Koozali.org: home of the SME Server

SME5.5 using proxy authentication

Simon

SME5.5 using proxy authentication
« on: December 12, 2002, 02:56:45 AM »
Hi people,

I'm trying to sort out an issue I have with a new SME5.5 box (stock install) using the squid authentication RPM I found here: http://www.pagefault.org/e-smith/contrib/#proxyauth

The box works perfectly (mail, apache etc) except when users try and browse. When I first tried to access a site after setting authentication to on (worked fine before), it asked me for a username and password and then gave me a denied message along the lines of "access denied by the access control list". Thinking I had just put in the wrong credentials for the test user I created earlier I tried clearing the cache and trying a site again, but the error wouldn't disappear. I also tried logging off the user on the client machine (win2k) completely and trying another user and that didn't work either, they didn't even get asked for a username and password. So now squid isn't asking for a user\pass at all and is going straight to the denied message above. I checked squid.conf and everything appears to be fine in there and I am not sure where to go from here. I am using the /usr/lib/squid/pam_auth module for authentication.

Does anyone have an idea of what the problem could be, or can point me in the right direction? Any help appreciated.

Thank you!

Cyrus Bharda

Re: SME5.5 using proxy authentication
« Reply #1 on: December 12, 2002, 04:34:42 AM »
Have you made sure that you have put in the proxy settings into your browser/internet settings?

I haven't used that module, but have had great success with the proxy auth module from:

www.e-smith.dyndns.org
e-smith-squid-0.3-2.i386.rpm

It works fine with my 5.5U2 box, that coupled with squidGuard from Abe and I have all my users locked out who shouldn't have access and those who do cannot access any naughty sites :-)

Cyrus Bharda

Simon

Re: SME5.5 using proxy authentication
« Reply #2 on: December 12, 2002, 05:49:47 AM »
I had made sure that the options were set in the browser, that didn't appear to be a problem.

I did end up getting authentication working by turning transparent proxy off (as per the site I had in my first post's instructions) and leaving authentication on. Only problem with this is that I want to force people through the proxy, and it isn't hard to take proxy settings out of a browser, so this is a real problem.

If I download e-smith-squid-0.3-2.i386.rpm from www.e-smith.dyndns.org how do I go about turning authorization on again? Using the same method (/sbin/e-smith/db configuration setprop squid authentication on)?

Thank you for your reply.
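
Added example, not part of the original thread or of either RPM: Squid cannot ask for proxy credentials on traffic it intercepts transparently, because the browser does not know a proxy is there and will not answer a 407 challenge, which is consistent with authentication only working once transparent proxying was turned off. The sketch below checks a squid.conf for that combination; the sample configs and the `directives` and `audit` helpers are constructed for illustration.

```python
# Constructed sample configs (not from the thread); the directive names are
# real Squid directives, the values are illustrative.
INTERCEPT_WITH_AUTH = """\
http_port 3128 transparent
acl localnet src 192.168.1.0/24
acl authenticated proxy_auth REQUIRED
http_access allow localnet authenticated
http_access deny all
"""
EXPLICIT_WITH_AUTH = INTERCEPT_WITH_AUTH.replace(" transparent", "")


def directives(conf):
    """Yield (name, args) for each non-blank, non-comment line."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args


def audit(conf):
    """Return one finding per http_access rule that needs proxy_auth
    while the config also intercepts traffic."""
    intercepting, auth_acls, rules = [], set(), []
    for name, args in directives(conf):
        if name == "http_port" and {"transparent", "intercept"} & set(args[1:]):
            intercepting.append("http_port " + args[0])
        elif name == "httpd_accel_host" and args[:1] == ["virtual"]:
            intercepting.append("httpd_accel_host virtual")  # Squid 2.x style
        elif name == "acl" and len(args) >= 2 and args[1] == "proxy_auth":
            auth_acls.add(args[0])
        elif name == "http_access":
            rules.append(args)
    findings = []
    for args in rules:
        used = sorted({a.lstrip("!") for a in args[1:]} & auth_acls)
        if used and intercepting:
            findings.append("http_access %s uses proxy_auth ACL %s, but %s "
                            "intercepts traffic that cannot answer a 407"
                            % (" ".join(args), ", ".join(used),
                               "; ".join(intercepting)))
    return findings


if __name__ == "__main__":
    for finding in audit(INTERCEPT_WITH_AUTH):
        print(finding)
```

To keep both authentication and enforcement, clients need an explicit proxy setting while the firewall blocks direct outbound web traffic that does not come from the proxy.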

Cyrus Bharda

Re: SME5.5 using proxy authentication
« Reply #3 on: December 12, 2002, 06:42:46 AM »
I have no idea, probably just set everything back to what it is normally (default values) and then install the new rpm and you will find a "Proxy Users" added to the server manager which has all the controls and bob's your uncle, and if your users remove the proxy settings then it displays a "You are not authorised to view this page" type error.

Good Luck,

Cyrus Bharda

Simon

Re: SME5.5 using proxy authentication
« Reply #4 on: December 12, 2002, 06:54:07 AM »
Great, thanks again for the reply Cyrus. I'll make sure I let you know how I go with it. I'm thinking I might reinstall SME5.5 anyway when I get home from work as I've done a fair bit of fiddling around trying to get it to work.

Thanks again!

Simon

Re: SME5.5 using proxy authentication
« Reply #5 on: December 12, 2002, 10:52:31 AM »
Hi again,

I installed the program from the link you gave me and it seems to work really well (well actually it works which is a good thing). The only real problem I have is once the users authenticate every now and then they seem to get a "Page cannot be displayed" straight after, but if you refresh the site comes straight up. Only seems to happen maybe every 2-3 times they authenticate. I'm guessing this could be a problem as well.

Also, is there any easy way of supplying users with a proxy password reset facility? The password you set for the proxy authentication seems to be different to their other passwords (eg. for mail and shares).

Thanks, you've done well so far!

Patrick Schepers

Re: SME5.5 using proxy authentication
« Reply #6 on: December 12, 2002, 05:28:11 PM »
I'm using e-smith-squid-0.3-2
Works just fine.

Joao Bento

Re: SME5.5 using proxy authentication
« Reply #7 on: December 12, 2002, 06:51:42 PM »
Hi, I also use this e-smith-squid-0.3-2 but I think it only blocks browsing. What about mail, telnet, ftp and p2p apps like kazaa?

Simon

Re: SME5.5 using proxy authentication
« Reply #8 on: December 13, 2002, 01:51:56 AM »
The only real issue I have with the proxy authentication at the moment is the users' ability to reset their own proxy password. I wonder if you can symlink the user file for the proxy authentication (/etc/squid/squidpasswd or whatever it is), to the user\pass file used for the rest of the system (ie. mail and shares?). If not there has to be another web utility somewhere to allow them to change their password?

Joao Bento wrote:
>
> hi, I also use this e-smith-squid-0.3-2 but I think it only
> blocks browsing. What about mail, telnet ftp and p2p apps
> like kazaa ?

I believe that page also contains another application that allows you to do this, though I haven't tested it.

Cyrus Bharda

Re: SME5.5 using proxy authentication
« Reply #9 on: December 13, 2002, 04:44:44 AM »
Yeah, where you got the working squid proxy auth there is a deny port, although Kazaa is much harder to block than normal p2p progs as it could use any port. I seem to have the "page not found" error only happen with users that have IE 6 or higher, IE 5.5 works fine, just need to authenticate once for that logon, whereas in IE 6 you need to authenticate for each browser you open and you need to hit refresh after authentication, but I can live with that :-)

I don't have any experience with this and Netscape on Windows/Linux systems either so I don't know if it reacts the same way.

One way I have found to stop Kazaa is by using snort with acid and finding the offending port and forward that port to 1 ip that I have reserved for nothing, so in effect they can connect out, but when they try to get back in the port forwards to an ip that does not have any connections live on it, eventually they just stop trying :-)

Good Luck!

Cyrus Bharda

Simon

Re: SME5.5 using proxy authentication
« Reply #10 on: December 13, 2002, 10:15:11 AM »
Thanks for the replies. Anyone have an idea as to a script that allows users to change their proxy passwords?

Thanks!

Cyrus Bharda

Re: SME5.5 using proxy authentication
« Reply #11 on: December 16, 2002, 01:36:34 AM »
Or even better, change the e-smith-squid-0.3-2 rpm to just use the passwords from the original passwords assigned when the user was created, then just give the users access to user-manager (https:///user-manager) and then they can change their password whenever they wish!

Then they would not have several passwords, one for email/proxy/etc.

Cyrus Bharda

Simon

Re: SME5.5 using proxy authentication
« Reply #12 on: December 16, 2002, 03:32:44 PM »
Cyrus Bharda wrote:
>
> Or even better, change the e-smith-squid-0.3-2 rpm to just
> use the passwords from the original passwords assigned when
> the user was created, then just give the users access to
> user-manager (https:///user-manager and then
> they can change their password whenever they wish!
>
> Then they would not have several passwords, one for
> email/proxy/etc,
>
> Cyrus Bharda

Excuse my ignorance but how exactly do I go about changing the RPM so that it just uses their "original passwords" rather than the proxy-users one in the server-manager? As far as I can see there is no way around not specifying a password in the proxy-users section of the server-manager.

I also had a quick fiddle with changing the auth type in /etc/e-smith/templates-custom/etc/squid/squid.conf/40http_access75AllowLocal but that didn't seem to work either, didn't change a thing in the proxy-users.

Your help is appreciated!

Cyrus Bharda

Re: SME5.5 using proxy authentication
« Reply #13 on: December 17, 2002, 06:02:03 AM »
It was a suggestion, that if the rpm is changed so that it does use the user's original passwords then they _could_ change their password themselves, _if_ you have the user-manager rpm installed _because_ that rpm allows users to change their passwords for logon (email) and if the proxy auth rpm used that list of passwords then if they changed their password there it would in effect change it for the proxy as well, make sense?

1. Username Password1  <----- to logon (email)
2. Username Password2  <----- to gain proxy auth

Why not have:

1. Username Password  <---- to logon and gain proxy auth

then you would only have to turn access on or off, and not specify a password for that user for the proxy.

Cyrus Bharda

Wesley

Re: SME5.5 using proxy authentication
« Reply #14 on: December 26, 2002, 07:38:30 PM »
Can anyone give another URL for the RPM below?

www.e-smith.dyndns.org
e-smith-squid-0.3-2.i386.rpm

I keep getting a 404 when attempting to connect to the site.

Thank You
Happy Holidays
Wesley