Re: [squid-users] Credentials not kept cross domain

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 11 Jul 2008 15:59:18 +1200

Joseph Piché wrote:
> Hi.
>
> I have a setup with Squid 3.0 stable 7 and DansGuardian 2.9.9.4. I
> have been trying to set up authentication using ntlm_auth connecting
> to Active Directory. Everything works fine except I get prompted for a
> username and password for every single domain. The credentials are
> accepted, and I am allowed to browse that domain (ex. www.google.com)
> for as long as the credentialsttl is set, but if I try to access a
> different domain, then I am asked for my credentials again. I have
> referenced all the FAQs and tried to search the mailing list, and
> couldn't find anything. My config is below. Also, when I uncomment the
> first two lines, then I get asked for credentials twice. Any help
> would be greatly appreciated.
>
>
> #auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> #auth_param ntlm children 15
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 10
> auth_param basic realm Proxy
> auth_param basic credentialsttl 2 hours
> authenticate_ttl 2 hours
>
> cache_effective_group root

Oh for pete's sake. Never, never, never give permanent root privileges
like that to Squid. It undermines the whole idea of security on that box.

Make sure the default user of squid is assigned, with a proper service
group and that group or user has access to the resources squid needs to run.

>
> visible_hostname slate.tbc2day.edu
> shutdown_lifetime 5 seconds
> http_port 127.0.0.1:3128 vhost
>
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> pid_filename /var/run/squid3.pid
> access_log /var/log/squid3/access.log squid
> log_mime_hdrs off
> forwarded_for off
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl CONNECT method CONNECT
> acl ldap-auth proxy_auth REQUIRED
> acl Users src 192.168.0.0/16
>
> always_direct allow localhost
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny to_localhost
> http_access allow ldap-auth Users
> http_access allow CONNECT localhost
> http_access allow localhost
> http_access deny all
> miss_access allow all
> http_reply_access allow all
>
>
> Thanks,
>
> Joseph J. Piché

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
Received on Fri Jul 11 2008 - 03:59:20 MDT
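An added sanity check, not from this thread or the Squid project, that lints a squid.conf for the problem Amos flags (cache_effective_user/cache_effective_group set to root) and reports which auth schemes actually have a helper; the function names are hypothetical, and the sample config is constructed from the poster's lines.

```python
# Constructed sample: the active lines from the posted squid.conf that matter here
SAMPLE_CONF = """\
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
cache_effective_group root
acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth Users
http_access deny all
"""


def parse_directives(conf_text):
    """Yield (directive, args) for each active line.

    Assumption: a line whose first non-blank character is '#' is a comment;
    everything else is 'directive arg arg ...' split on whitespace."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def lint_squid_conf(conf_text):
    """Return a list of findings (hypothetical checker, not Squid's own parser)."""
    findings = []
    schemes = set()          # auth schemes that have an 'auth_param <scheme> program' line
    proxy_auth_acls = set()  # acl names that require authentication
    for directive, args in parse_directives(conf_text):
        if directive in ("cache_effective_user", "cache_effective_group"):
            if args and args[0] == "root":
                findings.append(f"{directive} is root: Squid keeps permanent root privileges")
        elif directive == "auth_param" and len(args) >= 3 and args[1] == "program":
            schemes.add(args[0])
        elif directive == "acl" and len(args) >= 2 and args[1] == "proxy_auth":
            proxy_auth_acls.add(args[0])
    if proxy_auth_acls and not schemes:
        findings.append("proxy_auth acl used but no auth_param ... program is configured")
    if "basic" in schemes and "ntlm" not in schemes:
        findings.append("basic is the only auth scheme with a helper (no ntlm/negotiate)")
    return findings


if __name__ == "__main__":
    for finding in lint_squid_conf(SAMPLE_CONF):
        print("WARNING:", finding)
```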