[squid-users] Fwd: The user/password pair is correct, yet squid keeps sending me TCP_DENIED/407
Yanko Hernández Álvarez
yhdezalvarez at gmail.com
Tue Feb 16 15:31:30 UTC 2021
I just realized gmail was using the wrong reply address. Sorry about that.
> > acl GRP2 external ADGroup CN=UsuariosInternet,OU=UsersOU,DC=example,DC=com
> > acl GRP3 external ADGroup CN=GRP3,OU=UsersOU,DC=example,DC=com
> > acl GRP4 external ADGroup CN=GRP4,OU=UsersOU,DC=example,DC=com
>
> All these group checks will trigger re-authenticate if the user is not a
> member of the group(s) being checked - in case a different login would work.
>
> This issue is where the "all hack" comes from. Put "all" at the end of
> the deny lines which need to end with a group check. Or where possible
> rearrange the ACL checks to put some other ACL type after the group check.
>
>
> For example: ...
>
> > http_access deny !GRP3 !GRP2 !GRP4
>
> ... here:
>
> http_access deny !GRP3 !GRP2 !GRP4 all
>
>
> > http_access deny !InternalSites GRP3 !GRP2
>
> ... here:
> http_access deny GRP3 !GRP2 !InternalSites
>
>
> > http_access allow SocialNetworks GRP4
>
> ... here:
> http_access allow GRP4 SocialNetworks
Holy ..., that is a tricky detail!!!!
I just read https://wiki.squid-cache.org/action/show/Features/Authentication.
The squid team should put some warning on the config file or something
to bring this detail to prominence.
THANK YOU VERY MUCH!!!!
>
> > http_access deny SocialNetworks
> > acl BlackListedDomains1 dstdomain -n '/etc/squid/Sites/Forbidden/BlackListedDomains1'
> > http_access deny BlackListedDomains1
> > acl BlackListedDomains2 dstdomain -n '/etc/squid/Sites/Forbidden/BlackListedDomains2'
> > http_access deny BlackListedDomains2
> > acl BlackListedDomains3 dstdomain -n '/etc/squid/Sites/Forbidden/BlackListedDomains3'
> > http_access deny BlackListedDomains3
> > acl BlackListedDomains4 dstdomain -n '/etc/squid/Sites/Forbidden/BlackListedDomains4'
> > http_access deny BlackListedDomains4
>
> Any particular reason for so many different blacklists?
>
> It is a faster check and simpler config file to either have one
> blacklist file, or to load all the files as one ACL name.
Easy maintenance. I want to know/remember why I blacklisted some
specific domain. Keep in mind I "anonymised" the config file before
posting, so the generic names, the example.com domain, etc.
> > acl REBlackListedDomains1 dstdom_regex -i '/etc/squid/Sites/Forbidden/REBlackListedDomains1'
> > http_access deny REBlackListedDomains1
> > acl REBlackListedDomains2 dstdom_regex -i '/etc/squid/Sites/Forbidden/REBlackListedDomains2'
> > http_access deny REBlackListedDomains2
> > acl REBlackListedDomains3 dstdom_regex -i '/etc/squid/Sites/Forbidden/REBlackListedDomains3'
> > http_access deny REBlackListedDomains3
>
> Same for the regex blacklists.
>
Same for the regex blacklists. ;-)
>
> Amos
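
Added example (not part of the original thread, and not Squid project code): a small Python check for the pattern discussed above, an http_access line whose last ACL is a group check. It assumes ACLs of type external, proxy_auth and proxy_auth_regex are the credential-dependent ones; the function name and the SocialNetworks domain value are constructed for illustration.

```python
"""Lint a squid.conf for http_access rules whose last ACL is a credential check."""

# ACL types treated as credential-dependent (assumption of this example).
# "external" covers helper-based group lookups such as ADGroup in the thread.
AUTH_TYPES = {"external", "proxy_auth", "proxy_auth_regex"}

# Constructed sample: ACL names come from the thread, the dstdomain value is made up.
SAMPLE = """\
acl GRP2 external ADGroup CN=UsuariosInternet,OU=UsersOU,DC=example,DC=com
acl GRP3 external ADGroup CN=GRP3,OU=UsersOU,DC=example,DC=com
acl GRP4 external ADGroup CN=GRP4,OU=UsersOU,DC=example,DC=com
acl SocialNetworks dstdomain .social.example
http_access deny !GRP3 !GRP2 !GRP4
http_access deny !GRP3 !GRP2 !GRP4 all
http_access allow SocialNetworks GRP4
http_access allow GRP4 SocialNetworks
http_access deny SocialNetworks
"""


def find_trailing_auth_rules(conf_text):
    """Return (line_no, rule) for http_access rules that end on an auth ACL."""
    acl_types = {}
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if len(fields) >= 3 and fields[0] == "acl":
            # Repeated "acl NAME ..." lines extend one ACL; the type stays the same.
            acl_types.setdefault(fields[1], fields[2])
        elif len(fields) >= 3 and fields[0] == "http_access":
            # Negation does not change which ACL is evaluated last.
            last = fields[-1].lstrip("!")
            # The built-in "all" is never defined in the file, so it is not flagged.
            if acl_types.get(last) in AUTH_TYPES:
                findings.append((line_no, " ".join(fields)))
    return findings


if __name__ == "__main__":
    for line_no, rule in find_trailing_auth_rules(SAMPLE):
        print(f"line {line_no}: ends on a credential check: {rule}")
```

Flagged lines are candidates for the two fixes described in the thread: append "all", or move another ACL type after the group check.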