[squid-users] Problem with auth_param + delay_pools

From: Phillip Geiger <[email protected]>
Date: Wed, 12 Oct 2005 10:12:47 +0300

Hello all,

I have Squid running on my firewall, and would like to get a few
features running - adzap, delay pools, and username/password
authentication. So far I've had success with adzap and delay pools,
but the authentication part isn't working.

I'm running version 2.5.STABLE11
configure options: --enable-storeio=diskd,ufs
--enable-linux-netfilter --enable-removal-policies=heap,lru
--enable-delay-pools --enable-auth=ntlm,basic

Unfortunately, when I add the auth bits to the config file, instead of
prompting clients for a username and password, it just spits out

====
ERROR: The requested URL could not be retrieved
You are not currently allowed to request
http://yahoo.com/
from this cache due to Access control configuration.
====

Squid appears to be starting correctly:
# restartsquid
2005/10/12 09:59:46| Creating Swap Directories
#

I've tested my auth program and password file; it works fine:
# /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/squid_passwd
blah blah
ERR
testuser2 test
OK
#

I'm sure my problem is due to some trivial error in my config, but
I've spent a couple days banging away at it without success. I'd
appreciate any advice.

Here's my squid.conf, which is mostly the default provided by my Linux
firewall distribution (SmoothWall):

==============================

# squid.conf as posted (Squid 2.5.STABLE11; SmoothWall defaults plus adzap,
# delay pools and basic proxy authentication). Lines marked NOTE(review)
# are reviewer comments only; no directive below has been changed.

# defaults were 8 MB and 32 KB, respectively
cache_mem 32 MB
maximum_object_size_in_memory 128 KB

# changed from GDSF to LFUDA - this means the squid proxy will
# keep the most popular files in the cache regardless of size
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

half_closed_clients off

cache_swap_high 100%
cache_swap_low 80%

shutdown_lifetime 3 seconds
icp_port 0

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# The auth helper configured below is spawned as this user, so the password
# file must be readable by it. The manual ncsa_auth test in the report was
# run from a root prompt, which does not prove that (a permission problem
# would show up as ERR after a prompt, not as a missing prompt).
cache_effective_user squid
cache_effective_group squid

pid_filename /var/run/squid.pid

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
error_directory /usr/local/squid/etc/smootherrors
emulate_httpd_log on
log_mime_hdrs off

forwarded_for off

# NOTE(review): squid.conf has no line continuation. If the password-file
# path really sits on its own line in the file (rather than being wrapped
# by the mailer), squid treats it as a bogus directive and ncsa_auth is
# started without a password file -- keep the whole
# "auth_param basic program <helper> <file>" directive on one line.
# Basic auth carries credentials base64-encoded, i.e. readable by anyone
# on the path between client and proxy; this build also enables ntlm.
auth_param basic program /usr/local/squid/bin/ncsa_auth
/usr/local/squid/etc/squid_passwd
auth_param basic children 5
auth_param basic realm Firewall
auth_param basic credentialsttl 2 hours

# users1 is a source-address range. A /32 mask on a range is applied to
# both endpoints and should be equivalent to giving no mask at all; confirm
# that the client receiving the error actually has an address inside
# 192.168.36.3-192.168.36.250 (.1, .2 and .251-.254 are outside it).
acl users1 src 192.168.36.3-192.168.36.250/32
# users2 requires proxy credentials; it can only trigger a 407 challenge
# when it is actually evaluated (see the http_access note below).
acl users2 proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255

# NOTE(review): 445 is microsoft-ds (SMB), not a TLS port. Listing it in
# SSL_ports lets any allowed client open a CONNECT tunnel to port 445 on
# any host the firewall can reach. Stock squid.conf uses "port 443 563";
# 441 and 445 are also repeated in Safe_ports below under the
# "https, snews" comment, which does not describe them.
acl SSL_ports port 445 443 441 563
acl Safe_ports port 80 # http
acl Safe_ports port 81 # smoothwall http
acl Safe_ports port 21 # ftp
acl Safe_ports port 445 443 441 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# NOTE(review): http_access lines are evaluated top to bottom, first match
# wins. "allow localhost" sits before the Safe_ports / SSL_ports checks, so
# requests originating on the firewall itself bypass the port restrictions;
# stock squid.conf places "allow localhost" after the two deny lines.
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# NOTE(review): ACLs on one http_access line are ANDed left to right and
# evaluation stops at the first one that does not match. If users1 does not
# match the client address, users2 (the proxy_auth ACL) is never evaluated,
# the request falls through to "deny all", and squid returns the plain
# access-denied page quoted in the report instead of a 407 challenge --
# squid only challenges when a proxy_auth ACL is the one that decided the
# denial (per the 2.5 FAQ; verify on this release). A layout in which the
# challenge does not depend on the address check first succeeding:
#   http_access deny !users1
#   http_access allow users2
#   http_access deny all
http_access allow users1 users2
#http_access allow localnet
http_access deny all

################################################################################
# delay_pools config
################################################################################

# define one class 2 pool
delay_pools 1
delay_class 1 2

# users1 follows the rules of pool 1
# Pool membership is decided by source address only (users1 is a src ACL),
# so the limits apply whether or not the user has authenticated.
delay_access 1 allow users1
delay_access 1 deny all

# Everyone in users1 has access to the full bandwidth until
# his 2 megabyte bucket is empty, then it refills at 4 kbyte/sec
# 1 kbyte = 1024, 1 mb = 1048576

#delay_parameters 1 -1/-1 8192/4194304
delay_parameters 1 -1/-1 4096/2097152

# everyone's bucket starts out full
delay_initial_bucket_level 100

# override-expire ignores the origin server's Expires header, so objects
# matching these patterns (including .exe downloads) can be served from
# cache for up to 9000009 minutes regardless of upstream changes.
refresh_pattern -i \.jpg$ 9000000 100% 9000009 override-expire
refresh_pattern -i \.gif$ 9000000 100% 9000009 override-expire
refresh_pattern -i \.png$ 9000000 100% 9000009 override-expire
refresh_pattern -i \.exe$ 9000000 100% 9000009 override-expire

# adzap URL rewriter; runs under cache_effective_user as well.
redirect_program /usr/local/adzap/scripts/wrapzap
Received on Wed Oct 12 2005 - 01:12:49 MDT
