Date: Thu, 27 Feb 2003 15:11:00 -0500
From: "Jamie Beekhuis" <jbeekhuis@wmptl.com>
To: <questions@freebsd.org>
Subject: problems with squid/authentication from just some client machines
Message-ID: <NOEMINECMMFIPKGODEDGMEOOCBAA.jbeekhuis@wmptl.com>
We're having some 'weirdness' come about the last few months regarding our access control to the internet via squid. It only happens to some users, and not to others, with no apparent differences between the setup of each of the users' machines.

Here's the deal:

We're running FreeBSD 4.7-RELEASE, with squid-2.5.STABLE1 on a relatively small dual-homed machine. The machine has a single internal interface to one network (10.0.0.0/24) and a second interface to the internet. The machine is running a firewall using ipfw, but it allows all traffic from any to any 10.0.0.0/24 via any 10.0.0.0/24.

We've got squid configured to do the following (in this order):

- only allow access from src 10.0.0.0/255.255.255.0
- allow http/ftp access to any src 10.0.0.XX 10.0.0.XY etc (list of managers' machines)
- disallow http/ftp access to any sites matching a regexp in the file "bad-sites.txt"
- allow http/ftp access to any sites matching a regexp in the file "good-sites.txt"
- require proxy_auth via ncsa_auth external program to access anything else via http/ftp

The long(er) version of the problem:

The setup has worked well now for a little over 3 years. That is, up until most recently. When a user brings up Internet Explorer (usually from a Win2K host, all patched up/updated) they first get an 'access denied' reply from squid. If the user hits 'enter' from the address bar (thus making a second request for the same page), then squid requires them to login/authenticate themselves and allows them access from there on. The problem now of course being that squid doesn't just ask for the user's password the first time, with no apparent reason why. The logs don't give any reasoning, just state 'denied to http... whatever'.

The oddest part being that it only does this for a handful of users, with no apparent reason. Almost all machines have the same configuration, and all machines are always kept up to date regarding patches/service packs (all but a few client machines are running Windows; those in question with the problem are all running Win2K Pro, though there are those that are running properly with 95, 98SE, NT4, W2K Pro, and XP Pro).

The short version:

- why do some machines not attempt to authenticate through the proxy on their first attempt to reach a site which requires it, while other machines do?
- is anyone else experiencing similar issues?
- if so, what have they done about them?

If we could provide any more useful information or insight into this issue, we'd be happy to do so; obviously we're looking to find a resolution. Since we're totally stumped at this point as to why this happens we'd appreciate any ideas, directions, or comments on the subject.

Please reply directly to itstaff@wmptl.com as we are not subscribed to freebsd-questions anymore.

--
Jamie Beekhuis
Computer Systems Engineer
Windsor Match Plate and Tool Ltd.
1-519-945-6371

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
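Added example, not part of the original message: a small triage script that scans a Squid native-format access.log for the symptom described above, a denial without an authentication challenge followed shortly by a challenge for the same URL from the same client. It assumes the 'access denied' reply is logged as TCP_DENIED/403 and the login prompt as TCP_DENIED/407; the log lines, addresses and user names are constructed sample data.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1046376660.101 3 10.0.0.21 TCP_DENIED/403 1412 GET http://example.org/ - NONE/- text/html
1046376664.530 2 10.0.0.21 TCP_DENIED/407 1630 GET http://example.org/ - NONE/- text/html
1046376671.912 240 10.0.0.21 TCP_MISS/200 5120 GET http://example.org/ alice DIRECT/192.0.2.10 text/html
1046376700.004 2 10.0.0.34 TCP_DENIED/407 1630 GET http://example.org/ - NONE/- text/html
1046376706.250 198 10.0.0.34 TCP_MISS/200 5120 GET http://example.org/ bob DIRECT/192.0.2.10 text/html
1046376800.300 2 10.0.0.55 TCP_DENIED/403 1398 GET http://blocked.example/ - NONE/- text/html
"""


def parse(line):
    """Split one native-format line into the fields used below, or None."""
    f = line.split()
    if len(f) < 8:
        return None
    try:
        ts = float(f[0])
    except ValueError:
        return None
    action, _, status = f[3].partition("/")
    return {"ts": ts, "client": f[2], "action": action,
            "status": status, "url": f[6], "user": f[7]}


def denied_then_challenged(log_text, window=60.0):
    """Map client -> URLs where an unauthenticated 403 was followed within
    `window` seconds by a 407 challenge for the same URL from that client."""
    pending = {}                      # (client, url) -> time of the 403
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["action"] != "TCP_DENIED":
            continue
        key = (rec["client"], rec["url"])
        if rec["status"] == "403" and rec["user"] == "-":
            pending[key] = rec["ts"]
        elif rec["status"] == "407" and key in pending:
            if rec["ts"] - pending.pop(key) <= window:
                hits[rec["client"]].append(rec["url"])
    return dict(hits)


if __name__ == "__main__":
    for client, urls in denied_then_challenged(SAMPLE_LOG).items():
        print(client, "denied before being challenged for:", ", ".join(urls))
```

A client that only ever receives a 403 (for example a match in "bad-sites.txt") or only a 407 is not reported, so the output lists just the machines showing the deny-then-prompt pattern, which can then be compared against the ones that behave normally.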