12
bathory
Well, I'm baffled!! It should work.
Comment out "forwarded_for on" and "follow_x_forwarded_for allow all" to see what happens.
 
Old 01-23-2012, 01:38 AM   #13
Nomad-71
Thank you for your replies, bathory.
But
Quote:
Comment out "forwarded_for on" and "follow_x_forwarded_for allow all" to see what happens
didn't help either.
So I reinstalled Squid and wrote the config from the beginning; that helped and now it works fine.
Really strange issue.
 
  

