Netgate Discussion Forum

Problem with squid local user auth and PC outside my network. Getting denied

General pfSense Questions
  • C
    CubedRoot
    last edited by Feb 13, 2015, 11:10 PM

    I set up Squid, ticked the "allow users on interface" box, and then set up a local user and turned on local auth. I want squid to listen on the WAN for external machines, but use local authentication.

    My external machine can connect, it gets prompted for authentication, and successfully auths. However, when I browse I get this error:

    "Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect."

    But, if I go to the access control tab, and put my external computer's IP address in the unrestricted IP box, it will work perfectly, except it doesn't prompt for authentication... even after clearing the browser's data and restarting Firefox.

    If I remove the IP from that box, it will prompt for auth, but give the same above error.
    How can I set Squid to listen on the WAN, when a client connects from outside my network it will prompt for local auth, and then allow them to use the proxy?

    Thanks in advance!

    • K
      KOM
      last edited by Feb 13, 2015, 11:23 PM

      IIRC, only the subnet that the proxy is bonded to is allowed to talk to the proxy.  Other networks have to be added.  I don't know any of your network details so I could be totally wrong.  I've set up many proxies before but I've never needed to give access via WAN, it's usually LAN clients going out.  I'm curious about what you're doing, if you don't mind.

      • C
        CubedRoot
        last edited by Feb 13, 2015, 11:33 PM

        I am wanting to use my home internet connection as a proxy for when I am out and about on my PC.  Some networks and wifi hotspots block certain ports, etc.  So, being able to proxy on my PC to avoid those ports being blocked when I am traveling is handy.

        I was wanting to be able to travel with my PC, and then enable the proxy when a port is being blocked by some hotspot.  I am not sure how I can accept all "subnets" across the internet in Squid.

        I have squid running on a co-located host running CentOS and it works great like this. But I would like to use my home internet connection as it's much faster than my co-located host.  I figured I could do the same with Squid on pfSense, but it's being difficult.

        • C
          CubedRoot
          last edited by Feb 13, 2015, 11:35 PM

          The error appears to be an access control error from Squid, as I am able to talk to the proxy.  Whenever I remove the IP address from the unrestricted column, my remote PC can talk to the proxy, authenticate successfully with the proxy, but the proxy is denying access after it's authenticated. Almost like an ACL or something.

          • K
            KOM
            last edited by Feb 14, 2015, 12:11 AM Feb 13, 2015, 11:56 PM

            Anything in Squid's logs or System log?

            • C
              CubedRoot
              last edited by Feb 14, 2015, 12:17 AM

              Removing my IP from the unrestricted IP section will get my authentication back, but gets me denied by squid.  So if I do a tail -f on /var/squid/logs/access.log and then try on the remote PC to access anything, I get prompted for authentication, successfully auth, then I see this pop up in the access.log:

              1423872154.591      1 12.200.151.18 TCP_DENIED/407 1686 GET http://www.google.com/ - NONE/- text/html
              1423872165.173      0 12.200.151.18 TCP_DENIED/403 1368 GET http://www.google.com/ boodaddy NONE/- text/html
              1423872165.247      0 12.200.151.18 TCP_DENIED/403 1390 GET http://www.google.com/favicon.ico boodaddy NONE/- text/html
              1423872192.214      0 12.200.151.18 TCP_DENIED/403 1366 GET http://ipchicken.com/ boodaddy NONE/- text/html

              Nothing shows in system.log

              boodaddy is the user that is logging in via local auth on squid.

              Now, if I put the IP back into the unrestricted IP box, clear out the cache on the browser and restart it, I am able to get a webpage, without even being prompted for authentication. I have double-checked that "Require authentication for unrestricted hosts" has been enabled in the auth setting tab.  I am able to browse on the remote PC, and ipchicken shows the IP address of my pfSense box.

              This is what I see in access.log with the above setup:
              1423872482.235    150 12.200.151.18 TCP_MISS/302 705 GET http://www.google.com/ - DIRECT/74.125.196.103 text/html
              1423872482.383    30 12.200.151.18 TCP_MISS/200 943 POST http://clients1.google.com/ocsp - DIRECT/66.18.36.84 application/ocsp-response

              Nothing shows up in system.log

              Are there any other logs I need to be looking at to help troubleshoot?

              1 Reply Last reply Reply Quote 0
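As an added example (not part of the original thread, and not pfSense or Squid code), this sketch parses Squid native-format access.log lines like the ones posted above and separates the 407 authentication challenge from a 403 issued after a user name was logged, and also flags requests that were served with no user at all. The sample lines, the address 192.0.2.10 and the user alice are constructed.

```python
from collections import Counter

# Constructed sample in Squid's native access.log format (not the poster's log):
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1423872154.591      1 192.0.2.10 TCP_DENIED/407 1686 GET http://example.com/ - NONE/- text/html
1423872165.173      0 192.0.2.10 TCP_DENIED/403 1368 GET http://example.com/ alice NONE/- text/html
1423872165.247      0 192.0.2.10 TCP_DENIED/403 1390 GET http://example.com/favicon.ico alice NONE/- text/html
1423872482.235    150 192.0.2.10 TCP_MISS/302 705 GET http://example.com/ - DIRECT/198.51.100.7 text/html
garbage line
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    result, _, status = f[3].partition("/")
    if not status.isdigit():
        return None
    return {"client": f[2], "result": result, "status": int(status),
            "method": f[5], "url": f[6], "user": None if f[7] == "-" else f[7]}

def classify(entry):
    """Label a request by what the proxy decided and whether a user was logged."""
    if entry["result"] != "TCP_DENIED":
        # Served; requests served with no logged user skipped authentication.
        return "allowed_authenticated" if entry["user"] else "allowed_unauthenticated"
    if entry["status"] == 407:
        return "auth_challenge"        # proxy asked the client for credentials
    if entry["user"]:
        return "denied_after_auth"     # user name logged, so the refusal came after login
    return "denied_no_user"

def summarize(text):
    """Count classifications per (client, user) pair, skipping malformed lines."""
    counts = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            counts[(entry["client"], entry["user"], classify(entry))] += 1
    return counts

if __name__ == "__main__":
    for (client, user, label), n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(f"{client} {user or '-'} {label}: {n}")
```

For a proxy exposed on the WAN, any `allowed_unauthenticated` count from an outside address is the line to investigate first.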
              • K
                KOM
                last edited by Feb 15, 2015, 4:02 AM

                Not that I know of, sorry.  I'm out of ideas.

                • C
                  CubedRoot
                  last edited by Feb 15, 2015, 8:02 PM

                  Is there a specific forum for Squid on pfSense I might could ask in?  I have tried everything and can't seem to get this working on pfSense.

                  • K
                    KOM
                    last edited by Feb 15, 2015, 9:39 PM

                    Questions about Squid and other packages are usually handled in the Packages forum.  Give it a try, although a lot of the regulars check all the active boards.

                    • C
                      CubedRoot
                      last edited by Feb 19, 2015, 6:19 AM

                      I ended up uninstalling Squid and installing Squid3.  I am still having some odd issues with local authentication.

                      Now, everything seems to work OK, except when I turn on local auth.  I keep getting prompted for my password, even though I know it's the correct password.  I have left a post in the Packages forums hoping someone will respond.  If I turn local auth off, it works great.  I have tried deleting the squid.passwd and re-creating my users through the web panel, but no luck.
