[squid-users] TCP_DENIED/407 accessing webserver on same machine as squid

j m acctforjunk at yahoo.com
Sat May 27 01:10:30 UTC 2017

Yes, I sort of pieced together what I found online, which is probably dangerous.  I really need to become familiar with how exactly this works for security's sake if nothing else.

From: Amos Jeffries <squid3 at treenet.co.nz>
To: j m <acctforjunk at yahoo.com>; "squid-users at lists.squid-cache.org" <squid-users at lists.squid-cache.org>
Sent: Friday, May 26, 2017 2:53 PM
Subject: Re: [squid-users] TCP_DENIED/407 accessing webserver on same machine as squid

Ah, your problem seems to be a misunderstanding of how authentication works.

What Squid receives on messages can have three forms:

  1) no credentials at all
  2) correct credentials
  3) invalid credentials

Your definition of the auth_users ACL using "REQUIRED" takes care of the 
(1) situation. Squid will respond with 407 to get credentials from any 
client that does not send any. This is what you are seeing on that 
second log line of your previous post, and the popup in your tests.

Now the "http_access allow auth_users" line only takes care of situation 
(2), permitting valid users.

Which leaves situation (3) undefined. ... All other traffic continues on 
to the next http_access line, which is "allow all", ouch.

This is why best practice is to use a "deny" line like so:
  http_access deny !auth_users

... which makes it clear what is happening for every non-authenticated 
thing, both situation (1) and (2) traffic.

Rules permitting things through without authenticating go above that 
http_access line, and things applying to authenticated users go below it.
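The three-case analysis above is easy to check mechanically. What follows is an added example, not code from the thread or from the Squid project: a small Python model of Squid's first-match `http_access` evaluation, with the `auth_users` ACL behaving as the `proxy_auth REQUIRED` ACL is described above (no credentials triggers a 407 challenge, valid credentials match, invalid credentials do not match). The two rule sets `WEAK` and `FIXED` are the ordering the original poster had and the `deny !auth_users` ordering recommended in the reply. The model is simplified by assumption: a real Squid decides for itself whether a denial on an auth ACL becomes a 403 or a fresh 407 challenge; here an invalid-credentials denial is simply reported as 403, and the "default is the opposite of the last line" rule is applied when nothing matches.

```python
# Added example (not from the thread or from Squid): a toy model of first-match
# http_access evaluation, used to show why "allow auth_users" followed by
# "allow all" admits requests carrying invalid credentials, and why
# "deny !auth_users" closes that gap.
#
# Assumptions (labelled): an auth ACL evaluated without credentials ends the
# check with a 407 challenge; a denial is reported as 403 (real Squid may
# re-challenge with 407 instead); with no matching line, the default is the
# opposite of the last line's action.

NO_CREDS, VALID, INVALID = "none", "valid", "invalid"


def auth_users(request):
    """Model of 'acl auth_users proxy_auth REQUIRED'.

    Returns True/False for match / no match, or the string "challenge" when
    the request carries no credentials at all (situation (1) in the thread).
    """
    creds = request["creds"]
    if creds == NO_CREDS:
        return "challenge"
    return creds == VALID          # situation (2) matches, situation (3) does not


# ACL table: name -> function(request) -> True | False | "challenge"
ACLS = {
    "auth_users": auth_users,
    "all": lambda request: True,
}


def evaluate(http_access, request):
    """Walk http_access lines in order; the first line whose ACL matches decides.

    http_access is a list of (action, acl) pairs, e.g. ("deny", "!auth_users").
    Returns an HTTP status: 200 (allowed), 403 (denied) or 407 (challenge).
    """
    for action, acl in http_access:
        negated = acl.startswith("!")
        result = ACLS[acl.lstrip("!")](request)
        if result == "challenge":
            return 407                      # Squid must ask for credentials first
        if result != negated:               # ACL matched once negation is applied
            return 200 if action == "allow" else 403
    # Nothing matched: default is the opposite of the last line's action.
    return 403 if http_access[-1][0] == "allow" else 200


# The ordering described in the thread: invalid credentials fall through to "allow all".
WEAK = [
    ("allow", "auth_users"),
    ("allow", "all"),
]

# The recommended ordering: unauthenticated exemptions would go above the
# deny line; everything for authenticated users goes below it.
FIXED = [
    ("deny", "!auth_users"),
    ("allow", "auth_users"),
    ("deny", "all"),
]


def outcomes(http_access):
    """Status code produced for each of the three credential situations."""
    return {creds: evaluate(http_access, {"creds": creds})
            for creds in (NO_CREDS, VALID, INVALID)}


if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("fixed", FIXED)):
        print(label, outcomes(rules))
```

Running it prints `weak {'none': 407, 'valid': 200, 'invalid': 200}` and `fixed {'none': 407, 'valid': 200, 'invalid': 403}`: both orderings challenge the credential-less client and admit the valid user, but only the `deny !auth_users` ordering stops the request with bad credentials, which is exactly the gap the reply points at.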

