1

I set up iptables and squid successfully, now I try to get the proxy authentication running. My squi.conf look the following way:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/proxy_users
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.7.0/24
acl passwd proxy_auth REQUIRED

http_access allow localnet passwd
http_access allow localhost
http_access deny all

So. Its according to the book. It works in so far as that when i start the browser, it hands me on request an "Access denied" page. But I get not chance to authenticate myself! I heard it could be that firefox automatically hands over an anynomous user, which, of course gets denied.

How can I force the browser to pop up an authentication box?

Kai
  • 177
  • 1
  • 3
  • 10
  • AFAIK, running a transparent proxy is completely incompatible with authentication. The browser must be configured use the proxy for it to attempt to authenticate. – Zoredache Nov 02 '11 at 20:21

4 Answers4

4

I'm sorry. Transparent means the browser is redirected to the proxy without knowing it. This implies the browser hasn't got configured any proxy, thus hasn't got configured any proxy authentication. Even more, the HTTP used to talk to a proxy is different than the one in a normal browser - webserver talk.

How exactly are you trying to do authentication mixed with transparent proxy? I've though inmediatly of this, checked google and confirmed it. Everywhere I look it says that it cannot be done.

ata
  • 228
  • 1
  • 4
  • Ha. Well. That sucks. Back to square one. I actually hoped that i could spare my users configuring their browsers to use a proxy...is there another solution? At my university you get redirected with every http request to a special login page. Could that be done? Or is there a user friendly way to do a non-transparent proxy? – Kai Nov 02 '11 at 23:06
  • @Kai, Setup auto proxy detection (google wpad), set the proxy with group policies? The redirection to a login page, is a captive-portal setup. Search for captive portal for lots of results, if what you really want is a captive portal, that is different then setting up squid authentication. – Zoredache Nov 03 '11 at 00:08
2

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F

Interception Proxying works by having an active agent (the proxy) where there should be none. The browser is not expecting it to be there, and it's for all effects and purposes being cheated or, at best, confused. As an user of that browser, I would require it not to give away any credentials to an unexpected party, wouldn't you agree? Especially so when the user-agent can do so without notifying the user, like Microsoft browsers can do when the proxy offers any of the Microsoft-designed authentication schemes such as NTLM (see ../ProxyAuthentication and Features/NegotiateAuthentication).

In other words, it's not a squid bug, but a browser security feature.

http://www.squid-cache.org/Versions/v2/2.7/cfgman/auth_param.html

WARNING: authentication can't be used in a transparently intercepting proxy as the client then thinks it is talking to an origin server and not the proxy. This is a limitation of bending the TCP/IP protocol to transparently intercepting port 80, not a limitation in Squid.

Jayen
  • 1,857
  • 4
  • 16
  • 28
0

Your IP is being rejected as only localnet and localhost are allowed. So add another acl with your IP, or IP range. acl myisp src your.ip.goes.here

http_access allow myisp passwd

Then restart and you should be asked for your username and password.

For future reference, check /var/log/squid/access.log for future squid auth errors.

georgiecasey
  • 169
  • 5
0

You can't.

http://www.cyberciti.biz/faq/squid-proxy-authentication-in-transparent-mode/

If your problem is clients auto-configuration, check for WPAD.

Giovanni Toraldo
  • 2,587
  • 19
  • 27