Bug #10749

squid + captive portal authentication not working

Added by Viktor Gurov 4 months ago. Updated 2 days ago.

Status: New
Priority: Normal
Assignee:
Category: Squid
Target version: -
Start date: 07/10/2020
Due date:
% Done: 0%
Estimated time:
Affected Version:
Affected Architecture:

Description

https://forum.netgate.com/topic/155148/squid-captive-portal-authentication:
Since the last update (2.4.5-RELEASE-p1), I can't get my squid to work with Captive Portal authentication. If I enable it, all requests on the internet show "Access denied", HTTP or HTTPS. When I disable authentication in the squid conf, Internet browsing is OK. Does anyone have the same problem?

After enabling Captive Portal authentication, I can see a helper error on each connection attempt:

2020/07/10 14:29:11 kid1| Starting Squid Cache version 4.10 for amd64-portbld-freebsd12.1...
2020/07/10 14:29:11 kid1| Service Name: squid
2020/07/10 14:29:14 kid1| WARNING: check_cp #Hlpr1 exited
2020/07/10 14:29:14 kid1| ERROR: The check_cp helpers are crashing too rapidly, need help!
2020/07/10 14:29:15 kid1| WARNING: check_cp #Hlpr2 exited
2020/07/10 14:29:15 kid1| ERROR: The check_cp helpers are crashing too rapidly, need help!

Seems to be a Squid 4 issue,
but changing external_acl_type to the correct format (%>a instead of %SRC, see http://www.squid-cache.org/Doc/config/external_acl_type/) doesn't help.

'echo "192.168.1.10" | /usr/local/bin/check_ip.php' works fine

History

#1 Updated by Christophe PLUMEL 4 months ago

I have the same problem (WPAD + explicit Squid with Captive Portal authentication) since I updated pfSense to 2.4.5 and the squid package to 0.4.44_28.
Everything worked perfectly before the update.
Symptom: no user authentication in Squid and access denied (TCP_DENIED/403).

I've tried a lot of things but nothing works; it's not a network setting problem.

I hope someone will find a solution! :)

#2 Updated by Bruno Le Fellic 6 days ago

Hello,
I have the same problem on a fresh new installation with versions:
- pfSense 2.4.4-RELEASE-p1
- Squid 0.4.44_32
The authenticated user is seen as logged in on the page "Status > Captive Portal". It always gets a 403 error except for domains in the ACL whitelist of the squid config.
Regards,
Bruno

#3 Updated by Brendan Gallagher 3 days ago

It appears that squid is passing an extra "-" after the IP address to check_ip.php
e.g. 10.10.10.10 -
I am not proficient in modifying the squid config file so my workaround was to modify check_ip.php
replace
$check_ip = trim(fgets(STDIN));
with
$check_ip = preg_replace('/[^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}]/', '', fgets(STDIN));
Not sure if it will work in all cases but it seems to work for me.
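
Added example, not part of the thread and not pfSense's check_ip.php: it runs the workaround regex from comment #3 next to a stricter parse of the helper input line, to show what each accepts. The function names and sample lines are constructed for illustration.

```php
<?php
// Added example; function names and sample input are hypothetical.

/**
 * Stricter parse of one line Squid writes to an external ACL helper.
 * The thread reports Squid 4 sending "10.10.10.10 -", so only the first
 * whitespace-delimited token is taken and it must be a valid IP address.
 * Returns the IP string, or null when the line carries no valid IP.
 */
function parse_helper_line(string $line): ?string
{
    $tokens = preg_split('/\s+/', trim($line), -1, PREG_SPLIT_NO_EMPTY);
    if (!$tokens) {
        return null;
    }
    $ip = filter_var($tokens[0], FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

/**
 * The replacement from comment #3, unchanged. The pattern is a negated
 * character class: it deletes every character that is not a digit, '.',
 * '{', '}' or ',', and does not check the dotted-quad shape.
 */
function strip_with_workaround(string $line): string
{
    return preg_replace('/[^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}]/', '', $line);
}

// Constructed sample lines, as a helper would read them from STDIN.
$samples = [
    "192.168.1.10\n",          // bare IP, as in the echo test in the description
    "10.10.10.10 -\n",         // IP followed by "-", as reported in comment #3
    "10.10.10.10 1.2.3.4\n",   // second token is merged in by the workaround
    "999.1.1.1 -\n",           // not a valid IPv4 address
    "-\n",                     // no IP at all
];

foreach ($samples as $line) {
    printf(
        "%-26s strict=%-14s workaround=%s\n",
        json_encode($line),
        parse_helper_line($line) ?? 'null',
        json_encode(strip_with_workaround($line))
    );
}
```

A helper built on the stricter parse would answer ERR whenever it returns null, before any captive portal lookup is attempted.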

#4 Updated by Viktor Gurov 3 days ago

Fixes/improvements in this PR:
- Regexp for STDIN
- Checks all enabled CP DBs
- Checks if client's IP is in 'Allowed IP Addresses' list

https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/3

#5 Updated by Jim Pingle 3 days ago

  • Status changed from New to Pull Request Review

#6 Updated by Renato Botelho 2 days ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR merged. Thanks!

#8 Updated by Viktor Gurov 2 days ago

  • Status changed from Resolved to New

small improvement - Use IP as username for allowedip hosts:
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/4
