[squid-users] Squid and SSL Bump
squid3 at treenet.co.nz
Sat Jan 13 18:28:00 UTC 2018
On 13/01/18 02:00, Yoinier Hernandez Nieves wrote:
> The user ynieves is member of ad groups “internet”, “socialNetwork”, “youtube” and “moderadoresSocNet"
So most of your http_access lines end with group checks. That could be a
problem later. Right now its not clear which would be rejecting with
that auth message, and the status being 403 indicates a hard failure
rather than re-auth.
I suggest doing the usual thing of placing a single "http_access deny
!users" line first, then appending " all" to the lines that normally end
with a group check.
http_access deny !users
http_access allow cubaDomains cubaPC all
http_access allow cubaDomains national all
http_access allow cubaDomains internet all
http_access deny SQUISHED1 all
http_access allow socialDomains moderadoresSocNet all
http_access allow socialTime socialDomains socialNetwork all
http_access allow socialTime youtubeDomains youtuber all
For the delay pools there is no need to re-authenticate at all. Use the
"note" ACL type to check that a username exists. Like so:
acl loggedIn note user .
delay_access 2 allow loggedIn workTime \
!extDownloads !extDocuments !delaysFree
Also, the pool using only "-1/-1" as its paremeters should be removed.
Squid links multiple pools to a transaction, so it is not doing what you
think it does. To make certain transactions unlimited simply deny them
being added to the other pools. That will also make your existing rules
denya_access 2 deny delaysFree
delay_access 2 allow loggedIn workTime !extDownloads !extDocuments !
delay_access 2 deny all
Also, your media and mediapr checks are slow regex tests. They should be
placed after the default security checks.
If the problem remains after all the above changes are made you will
need to track down what is generating the error page using cache.log
trace with "debug_options ALL,5".
More information about the squid-users