[squid-users] TCP_DENIED/403 after Upgrading from 3.4.4 to 3.4.7 (ssl_bump enabled)

Tom Tom tomtux007 at gmail.com
Wed Oct 8 13:09:59 UTC 2014


I think this behaviour was introduced with squid 3.4.4.1
(http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13113.patch).

I don't exactly understand this behaviour.
Any hints for this?

Thanks a lot.
Kind regards,
Tom

On Mon, Oct 6, 2014 at 11:59 AM, Tom Tom <tomtux007 at gmail.com> wrote:
> Hi
>
> After upgrading squid 3.4.4 to 3.4.7 (64-bit, self-compiled, the same
> configure options, the same config file, ssl_bump with "ssl_bump
> server-first all" enabled), I'm no longer able to access bumped
> https sites because of a TCP_DENIED/403.
>
>
> #---------------------- relevant parts of squid.conf ----------------------#
> auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth
> auth_param negotiate children 50 startup=10 idle=5
> auth_param negotiate keep_alive on
> acl AUTHENTICATED proxy_auth REQUIRED
>
> external_acl_type SQUID_KERB_LDAP ttl=7200 children-max=50
> children-startup=20 children-idle=5 negative_ttl=7200 %LOGIN
> /usr/local/squid/libexec/ext_kerberos_ldap_group_acl -g "Internet
> Users"
> acl INTERNET_ACCESS external SQUID_KERB_LDAP
> acl DENY_USERS_LOCAL proxy_auth_regex -i "/etc/squid/DENY_USERS_LOCAL"
> ...
> ...
> http_access deny DENY_USERS_LOCAL all
> http_access deny !INTERNET_ACCESS all
> http_access deny !AUTHENTICATED all
> http_access allow INTERNET_ACCESS AUTHENTICATED
> http_access deny all
> #---------------------- relevant parts of squid.conf ----------------------#
>
> The purpose of the "DENY_USERS_LOCAL" file is to list all users (by
> AD username) who shouldn't have internet access. In squid 3.4.4, I
> had no restrictions with this directive. After upgrading to 3.4.7 (the
> same config as in 3.4.4), I always get a TCP_DENIED/403. The
> cache.log with debug activated looks like this:
>
> #---------------------- cache.log ----------------------#
> 2014/09/09 14:35:24.539 kid2| Acl.cc(177) matches: checked: http_access#4 = 0
> 2014/09/09 14:35:24.540 kid2| Acl.cc(157) matches: checking http_access#5
> 2014/09/09 14:35:24.540 kid2| Acl.cc(157) matches: checking DENY_USERS_LOCAL
> 2014/09/09 14:35:24.540 kid2| Acl.cc(28) AuthenticateAcl: SslBumped
> request: It is an  encapsulated request do not authenticate
> 2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: DENY_USERS_LOCAL = 1
> 2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: http_access#5 = 1
> 2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: http_access = 1
> 2014/09/09 14:35:24.540 kid2| Checklist.cc(55) markFinished: 0x27cfb98
> answer DENIED for match
> 2014/09/09 14:35:24.540 kid2| Checklist.cc(155) checkCallback:
> ACLChecklist::checkCallback: 0x27cfb98 answer=DENIED
> #---------------------- cache.log ----------------------#
>
>
> The file "DENY_USERS_LOCAL" is actually empty. Why does squid in the
> 3.4.7 version block me with the "http_access deny DENY_USERS_LOCAL" line?
> What changed here in the current version? How can I enforce the "old
> behaviour" (like 3.4.4)?
>
> Many thanks.
>
> Kind regards,
> Tom
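When reading a trace like the one quoted above, the two things to pin down are which http_access line produced the verdict and whether a credential-based ACL on that line was decided without an authentication lookup (the "SslBumped request: ... do not authenticate" notice immediately before DENY_USERS_LOCAL = 1). The script below is an added example, not code from the post or from Squid; it parses the `Acl.cc`/`Checklist.cc` debug lines in the format shown in the posted cache.log, reconstructs that information, and flags any ACL whose result followed the bumped-request notice. The sample log is constructed from the post's excerpt with the wrapped lines rejoined; the reading of `http_access#N` as the N-th http_access directive in squid.conf (counting lines the post elides with "...") is an assumption about Squid's numbering.

```python
import re
from typing import Dict, Optional

# Constructed sample: the cache.log excerpt from the post with wrapped lines
# rejoined. Timestamps and the checklist pointer are copied as posted.
SAMPLE_LOG = """\
2014/09/09 14:35:24.539 kid2| Acl.cc(177) matches: checked: http_access#4 = 0
2014/09/09 14:35:24.540 kid2| Acl.cc(157) matches: checking http_access#5
2014/09/09 14:35:24.540 kid2| Acl.cc(157) matches: checking DENY_USERS_LOCAL
2014/09/09 14:35:24.540 kid2| Acl.cc(28) AuthenticateAcl: SslBumped request: It is an  encapsulated request do not authenticate
2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: DENY_USERS_LOCAL = 1
2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: http_access#5 = 1
2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: http_access = 1
2014/09/09 14:35:24.540 kid2| Checklist.cc(55) markFinished: 0x27cfb98 answer DENIED for match
2014/09/09 14:35:24.540 kid2| Checklist.cc(155) checkCallback: ACLChecklist::checkCallback: 0x27cfb98 answer=DENIED
"""

# Line shapes taken from the posted log (Squid 3.4 ACL debug output).
CHECKING_RE = re.compile(r"matches: checking (\S+)$")
CHECKED_RE = re.compile(r"matches: checked: (\S+) = (-?\d+)$")
BUMPED_RE = re.compile(r"AuthenticateAcl: SslBumped request")
ANSWER_RE = re.compile(r"markFinished: \S+ answer (\w+)")


def parse_acl_trace(log_text: str) -> Dict:
    """Reconstruct which http_access line decided a request from an ACL trace.

    Assumption: http_access#N is the N-th http_access directive in squid.conf.
    Every ACL whose result is logged right after the bumped-request notice is
    recorded with auth_skipped=True, since no credential lookup preceded it.
    """
    trace = {
        "verdict": None,            # DENIED / ALLOWED from markFinished
        "decided_by": None,         # index of the first http_access line = 1
        "line_results": {},         # http_access line index -> 0/1
        "acls": {},                 # line index -> {acl name -> result/auth flag}
        "unauthenticated_auth_acls": [],
    }
    current_line: Optional[int] = None
    auth_skipped_since_check = False

    for raw in log_text.splitlines():
        line = raw.strip()
        m = CHECKING_RE.search(line)
        if m:
            name = m.group(1)
            if name.startswith("http_access#"):
                current_line = int(name.split("#", 1)[1])
                trace["acls"].setdefault(current_line, {})
            continue
        if BUMPED_RE.search(line):
            # Squid announced it will not authenticate this bumped request;
            # whatever ACL result comes next was reached without credentials.
            auth_skipped_since_check = True
            continue
        m = CHECKED_RE.search(line)
        if m:
            name, result = m.group(1), int(m.group(2))
            if name == "http_access":
                continue  # summary line for the whole directive list
            if name.startswith("http_access#"):
                n = int(name.split("#", 1)[1])
                trace["line_results"][n] = result
                if result == 1 and trace["decided_by"] is None:
                    trace["decided_by"] = n
                continue
            entry = {"result": result, "auth_skipped": auth_skipped_since_check}
            if current_line is not None:
                trace["acls"][current_line][name] = entry
            if auth_skipped_since_check:
                trace["unauthenticated_auth_acls"].append(name)
            auth_skipped_since_check = False
            continue
        m = ANSWER_RE.search(line)
        if m:
            trace["verdict"] = m.group(1)
    return trace


def summarize(trace: Dict) -> str:
    """One-line human summary of a parsed trace."""
    n = trace["decided_by"]
    if n is None:
        return f"no http_access line matched; verdict {trace['verdict']}"
    acls = ", ".join(f"{a}={e['result']}" for a, e in trace["acls"].get(n, {}).items())
    text = f"http_access#{n} matched ({acls}); verdict {trace['verdict']}"
    if trace["unauthenticated_auth_acls"]:
        text += ("; ACL(s) decided on a bumped request without an authentication "
                 "lookup: " + ", ".join(trace["unauthenticated_auth_acls"]))
    return text


if __name__ == "__main__":
    print(summarize(parse_acl_trace(SAMPLE_LOG)))
```

Run against the posted excerpt, the summary reports that http_access#5 matched on DENY_USERS_LOCAL = 1 and that this ACL was decided on a bumped request without an authentication lookup. That is the check to repeat after a Squid upgrade on any bumping proxy whose http_access list relies on proxy_auth or proxy_auth_regex ACLs: a deny line such as `http_access deny DENY_USERS_LOCAL all` is only as safe as the ACL's behaviour when credentials are not evaluated.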
