我安装了适用于 Windows 的 squid-2.7-stable8,尝试仅让授权用户访问互联网。但不幸的是,当我在客户端浏览器中输入用户名/密码后,squid 仍然返回HTTP 403 访问被拒绝错误(配置已完成并且 squid 已重新启动)。
我错过了什么?
文件c:\squid\etc\squid.conf(使用默认值,并进行以下修改)
# this is the first uncommented line
include ../etc/squid-acl-cm.conf
#... the default minimum settings
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
include ../etc/squid-http_access-cm.conf
# Here, I disabled/commented localnet
#http_access allow localnet
# And finally deny all other access to this proxy
http_access deny all
文件c:\squid\etc\squid-acl-cm.conf
auth_param basic program ../libexec/ncsa_auth.exe ../etc/password.txt
auth_param basic credentialsttl 8 hours
auth_param basic casesensitive off
acl User_Authorized proxy_auth -i REQUIRED
文件c:\squid\etc\squid-http_access-cm.conf
http_port 8888
error_directory c:/squid/share/errors/Simplify_Chinese
cache_mgr TechSupport
http_access allow User_Authorized
文件c:\squid\etc\password.txt
liuyan:$apr1$JB1IxUS9$t/2b09Xo5GgV08.MeLArH0
密码验证
C:\squid\bin>..\libexec\ncsa_auth.exe ../etc/password.txt
liuyan 123
OK
liuyan 123
ERR Wrong password
liuyan1 123
ERR No such user
而且,Microsoft 网络监视器 3.4从客户端 PC 捕获结果
Frame: Number = 6, Captured Frame Length = 744, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[A6-C8-20-00-02-00],SourceAddress:[02-00-02-00-00-00]
+ Ipv4: Src = 192.168.117.138, Dest = 192.168.115.245, Next Protocol = TCP, Packet ID = 3619, Total IP Length = 730
+ Tcp: Flags=...AP..., SrcPort=1784, DstPort=3128, PayloadLen=678, Seq=2725249880 - 2725250558, Ack=2901852307, Win=32768 (scale factor 0x3) = 262144
- Http: Request, GET http://superuser.com/
Command: GET
+ URI: http://superuser.com/
ProtocolVersion: HTTP/1.1
Host: superuser.com
UserAgent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
ProxyConnection: keep-alive
Referer: http://stackoverflow.com/questions/tagged/java
+ Cookie: **I HAVE ATE MY COOKIES**
HeaderEnd: CRLF
Frame: Number = 7, Captured Frame Length = 500, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[02-00-02-00-00-00],SourceAddress:[A6-C8-20-00-02-00]
+ Ipv4: Src = 192.168.115.245, Dest = 192.168.117.138, Next Protocol = TCP, Packet ID = 13018, Total IP Length = 486
+ Tcp: Flags=...AP..., SrcPort=3128, DstPort=1784, PayloadLen=434, Seq=2901852307 - 2901852741, Ack=2725250558, Win=64857 (scale factor 0x0) = 64857
- Http: Response, HTTP/1.0, Status: Proxy authentication required, URL: http://superuser.com/ , Using Basic realm="Squid proxy-caching web server" Authentication
ProtocolVersion: HTTP/1.0
StatusCode: 407, Proxy authentication required
Reason: Proxy Authentication Required
Server: squid/2.7.STABLE8
Date: Sat, 04 Aug 2012 02:45:46 GMT
+ ContentType: text/html
ContentLength: 1688
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
+ ProxyAuthenticate: Basic realm="Squid proxy-caching web server"
X-Cache: MISS from fileshare.cmcall.com
X-Cache-Lookup: NONE from fileshare.cmcall.com:8888
Via: 1.0 fileshare.cmcall.com:8888 (squid/2.7.STABLE8)
Connection: close
HeaderEnd: CRLF
Frame: Number = 19, Captured Frame Length = 789, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[A6-C8-20-00-02-00],SourceAddress:[02-00-02-00-00-00]
+ Ipv4: Src = 192.168.117.138, Dest = 192.168.115.245, Next Protocol = TCP, Packet ID = 3656, Total IP Length = 775
+ Tcp: Flags=...AP..., SrcPort=1786, DstPort=3128, PayloadLen=723, Seq=3339579759 - 3339580482, Ack=3553182034, Win=32768 (scale factor 0x3) = 262144
- Http: Request, GET http://superuser.com/ , Using Basic Authorization
Command: GET
+ URI: http://superuser.com/
ProtocolVersion: HTTP/1.1
Host: superuser.com
UserAgent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
ProxyConnection: keep-alive
Referer: http://stackoverflow.com/questions/tagged/java
+ Cookie: **I HAVE ATE MY COOKIES**
- ProxyAuthorization: Basic
- Authorization: Basic bGl1eWFuOjEyMw==
WhiteSpace:
- BasicAuthorization:
Scheme: Basic
+ Realm: liuyan:123
HeaderEnd: CRLF
Frame: Number = 22, Captured Frame Length = 408, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[02-00-02-00-00-00],SourceAddress:[A6-C8-20-00-02-00]
+ Ipv4: Src = 192.168.115.245, Dest = 192.168.117.138, Next Protocol = TCP, Packet ID = 15424, Total IP Length = 394
+ Tcp: Flags=...AP..., SrcPort=3128, DstPort=1786, PayloadLen=342, Seq=3553182034 - 3553182376, Ack=3339580482, Win=64812 (scale factor 0x0) = 64812
- Http: Response, HTTP/1.0, Status: Forbidden, URL: http://superuser.com/
ProtocolVersion: HTTP/1.0
StatusCode: 403, Forbidden
Reason: Forbidden
Server: squid/2.7.STABLE8
Date: Sat, 04 Aug 2012 02:45:50 GMT
+ ContentType: text/html
ContentLength: 1142
X-Squid-Error: ERR_ACCESS_DENIED 0
X-Cache: MISS from fileshare.cmcall.com
X-Cache-Lookup: NONE from fileshare.cmcall.com:8888
Via: 1.0 fileshare.cmcall.com:8888 (squid/2.7.STABLE8)
Connection: close
HeaderEnd: CRLF
答案1
删除 proxy_auth acl 中的 -i,它不是必需的。看起来 REQUIRED 关键字写得不正确,或者那里可能有不可打印的字符。删除并重新写入以确保无误。
答案2
对于任何通过搜索来到这里的人来说,需要强调的一件事,也是 Diego 所指出的,那就是:
http_access allow User_Authorized应该前 http_access deny all。