Authentication Problem

From: Wayne Bastow <[email protected]>
Date: Tue, 25 May 1999 15:27:13 +1000

Hi,

I've just upgraded to Squid2.2STABLE3 from squid1.1.22. I was using NCSA
authentication in Squid1 and am using it in Squid2. However I'm
experiencing a problem where I allow some sites to be accessed without
authentication. Access is through our squid and then through a parent
running Altavista WWW Proxy. If I access the allowed sites when I first
open Netscape (or IE) they work fine without needing authentication. If
I then go to a site requiring authentication (i.e. sites that are not
allowed to all users) I get my normal authentication popup window (for
realm "Internet Access") and after entering my user/password am allowed
access to the site. Now if I go back to one of the allowed sites I am
asked to reauthenticate (not with the "Internet Access" realm) but it
seems to be the parent cache asking for authentication. So it seems that
once I authenticate with the local proxy then for allowed sites I have
to then authenticate with the parent. (Squid1.2 did not appear to do
this). I've looked in the relevant places but I can't find anything
about this.

(unless this has something to do with it (from the .conf file):
# # WARNING: proxy_auth can't be used in a transparent proxy. It
# # collides with any authentication done by origin servers. It may
# # seem like it works at first, but it doesn't. )

Does anyone have any experience of this or have any ideas?

The relevant parts of my squid.conf are:

cache_peer 999.9.999.9 parent 8080 3130 no-query

authenticate_program /usr/local/squid/bin/ncsa_auth
/usr/local/squid/etc/htpasswd
authenticate_children 5

acl all src 0.0.0.0/0.0.0.0
acl internal_health dstdomain health.nsw.gov.au
acl hcn dstdomain hcn.net.au
acl copyright dstdomain austlii.edu.au
acl cochrane dstdomain cochranelibrary.net
acl whitepages dstdomain whitepages.com.au
acl yellowpages dstdomain yellowpages.com.au
acl pamedia dstdomain pamedia.com.au
acl passwd proxy_auth REQUIRED

http_access allow internal_health all
http_access allow hcn all
http_access allow cochrane all
http_access allow copyright all
http_access allow whitepages all
http_access allow yellowpages all
http_access allow pamedia all
http_access allow all passwd
http_access deny all

proxy_auth_realm Internet Access

always_direct allow internal_health
never_direct allow all

Thanks,
Wayne

-- 
=========================================================================
  Wayne Bastow                        |          Database Administrator
  Central Coast Area Health Service   |      Internet/Intranet Services
  Gosford, Australia.                 |
  Phone: 61 2 43203231                |    
             Email: wbastowATccahsDOThealthDOTnswDOTgovDOTau
=========================================================================
Received on Mon May 24 1999 - 23:22:11 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:46:25 MST