[squid-users] DENIED and ALLOWED at once?

Sergio Belkin sebelk at gmail.com
Fri Aug 19 16:33:36 UTC 2016


Hi,

I've configured squid 3.5.19 to allow only AD authenticated users; the
strange thing I've found is that the same domain is both denied and
allowed.

In some browsers I had problems with yahoo.com, which won't load the
pages correctly. Besides that, I used squidanalyzer, and it's a problem that
it counts some URLs as denied when in most cases they are allowed:

## Log files

/var/log/squid/access.log
192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 407 4634 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TCP_DENIED:HIER_NONE
192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TAG_NONE:HIER_DIRECT

## /var/log/squid/cache.log

It's long so you can take a look at
http://pastebin.com/P2Ey6XcH

Please, could you explain it to me?

## Configuration:

etc/squid/squid.conf:

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpSites ssl::server_name "/etc/squid/acls/nobumpSites.txt"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
acl social_ips dst "/etc/squid/acls/social_ips"
acl social_dom dstdomain "/etc/squid/acls/social_dom"
acl whitelist_ips src "/etc/squid/acls/whitelist_ips"
auth_param negotiate program /usr/lib64/squid/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE --kerberos /usr/lib64/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb_auth proxy_auth REQUIRED
ssl_bump peek step1 all               # at step 1 we're peeking at client TLS-request in order to find the "SNI"
ssl_bump peek step2 nobumpSites       # here we're peeking at server certificate
ssl_bump splice step3 nobumpSites     # here we're splicing connections which match the whitelist
ssl_bump stare step2                  # here we're staring at server certificate
ssl_bump bump step3                   # finally we're bumping all other SSL connections at step 3
http_access allow localhost
http_access deny  !kerb_auth
http_access allow kerb_auth whitelist_ips
http_access deny social_ips
http_access deny social_dom
acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl connect method CONNECT
http_access deny connect numeric_IPs all
http_access allow localnet
http_access deny all
always_direct allow all
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
visible_hostname kanban.example.local
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=6MB cert=/etc/squid/ssl_cert/myCA.pem
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
url_rewrite_program /usr/sbin/ufdbgclient -l /var/ufdbguard/logs
url_rewrite_children 64
access_log daemon:/var/log/squid/access.log combined
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %mt
debug_options ALL,1 33,2 28,9

EOF

Thanks in advance!

-- 
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
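As an added example (not code from the original post or from Squid), a small Python parser for the `combined` logformat shown above that separates 407 Proxy-Authentication challenges (a TCP_DENIED entry followed shortly by a successful retry for the same client and URL, which is the normal Negotiate handshake) from real policy denials; the 5-second window and the third sample log line are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches the logformat from the squid.conf above:
# %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %mt
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<ver>\S+)" (?P<status>\d{3}) (?P<size>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<squid_status>\S+):(?P<hier>\S+)'
)

def parse_line(line):
    """Parse one access.log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify(lines, window=timedelta(seconds=5)):
    """Count entries as 'auth_challenge', 'policy_denied' or 'allowed'.

    A 407 that is followed within `window` by a non-407 request from the same
    client for the same URL is the expected auth challenge, not a real denial.
    Any other TCP_DENIED entry is a policy denial (ACL, social_dom, etc.)."""
    recs = [r for r in map(parse_line, lines) if r]
    counts = Counter()
    for i, r in enumerate(recs):
        if r["status"] == "407":
            retried = any(
                o["client"] == r["client"] and o["url"] == r["url"]
                and o["status"] != "407"
                and timedelta(0) <= o["time"] - r["time"] <= window
                for o in recs[i + 1:]
            )
            counts["auth_challenge" if retried else "policy_denied"] += 1
        elif r["squid_status"].startswith("TCP_DENIED"):
            counts["policy_denied"] += 1
        else:
            counts["allowed"] += 1
    return counts

# First two lines are the ones quoted in the post; the third is constructed
# to show a genuine denial (a host matching a social_dom style ACL).
SAMPLE_LOG = [
    '192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 407 4634 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TCP_DENIED:HIER_NONE',
    '192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TAG_NONE:HIER_DIRECT',
    '192.168.50.41 - juan.perez [19/Aug/2016:12:20:01 -0300] "CONNECT social.example.com:443 HTTP/1.1" 403 3500 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE',
]

if __name__ == "__main__":
    print(dict(classify(SAMPLE_LOG)))
```

Running it on the sample yields one auth_challenge, one allowed and one policy_denied entry, so the yahoo.com 407 is not counted as a denial.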