02-09-2011, 01:29 PM
|
#1
|
Member
Registered: Nov 2009
Location: Amman, Jordan
Distribution: Ubuntu 10.04, CentOS 5.5, FreeBSD 7.2, Debian Squeeze, PC-BSD 8
Posts: 44
Rep:
|
Squid Proxy - Bungled line
I don't get it.
I followed (partially) the config file that was displayed on the squid site (here: Clickety) after I had joined the server to the domain (correctly, as per the how-to on the CentOS website).
BTW, this is with CentOS 5.5 and Squid 2.6
This is my squid.conf:
Code:
#auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="RCH\InternetUsers"
auth_param ntlm program /usr/local/bin/ntlm_auth RCH/RCHDC01
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on
# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="RCH\InternetUsers"
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl InternetUsers proxy_auth REQUIRED
http_access allow InternetUsers
http_access deny all
The idea is to block all users not in the AD security group "InternetUsers" from accessing the internet (this is intentional, as at the Red Cross Hospital there is some serious time wastage happening and therefore lock down is in place).
When I try to start the squid service it fails and checking /var/logs/messages it reads:
Quote:
Feb 9 21:25:25 RCHPX01 squid[13525]: Bungled squid.conf line 21: http_access deny all
|
And this is when I suffered my "huh!?!?!" moment.
Any ideas?
TIA
|
|
|
02-10-2011, 08:04 AM
|
#2
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
You deleted the "all" acl, I guess; it's certainly not in the config there. "all" is not a built-in name; it's usually defined higher up in the file.
|
|
|
02-16-2011, 12:15 PM
|
#3
|
Member
Registered: Nov 2009
Location: Amman, Jordan
Distribution: Ubuntu 10.04, CentOS 5.5, FreeBSD 7.2, Debian Squeeze, PC-BSD 8
Posts: 44
Original Poster
Rep:
|
Can't seem to make it work with that either.
Now my conf file is:
Code:
#auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="RCH\InternetUsers"

auth_param ntlm program /usr/local/bin/ntlm_auth RCH/RCHDC01

auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on

# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="RCH\InternetUsers"
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl all src 0.0.0.0/0.0.0.0
acl InternetUsers proxy_auth REQUIRED
http_access allow InternetUsers
http_access deny all
And when I try to run squid (sudo /sbin/service squid start) I get:
Code:
sudo /sbin/service squid start
Starting squid: /etc/init.d/squid: line 42: 4885 Aborted $SQUID $SQUID_OPTS >> /var/log/squid/squid.out 2>&1
[FAILED]
But if I reset squid.conf back to the very original file that came out of the box, it runs without a hitch.
Any ideas?
|
|
|
02-16-2011, 04:19 PM
|
#4
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
Well, you need to find out what the error was. Not sure why the service script b0rked so badly, but that isn't the error itself. Look in the log files or run squid directly without the service script for full disclosure.
|
|
|
02-17-2011, 07:25 AM
|
#5
|
Member
Registered: Nov 2009
Location: Amman, Jordan
Distribution: Ubuntu 10.04, CentOS 5.5, FreeBSD 7.2, Debian Squeeze, PC-BSD 8
Posts: 44
Original Poster
Rep:
|
OK, I went at it with the determination of a hamster on his wheel.
I figured out several things.
1. I had to be a lot more precise when it comes to my src definition (which makes sense)
2. If I have httpd running, obviously I cannot use port 80 because competition would ensue between the services
3. The location of the ntlm helper libraries are not the ones I, naively, pasted right away. I should have known better.
4. I should RTFM before I start tackling stuff like this and then asking n00b questions.
Thanks a lot mate, you were patient with me
Last edited by Mustafa Ismail Mustafa; 02-17-2011 at 07:26 AM.
Reason: forgot another point
|
|
|
01-10-2015, 02:50 AM
|
#6
|
LQ Newbie
Registered: Feb 2013
Posts: 11
Rep:
|
Bungled
This happens with a misconfigured acl type, for example if you have not set the dstdomain acl type.
|
|
|
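Added example, not part of any post in this thread: a small pre-flight check for the failure replies #2 and #6 describe, an access rule naming an ACL that has not been defined above it. The function name, the list of access directives and the two sample configs (constructed from the access-control tails of posts #1 and #3) are assumptions of this example; no ACL is treated as built in unless passed in `predefined`, matching the thread's Squid 2.6.

```python
# Directives whose arguments (after allow/deny) are ACL names.
# Assumption: a small subset chosen for this example.
ACCESS_DIRECTIVES = {"http_access", "http_reply_access", "icp_access"}

def find_undefined_acls(conf_text, predefined=()):
    """Return [(line_no, directive, acl_name)] for ACLs used before definition.

    squid.conf is read top to bottom, so an "acl NAME ..." line must appear
    above any access rule that uses NAME. `predefined` lists names assumed to
    be built in; empty by default, as "all" is not built in on the thread's setup.
    """
    defined = set(predefined)
    problems = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        if tokens[0] == "acl" and len(tokens) >= 3:
            defined.add(tokens[1])
        elif tokens[0] in ACCESS_DIRECTIVES and len(tokens) >= 2:
            # tokens[1] is allow/deny; the rest are ACL names, optionally negated
            for name in tokens[2:]:
                name = name.lstrip("!")
                if name not in defined:
                    problems.append((line_no, tokens[0], name))
    return problems

# Constructed sample: tail of the config from post #1 ("all" never defined).
BROKEN = """\
# access control
acl InternetUsers proxy_auth REQUIRED
http_access allow InternetUsers
http_access deny all
"""

# Constructed sample: tail of the config from post #3 ("all" defined first).
FIXED = """\
# access control
acl all src 0.0.0.0/0.0.0.0
acl InternetUsers proxy_auth REQUIRED
http_access allow InternetUsers
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("post #1", BROKEN), ("post #3", FIXED)):
        for line_no, directive, name in find_undefined_acls(conf):
            print(f"{label}: line {line_no}: {directive} uses undefined acl '{name}'")
```

A clean result here only rules out undefined ACL names; it does not check helper paths, ports or the src definition that post #5 ended up correcting.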