Cannot bypass authentication for squid proxy using ncsa

Discussion in 'Technical' started by asb2204, Jan 22, 2013.

  1. asb2204

    asb2204 New Member

    Hi,

    I have recently deployed a Squid proxy server v3.1 with qlproxy content filtering. It is running on a CentOS 6 box with Webmin.

    Works great, except I cannot bypass authentication for some websites which do not work via simple authentication, such as Windows activations and MYOB company file validations.

    I am using ncsa for authentication.

    Here is a post of the squid.conf. Any assistance would be greatly appreciated. The how-tos on this site rock btw!


    squid.conf
    _____________________________________________


    # qlproxy settings added by adrian for content scanning
    icap_enable on
    icap_preview_enable on
    icap_preview_size 4096
    icap_persistent_connections on
    icap_send_client_ip on
    icap_send_client_username on
    icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
    icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
    adaptation_access qlproxy1 allow all
    adaptation_access qlproxy2 allow all


    # Recommended minimum configuration:
    #
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    # acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    # acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines



    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    # added by adrian to bypass auth on certain domains

    acl whitelist dstdomain "/etc/squid/whitelist.txt"
    acl http proto http
    acl port_80 port 80
    acl port_443 port 443
    acl CONNECT method CONNECT

    # rules allowing non-authenticated users
    http_access allow http port_80 whitelist
    http_access allow CONNECT port_443 whitelist



    # --------------------------------------------------------------

    # NCSA configuration for authentication added by adrian

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm Acoustic Proxy Server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off
    acl ncsa_users proxy_auth REQUIRED
    http_access allow ncsa_users

    # ------------------------------------------------------------



    #
    # Recommended minimum Access Permission configuration:
    #
    # Only allow cachemgr access from localhost


    http_access allow manager localhost


    http_access deny manager

    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports

    ___________________________


    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

    whitelist.txt

    .google.com.au
    .myob.com.au
    .microsoft.com
    .quintolabs.com




    So when I open my internet browser with Google as the home page, it does not ask for a username and password. I can search Google as well and see search results without user/pw. But when I go to www.microsoft.com or www.myob.com.au it always asks for a pw when I do not want it to.

    As I will also need to do Microsoft activations via the proxy.

    Please assist.

    Kind Regards
     
  2. thctlo

    thctlo New Member

    Hai, add this to your squid.conf and put it before your auth!

    ## Windows Updates
    acl windowsupdate dstdomain .download.windowsupdate.com
    acl windowsupdate dstdomain .windowsupdate.microsoft.com
    acl windowsupdate dstdomain .update.microsoft.com
    acl windowsupdate dstdomain redir.metaservices.microsoft.com
    acl windowsupdate dstdomain images.metaservices.microsoft.com
    acl windowsupdate dstdomain c.microsoft.com
    acl windowsupdate dstdomain wustat.windows.com
    acl windowsupdate dstdomain crl.microsoft.com
    acl windowsupdate dstdomain .microsoft.com
    acl wuCONNECT dstdomain .microsoft.com
    http_access allow CONNECT wuCONNECT our_networks
    http_access allow CONNECT wuCONNECT localhost
    http_access allow windowsupdate our_networks
    http_access allow windowsupdate localhost


    And don't forget to correct the 'our_networks' and, if needed, the localhost.
     
  3. asb2204

    asb2204 New Member

    Hello, and thank you for your assistance.

    The way I am testing this is setting, for example, microsoft.com as my home page in Internet Explorer.

    But when I open Internet Explorer it is still requesting a username and password.

    This should not be the case, correct? This means that it is still requesting authentication for a site which we have requested to bypass.

    Any ideas? Could it be the QL proxy content filtering that I have at the beginning of the squid conf?
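
Added example (not part of the thread, and not the poster's or Squid's own code): a simplified Python model of how Squid checks the three `http_access` rules from the posted squid.conf against each request separately, so a page on a whitelisted domain still draws a 407 for any request it makes to a host outside whitelist.txt. The sample requests, including the placeholder host cdn.example.net, are constructed, and `has_credentials` is assumed to mean valid credentials were sent.

```python
# Simplified model of first-match http_access evaluation for the rules
# in the squid.conf posted above (whitelist rules first, then proxy_auth).
WHITELIST = [".google.com.au", ".myob.com.au", ".microsoft.com", ".quintolabs.com"]

def dstdomain_match(host, patterns):
    """Squid dstdomain: '.example.com' matches the domain and all subdomains;
    'example.com' (no leading dot) matches that exact host only."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False

def evaluate(method, proto, host, port, has_credentials=False):
    """Return the outcome of the first http_access rule that matches."""
    listed = dstdomain_match(host, WHITELIST)
    # http_access allow http port_80 whitelist
    if proto == "http" and port == 80 and listed:
        return "ALLOW (no auth)"
    # http_access allow CONNECT port_443 whitelist
    if method == "CONNECT" and port == 443 and listed:
        return "ALLOW (no auth)"
    # http_access allow ncsa_users   (acl ncsa_users proxy_auth REQUIRED)
    if has_credentials:
        return "ALLOW (authenticated)"
    return "407 challenge"

# Constructed requests; the model gives CONNECT requests no URL scheme.
SAMPLE = [
    ("GET", "http", "www.microsoft.com", 80),
    ("CONNECT", None, "www.microsoft.com", 443),
    ("GET", "http", "www.myob.com.au", 8080),   # whitelisted host, other port
    ("GET", "http", "cdn.example.net", 80),     # placeholder third-party host
    ("CONNECT", None, "notmicrosoft.com", 443), # suffix without the dot boundary
]

def audit(requests):
    """Evaluate each (method, proto, host, port) without credentials."""
    return [(host, port, evaluate(m, pr, host, port)) for m, pr, host, port in requests]

if __name__ == "__main__":
    for host, port, result in audit(SAMPLE):
        print(f"{host}:{port:<5} {result}")
```

The hosts a real page requests can be read from the `TCP_DENIED/407` entries in Squid's access.log and compared against the whitelist in the same way.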
     
