Squid doesn't call helper

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Squid doesn't call helper

Kornexl, Anton

Squid 4.10 on Ubuntu 20.04

 

The configured program is started but not called (or the result not used)

The authentication window does not show up in the browser

All request are denied because acl proxyuser doesn’t match

The same config runs on squid 3.5.27 on Ubuntu 18.04 and squid 4.13 on opensuse 4.13

 

How can i debug this problem

Other helpers are also not called/used

 

The squid user can execute the configured program

/usr/local/bin/mysql_auth and returns an OK

 

sudo -u squid /usr/local/bin/mysql_auth

test testing

OK

 

-------------------

auth_param basic program /usr/local/bin/mysql_auth

auth_param basic children 10 startup=5 idle=1

auth_param basic utf8 on

auth_param basic realm "Squid proxy-caching web server"

auth_param basic credentialsttl 2 hours

 

acl jufi1 src 1.2.3.4/32

acl jufi1-6 src  2a01:…..::2

acl jufi2 src 1.2.3.5/32

acl jufi2-6 src 2a01:…..::2

 

acl proxyusers proxy_auth REQUIRED

 

http_access allow jufi1

http_access allow jufi1-6

http_access allow jufi2

http_access allow jufi2-6

 

http_access allow proxyusers

 

-----------------------

 

Yours

Anton Kornexl


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid doesn't call helper

Amos Jeffries
Administrator
On 20/10/20 6:18 pm, Kornexl, Anton wrote:
> Squid 4.10 on Ubuntu 20.04
>
>  
>
> The configured program is started but not called (or the result not used)
>

Please check cache.log to find out which of those two very different
things is happening.

One means the ACL is not being checked or credentials not provided. The
other means credentials are invalid.

You may need to set this directive:
  debug_options 11,2 29,5 28,4

> The authentication window does not show up in the browser

That means the auth result was not deny.


>
> All request are denied because acl proxyuser doesn’t match
>

There is no deny line in your shown config using auth ACLs.


> The same config runs on squid 3.5.27 on Ubuntu 18.04 and squid 4.13 on
> opensuse 4.13
>
>  
>
> How can i debug this problem
>

Check cache.log with this directive set:
  debug_options 11,2 29,5 28,4


> Other helpers are also not called/used
>
>  

That strongly implies you have an ordering problem in your config file.
One early ACL allowing or denying traffic before any helpers get checked.


>
> http_access allow jufi1
>
> http_access allow jufi1-6
>
> http_access allow jufi2
>
> http_access allow jufi2-6
>

Since they are all the same type, and used the same way at the same time
You can combine all those ACLs into one name.

>
> http_access allow proxyusers
>

Please try the recommended auth config:

  http_access deny !proxyusers
  http_access allow localnet



Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid doesn't call helper

Kornexl, Anton
Thank you very much

With the debug option i found the error

An external acl program  later in the config returned a number and OK in one line (5:OK or 10:ERR)
The acl handler in squid got an exception handling this returned result and all requests got DENIED

After correcting the external handler squid works OK
AAAHHHH  

Yours
Anton Kornexl


-----Ursprüngliche Nachricht-----
Von: squid-users <[hidden email]> Im Auftrag von Amos Jeffries
Gesendet: Dienstag, 20. Oktober 2020 13:38
An: [hidden email]
Betreff: Re: [squid-users] Squid doesn't call helper

On 20/10/20 6:18 pm, Kornexl, Anton wrote:
> Squid 4.10 on Ubuntu 20.04
>
>  
>
> The configured program is started but not called (or the result not used)
>

Please check cache.log to find out which of those two very different
things is happening.

One means the ACL is not being checked or credentials not provided. The
other means credentials are invalid.

You may need to set this directive:
  debug_options 11,2 29,5 28,4

> The authentication window does not show up in the browser

That means the auth result was not deny.


>
> All request are denied because acl proxyuser doesn’t match
>

There is no deny line in your shown config using auth ACLs.


> The same config runs on squid 3.5.27 on Ubuntu 18.04 and squid 4.13 on
> opensuse 4.13
>
>  
>
> How can i debug this problem
>

Check cache.log with this directive set:
  debug_options 11,2 29,5 28,4


> Other helpers are also not called/used
>
>  

That strongly implies you have an ordering problem in your config file.
One early ACL allowing or denying traffic before any helpers get checked.


>
> http_access allow jufi1
>
> http_access allow jufi1-6
>
> http_access allow jufi2
>
> http_access allow jufi2-6
>

Since they are all the same type, and used the same way at the same time
You can combine all those ACLs into one name.

>
> http_access allow proxyusers
>

Please try the recommended auth config:

  http_access deny !proxyusers
  http_access allow localnet



Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users