
I have a problem with a squid proxy that always denies requests. The bad part is, I never get to see an authentication pop-up...

Squid is running on an Ubuntu 14.04 vserver.

I'll provide you my squid.conf:

# acls
### local net
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

### safe ports
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#set squid port
http_port 3128

hierarchy_stoplist cgi-bin ?

forwarded_for delete

# authentication with username and password
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/squid_user
acl foo proxy_auth REQUIRED
http_access allow foo

## disable ident lookup
ident_lookup_access deny all

# last rule to block all without other valid rule
http_access deny all

The worst part is that I already got exactly that configuration running on several other vserver instances over the last few months - and I can't figure out what's wrong...

Here is the output of netstat -l and the last few log entries from /var/log/squid3/access.log

netstat -l

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp6       0      0 [::]:3128               [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
udp        0      0 Ubuntu-1404-trusty-:ntp *:*                                
udp        0      0 localhost.localdoma:ntp *:*                                
udp        0      0 *:ntp                   *:*                                
udp        0      0 *:45391                 *:*                                
udp6       0      0 Ubuntu-1404-trusty-:ntp [::]:*                             
udp6       0      0 fe80::21c:14ff:fe01:ntp [::]:*                             
udp6       0      0 ip6-localhost:ntp       [::]:*                             
udp6       0      0 [::]:ntp                [::]:*                             
udp6       0      0 [::]:46534              [::]:*                             
raw        0      0 *:icmp                  *:*                     7          
raw6       0      0 [::]:ipv6-icmp          [::]:*                  7          
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     9030     /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     7254     @/com/ubuntu/upstart
unix  2      [ ACC ]     STREAM     LISTENING     7803     /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     SEQPACKET  LISTENING     7624     /run/udev/control

The last few entries of /var/log/squid3/access.log

1407774496.214      0 188.40.117.68 TCP_DENIED/403 4167 GET http://www.google.de/ - HIER_NONE/- text/html
1407774496.346      0 188.40.117.68 TCP_DENIED/403 3963 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1407774496.398      0 188.40.117.68 TCP_DENIED/403 4200 GET http://www.google.de/favicon.ico - HIER_NONE/- text/html
1407774496.419      0 188.40.117.68 TCP_DENIED/403 4200 GET http://www.google.de/favicon.ico - HIER_NONE/- text/html
1407774498.431      0 188.40.117.68 TCP_DENIED/403 4203 GET http://www.google.de/ - HIER_NONE/- text/html

Thank you for your time - I really appreciate any help. If you need further information just say so and I will try to provide it.

mhr
  • Enable debugging, and see if you get any useful errors? http://wiki.squid-cache.org/SquidFaq/SquidAcl#I_set_up_my_access_controls.2C_but_they_don.27t_work.21__why.3F – Zoredache Aug 11 '14 at 17:22
  • There are two worst parts ;-) – Felix Frank Aug 11 '14 at 17:41
  • The only thing I get in the cache.log is *2014/08/11 21:16:38| Squid is already running! Process ID 2313*, @Zoredache... This seems kinda strange to me, to be honest. If I check *service --status-all* I don't see a squid process running... – mhr Aug 11 '14 at 19:17
  • And you have attempted to send some requests through the proxy? The verbose debugging only happens when you actually attempt to access something. Those debug settings should make your logs extremely noisy. – Zoredache Aug 11 '14 at 19:19
  • Yes, I did. I'm not too familiar with the logging in squid. What is this section 33 in this command? *debug_options ALL,1 33,2* Is this generally the acl part or do I have to change that for a certain line in my config? – mhr Aug 11 '14 at 19:22

1 Answer


I solved it. At least kinda... It seems like it was an issue with the created user. After changing the username to all-lowercase it started working.

mhr
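A triage sketch for the access.log excerpt in the question, added here and not part of the original post or of Squid: it groups TCP_DENIED entries per client and reports whether Squid ever answered with 407 (the status that makes a browser prompt for proxy credentials) or only with 403. The last sample line and its client address 192.0.2.10 are constructed for illustration; the function names are hypothetical.

```python
from collections import Counter

# Three lines copied from the access.log excerpt in the question, plus one
# constructed 407 line to show what an authentication challenge looks like.
SAMPLE_LOG = """\
1407774496.214      0 188.40.117.68 TCP_DENIED/403 4167 GET http://www.google.de/ - HIER_NONE/- text/html
1407774496.398      0 188.40.117.68 TCP_DENIED/403 4200 GET http://www.google.de/favicon.ico - HIER_NONE/- text/html
1407774498.431      0 188.40.117.68 TCP_DENIED/403 4203 GET http://www.google.de/ - HIER_NONE/- text/html
1407774500.000      0 192.0.2.10 TCP_DENIED/407 4011 GET http://example.com/ - HIER_NONE/- text/html
"""  # the last line is constructed, not taken from the page


def parse_line(line):
    """Split one line of Squid's native access.log format into named fields."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None  # blank, truncated or custom-format line
    result, _, status = f[3].partition("/")
    return {"client": f[2], "result": result, "status": status,
            "method": f[5], "url": f[6], "user": f[7]}


def triage(log_text):
    """Per client: count denials by HTTP status and note whether a username was logged."""
    clients = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "TCP_DENIED":
            continue
        entry = clients.setdefault(rec["client"], {"statuses": Counter(), "users": set()})
        entry["statuses"][rec["status"]] += 1
        if rec["user"] != "-":  # "-" means no username was recorded for the request
            entry["users"].add(rec["user"])
    report = {}
    for client, e in clients.items():
        if e["statuses"]["407"] == 0:
            verdict = "no 407 challenge seen"  # only plain denials: the browser is never asked
        elif not e["users"]:
            verdict = "407 sent, no username logged"
        else:
            verdict = "407 sent, username logged"
        report[client] = (dict(e["statuses"]), verdict)
    return report


if __name__ == "__main__":
    for client, (statuses, verdict) in triage(SAMPLE_LOG).items():
        print(client, statuses, verdict)
```
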