[squid-users] Chrome 69

Amos Jeffries squid3 at treenet.co.nz
Mon Oct 1 21:03:49 UTC 2018


On 2/10/18 9:28 AM, neok wrote:
> As far as I know, nothing's changed. The only thing that could have happened
> is that Chrome was updated. I'm reviewing that.
> 
> This is what Firefox says when I try to access a denied site:
> The proxy server is refusing connections.
> Firefox is configured to use a proxy server that is refusing connections.
> 

As you can see from the access.log, Squid is presenting 407 auth
challenges in response to these CONNECT requests.

It is welcome news to hear Chrome has finally been fixed to actually
perform authentication for CONNECT tunnels. While it may have been okay
with you, the previous behaviour is actually a long-standing Browser bug
and violation of HTTP on their part.




On 2/10/18 8:53 AM, neok wrote:
>
> Now Chrome shows me the login window every time I visit a denied site.
> I suspect Chrome has been updated and changed its behavior. I'm currently
> studying that possibility.
> I'm also rethinking whether the way I'm denying sites is the right one.

...
>
> http_access allow WEB_ACCESS_YT_ONLY LS_youtube
> http_access deny WEB_ACCESS_YT_ONLY

The "deny WEB_ACCESS_YT_ONLY" line is triggering the re-authentication.

When the reason for denial is due to credentials (i.e. %LOGIN for the
external ACL evaluation) a 407 authentication challenge is produced.

Notice that in the config I helped you develop a few days ago all the
other uses of these external ACL tests for "deny" action are followed by
another ACL test that is unrelated to the auth process. Usually a regex
or dstdomain check. It is these other ACL checks which prevent any of
those lines triggering similar auth challenges as they deny traffic.


Since the next thing your config is doing is a "deny all" you can remove
this "deny WEB_ACCESS_YT_ONLY" line entirely and the popups should
disappear while still having that traffic denied.


If you have other config policies to be added later there are some other
things you can do. But those will depend on what the other policies are
going to require, so I won't cover it now. Just be aware you may have to
revisit that YT access rule when adding other policies.


Amos
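
Added example, not part of the message above and not Squid's own code: a small Python check that flags `http_access deny` rules whose last ACL needs credentials, the pattern the reply identifies as producing a 407 challenge. The ACL definitions, helper path and function names are constructed for illustration; only the `http_access` rules come from the thread.

```python
# Constructed sample config. The http_access rules are the ones discussed in
# the thread; the ACL definitions and the helper path are placeholders.
SAMPLE_CONF = """\
external_acl_type group_check %LOGIN /path/to/group-helper
acl WEB_ACCESS_YT_ONLY external group_check yt_only
acl LS_youtube dstdomain .youtube.com
http_access allow WEB_ACCESS_YT_ONLY LS_youtube
http_access deny WEB_ACCESS_YT_ONLY
http_access deny all
"""

# ACL types that are evaluated against the user's proxy credentials.
AUTH_ACL_TYPES = {"proxy_auth", "proxy_auth_regex"}


def tokens(line):
    """Split a config line into words; comments and blanks give []."""
    tok = line.split()
    return [] if not tok or tok[0].startswith("#") else tok


def auth_acls(conf):
    """Names of ACLs that need credentials (proxy_auth or a %LOGIN helper)."""
    login_helpers, names = set(), set()
    for line in conf.splitlines():
        tok = tokens(line)
        if len(tok) >= 3 and tok[0] == "external_acl_type" and "%LOGIN" in tok:
            login_helpers.add(tok[1])
        elif len(tok) >= 3 and tok[0] == "acl":
            if tok[2] in AUTH_ACL_TYPES:
                names.add(tok[1])
            elif tok[2] == "external" and len(tok) >= 4 and tok[3] in login_helpers:
                names.add(tok[1])
    return names


def challenging_denies(conf):
    """(line_no, rule) for each deny rule whose last ACL is auth-related."""
    auth = auth_acls(conf)
    hits = []
    for no, line in enumerate(conf.splitlines(), 1):
        tok = tokens(line)
        if len(tok) >= 3 and tok[:2] == ["http_access", "deny"]:
            if tok[-1].lstrip("!") in auth:  # "!" negates an ACL name
                hits.append((no, " ".join(tok)))
    return hits


if __name__ == "__main__":
    for no, rule in challenging_denies(SAMPLE_CONF):
        print(f"line {no}: may trigger a 407 challenge: {rule}")
```
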

