Author Topic: Problem squid authentication with zentyal  (Read 3110 times)

Yoann

  • Zen Apprentice
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Problem squid authentication with zentyal
« on: January 18, 2018, 12:52:39 pm »
Hello,

I would like to set up a captive portal on the Ethernet network of my company for this squid authentication was retained. The problem is that when no access rule is set up in zentyal everything works fine, but when I start modifying the access rules to block some site or I set up a category list the authentication always does, but there is no access to the internet anymore and this message appears:



Here is the configuration of my squid.conf file:

Code: [Select]
http_port 0.0.0.0:3129

visible_hostname zentyal2.test.gerson
coredump_dir /var/spool/squid
cache_effective_user proxy
cache_effective_group proxy
cache_mem 128 MB
cache_dir ufs /var/spool/squid 100 16 256
maximum_object_size 300 MB
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

pid_filename /var/run/squid.pid

dns_nameservers 192.168.43.1

# refresh patterns

# windows updates
refresh_pattern http://.*\.windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://.*\.update\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://download\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://.*\.download\.windowsupdate\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://office\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w?xpsp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w2ksp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims

# linux updates
refresh_pattern http://.*\.archive\.ubuntu\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://(ftp|http)[0-9]*\.[a-z]+\.debian\.org/ 0 80% 20160 reload-into-ims

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# end refresh patterns

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/utilisateur
auth_param basic children 5
auth_param basic realm Merci de vous identifier sur notre proxy
#auth_param basic credentialsttl 15 hours
authenticate_ttl 1 hour

authenticate_ip_ttl 60 seconds


acl_uses_indirect_client on

# no cache domains acl


acl from_localhost src 127.0.0.0/8 ::1
#acl to_localhost dst 127.0.0.0/8 ::1
acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
acl SSL_ports port 443          # https, snews
acl SSL_ports port 873          # rsync
acl SSL_ports port 21       #ftp
acl SSL_ports port 631      #cups over https
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 631         # cups
acl Safe_ports port 777         # multiling http
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT

acl CONNECT method CONNECT
acl purge method PURGE

acl utilisateur proxy_auth REQUIRED
acl fltr2~df~dmn3 dstdomain .youtube.com

http_access allow to_localhost
follow_x_forwarded_for allow from_localhost
log_uses_indirect_client on

http_access allow manager to_localhost

http_access deny manager
http_access deny purge
http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports
http_access allow from_localhost
forwarded_for on
always_direct allow to_localhost


##
## ACLs from model rules
##
##
## Access
##


http_access allow  utilisateur

http_access deny  all fltr2~df~dmn3
http_access allow  all

##
## Default policy
##
# All acces denied by default if no other allow rule matchs
http_access deny all
# reply access allowed if not denied before
http_reply_access allow all

Here I hope I was clear enough I remain at your disposal for any questions.