[squid-users] TCP_DENIED/403 after Upgrading from 3.4.4 to 3.4.7 (ssl_bump enabled)

Tom Tom tomtux007 at gmail.com
Mon Oct 6 09:59:14 UTC 2014


Hi

After upgrading squid 3.4.4 to 3.4.7 (64-bit, self-compiled, the same
configure options, the same config file, ssl_bump with "ssl_bump
server-first all" enabled), I'm no longer able to access bumped
https sites because of a TCP_DENIED/403.


#---------------------- relevant parts of squid.conf ----------------------#
auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth
auth_param negotiate children 50 startup=10 idle=5
auth_param negotiate keep_alive on
acl AUTHENTICATED proxy_auth REQUIRED

external_acl_type SQUID_KERB_LDAP ttl=7200 children-max=50 children-startup=20 children-idle=5 negative_ttl=7200 %LOGIN /usr/local/squid/libexec/ext_kerberos_ldap_group_acl -g "Internet Users"
acl INTERNET_ACCESS external SQUID_KERB_LDAP
acl DENY_USERS_LOCAL proxy_auth_regex -i "/etc/squid/DENY_USERS_LOCAL"
...
...
http_access deny DENY_USERS_LOCAL all
http_access deny !INTERNET_ACCESS all
http_access deny !AUTHENTICATED all
http_access allow INTERNET_ACCESS AUTHENTICATED
http_access deny all
#---------------------- relevant parts of squid.conf ----------------------#

The purpose of the "DENY_USERS_LOCAL" file is to list all users (by
AD username) who shouldn't have internet access. In squid 3.4.4, I
had no restrictions with this directive. After upgrading to 3.4.7 (the
same config as in 3.4.4), I always get a TCP_DENIED/403. The
cache.log with debug activated looks like this:

#---------------------- cache.log ----------------------#
2014/09/09 14:35:24.539 kid2| Acl.cc(177) matches: checked: http_access#4 = 0
2014/09/09 14:35:24.540 kid2| Acl.cc(157) matches: checking http_access#5
2014/09/09 14:35:24.540 kid2| Acl.cc(157) matches: checking DENY_USERS_LOCAL
2014/09/09 14:35:24.540 kid2| Acl.cc(28) AuthenticateAcl: SslBumped request: It is an  encapsulated request do not authenticate
2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: DENY_USERS_LOCAL = 1
2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: http_access#5 = 1
2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: http_access = 1
2014/09/09 14:35:24.540 kid2| Checklist.cc(55) markFinished: 0x27cfb98 answer DENIED for match
2014/09/09 14:35:24.540 kid2| Checklist.cc(155) checkCallback: ACLChecklist::checkCallback: 0x27cfb98 answer=DENIED
#---------------------- cache.log ----------------------#


The file "DENY_USERS_LOCAL" is actually empty. Why does squid in
version 3.4.7 block me with "http_access deny DENY_USERS_LOCAL"?
What changed here in the current version? How can I enforce the "old
behaviour" (like 3.4.4)?

Many thanks.

Kind regards,
Tom
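
An added example (not part of the post and not Squid's own code) that replays the Acl.cc / Checklist.cc trace format quoted above: it reports which http_access line decided the request and flags any ACL that matched right after Squid logged that it would not authenticate the bumped, encapsulated request. The sample log is constructed from the lines in the post; the regexes assume the 3.4-era "matches: checking / checked:" debug wording.

```python
import re

# Constructed sample, modelled on the cache.log lines quoted in the post above.
SAMPLE_LOG = """\
2014/09/09 14:35:24.539 kid2| Acl.cc(177) matches: checked: http_access#4 = 0
2014/09/09 14:35:24.540 kid2| Acl.cc(157) matches: checking http_access#5
2014/09/09 14:35:24.540 kid2| Acl.cc(157) matches: checking DENY_USERS_LOCAL
2014/09/09 14:35:24.540 kid2| Acl.cc(28) AuthenticateAcl: SslBumped request: It is an  encapsulated request do not authenticate
2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: DENY_USERS_LOCAL = 1
2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: http_access#5 = 1
2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: http_access = 1
2014/09/09 14:35:24.540 kid2| Checklist.cc(55) markFinished: 0x27cfb98 answer DENIED for match
"""

CHECKING = re.compile(r"matches: checking (http_access#\d+)")
CHECKED = re.compile(r"matches: checked: (\S+) = ([01])")
NO_AUTH = re.compile(r"AuthenticateAcl: SslBumped request")
ANSWER = re.compile(r"markFinished: \S+ answer (\w+)")

def trace_http_access(log):
    # Replays the ACL trace: for each http_access#N line records the ACLs it
    # evaluated, their results, and which were evaluated without authentication.
    lines, current, unauth = {}, None, False
    result = {"decided_by": None, "answer": None, "lines": lines}
    for raw in log.splitlines():
        if m := CHECKING.search(raw):
            current = m.group(1)
            lines[current] = {"acls": [], "unauthenticated": []}
        elif NO_AUTH.search(raw):
            unauth = True                      # next "checked:" ran without auth
        elif m := CHECKED.search(raw):
            name, matched = m.group(1), m.group(2) == "1"
            if name == current and matched:
                result["decided_by"] = name    # this http_access line fired
            elif not name.startswith("http_access") and current:
                lines[current]["acls"].append((name, matched))
                if unauth:
                    lines[current]["unauthenticated"].append(name)
            unauth = False
        elif m := ANSWER.search(raw):
            result["answer"] = m.group(1)
    return result

def unauthenticated_matches(result):
    # ACLs that matched on a line although Squid skipped authentication:
    # on a bumped request these decide access on credentials never checked.
    return [(line, acl) for line, info in result["lines"].items()
            for acl, ok in info["acls"] if ok and acl in info["unauthenticated"]]
```

Run over the sample it reports http_access#5 as the deciding line with answer DENIED, and lists DENY_USERS_LOCAL as an ACL that matched without authentication.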

