#1
22nd January 2013, 00:11
asb2204
Cannot bypass authentication for squid proxy using ncsa

Hi,

I have recently deployed a squid proxy server v3.1 with qlproxy content filtering. It is running on a centos 6 box with webmin.

Works great, except I cannot bypass authentication for some websites which do not work via simple authentication, such as Windows activations and MYOB company file validations.

I am using NCSA for authentication.

Here is a post of the squid.conf. Any assistance would be greatly appreciated. The how-tos on this site rock, btw!


squid.conf
_____________________________________________


# qlproxy settings added by adrian for content scanning
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all


# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
# acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines



acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# added by adrian to bypass auth on certain domains

acl whitelist dstdomain "/etc/squid/whitelist.txt"
acl http proto http
acl port_80 port 80
acl port_443 port 443
acl CONNECT method CONNECT

# rules allowing non-authenticated users
http_access allow http port_80 whitelist
http_access allow CONNECT port_443 whitelist



# --------------------------------------------------------------

# NCSA configuration for authentication added by adrian

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Acoustic Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

# ------------------------------------------------------------



#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost


http_access allow manager localhost


http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

___________________________


$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$

whitelist.txt

.google.com.au
.myob.com.au
.microsoft.com
.quintolabs.com




So when I open my internet browser with Google as home page it does not ask for username and password. I can search Google as well and see search results without user/pw. But when I go to www.microsoft.com or www.myob.com.au it always asks for pw when I do not want it to.

As I will also need to do Microsoft activations via the proxy.

Please assist.

Kind Regards
#2
22nd January 2013, 10:41
thctlo

Hi, add this to your squid.conf and put it before your auth!

## Windows Updates
acl windowsupdate dstdomain .download.windowsupdate.com
acl windowsupdate dstdomain .windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain .microsoft.com
acl wuCONNECT dstdomain .microsoft.com
http_access allow CONNECT wuCONNECT our_networks
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate our_networks
http_access allow windowsupdate localhost


And don't forget to correct the 'our_networks' and, if needed, the localhost.
#3
23rd January 2013, 01:58
asb2204

Hello, and thank you for your assistance.

The way I am testing this is setting for example microsoft.com as my home page in Internet Explorer.

But when I open Internet Explorer it is still requesting a username and password.

This should not be the case, correct? This means that it is still requesting authentication for a site which we have requested to bypass.

Any ideas? Could it be the QL proxy content filtering that I have at the beginning of the squid conf?
Reply With Quote
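Added example, not part of any post in this thread: a simplified Python model of how Squid walks the http_access lines of the posted squid.conf (top to bottom, all ACLs on a line must match, first matching line wins). It shows which requests are answered before the proxy_auth line is reached and which fall through to it. The example.net hosts, the user alice and the assumption that supplied credentials are valid are constructed for illustration.

```python
# Simplified model of Squid http_access evaluation: lines are checked top to
# bottom, every ACL on a line must match, and the first matching line decides.
WHITELIST = [".google.com.au", ".myob.com.au", ".microsoft.com", ".quintolabs.com"]
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}

def dstdomain(host, patterns):
    # A leading dot matches the domain itself and every subdomain.
    host = host.lower()
    return any((host == p[1:] or host.endswith(p)) if p.startswith(".") else host == p
               for p in patterns)

ACLS = {
    "http": lambda r: r["proto"] == "http",
    "port_80": lambda r: r["port"] == 80,
    "port_443": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "whitelist": lambda r: dstdomain(r["host"], WHITELIST),
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
}

# http_access lines visible in the posted squid.conf, in their posted order
# (the manager/localhost lines are left out; they do not affect these requests).
POSTED_RULES = [
    ("allow", ["http", "port_80", "whitelist"]),
    ("allow", ["CONNECT", "port_443", "whitelist"]),
    ("allow", ["ncsa_users"]),
    ("deny", ["!Safe_ports"]),
]

def evaluate(rules, r):
    for action, names in rules:
        for name in names:
            if name == "ncsa_users":  # proxy_auth REQUIRED
                if not r["user"]:
                    return "challenge-407"  # no credentials sent: Squid asks for them
            elif ACLS[name.lstrip("!")](r) == name.startswith("!"):
                break  # this ACL did not match, so the line does not apply
        else:
            return action  # every ACL on the line matched
    return "no-match"

def request(method, host, port, user=None, proto="http"):
    return {"method": method, "host": host, "port": port, "user": user, "proto": proto}

# Constructed sample requests; the example.net hosts are placeholders.
SAMPLES = {
    "whitelisted page": request("GET", "www.microsoft.com", 80),
    "off-whitelist resource": request("GET", "static.example.net", 80),
    "whitelisted tunnel": request("CONNECT", "www.myob.com.au", 443, proto=""),
    "authenticated, unsafe port": request("CONNECT", "mail.example.net", 25, user="alice", proto=""),
}
RESULTS = {label: evaluate(POSTED_RULES, r) for label, r in SAMPLES.items()}
```

In this model any request to a host outside whitelist.txt reaches the proxy_auth line and is challenged, and because `http_access allow ncsa_users` sits above `http_access deny !Safe_ports`, an authenticated request to port 25 is allowed; evaluating the same request with the deny line moved to the top returns deny.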