I have used debug_options 11,2 in squid.conf file. After I have following results in logs files:
/var/log/squid3/access.log 1473026084.048 253 192.168.200.85 TCP_MISS_ABORTED/000 0 POST http://m.addthis.com/live/red_lojson/100eng.json? marcio HIER_NONE/- - 1473026086.275 0 192.168.200.85 TCP_DENIED/407 3792 CONNECT tiles.services.mozilla.com:443 - HIER_NONE/- text/html 1473026086.778 0 192.168.200.85 TCP_DENIED/407 3995 GET http://start.ubuntu.com/14.04/Google/? - HIER_NONE/- text/html 1473026088.908 0 192.168.200.85 TCP_DENIED/407 3796 CONNECT shavar.services.mozilla.com:443 - HIER_NONE/- text/html 1473026091.932 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT self-repair.mozilla.org:443 - HIER_NONE/- text/html 1473026096.418 180 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response 1473026096.467 85 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response 1473026102.051 525 192.168.200.85 TCP_REFRESH_UNMODIFIED/200 2907 GET http://start.ubuntu.com/14.04/Google/? marcio HIER_DIRECT/91.189.90.41 text/html 1473026102.091 0 192.168.200.85 TCP_HIT/200 22099 GET http://start.ubuntu.com/12.04/sprite.png marcio HIER_NONE/- image/png 1473026104.855 0 10.133.85.3 TCP_DENIED/407 3929 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - HIER_NONE/- text/html 1473026146.453 83 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response 1473026147.447 83 192.168.200.85 TCP_MISS/200 960 POST http://ocsp.digicert.com/ marcio HIER_DIRECT/192.16.58.8 application/ocsp-response 1473026148.923 0 192.168.200.85 TCP_DENIED/407 3796 CONNECT shavar.services.mozilla.com:443 - HIER_NONE/- text/html 1473026157.117 61506 192.168.200.85 TCP_MISS/200 3525 CONNECT tiles.services.mozilla.com:443 marcio HIER_DIRECT/52.24.123.95 - 1473026157.195 61584 192.168.200.85 TCP_MISS/200 4521 CONNECT self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 - 1473026160.190 63085 192.168.200.85 TCP_MISS/200 5449 CONNECT self-repair.mozilla.org:443 marcio HIER_DIRECT/54.69.9.44 - 1473026204.518 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT safebrowsing.google.com:443 - HIER_NONE/- text/html 1473026207.807 62056 192.168.200.85 TCP_MISS/200 3686 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 - 1473026207.808 61159 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 - 1473026207.808 61159 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 - 1473026207.808 61160 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 - 1473026207.809 61160 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 - 1473026207.814 61165 192.168.200.85 TCP_MISS/200 390 CONNECT incoming.telemetry.mozilla.org:443 marcio HIER_DIRECT/52.89.83.186 - 1473026207.866 61052 192.168.200.85 TCP_MISS/200 3821 CONNECT aus5.mozilla.org:443 marcio HIER_DIRECT/52.34.235.152 - 1473026212.687 116018 192.168.200.85 TCP_MISS/200 61971 CONNECT normandy.cdn.mozilla.net:443 marcio HIER_DIRECT/52.84.177.125 - 1473026264.532 0 192.168.200.85 TCP_DENIED/407 3780 CONNECT safebrowsing.google.com:443 - HIER_NONE/- text/html 1473026299.647 0 10.133.85.3 TCP_DENIED/407 3813 CONNECT iecvlist.microsoft.com:443 - HIER_NONE/- text/html 1473026335.221 0 10.133.85.3 TCP_DENIED/407 3813 CONNECT ieonline.microsoft.com:443 - HIER_NONE/- text/html 1473026592.061 6624 10.133.85.3 TCP_MISS/200 3582 CONNECT forum.zentyal.org:443 marcio HIER_DIRECT/162.13.13.134 - 1473026793.073 0 192.168.200.96 TCP_DENIED/407 3780 CONNECT safebrowsing.google.com:443 - HIER_NONE/- text/html /var/log/squid3/cache.log ---------- 2016/09/04 19:06:33.073 kid1| client_side.cc(2407) parseHttpRequest: HTTP Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1 