[squid-users] Problems using external auth with Squid 2.5STABLE4

From: Tyrone Mills <[email protected]>
Date: Thu, 27 Nov 2003 10:46:58 -0700

Hi All,

I've been searching the archives, web and news groups for 2 days now, trying
to figure out what I've done wrong. I've installed Squid 2.5 STABLE 4 on a
RH9 Server and can't get external auth working for the life of me. I've
tried mysql_auth and ncsa_auth and neither seems to work right.

From looking at the cache.log file it seems as though the ncsa_auth module
is indeed being loaded, but it's either not able to be used, or I've really
hosed the acls...

I've tested ncsa_auth from the command line and it does work as expected.

Any thoughts? Any help will be greatly appreciated, I'm pulling my hair out
over this one.

Here is the relevant configure, squid.conf and cache.log details:

./configure --enable-ssl --enable-auth=basic --enable-auth-modules=NCSA

-- squid.conf --

auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
#auth_param basic program /usr/local/squid/bin/mysql_auth
auth_param basic children 5
auth_param basic realm SquidProxy
auth_param basic credentialsttl 2 hours

acl users proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow users
http_access allow all

-- cache.log --

2003/11/26 12:35:39| Starting Squid Cache version 2.5.STABLE4 for i686-pc-linux-gnu...
2003/11/26 12:35:39| Process ID 10326
2003/11/26 12:35:39| With 1024 file descriptors available
2003/11/26 12:35:39| Performing DNS Tests...
2003/11/26 12:35:39| Successful DNS name lookup tests...
2003/11/26 12:35:39| DNS Socket created at 0.0.0.0, port 32770, FD 4
2003/11/26 12:35:39| Adding nameserver 64.255.160.17 from /etc/resolv.conf
2003/11/26 12:35:39| Adding nameserver 64.255.160.18 from /etc/resolv.conf
2003/11/26 12:35:39| helperOpenServers: Starting 5 'mysql_auth' processes
2003/11/26 12:35:39| Unlinkd pipe opened on FD 14
2003/11/26 12:35:39| Swap maxSize 102400 KB, estimated 7876 objects
2003/11/26 12:35:39| Target number of buckets: 393
2003/11/26 12:35:39| Using 8192 Store buckets
2003/11/26 12:35:39| Max Mem size: 8192 KB
2003/11/26 12:35:39| Max Swap size: 102400 KB
2003/11/26 12:35:39| Rebuilding storage in /usr/local/squid/var/cache (CLEAN)
2003/11/26 12:35:39| Using Least Load store dir selection
2003/11/26 12:35:39| Set Current Directory to /usr/local/squid/var/cache
2003/11/26 12:35:39| Loaded Icons.
2003/11/26 12:35:39| Accepting HTTP connections at 0.0.0.0, port 3128, FD 15.
2003/11/26 12:35:39| Accepting ICP messages at 0.0.0.0, port 3130, FD 16.
2003/11/26 12:35:39| WCCP Disabled.
2003/11/26 12:35:39| Ready to serve requests.
2003/11/26 12:35:39| Done scanning /usr/local/squid/var/cache swaplog (0 entries)
2003/11/26 12:35:39| Finished rebuilding storage from disk.
2003/11/26 12:35:39| 0 Entries scanned
2003/11/26 12:35:39| 0 Invalid entries.
2003/11/26 12:35:39| 0 With invalid flags.
2003/11/26 12:35:39| 0 Objects loaded.
2003/11/26 12:35:39| 0 Objects expired.
2003/11/26 12:35:39| 0 Objects cancelled.
2003/11/26 12:35:39| 0 Duplicate URLs purged.
2003/11/26 12:35:39| 0 Swapfile clashes avoided.
2003/11/26 12:35:39| Took 0.1 seconds ( 0.0 objects/sec).
2003/11/26 12:35:39| Beginning Validation Procedure
2003/11/26 12:35:39| Completed Validation Procedure
2003/11/26 12:35:39| Validated 0 Entries
2003/11/26 12:35:39| store_swap_size = 0k
2003/11/26 12:35:40| storeLateRelease: released 0 objects
2003/11/27 09:26:18| aclCheckFast: list: 0x8213400
2003/11/27 09:26:18| aclMatchAclList: checking all
2003/11/27 09:26:18| aclMatchAcl: checking 'acl all src 0/0'
2003/11/27 09:26:18| aclMatchIp: '68.144.72.187' found
2003/11/27 09:26:18| aclMatchAclList: returning 1
2003/11/27 09:26:18| aclCheck: checking 'http_access allow manager localhost'
2003/11/27 09:26:18| aclMatchAclList: checking manager
2003/11/27 09:26:18| aclMatchAcl: checking 'acl manager proto cache_object'
2003/11/27 09:26:18| aclMatchAclList: no match, returning 0
2003/11/27 09:26:18| aclCheck: checking 'http_access deny manager'
2003/11/27 09:26:18| aclMatchAclList: checking manager
2003/11/27 09:26:18| aclMatchAcl: checking 'acl manager proto cache_object'
2003/11/27 09:26:18| aclMatchAclList: no match, returning 0
2003/11/27 09:26:18| aclCheck: checking 'http_access deny !Safe_ports'
2003/11/27 09:26:18| aclMatchAclList: checking !Safe_ports
2003/11/27 09:26:18| aclMatchAcl: checking 'acl Safe_ports port 80 # http'
2003/11/27 09:26:18| aclMatchAclList: no match, returning 0
2003/11/27 09:26:18| aclCheck: checking 'http_access deny CONNECT !SSL_ports'
2003/11/27 09:26:18| aclMatchAclList: checking CONNECT
2003/11/27 09:26:18| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2003/11/27 09:26:18| aclMatchAclList: no match, returning 0
2003/11/27 09:26:18| aclCheck: checking 'http_access deny to_localhost'
2003/11/27 09:26:18| aclMatchAclList: checking to_localhost
2003/11/27 09:26:18| aclMatchAcl: checking 'acl to_localhost dst 127.0.0.0/8'
2003/11/27 09:26:18| aclMatchAcl: Can't yet compare 'to_localhost' ACL for 'www.google.ca'
2003/11/27 09:26:18| aclMatchAclList: no match, returning 0
2003/11/27 09:26:18| aclCheck: checking 'http_access deny to_localhost'
2003/11/27 09:26:18| aclMatchAclList: checking to_localhost
2003/11/27 09:26:18| aclMatchAcl: checking 'acl to_localhost dst 127.0.0.0/8'
2003/11/27 09:26:18| aclMatchIp: '216.239.41.99' NOT found
2003/11/27 09:26:18| aclMatchAclList: no match, returning 0
2003/11/27 09:26:18| aclCheck: checking 'http_access allow users'
2003/11/27 09:26:18| aclMatchAclList: checking users
2003/11/27 09:26:18| aclMatchAcl: checking 'acl users proxy_auth REQUIRED'
2003/11/27 09:26:18| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
2003/11/27 09:26:18| aclMatchAcl: returning 0 sending authentication challenge.
2003/11/27 09:26:18| aclMatchAclList: no match, returning 0
2003/11/27 09:26:18| aclCheck: requiring Proxy Auth header.
2003/11/27 09:26:18| aclCheck: match found, returning 2
2003/11/27 09:26:18| aclCheckCallback: answer=2
2003/11/27 09:26:18| The request GET http://www.google.ca/ is DENIED, because it matched 'users'
2003/11/27 09:26:18| aclCheckFast: list: 0x8211c18
2003/11/27 09:26:18| aclMatchAclList: checking all
2003/11/27 09:26:18| aclMatchAcl: checking 'acl all src 0/0'
2003/11/27 09:26:18| aclMatchIp: '68.144.72.187' found
2003/11/27 09:26:18| aclMatchAclList: returning 1
2003/11/27 09:26:18| aclCheckFast: list: 0x8212b90
2003/11/27 09:26:18| aclMatchAclList: checking all
2003/11/27 09:26:18| aclMatchAcl: checking 'acl all src 0/0'
2003/11/27 09:26:18| aclMatchIp: '68.144.72.187' found
2003/11/27 09:26:18| aclMatchAclList: returning 1
2003/11/27 09:26:18| aclCheckFast: list: 0x8212718
2003/11/27 09:26:18| aclMatchAclList: checking all
2003/11/27 09:26:18| aclMatchAcl: checking 'acl all src 0/0'
2003/11/27 09:26:18| aclMatchIp: '68.144.72.187' found
2003/11/27 09:26:18| aclMatchAclList: returning 1
2003/11/27 09:26:18| aclCheckFast: list: 0x8212cf0
2003/11/27 09:26:18| aclMatchAclList: checking all
2003/11/27 09:26:18| aclMatchAcl: checking 'acl all src 0/0'
2003/11/27 09:26:18| aclMatchIp: '68.144.72.187' found
2003/11/27 09:26:18| aclMatchAclList: returning 1
2003/11/27 09:26:18| aclCheckFast: list: 0x8211ae0
2003/11/27 09:26:18| aclMatchAclList: checking all
2003/11/27 09:26:18| aclMatchAcl: checking 'acl all src 0/0'
2003/11/27 09:26:18| aclMatchIp: '68.144.72.187' found
2003/11/27 09:26:18| aclMatchAclList: returning 1
2003/11/27 09:26:18| aclCheckFast: list: 0x8213090
2003/11/27 09:26:18| aclMatchAclList: checking all
2003/11/27 09:26:18| aclMatchAcl: checking 'acl all src 0/0'
2003/11/27 09:26:18| aclMatchIp: '68.144.72.187' found
2003/11/27 09:26:18| aclMatchAclList: returning 1
2003/11/27 09:26:18| aclCheckFast: list: 0x82136c0
2003/11/27 09:26:18| aclMatchAclList: checking all
2003/11/27 09:26:18| aclMatchAcl: checking 'acl all src 0/0'
2003/11/27 09:26:18| aclMatchIp: '68.144.72.187' found
2003/11/27 09:26:18| aclMatchAclList: returning 1
2003/11/27 09:26:18| aclCheckFast: list: 0x82121c0
2003/11/27 09:26:18| aclMatchAclList: checking all
2003/11/27 09:26:18| aclMatchAcl: checking 'acl all src 0/0'
2003/11/27 09:26:18| aclMatchIp: '68.144.72.187' found
2003/11/27 09:26:18| aclMatchAclList: returning 1
2003/11/27 09:26:18| aclCheckFast: list: 0x8213560
2003/11/27 09:26:18| aclMatchAclList: checking all
2003/11/27 09:26:18| aclMatchAcl: checking 'acl all src 0/0'
2003/11/27 09:26:18| aclMatchIp: '68.144.72.187' found
2003/11/27 09:26:18| aclMatchAclList: returning 1
2003/11/27 09:26:18| aclCheckFast: list: 0x8212220
2003/11/27 09:26:18| aclMatchAclList: checking all
2003/11/27 09:26:18| aclMatchAcl: checking 'acl all src 0/0'
2003/11/27 09:26:18| aclMatchIp: '68.144.72.187' found
2003/11/27 09:26:18| aclMatchAclList: returning 1
2003/11/27 09:26:18| aclCheckFast: list: 0x820e528
2003/11/27 09:26:18| aclMatchAclList: checking all
2003/11/27 09:26:18| aclMatchAcl: checking 'acl all src 0/0'
2003/11/27 09:26:18| aclMatchIp: '68.144.72.187' found
2003/11/27 09:26:18| aclMatchAclList: returning 1
Received on Thu Nov 27 2003 - 10:51:13 MST
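
An added example, not part of the original post and not Squid's own code: a Python check that reads a debug-level cache.log like the one above, reports which auth helper Squid actually started and how each request was decided, and compares that helper with the active auth_param line in squid.conf. The function names and the embedded sample (lines copied from the post, wrapped lines rejoined) are assumptions of this example.

```python
import re

# Constructed sample: lines taken from the post's cache.log and squid.conf.
SAMPLE_LOG = """\
2003/11/26 12:35:39| helperOpenServers: Starting 5 'mysql_auth' processes
2003/11/27 09:26:18| aclCheck: checking 'http_access allow users'
2003/11/27 09:26:18| aclMatchAcl: checking 'acl users proxy_auth REQUIRED'
2003/11/27 09:26:18| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
2003/11/27 09:26:18| aclCheck: requiring Proxy Auth header.
2003/11/27 09:26:18| aclCheckCallback: answer=2
2003/11/27 09:26:18| The request GET http://www.google.ca/ is DENIED, because it matched 'users'
"""
SAMPLE_CONF = """\
auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
#auth_param basic program /usr/local/squid/bin/mysql_auth
"""

HELPER_RE = re.compile(r"helperOpenServers: Starting (\d+) '([^']+)' processes")
VERDICT_RE = re.compile(
    r"The request (\S+) (\S+) is (\w+), because it matched '([^']+)'")

def configured_helper(conf):
    """Basename of the active (uncommented) basic auth helper, or None."""
    for line in conf.splitlines():
        parts = line.split()
        if parts[:3] == ["auth_param", "basic", "program"] and len(parts) > 3:
            return parts[3].rsplit("/", 1)[-1]
    return None

def summarize(log):
    """Return (helpers started, per-request verdicts) from a debug cache.log."""
    helpers, verdicts, challenged = [], [], False
    for line in log.splitlines():
        msg = line.split("| ", 1)[-1]          # drop the timestamp prefix
        started = HELPER_RE.search(msg)
        verdict = VERDICT_RE.search(msg)
        if started:
            helpers.append(started.group(2))
        elif "Requesting auth header" in msg or "requiring Proxy Auth header" in msg:
            challenged = True                  # Squid is asking for credentials
        elif verdict:
            method, url, action, acl = verdict.groups()
            verdicts.append({"method": method, "url": url, "action": action,
                             "acl": acl, "auth_challenge": challenged})
            challenged = False                 # reset for the next request
    return helpers, verdicts

def helper_mismatch(conf, log):
    """(configured, started) if the log shows a different helper, else None."""
    wanted, (started, _) = configured_helper(conf), summarize(log)
    return (wanted, started) if started and wanted not in started else None

if __name__ == "__main__":
    print(helper_mismatch(SAMPLE_CONF, SAMPLE_LOG))
    print(summarize(SAMPLE_LOG)[1])
```

Run on the posted excerpt, it shows that the log records 'mysql_auth' helpers being started while the squid.conf shown has ncsa_auth active, and that the single DENIED verdict was accompanied by a proxy-auth challenge for a request that carried no credentials.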