Author Topic: Endless login popups from Proxy  (Read 1224 times)

Ret

  • Zen Apprentice
  • *
  • Posts: 35
  • Karma: +1/-0
    • View Profile
Endless login popups from Proxy
« on: November 09, 2021, 10:49:01 pm »
I've been using Zentyal 2.2 for a long time  but now I'm preparing to migrate to 7.0
I've installed 7.0 but I'm experiencing problems with proxy module:

I need to use a filter profile that lets a group of users surf only to specific sites. So I add those domains in a list with their " allow" rules. I also enable the checkbox "Block not listed domains and URLs".
The problem is that all borwsers keep on asking for login credentials. (Same issue experienced by this users: https://forum.zentyal.org/index.php?topic=22446.0 )

I think I've found the solution.
 According to Squid Wiki: https://wiki.squid-cache.org/action/show/Features/Authentication?action=show&redirect=SquidFaq%2FProxyAuthentication
we could use the "all"  hack in squid.conf. That is, we should add "all" at the end of the deny ACL

excerpt from original  squid.conf
Code: [Select]
http_access allow  authorized grp~MYGROUP fltr2~df~dmn1
http_access deny  authorized grp~MYGROUP

fixed squid.conf
Code: [Select]
http_access allow  authorized grp~MYGROUP fltr2~df~dmn1
http_access deny  authorized grp~MYGROUP all

With this last line squid accepts login credentials from browsers and let users surf to the allowed domains and deny all others. There are no more endless login popups.

Developers: do you think you could add this fix (or a proper one) ?
Thank you!



turalyon

  • Zen Warrior
  • ***
  • Posts: 197
  • Karma: +15/-0
    • View Profile
Re: Endless login popups from Proxy
« Reply #1 on: November 11, 2021, 10:24:06 am »
You should report this bug and provide the solution and the details you can in Github.

* https://github.com/zentyal/zentyal/issues

--

“This world is ours, and by the Holy Light we will keep it safe, now and forever"

Ret

  • Zen Apprentice
  • *
  • Posts: 35
  • Karma: +1/-0
    • View Profile
Re: Endless login popups from Proxy
« Reply #2 on: December 29, 2021, 03:06:15 pm »
UPDATE: Better solution
After using my "all" workaound I've run into a new problem: When a user belongs to multiple groups and those groups have to different profile rules. If any of those profiles uses whitelists that block sites " not listed", squid won't let the user access sites that were whitelisted in another profile.

So, the solutions I've foiund is to remove the lines "http_access deny  authorized grp~MYGROUP" altogether. That's because there's already a rule denying all access to everyone at the end of squid.conf and this way; So that will let squid check if a user can access domains that are whitelisted in a different group before denying access.

Hope this helps!!