[squid-users] PRETTY URGENT: Auth Rejected, while authentication program(s) gives OK back to Squid

From: Daniël Mostertman <daniel@dont-contact.us>
Date: Fri, 6 Apr 2001 19:42:00 -0700

Hi all,

Problem: Squid doesn't "understand" OK?

I'm blocking sex sites using an ACL/HTTP_ACCESS/PASSWORD combo...

Below are all details!

First of all:

* Squid Cache: Version 2.2.STABLE5
* Configuration file is /etc/squid.conf
* mysql_auth [ /usr/bin/mysql_auth ]
* ncsa_auth [ /usr/local/bin/ncsa_auth ]
* Both programs give OK back to Squid when used as they are supposed to be.
* Double-checked that by entering it on the console...
* I'm using IE5.5

From console:
------------------------------------------------------
aeris:/var/squid/logs # su squid
aeris:~/logs # whoami
squid
aeris:~/logs # /usr/bin/mysql_auth
daniel blah123
ERR
daniel pxrccu24
OK

aeris:~/logs # exit
aeris:/var/squid/logs #

------------------------------------------------------

Entire squid.conf:
------------------------------------------------------
#####
#####
##### This configuration for Squid 2.2.STABLE5 has been created by Daniël Mostertman
##### mailto:daniel@mostertman.org
#####

# Let it run on port 8080:
http_port 8080

# Configure some options:
authenticate_program /usr/bin/mysql_auth
authenticate_children 5
authenticate_ttl 3600

##### ACCESS CONTROL LINES #####

# Disallow cache for cgi-bin directory:
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# Define authentication:
acl password proxy_auth REQUIRED

# Define all hosts:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.0.0/255.255.0.0

# Define all hours:
acl StartOfDay time MTWHF 00:00-06:59
acl BeforeTime time MTWHF 07:00-08:59
acl WorkTime time MTWHF 09:00-17:29
acl OverTime time MTWHF 17:30-20:59
acl EndOfDay time MTWHF 21:00-23:59

acl AllTime time MTWHF 00:00-23:59

##### FILES AND SITES WHICH ARE BANNED

acl pornsites url_regex -i .*sex.*$ .*xxx.*$ .*porn.*$ .*adult.*$ .*pimp.*$ .*gay.*$ .*lesbian.*$ .*pussy.*$
acl hacksites url_regex -i .*crack.*$ .*hack.*$
acl waresites url_regex -i .*warez.*$ .*x-drive.*$ .*xdrive.*$ .*gamez.*$ .*downloadz.*$
acl mpegsites url_regex -i .*mp3.*$ .*mp4.*$ .*divx.*$ .*vcd.*$
acl mailsites url_regex -i .*mail.*\..*/$ .*i-p.*\..*/$
acl bannsites url_regex -i .*banner.*$ .*clickthru.*$ .*thruport.*$ .*igallery.*$ .*advert.*$ .*247media.*$ .*linkex.*$
acl illesites url_regex -i .*simlock.*$

# Banned because of bandwidth consumption
acl mpeg url_regex -i \.mp3([;#\?].*)*$ \.mpeg3([;#\?].*)*$ \.mp4([;#\?].*)*$ \.mpeg4([;#\?].*)*$
acl videocd url_regex -i \.dvd([;#\?].*)*$ \.vcd([;#\?].*)*$
acl quicktime url_regex -i \.mov([;#\?].*)*$ \.qt([;#\?].*)*$
acl realaudio url_regex -i \.ra([;#\?].*)*$ \.ram([;#\?].*)*$
acl mediaplayer url_regex -i \.wma([;#\?].*)*$ \.asf([;#\?].*)*$ \.asx([;#\?].*)*$
acl divx url_regex -i \.divx([;#\?].*)*$ \.dvx([;#\?].*)*$
acl vbscript url_regex -i \.vbs([;#\?].*)*$
acl executables url_regex -i \.exe([;#\?].*)*$
acl zipfiles url_regex -i \.zip([;#\?].*)*$

##### HTTP ACCESS LINES #####

# Always deny access to these sites:
http_access deny pornsites AllTime password
http_access deny hacksites AllTime
http_access deny waresites AllTime
http_access deny mpegsites AllTime
http_access deny bannsites AllTime
http_access deny illesites AllTime

# Sometimes deny access to these sites:
http_access deny mailsites WorkTime password

# Always deny access to these filetypes:
http_access deny mpeg AllTime password
http_access deny videocd AllTime password
http_access deny quicktime AllTime password
http_access deny realaudio AllTime password
http_access deny mediaplayer AllTime password
http_access deny divx AllTime password
http_access deny vbscript AllTime password
http_access deny executables AllTime password

# Sometimes deny access to these filetypes:
http_access deny zipfiles WorkTime password

# Allow what isn't blocked:
http_access allow all
icp_access allow all
miss_access allow all

------------------------------------------------------

So it does come up with the password screen where it is supposed to,
but when I enter a correct username/password combo it just denies it.

Just like it's getting only ERR's back, or just doesn't execute the auth
program...

Did anybody figure out what caused this and how to fix this??

TIA

Daniël Mostertman
Received on Fri Apr 06 2001 - 10:37:13 MDT
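
Added example, not part of the original message and not Squid's own code: a simplified Python model of how the http_access lines quoted above are evaluated (ACLs on one line are ANDed, the first matching line decides). The names decide, acl and request, the "!password" variant and the sample request are assumptions made for this illustration.

```python
import re
from datetime import datetime

class Challenge(Exception):
    """A proxy_auth ACL was reached without accepted credentials (HTTP 407)."""

PORN = re.compile(r"sex|xxx|porn", re.I)  # subset of the posted pornsites patterns

def acl(name, req):
    """Evaluate one ACL name from the posted squid.conf against a request."""
    if name.startswith("!"):
        return not acl(name[1:], req)
    if name == "all":
        return True
    if name == "pornsites":
        return bool(PORN.search(req["url"]))
    if name == "AllTime":                 # time MTWHF 00:00-23:59
        return req["when"].weekday() < 5
    if name == "password":                # proxy_auth REQUIRED
        if req["helper"] != "OK":         # missing or rejected credentials
            raise Challenge()
        return True
    raise KeyError(name)

def decide(conf, req):
    """ACLs on a line are ANDed left to right; the first matching line wins."""
    rules = [l.split()[1:] for l in conf.splitlines() if l.startswith("http_access ")]
    for action, *names in rules:
        try:
            if all(acl(n, req) for n in names):
                return action
        except Challenge:
            return "challenge"
    # No line matched: the default is the opposite of the last line.
    return "allow" if rules[-1][0] == "deny" else "deny"

POSTED = "http_access deny pornsites AllTime password\nhttp_access allow all"
NEGATED = "http_access deny pornsites AllTime !password\nhttp_access allow all"  # assumed variant

def request(helper, url="http://sex.example/"):
    """Constructed request on Friday 6 April 2001; helper is the auth program's reply."""
    return {"url": url, "when": datetime(2001, 4, 6, 12, 0), "helper": helper}

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("negated", NEGATED)):
        print(label, [decide(conf, request(h)) for h in ("OK", None)])
```

In this model the posted line denies exactly the request whose helper reply was OK, while the negated variant lets it through and still challenges a request without accepted credentials.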
