squid asking for authentication repeatedly


squid asking for authentication repeatedly

Paul Hackmann
Has anyone had the instance where the proxy will ask the user to authenticate several times as they are browsing the web?  I have been seeing this as a random occurrence for some of the users on the server.  It will pop up a login prompt in the browser repeatedly for a minute or two.  Then it will settle down and be fine for hours.  I'm trying to track it down, but I can't find anything amiss.  The access logs haven't shown anything unusual.  I am using basic authentication with the proxy settings set in firefox.  Is this something that a spike in traffic on the server could cause?  Anybody have any suggestions?  The server is linux based.

PH

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid asking for authentication repeatedly

Alex Crow
Firefox is not great at Auth. Chrome works better imho. FF seems ok with digest, ie AD.

Sent from TypeApp
On 11 Dec 2017, at 22:05, Paul Hackmann <[hidden email]> wrote:

Re: squid asking for authentication repeatedly

Amos Jeffries
On 12/12/17 11:04, Paul Hackmann wrote:

What version of Squid?
What ACLs and http_access configuration?

Amos

Re: squid asking for authentication repeatedly

Paul Hackmann
Alex,

That is certainly something I can test.  It was never a problem before, so I wonder if one of the recent updates (pre-quantum) has introduced a new issue with firefox.  Thanks.
PH

On Mon, Dec 11, 2017 at 4:16 PM, Alex Crow <[hidden email]> wrote:

Re: squid asking for authentication repeatedly

Paul Hackmann
Amos,

The squid version is 3.1.19.  The network is set up with a 192.168.0.X network on the lan side, and a 192.168.1.x network on the internet side.  Both ports 3120 and 4120 require authentication, but port 4120 is meant to be restricted to only the whitelisted sites which are in a separate file.  Port 3120 allows access to any site.  The browser causing trouble is configured for port 3120, not 4120.  Here is my squid.conf file:

http_port 3120
http_port 4120 intercept

cache_dir ufs /var/spool/squid3 500 16 256

#not sure what this block is for
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

acl whitelist dstdomain "/etc/squid3/whitelist.conf"

auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
auth_param basic children 6
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 4 hours
auth_param basic casesensitive off

acl ncsa_users proxy_auth REQUIRED

#not sure what this line does
acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/

acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

#acl http proto http
acl SSL_ports port 443
acl port_80 port 80
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

#list of computers that have access by ip address
acl allowed_clients src 192.168.0.9-192.168.0.45 192.168.0.53 192.168.0.65 192.168.0.83 192.168.0.90 192.168.0.91 192.168.0.179 192.168.0.186 192.168.0.220 192.168.0.221 192.168.0.244

acl portX myportname 4120
http_access allow portX whitelist
http_access deny portX

acl deny_websites dstdomain "/etc/squid3/deny_websites.conf"
acl CONNECT method CONNECT
#acl wuCONNECT dstdomain "/etc/squid3/whitelist.conf"
#acl wuCONNECT dstdomain sls.microsoft.com

#rule allowing nonauthenticated users
#http_access allow http port_80 whitelist
http_access allow CONNECT SSL_ports whitelist

#other access rules
#http_access deny !ncsa_users
http_access allow CONNECT localnet
http_access deny deny_websites
http_access allow allowed_clients ncsa_users
http_access deny !allowed_clients
#http_access allow ncsa_users
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localhost
#http_access allow localnet

http_access deny all

If the conf file is a mess, or has some problems, feel free to say so, as I don't know what all of the directives in it are for.  I marked a couple of lines I don't understand.  I would be happy for it to be optimized more if anyone has ideas.

Thanks,
PH

On Mon, Dec 11, 2017 at 7:16 PM, Amos Jeffries <[hidden email]> wrote:

Re: squid asking for authentication repeatedly

Amos Jeffries
On 13/12/17 04:10, Paul Hackmann wrote:
> Amos,
>
> The squid version is 3.1.19.

Please upgrade. There have been a *lot* of authentication related issues
that got solved in the years since that version was released. IIRC
several involved nasty things like the looping you described.

All current OS distributions have more recent Squid versions available.
Or worst-case custom building is not very hard.


>  The network is set up with a 192.168.0.X
> network on the lan side, and a 192.168.1.x network on the internet
> side.  Both ports 3120 and 4120 require authentication,


NOTE: port 4120 is an intercepted port. HTTP Proxy Authentication on
traffic arriving there is prohibited, since the HTTP traffic syntax is
origin-form.

However that said, your config displayed below contradicts what you
wrote above. Port 4120 traffic does *not* use authentication - the only
restriction on port 4120 traffic is that it be going to one of the
whitelisted domains. Period. There is absolutely no restriction on what
happens or can be done when going to those domains.



> but port 4120 is
> meant to be restricted to only the whitelisted sites which are in a
> separate file.  Port 3120 allows access to any site.  The browser
> causing trouble is configured for port 3120, not 4120.  Here is my
> squid.conf file:
>
...
>
> #not sure what this line does
> acl manager url_regex -i ^cache_object:// +i
> ^https?://[^/]+/squid-internal-mgr/
>

The above line defines an ACL which matches requests for Squid's internal
cache management reports. For both the Squid-2+ and Squid-3.4+
management APIs.

Your Squid version requires this to be configured. Current releases
provide it as a built-in default ACL so you don't need to track or fix
its definition changes during upgrade.

...
> http_access allow CONNECT localnet

Bad. All LAN clients are allowed to open arbitrary TCP connections
(CONNECT tunnels) through the proxy *to anywhere* with absolutely zero
restrictions.

The entire point of the "deny CONNECT !SSL_ports" and other default
security rules is to prohibit attackers and infected LAN clients from
using the proxy to spread nasty traffic around.

To be useful those default security measures must be placed *first* in
the http_access ordering and written exactly as provided in the default
installation. Your own rules should be applied to the traffic which gets
past those basic precautions.


> http_access deny deny_websites
> http_access allow allowed_clients ncsa_users
> http_access deny !allowed_clients
> #http_access allow ncsa_users
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> #http_access deny CONNECT !SSL_ports
> http_access allow localhost
> #http_access allow localnet
>
> http_access deny all
>
> If the conf file is a mess, or has some problems, feel free to say so,
> as I don't know what all of the directives in it are for.  I marked a
> couple of lines I don't understand.  I would be happy for it to be
> optimized more if anyone has ideas.
>

I recommend you write your http_access something like so:


  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow manager localhost
  http_access deny manager

  # domains in deny_websites are DENIED for everybody.
  http_access deny deny_websites

  # domains in whitelist are ALLOWED for everybody
  http_access allow whitelist

  # port 4120 traffic is restricted to the above whitelisted domains
  http_access deny portX

  # otherwise; for port 3120 traffic ...

  # only specific clients with whitelisted IPs can use the proxy ...
  http_access deny !allowed_clients

  # ... and must also login
  http_access deny !ncsa_users

  http_access allow localnet

  http_access deny all


If the above still has the looping issue then I think the problem is
related to how the Browser is using its TCP connections.

Some Browsers used to open many parallel TCP connections and start
requesting stuff immediately. But their internal credential handling
seemed not to cope with the parallelism, treating the 2nd through Nth
auth challenges as a sign that the 1st connections credentials were invalid.

This was particularly bad for any Browsers configured to auto-load many
tabs on startup. I've not heard of it happening in quite a while though,
so it may be fixed in current Browsers. Or maybe they just handle tabs
differently, in a way that does not trigger it so easily.

Amos

Re: squid asking for authentication repeatedly

Paul Hackmann
Amos,

I will do an update to the most recent version and see if that helps.  It was one of those situations where if it ain't broke, don't fix it.  And up until now, it has worked very well.

You are right, I had brain fade about port 4120.  It should NOT ask for authentication ever, and only connect to whitelisted sites, which is what I want.

I've made the changes you recommended to the conf file.  So far, everything seems to be working as I expect it to.  Thank you!

One more question if you don't mind.  I am trying to add some ip addresses as whitelisted for port 4120.  I guess I can't add those to the whitelist file, because its formatting doesn't work with IP addresses?  I read that you can add them into the conf file.  I've created the following acl line:

acl 8x8 dst 8.5.248.0/23 8.28.0.0/22 63.209.12.0/24 162.221.236.0/23 162.221.238.0/23 192.84.16.0/22

and I tried to add 8x8 to the http_access line:

http_access allow whitelist 8x8

but when I did that, the 4120 port started asking for authentication, which is wrong. Can you tell me how to open those ip address ranges for port 4120?

Thanks very much
PH

On Tue, Dec 12, 2017 at 10:30 AM, Amos Jeffries <[hidden email]> wrote:

Re: squid asking for authentication repeatedly

Amos Jeffries
On 14/12/17 11:32, Paul Hackmann wrote:

> Amos,
>
> I will do an update to the most recent version and see if that helps.  
> It was one of those situations where if it ain't broke, don't fix it.  
> And up until now, it has worked very well.
>
> You are right, I had brain fade about port 4120.  It should NOT ask for
> authentication ever, and only connect to whitelisted sites, which is
> what I want.
>
> I've made the changes you recommended to the conf file.  So far,
> everything seems to be working as I expect it to.  Thank you!
>
> One more question if you don't mind.  I am trying to add some ip
> addresses as whitelisted for port 4120.  I guess I can't add those to
> the whitelist file, because it's formatting doesn't work with IP
> addresses?

Sort of. dstdomain can accept IPs for matching against raw-IP text
strings in URLs where domain should have been. But does not do ranges
like you need there.

So yes dst is the one to use there.

However, be aware that it will match if *any* of the IPs for the domain
being fetched is in your whitelist set. It has nothing to do with whether
that matching dst-IP is actually used by Squid on the server connection.
To workaround that is where explicitly configuring "never_direct allow
all" comes in handy.


>  I read that you can add them into the conf file.  I've
> created the following acl line:
>
> acl 8x8 dst 8.5.248.0/23 8.28.0.0/22 63.209.12.0/24
> 162.221.236.0/23 162.221.238.0/23 192.84.16.0/22
>
> and I tried to add 8x8 to the the http_access line:
>
> http_access allow whitelist 8x8
>
> but when I did that, the 4120 port started asking for authentication,
> which is wrong. Can you tell me how to open those ip address ranges for
> port 4120?
>

Your use of http_access is not quite right.

see <https://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes>


Amos

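The http_access semantics that Amos's two replies above rely on (the first line whose ACLs all match decides, ACLs on one line are ANDed so OR needs separate lines, and a proxy_auth ACL reached without credentials produces the 407 challenge) can be replayed offline. The following is an added example, not code from the thread and not Squid's own implementation: a small Python model that evaluates constructed requests against the posted rule order and against the recommended one. The whitelist contents (example.com), the client and destination addresses, the user name "ph" and the port-8080 tunnel are assumptions; the manager and deny_websites lines are left out because they do not affect these requests, and only the ACL types used in the posted squid.conf are modelled.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code). First
matching line decides; ACLs on a line are ANDed; proxy_auth without creds -> 407."""
import ipaddress
from collections import namedtuple

# user "" means the request carried no Proxy-Authorization header.
Request = namedtuple("Request", "src host dst_ip port method myport user",
                     defaults=("GET", 3120, ""))

def _ip_match(ip, values):
    a = ipaddress.ip_address(ip)
    for v in values:
        lo, _, hi = v.partition("-")  # addr1-addr2 range form, as in allowed_clients
        if hi and ipaddress.ip_address(lo) <= a <= ipaddress.ip_address(hi):
            return True
        if not hi and a in ipaddress.ip_network(lo, strict=False):
            return True
    return False

ACL_TYPES = {
    "src": lambda r, v: _ip_match(r.src, v),
    "dst": lambda r, v: _ip_match(r.dst_ip, v),
    "dstdomain": lambda r, v: any(r.host == d or r.host.endswith("." + d) for d in v),
    "port": lambda r, v: any(int(x.split("-")[0]) <= r.port <= int(x.split("-")[-1]) for x in v),
    "method": lambda r, v: r.method in v,
    "myportname": lambda r, v: str(r.myport) in v,
    "proxy_auth": lambda r, v: bool(r.user),  # REQUIRED: any logged-in user
    "all": lambda r, v: True,
}

def http_access(rules, acls, req):
    """Return (decision, deciding line); decision is allow, deny or challenge."""
    for line in rules.strip().splitlines():
        action, *terms = line.split()[1:]
        for term in terms:  # left to right, stop at the first ACL that fails
            kind, values = acls[term.lstrip("!")]
            if kind == "proxy_auth" and not req.user:
                return "challenge", line  # 407 sent; no allow/deny is reached
            if ACL_TYPES[kind](req, values) == term.startswith("!"):
                break
        else:
            return action, line
    return "deny", "(end of list)"

# ACLs from the posted squid.conf; whitelist.conf is a constructed stub and the
# manager and deny_websites ACLs are left out (they do not affect these requests).
ACLS = {
    "whitelist": ("dstdomain", ["example.com"]),
    "ncsa_users": ("proxy_auth", ["REQUIRED"]),
    "localnet": ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10"]),
    "SSL_ports": ("port", ["443"]),
    "Safe_ports": ("port", ["80", "21", "443", "70", "210", "1025-65535", "280", "488", "591", "777"]),
    "allowed_clients": ("src", ["192.168.0.9-192.168.0.45", "192.168.0.53", "192.168.0.65"]),
    "portX": ("myportname", ["4120"]),
    "CONNECT": ("method", ["CONNECT"]),
    "8x8": ("dst", ["8.5.248.0/23", "8.28.0.0/22", "63.209.12.0/24", "162.221.236.0/23",
                    "162.221.238.0/23", "192.84.16.0/22"]),
    "all": ("all", []),
}
POSTED = """
http_access allow portX whitelist
http_access deny portX
http_access allow CONNECT SSL_ports whitelist
http_access allow CONNECT localnet
http_access allow allowed_clients ncsa_users
http_access deny !allowed_clients
http_access deny !Safe_ports
http_access deny all
"""
RECOMMENDED = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow whitelist
http_access deny portX
http_access deny !allowed_clients
http_access deny !ncsa_users
http_access allow localnet
http_access deny all
"""
# Constructed requests (documentation addresses, not real hosts).
TUNNEL = Request("192.168.0.100", "203.0.113.5", "203.0.113.5", 8080, method="CONNECT")
STRANGER = Request("192.168.0.100", "www.example.org", "198.51.100.7", 80)
STAFF = Request("192.168.0.20", "www.example.org", "198.51.100.7", 80)
INTERCEPTED = Request("192.168.0.100", "8.5.248.10", "8.5.248.10", 80, myport=4120)

def cases():
    """Decisions that show why rule order and the AND/OR distinction matter."""
    anded = RECOMMENDED.replace("allow whitelist\n", "allow whitelist 8x8\n")
    own_line = RECOMMENDED.replace("allow whitelist\n", "allow whitelist\nhttp_access allow 8x8\n")
    return {
        "tunnel/posted": http_access(POSTED, ACLS, TUNNEL),
        "tunnel/recommended": http_access(RECOMMENDED, ACLS, TUNNEL),
        "stranger/posted": http_access(POSTED, ACLS, STRANGER),
        "staff-no-creds/recommended": http_access(RECOMMENDED, ACLS, STAFF),
        "staff-creds/recommended": http_access(RECOMMENDED, ACLS, STAFF._replace(user="ph")),
        "8x8-anded/recommended": http_access(anded, ACLS, INTERCEPTED),
        "8x8-own-line/recommended": http_access(own_line, ACLS, INTERCEPTED),
    }

if __name__ == "__main__":
    for name, (decision, line) in cases().items():
        print(f"{name:28} {decision:9} <- {line}")
```

Running it shows the three points of the thread side by side: under the posted order a LAN client's CONNECT to port 8080 is accepted by "allow CONNECT localnet" before any Safe_ports or SSL_ports check runs, while the recommended order stops it at "deny CONNECT !SSL_ports"; a client that is not in allowed_clients never reaches the proxy_auth ACL (the line fails on allowed_clients first) and is simply denied, whereas an allowed client with no credentials reaches "deny !ncsa_users" and gets the 407; and "allow whitelist 8x8" on one line requires both ACLs, so the intercepted 8x8 request falls through to "deny portX", while a separate "allow 8x8" line admits it, which is the FAQ's common-mistakes point about AND versus OR.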
Re: squid asking for authentication repeatedly

Paul Hackmann
Amos,

Understood.  I think it is all working correctly now.  Thank you!

PH

On Wed, Dec 13, 2017 at 7:35 PM, Amos Jeffries <[hidden email]> wrote: