Topic: HTTP Proxy not authenticating

christian

  • Guest
Re: HTTP Proxy not authenticating
« Reply #30 on: August 29, 2012, 04:03:29 pm »
so it looks like your "basic" authentication settings do not work... are you 100% sure the tweak you applied is correct? (I didn't look at the detail of what this "how to" suggests yet)

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #31 on: August 29, 2012, 04:03:53 pm »
:) /var/logs all in there.

Always good to throw in the zentyal log and module specific log.

I usually use winscp as a freebie goodie to do it remotely.

What do you mean by this? The default gateway for the DHCP pool is to use the zentyal firewall.

Sorry I got confused but I thought you said you couldn't get any access from the proxy machine?
In fact a little confused to be honest :)

Stay with it :) post some logs and check the basics and build without the proxy and all.

Might be a while as I have an invite for pub lunch and a beer.

I don't have internet access on some clients if they are setup to go through the proxy on port 3128, but on those same computers with the proxy setting removed I do have internet access through zentyal as the gateway as long as it's not being sent through squid.

Also I don't have permission to view /var/log/squid? Shouldn't I?

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #32 on: August 29, 2012, 04:07:48 pm »
so it looks like your "basic" authentication settings do not work... are you 100% sure the tweak you applied is correct? (I didn't look at the detail of what this "how to" suggests yet)

It seems that way. I removed the NTLM auth setting in squid and dansguardian just now and I am being prompted for login in IE and it's the same as it was with firefox. Just keeps re-prompting for login even with credentials I know are correct.

christian

  • Guest
Re: HTTP Proxy not authenticating
« Reply #33 on: August 29, 2012, 04:15:39 pm »
- access to squid log (although at this stage I don't think this is the highest priority): you need to sudo.
- basic authentication not working: ??? ??? are these credentials working when you, e.g., access user corner?

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #34 on: August 29, 2012, 04:23:19 pm »
- access to squid log (although at this stage I don't think this is the highest priority): you need to sudo.
- basic authentication not working: ??? ??? are these credentials working when you, e.g., access user corner?

In the admin gui for user corner it says "User Corner is not supported on slave servers."

christian

  • Guest
Re: HTTP Proxy not authenticating
« Reply #35 on: August 29, 2012, 04:33:49 pm »
Oops, I missed this point described in your very first post :-[
Would you mind posting your squid.conf file here?
« Last Edit: August 29, 2012, 04:37:37 pm by christian »

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #36 on: August 29, 2012, 04:36:35 pm »
Oops, I missed this point described in your very first post :-[
Would you mind posting your squid.conf file here?

/etc/squid/squid.conf
or
/usr/share/zentyal/stubs/squid/squid.conf.mas

christian

  • Guest
Re: HTTP Proxy not authenticating
« Reply #37 on: August 29, 2012, 04:38:09 pm »
the one active, meaning /etc/squid/squid.conf

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #38 on: August 29, 2012, 05:02:04 pm »
Here is the /etc/squid/squid.conf
I changed my domain and server name in the auth_param setting.


# <EBOX> TAG_HTTPORT #
http_port 3128
# END_TAG #

visible_hostname localhost
dns_nameservers 8.8.8.8 8.8.4.4
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# refresh patterns

# windows updates
refresh_pattern http://.*\.windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://.*\.update\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://download\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://.*\.download\.windowsupdate\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://office\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w?xpsp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w2ksp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims
# linux updates
refresh_pattern http://.*\.archive\.ubuntu\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://(ftp|http)[0-9]*\.[a-z]+\.debian\.org/ 0 80% 20160 reload-into-ims

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
# end refresh patterns

coredump_dir /var/spool/squid
cache_effective_user proxy
cache_effective_group proxy
cache_mem 128 MB
maximum_object_size 300 MB
access_log /var/log/squid/access.log squid
pid_filename /var/run/squid.pid

cache_dir ufs /var/spool/squid 500 16 256



# <EBOX> TAG_ACL #
#auth_param basic realm Zentyal HTTP proxy
#auth_param basic program /usr/lib/squid/ldap_auth -v 3 -b  ou=Users,dc=rvw,dc=com  -u uid  -h ldap://127.0.0.1:389
auth_param ntlm program /usr/lib/squid/ntlm_auth -b mydomain.local/myserver
auth_param ntlm children 25

acl authorized  proxy_auth required

acl Sales proxy_auth my users synced from ldap
acl Information__Systems proxy_auth my users synced from ldap

# no cache domains acl

# END_TAG #
acl localhost src 127.0.0.0/8
acl localhostdst dst 127.0.0.0/8
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563   # https, snews
acl SSL_ports port 873      # rsync
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443 563   # https, snews
acl Safe_ports port 70      # gopher
acl Safe_ports port 210      # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280      # http-mgmt
acl Safe_ports port 488      # gss-http
acl Safe_ports port 591      # filemaker
acl Safe_ports port 777      # multiling http
acl Safe_ports port 631      # cups
acl Safe_ports port 873      # rsync
acl Safe_ports port 901      # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

follow_x_forwarded_for allow localhost
log_uses_indirect_client off

http_access allow localhost

http_access deny manager
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_reply_access allow all



# <EBOX> TAG_DELAYPOOLS #

acl eboxlocalnets dst 10.20.20.0/22

# END_TAG

# <EBOX> TAG_HTTP_ACCESS #

http_access allow authorized all
http_access allow   Information__Systems
http_access allow   Sales

# default policy section

http_access allow authorized all
http_access allow all


# END_TAG #

# <EBOX> TAG SNMP #

# END_TAG #

always_direct allow localhostdst
« Last Edit: August 29, 2012, 05:18:45 pm by ccarpenter »
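
Since the thread turns on which authentication scheme is actually live in the posted file, here is an added example (not part of the original post, and not Zentyal or Squid code) that reads a squid.conf and reports the active and commented-out auth helpers and how the first-match http_access list resolves. The `audit` function, the `SAMPLE_CONF` excerpt and the `exampleuser` ACL member are assumptions made for illustration.

```python
import re

# Constructed excerpt: the auth and access lines of the squid.conf posted
# above, in the same order; "exampleuser" stands in for the redacted users.
SAMPLE_CONF = """\
#auth_param basic realm Zentyal HTTP proxy
#auth_param basic program /usr/lib/squid/ldap_auth -v 3 -b ou=Users,dc=rvw,dc=com -u uid -h ldap://127.0.0.1:389
auth_param ntlm program /usr/lib/squid/ntlm_auth -b mydomain.local/myserver
auth_param ntlm children 25
acl authorized proxy_auth required
acl Sales proxy_auth exampleuser
http_access allow localhost
http_access deny manager
http_access allow authorized all
http_access allow Sales
http_access allow authorized all
http_access allow all
"""

def audit(conf):
    """Summarise which auth helpers are live and how http_access resolves."""
    active, disabled, auth_acls, rules = set(), set(), set(), []
    for raw in conf.splitlines():
        line = raw.strip()
        # A commented-out helper line: the scheme is in the file but switched off.
        m = re.match(r"#\s*auth_param\s+(\S+)\s+program\b", line)
        if m:
            disabled.add(m.group(1))
            continue
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "auth_param" and len(tok) > 2 and tok[2] == "program":
            active.add(tok[1])
        elif tok[0] == "acl" and len(tok) > 2 and tok[2] == "proxy_auth":
            auth_acls.add(tok[1])
        elif tok[0] == "http_access" and len(tok) > 2:
            rules.append((tok[1], tuple(tok[2:])))
    # http_access is first-match: a repeated rule can never change the outcome.
    duplicates = [i for i, r in enumerate(rules) if r in rules[:i]]
    # Rules that reference a proxy_auth ACL (directly or negated).
    needs_auth = [i for i, (_, acls) in enumerate(rules)
                  if any(a.lstrip("!") in auth_acls for a in acls)]
    # A bare "all" rule matches every request that reaches it.
    catch_all = next((i for i, (_, acls) in enumerate(rules) if acls == ("all",)), None)
    return {"active": sorted(active), "disabled": sorted(disabled - active),
            "duplicates": duplicates, "needs_auth": needs_auth,
            "fallthrough": rules[catch_all][0] if catch_all is not None else None}
```

On the sample, `audit(SAMPLE_CONF)` reports `ntlm` as the only live scheme, `basic` as commented out, one repeated rule, and a final `allow all` that lets through any request no earlier rule matched.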

christian

  • Guest
Re: HTTP Proxy not authenticating
« Reply #39 on: August 29, 2012, 05:06:00 pm »
 ??? either you made a mistake or there is something really weird because this file looks like squid.conf.mas, not like squid.conf
Please check twice and confirm.

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #40 on: August 29, 2012, 05:19:22 pm »
Sorry copied the wrong text file. Edited my last post.

christian

  • Guest
Re: HTTP Proxy not authenticating
« Reply #41 on: August 29, 2012, 05:27:57 pm »
Cool.
Looking at your file, you are using NTLM authentication... so I'm lost now.
I was under the impression that you were facing an error with basic authentication and in order to investigate this, you reverted back to "basic authentication", still it was not working. However, when I look at this file, there is no basic but NTLM.
Could you please clarify this?

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #42 on: August 29, 2012, 05:31:59 pm »
Could you please clarify this?

Yes, I've switched it back and forth a couple of times this morning. It just happened to be with NTLM when I copied it just now.

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #43 on: August 29, 2012, 05:48:15 pm »
Also 3.0 RC1 is out and to be honest that is the way to go.

NTLM isn't secure anymore as there are exploits. Kerberos is the way to go and is all singing and dancing in the new version.

Installed 3.0 in a vm and I noticed the "users and groups" found my domain automatically. Do I still need to use the zentyal windows program on my server to synchronize users?

ccarpenter

Re: HTTP Proxy not authenticating
« Reply #44 on: August 29, 2012, 06:04:14 pm »
Going through my syslog it is showing this:

Aug 29 12:00:01 firewall slapd[10359]: connection_read(19): no connection!
Aug 29 12:00:01 firewall slapd[10359]: connection_read(19): no connection!
Aug 29 12:00:01 firewall slapd[10359]: connection_read(13): no connection!
Aug 29 12:00:02 firewall slapd[10359]: last message repeated 11 times
Aug 29 12:00:02 firewall slapd[10359]: connection_read(19): no connection!
Aug 29 12:00:03 firewall slapd[10359]: last message repeated 3 times
Aug 29 12:00:03 firewall slapd[10359]: connection_read(13): no connection!
Aug 29 12:00:03 firewall slapd[10359]: connection_read(13): no connection!

looks like ldap is not working correctly?