[squid-users] TCP_DENIED/407 accessing webserver on same machine as squid
Amos Jeffries
squid3 at treenet.co.nz
Fri May 26 19:52:52 UTC 2017
Ah, your problem seems to be a misunderstanding of how authentication works.

What Squid receives on messages can have three forms:

 1) no credentials at all
 2) correct credentials
 3) invalid credentials

Your definition of the auth_users ACL using "REQUIRED" takes care of the
(1) situation. Squid will respond with 407 to get credentials from any
client that does not send any. This is what you are seeing on that
second log line of your previous post, and the popup in your tests.

Now the "http_access allow auth_users" line only takes care of situation
(2), permitting valid users.

Which leaves situation (3) undefined. ... All other traffic continues on
to the next http_access line, which is "allow all", ouch.

This is why best practice is to use a "deny" line like so:

  http_access deny !auth_users

... which makes it clear what is happening for every non-authenticated
thing, both situation (1) and (2) traffic.

Rules permitting things through without authenticating go above that
http_access line, and things applying to authenticated users go below it.

Amos
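
Added example (not part of the original message and not Squid's code): a simplified Python model of first-match http_access evaluation as the message describes it, comparing the "allow auth_users" then "allow all" ordering with the "deny !auth_users" ordering. The ACL name local_web, the rule lists and the sample requests are constructed assumptions.

```python
# Simplified model of the rule walk described in the message above.
# Assumptions: ACL name "local_web" and all sample requests are constructed.

NONE, VALID, INVALID = "none", "valid", "invalid"

def acl_matches(acl, req):
    """Return True/False, or "challenge" when auth_users sees no credentials."""
    if acl == "all":
        return True
    if acl == "local_web":             # hypothetical ACL: destination is the local web server
        return req["dst_local"]
    if acl == "auth_users":            # models: acl auth_users proxy_auth REQUIRED
        if req["creds"] == NONE:
            return "challenge"         # situation (1): answered with 407
        return req["creds"] == VALID   # situation (2) matches, (3) does not
    raise ValueError("unknown ACL: " + acl)

def evaluate(rules, req):
    """Walk the http_access lines top to bottom; the first matching line decides."""
    for action, acl in rules:
        negate = acl.startswith("!")
        result = acl_matches(acl.lstrip("!"), req)
        if result == "challenge":
            return "407"
        if result != negate:           # plain ACL matched, or negated ACL did not
            return action
    return "deny"                      # model choice; both rule sets below end in "all"

# Ordering from the thread: invalid credentials fall through to "allow all".
WEAK = [("allow", "auth_users"), ("allow", "all")]

# Ordering the message recommends: unauthenticated exceptions above the
# deny line, rules for authenticated users below it.
HARDENED = [("allow", "local_web"), ("deny", "!auth_users"), ("allow", "all")]

def outcomes(rules, dst_local=False):
    """Outcome for each of the three credential situations."""
    return {c: evaluate(rules, {"creds": c, "dst_local": dst_local})
            for c in (NONE, VALID, INVALID)}

if __name__ == "__main__":
    print("weak     :", outcomes(WEAK))
    print("hardened :", outcomes(HARDENED))
    print("hardened, local web server:", outcomes(HARDENED, dst_local=True))
```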