Zentyal Forum, Linux Small Business Server

Zentyal Server => Other modules => Topic started by: Ret on November 09, 2021, 10:49:01 pm

Title: Endless login popups from Proxy
Post by: Ret on November 09, 2021, 10:49:01 pm

I've been using Zentyal 2.2 for a long time  but now I'm preparing to migrate to 7.0
I've installed 7.0 but I'm experiencing problems with proxy module:

I need to use a filter profile that lets a group of users surf only to specific sites. So I add those domains in a list with their " allow" rules. I also enable the checkbox "Block not listed domains and URLs".
The problem is that all borwsers keep on asking for login credentials. (Same issue experienced by this users: https://forum.zentyal.org/index.php?topic=22446.0 )

I think I've found the solution.
 According to Squid Wiki: https://wiki.squid-cache.org/action/show/Features/Authentication?action=show&redirect=SquidFaq%2FProxyAuthentication
we could use the "all"  hack in squid.conf. That is, we should add "all" at the end of the deny ACL

excerpt from original  squid.conf

Code: [Select]

http_access allow  authorized grp~MYGROUP fltr2~df~dmn1
http_access deny  authorized grp~MYGROUP
fixed squid.conf

Code: [Select]

http_access allow  authorized grp~MYGROUP fltr2~df~dmn1
http_access deny  authorized grp~MYGROUP all
With this last line squid accepts login credentials from browsers and let users surf to the allowed domains and deny all others. There are no more endless login popups.

Developers: do you think you could add this fix (or a proper one) ?
Thank you!

Title: Re: Endless login popups from Proxy
Post by: turalyon on November 11, 2021, 10:24:06 am

You should report this bug and provide the solution and the details you can in Github.

* https://github.com/zentyal/zentyal/issues

--

“This world is ours, and by the Holy Light we will keep it safe, now and forever"

Title: Re: Endless login popups from Proxy
Post by: Ret on December 29, 2021, 03:06:15 pm

UPDATE: Better solution
After using my "all" workaound I've run into a new problem: When a user belongs to multiple groups and those groups have to different profile rules. If any of those profiles uses whitelists that block sites " not listed", squid won't let the user access sites that were whitelisted in another profile.

So, the solutions I've foiund is to remove the lines "http_access deny  authorized grp~MYGROUP" altogether. That's because there's already a rule denying all access to everyone at the end of squid.conf and this way; So that will let squid check if a user can access domains that are whitelisted in a different group before denying access.

Hope this helps!!