Score:0

Squid Proxy - Error 407 - Simple Authentication NCSA

kg flag

when running squid (4.10, installed from apt or 5.6 from docker ubuntu/squid:latest) and adding a simple user authentication, all requests are dropped by squid with HTTP 407. The purpose is to have a simple proxy for testing authentication of HTTP/REST calls within an application.

squid.conf:

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm Squid proxy-caching web server
auth_param basic children 5
auth_param basic utf8 on
auth_param basic credentialsttl 60 minutes
auth_param basic casesensitive off
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
dns_v4_first on
forwarded_for delete
via off
http_port 3128

I have two Users "UserB" (Password "UserB") and "Test" (password "test") in my /etc/squid/passwords file, created with htpasswd:

# cat /etc/squid/passwords
UserB:$apr1$wuSDCp9q$VLoy.ClARK3BRyB5L4rrW0
Test:$apr1$fhr7JXM.$VHHPwrJSTkIoUWpdfDm/K.

Authentication via /usr/lib/squid/basic_ncsa_auth seems to work:

# /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
test test
ERR No such user
Test test
OK 
UserB UserB
OK 
UserB WrongPassword
ERR Wrong password

Password file is readable for Squid (chmod 777):

# ls -alh /etc/squid/passwords
-rwxrwxrwx 1 root root 87 Nov 11 07:50 /etc/squid/passwords

Still all requests, even with correct credentials are dropped with 407 (from /var/squid/access.log):

2022-11-11 11:03:54 1668161034.406      1 172.17.0.1 TCP_DENIED/407 4196 CONNECT www.google.com:443 test HIER_NONE/- text/html
2022-11-11 11:03:54 1668161034.411      1 172.17.0.1 TCP_DENIED/407 4196 CONNECT www.google.com:443 test HIER_NONE/- text/html
2022-11-11 11:03:58 1668161038.434      0 172.17.0.1 TCP_DENIED/407 4196 CONNECT www.google.com:443 test HIER_NONE/- text/html
2022-11-11 11:04:33 1668161073.398      0 172.17.0.1 TCP_DENIED/407 4161 CONNECT www.google.com:443 userb HIER_NONE/- text/html

The application I am testing from is Firefox Portable with dedicated proxy settings: enter image description here

In a setup as simple as that, what else could be wrong?

HannesS avatar
kg flag
Turns out it had to do with "auth_param basic casesensitive off". Tested with lowercase only usernames and passwords it worked, so i removed the line from squid.conf. Still a little confused about why this problem occured in the first place, to be honest - if someone could elaborate on that? "casesensitive" on|off Specifies if usernames are case sensitive. Most user databases are case insensitive allowing the same username to be spelled using both lower and upper case letters, but some are case sensitive. This makes a big difference for user_max_ip ACL processing and similar
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.