[squid-users] DENIED and ALLOWED at once?

Sergio Belkin sebelk at gmail.com
Tue Aug 23 15:55:41 UTC 2016


2016-08-19 17:22 GMT-03:00 Antony Stone <Antony.Stone at squid.open.source.it>:

> On Friday 19 August 2016 at 20:41:11, Jok Thuau wrote:
>
> > On Fri, Aug 19, 2016 at 9:33 AM, Sergio Belkin <sebelk at gmail.com> wrote:
> > > /var/log/squid/access.log
> > > 192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT
> > > beap-bc.yahoo.com:443 HTTP/1.1" 407 4634 "-" "Mozilla/5.0 (Windows NT
> > > 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TCP_DENIED:HIER_NONE
> >
> > This is unauthenticated (notice the "- -" after the IP)
> >
> > > 192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT
> > > beap-bc.yahoo.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1;
> > > WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TAG_NONE:HIER_DIRECT
> >
> > This one is authenticated (juan.perez). The code 407 in the first request
> > means "proxy request authentication". So what happened here is that the
> > user browsed, was asked for credentials (and maybe those were provided
> > automatically), and then the request was resent with the creds included.
>
> Given the timestamps (both 12:19:45; no time for a human to enter credentials
> at a prompt) the browser did this automatically, and invisibly to the user.
>


Exactly it does so, but I wonder if TCP_DENIED is the proper message here.

It's a case of "client must first authenticate itself with the proxy"
(https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html), perhaps I'm
wrong, but would something such as TCP_UNAUTHORIZED be better?

However, I've found that I can create a rule in order to exclude such
messages in the logs:

http://squid-web-proxy-cache.1019090.n4.nabble.com/Too-many-TCP-DENIED-407-when-using-Kerberos-authentication-td4662372.html

And squid-analyzer has a directive to exclude them too:

ExcludedCodes  TCP_DENIED/407

Thanks!


> > http_access deny  !kerb_auth
> >
> > > http_access allow kerb_auth whitelist_ips
> >
> > And here is the config that causes that -- it's totally normal...
> >
> > Thanks,
>
> Antony.
>
> --
> "In fact I wanted to be John Cleese and it took me some time to realise that
> the job was already taken."
>
>  - Douglas Adams
>
>                                                    Please reply to the list;
>                                                          please *don't* CC me.
>


-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
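
Added example, not part of the original message or of Squid: a small Python check that separates the 407 challenges discussed above that are immediately followed by an authenticated retry from those that never are, so the latter stay visible even when TCP_DENIED/407 is filtered from reports. The sample log lines, the 2-second window and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (Squid "combined" logformat). Lines 1-2 mirror the pair
# quoted in the thread; line 3 is a 407 that is never retried with credentials.
SAMPLE_LOG = """\
192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 407 4634 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE
192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0" TAG_NONE:HIER_DIRECT
192.168.50.77 - - [19/Aug/2016:12:20:10 -0300] "CONNECT example.invalid:443 HTTP/1.1" 407 4634 "-" "curl/7.47" TCP_DENIED:HIER_NONE
"""

LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<result>\S+)$'
)

def parse(line):
    """Return a dict for one access.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def classify_407s(lines, window=timedelta(seconds=2)):
    """Split anonymous 407 challenges into (handshake, unanswered)."""
    # Handshake: same client, method and URL repeated with a user name and a
    # non-407 status within `window` (2 s is an assumed value, tune as needed).
    recs = [r for r in map(parse, lines) if r]
    handshake, unanswered = [], []
    for i, r in enumerate(recs):
        if r["status"] != 407 or r["user"] != "-":
            continue
        answered = any(
            n["client"] == r["client"] and n["url"] == r["url"]
            and n["method"] == r["method"] and n["user"] != "-"
            and n["status"] != 407
            and timedelta(0) <= n["ts"] - r["ts"] <= window
            for n in recs[i + 1:]
        )
        (handshake if answered else unanswered).append(r)
    return handshake, unanswered

if __name__ == "__main__":
    ok, review = classify_407s(SAMPLE_LOG.splitlines())
    print(len(ok), "handshake 407s;", len(review), "unanswered:", [r["client"] for r in review])
```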