2016/09/04 19:06:33.073 kid1| client_side.cc(2408) parseHttpRequest: HTTP Client REQUEST: --------- CONNECT safebrowsing.google.com:443 HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 Proxy-Connection: keep-alive Connection: keep-alive Host: safebrowsing.google.com:443 ---------- 2016/09/04 19:06:33.073 kid1| client_side.cc(1459) sendStartOfMessage: HTTP Client local=192.168.200.7:3128 remote=192.168.200.96:56302 FD 12 flags=1 2016/09/04 19:06:33.073 kid1| client_side.cc(1460) sendStartOfMessage: HTTP Client REPLY: --------- HTTP/1.1 407 Proxy Authentication Required Server: squid/3.4.8 Mime-Version: 1.0 Date: Sun, 04 Sep 2016 22:06:33 GMT Content-Type: text/html Content-Length: 3357 X-Squid-Error: *ERR_CACHE_ACCESS_DENIED 0* Proxy-Authenticate: Basic realm="CMS" X-Cache: MISS from proxy.cms.ensino.br X-Cache-Lookup: NONE from proxy.cms.ensino.br:3128 Via: 1.1 proxy.cms.ensino.br (squid/3.4.8) Connection: keep-alive ---------- Sorry, but I didn't discover the problem! Anybody have an idea? Regards, Márcio 2016-09-02 11:10 GMT-03:00 Amos Jeffries <squ...@treenet.co.nz>: > On 2/09/2016 3:21 p.m., Marcio Demetrio Bacci wrote: > > In my Windows workstations the authentication works correctly, however in > > Ubuntu 14.04 the user and password are asked twice. > > > > I am using the basic_ncsa_auth with Squid 3.4.8 > > > > Is there any setting that I do in Squid? > > > > Bellow is my squid.conf > > > ... > > > > auth_param basic program /usr/lib/squid3/basic_ncsa_auth > /etc/squid3/passwd > > auth_param basic children 5 > > auth_param basic realm AUTENTICACAO > > auth_param basic credentialsttl 2 hours > > auth_param basic casesensitive off > > > ... > > > > ### Regras iniciais do Squid > > http_access allow localhost > > http_access allow purge localhost > > http_access deny purge > > http_access deny !Safe_ports > > http_access deny CONNECT !SSL_ports > > Please re-order the above security rules to be: > > http_access deny !Safe_ports > http_access deny CONNECT !SSL_ports > http_access allow localhost > http_access deny purge > > > > > ### Exige autenticacao > > acl autenticados proxy_auth REQUIRED > > http_access allow autenticados > > > > ### Bloqueia extensoes de arquivos > > acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes- > proibidas" > > > > ### Liberar alguns sites > > acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos" > > > > ### Bloqueia sites por URL > > acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos" > > > > #bloqueios basicos > > http_access allow sites_liberados > > http_access deny extensoes_bloqueadas > > http_access deny sites_bloqueados > > > > ### LAN ##### > > acl rede_lan src 192.168.200.0/22 > > > > ### Nega acesso de quem nao esta na rede local do CMB > > http_access allow rede_lan > > > > #negando o acesso para todos que nao estiverem nas regras anteriores > > http_access deny all > > > ... > > > With your config Squid will only challenge the browser to send some if > they are completely missing. It will not deny access when invalid > credentials are sent. > > That means the browser probably does not have access to any Basic auth > credentials it can send. > > The two popups are probably from two TCP connections being made with no > credentials (maybe the result of the "Happy Eyeballs" algorithm doing > its thing). You can check for that with "debug_options 11,2" and seeing > what HTTP messages are happening with what IP:port details. > > Amos > > _______________________________________________ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users >
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
