[squid-users] Squid and SSL Bump

Amos Jeffries squid3 at treenet.co.nz
Sat Jan 13 18:28:00 UTC 2018

On 13/01/18 02:00, Yoinier Hernandez Nieves wrote:
> The user ynieves is member of ad groups “internet”, “socialNetwork”, “youtube” and “moderadoresSocNet"

So most of your http_access lines end with group checks. That could be a 
problem later. Right now it's not clear which would be rejecting with 
that auth message, and the status being 403 indicates a hard failure 
rather than re-auth.

I suggest doing the usual thing of placing a single "http_access deny 
!users" line first, then appending " all" to the lines that normally end 
with a group check.


   http_access deny !users

   http_access allow cubaDomains cubaPC all
   http_access allow cubaDomains national all
   http_access allow cubaDomains internet all
   http_access deny SQUISHED1 all

   http_access allow socialDomains moderadoresSocNet all
   http_access allow socialTime socialDomains socialNetwork all
   http_access allow socialTime youtubeDomains youtuber all

For the delay pools there is no need to re-authenticate at all. Use the 
"note" ACL type to check that a username exists. Like so:

   acl loggedIn note user .

   delay_access 2 allow loggedIn workTime \
     !extDownloads !extDocuments !delaysFree

Also, the pool using only "-1/-1" as its parameters should be removed. 
Squid links multiple pools to a transaction, so it is not doing what you 
think it does. To make certain transactions unlimited simply deny them 
being added to the other pools. That will also make your existing rules 
much simpler:

   delay_access 2 deny delaysFree
   delay_access 2 allow loggedIn workTime !extDownloads !extDocuments
   delay_access 2 deny all

Also, your media and mediapr checks are slow regex tests. They should be 
placed after the default security checks.

If the problem remains after all the above changes are made you will 
need to track down what is generating the error page using cache.log 
trace with "debug_options ALL,5".
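One way to mechanise the checks in this reply, as an added example that is not part of the thread or of Squid: a small Python linter that flags an http_access line ending with a group/auth ACL, a first credential-using line that is not the "deny !users" gate, a delay pool whose buckets are all -1/-1, and a misspelled directive, and that emits the http_access lines rewritten with the gate first and " all" appended. The sample squid.conf is constructed; the ACL names follow the thread, while the helper path, the ADGroup external ACL type and the list of known directives are assumptions. On a real box "squid -k parse" remains the authoritative syntax check.

```python
# Added example; not code from the squid-users thread or from Squid itself.
# SAMPLE_CONF is constructed: ACL names follow the thread, the helper path and
# the "ADGroup" external ACL type are assumptions.
SAMPLE_CONF = """\
acl users proxy_auth REQUIRED
external_acl_type ADGroup %LOGIN /usr/lib/squid/ext_ldap_group_acl
acl internet external ADGroup internet
acl socialNetwork external ADGroup socialNetwork
acl moderadoresSocNet external ADGroup moderadoresSocNet
acl cubaDomains dstdomain .cu
acl socialDomains dstdomain .facebook.com .twitter.com
acl delaysFree src 10.0.0.0/8
acl extDownloads urlpath_regex -i \\.(iso|zip|exe)$
http_access allow cubaDomains internet
http_access allow socialDomains moderadoresSocNet
http_access allow socialDomains socialNetwork
delay_pools 2
delay_parameters 1 -1/-1 -1/-1
delay_parameters 2 512000/512000 64000/64000
denya_access 2 deny delaysFree
delay_access 2 allow users !extDownloads
"""

# Partial list of squid.conf directives (assumption), enough for this fragment;
# "squid -k parse" is what rejects unknown directives on a real install.
KNOWN_DIRECTIVES = {
    "acl", "auth_param", "external_acl_type", "http_access", "http_port",
    "delay_pools", "delay_class", "delay_parameters", "delay_access",
    "debug_options", "cache_peer", "ssl_bump",
}


def parse(conf):
    """Split squid.conf text into token lists, dropping comments and blank lines."""
    tokens = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tokens.append(line.split())
    return tokens


def auth_acls(tokens):
    """Names of ACLs that need credentials: proxy_auth ACLs and external ACLs
    whose helper format carries %LOGIN (the AD group lookups)."""
    login_types = {t[1] for t in tokens
                   if t[0] == "external_acl_type" and "%LOGIN" in t[2:]}
    names = set()
    for t in tokens:
        if t[0] == "acl" and len(t) >= 3:
            if t[2] == "proxy_auth" or (t[2] == "external" and len(t) > 3 and t[3] in login_types):
                names.add(t[1])
    return names


def is_auth_gate(t, proxy_auth):
    """True for the single 'http_access deny !<proxy_auth acl>' line."""
    return t[1] == "deny" and len(t) == 3 and t[2].startswith("!") and t[2][1:] in proxy_auth


def lint(conf):
    """Return a list of human-readable problems found in the fragment."""
    tokens = parse(conf)
    auth = auth_acls(tokens)
    proxy_auth = {t[1] for t in tokens if t[0] == "acl" and len(t) >= 3 and t[2] == "proxy_auth"}
    http = [t for t in tokens if t[0] == "http_access"]
    problems = []
    for t in tokens:  # misspelled directive, e.g. denya_access
        if t[0] not in KNOWN_DIRECTIVES:
            problems.append(f"unknown directive '{t[0]}' (typo?): {' '.join(t)}")
    for t in http:  # the first line that needs credentials should be the deny !users gate
        if any(a.lstrip("!") in auth for a in t[2:]):
            if not is_auth_gate(t, proxy_auth):
                problems.append("first credential-using http_access line is not "
                                "'deny !<proxy_auth acl>': " + " ".join(t))
            break
    for t in http:  # a group check as the last ACL on the line: append 'all'
        if t[-1].lstrip("!") in auth and not is_auth_gate(t, proxy_auth):
            problems.append("group/auth ACL is the last ACL on the line; append 'all': " + " ".join(t))
    for t in tokens:  # a pool whose every bucket is -1/-1 limits nothing
        if t[0] == "delay_parameters" and len(t) > 2 and all(b == "-1/-1" for b in t[2:]):
            problems.append(f"delay pool {t[1]} is all -1/-1: remove it and deny those "
                            "transactions in the other pools instead")
    return problems


def fix_http_access(conf):
    """Rewrite the http_access lines as the reply suggests: the 'deny !users'
    gate first, and ' all' appended to lines that end with a group check."""
    tokens = parse(conf)
    auth = auth_acls(tokens)
    proxy_auth = sorted(t[1] for t in tokens if t[0] == "acl" and len(t) >= 3 and t[2] == "proxy_auth")
    out = []
    for t in tokens:
        if t[0] != "http_access":
            continue
        if t[-1].lstrip("!") in auth and not is_auth_gate(t, proxy_auth):
            t = t + ["all"]
        out.append(" ".join(t))
    if proxy_auth:
        gate = f"http_access deny !{proxy_auth[0]}"
        out = [gate] + [line for line in out if line != gate]
    return out


if __name__ == "__main__":
    for p in lint(SAMPLE_CONF):
        print("WARN:", p)
    print("\n".join(fix_http_access(SAMPLE_CONF)))
```

Running it on the constructed sample reports six problems (the typo, the missing gate, three lines ending in a group ACL, the -1/-1 pool); feeding the rewritten http_access lines back through the linter leaves only the typo and the pool, which the reply says to fix by hand.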


