Bug #10749
closed
squid + captive portal authentication not working
0%
Description
https://forum.netgate.com/topic/155148/squid-captive-portal-authentication:
Since the last update (2.4.5-RELEASE-p1), i can't get to work my squid with Captive Portal authentication. If i enable it, all request on internet show "Access denied", HTTP or HTTPS. When i disable authentication on squid conf, Internet browsing is OK. Someone have the same problem?
After enabling Captive Portal authentication, I can helper error on each connection attempt:
2020/07/10 14:29:11 kid1| Starting Squid Cache version 4.10 for amd64-portbld-freebsd12.1... 2020/07/10 14:29:11 kid1| Service Name: squid 2020/07/10 14:29:14 kid1| WARNING: check_cp #Hlpr1 exited 2020/07/10 14:29:14 kid1| ERROR: The check_cp helpers are crashing too rapidly, need help! 2020/07/10 14:29:15 kid1| WARNING: check_cp #Hlpr2 exited 2020/07/10 14:29:15 kid1| ERROR: The check_cp helpers are crashing too rapidly, need help!
Seems Squid 4 issue,
but changing external_acl_type to the correct format (%>a instead of %SRC, see http://www.squid-cache.org/Doc/config/external_acl_type/), doesn't help
'echo "192.168.1.10" | /usr/local/bin/check_ip.php' works fine
Updated by Christophe PLUMEL almost 4 years ago
I have same problem (WPAD + explicit Squid with Captive Portal authentication) since I update pfSense to 2.4.5 and squid package to 0.4.44_28
Everything works perfectly before update
Symptom : no user authentication in Squid and access denied (TCP_DENIED/403).
I've tried a lot of things but nothing work, it's not a network setting problem.
I hope someone will find a solution! :)
Updated by Bruno Le Fellic over 3 years ago
Hello,
I have the same problem on a fresh new installation with versions :
- pfSense 2.4.4-RELEASE-p1
- Squid 0.4.44_32
The authenticated user is seen as Logged in page "Status > Capture Portal". It get always 403 error except for domains in ACLs whitelist of squid config.
Regards,
Bruno
Updated by Brendan Gallagher over 3 years ago
It appears that squid is passing an extra "-" after the ip address to check_ip.php
e.g. 10.10.10.10 -
I am not proficient in modifying the squid config file so my workaround was to modify check_ip.php
replace
$check_ip = trim(fgets(STDIN));
with
$check_ip = preg_replace('/[^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}]/', '', fgets(STDIN));
Not sure if it will work in all cases but it seams to work for me.
Updated by Viktor Gurov over 3 years ago
Fixes/improvements in this PR:
- Regexp for STDIN
- Checks all enabled CP DBs
- Checks if client's IP is in 'Allowed IP Addresses' list
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/3
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
PR merged. Thanks!
Updated by Viktor Gurov over 3 years ago
- Status changed from Feedback to Resolved
pfSense-pkg-squid 0.4.44_34
works as expected
Updated by Viktor Gurov over 3 years ago
- Status changed from Resolved to New
small improvement - Use IP as username for allowedip hosts:
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/4
Updated by Renato Botelho over 3 years ago
- Status changed from New to Feedback
Viktor Gurov wrote:
small improvement - Use IP as username for allowedip hosts:
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/4
Merged. Thanks!
Updated by Viktor Gurov over 3 years ago
- Status changed from Feedback to New
'The check_cp helpers are crashing too rapidly' fix:
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/13
Updated by Renato Botelho over 3 years ago
- Status changed from New to Feedback
PR has been merged. Thanks!
Updated by Azamat Khakimyanov over 3 years ago
- Status changed from Feedback to Resolved
Tested on 2.4.5_p1 (Squid package: 0.4.44_36) and on 2.5-DEV (built on Thu Jan 07 21:49:58 EST 2021) (Squid package: 0.4.44_37)
Squid + Captive Portal authentication is working, no problem.
This bug can be marked RESOLVED.