<div dir="ltr"><div><div><div>Hi,<br><br></div>I've configured squid 3.5.19 to allow only AD-authenticated users. The strange thing I've found is that the same domain is both denied and allowed.<br><br></div><div>In some browsers I had problems with <a href="http://yahoo.com">yahoo.com</a>, which won't load the pages correctly. Besides that, I used squidanalyzer, and it's a problem that it counts some URLs as denied when in most cases they are allowed:<br><br>## Log files<br><br>/var/log/squid/access.log<br>192.168.50.41 - -
[19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1"
407 4634 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0)
Gecko/20100101 Firefox/41.0" TCP_DENIED:HIER_NONE<br>192.168.50.41 -
juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443
HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0)
Gecko/20100101 Firefox/41.0" TAG_NONE:HIER_DIRECT<br><br>## /var/log/squid/cache.log<br><br>It's long, so you can take a look at <br><a href="http://pastebin.com/P2Ey6XcH">http://pastebin.com/P2Ey6XcH</a><br></div><div><br>Please could you explain it to me?<br><br></div><div>## Configuration:<br></div><br>/etc/squid/squid.conf:<br><br>
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network<br>
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network<br>
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network<br>
acl localnet src fc00::/7 # RFC 4193 local private network range<br>
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br>
acl SSL_ports port 443<br>
acl Safe_ports port 80 # http<br>
acl Safe_ports port 21 # ftp<br>
acl Safe_ports port 443 # https<br>
acl Safe_ports port 70 # gopher<br>
acl Safe_ports port 210 # wais<br>
acl Safe_ports port 1025-65535 # unregistered ports<br>
acl Safe_ports port 280 # http-mgmt<br>
acl Safe_ports port 488 # gss-http<br>
acl Safe_ports port 591 # filemaker<br>
acl Safe_ports port 777 # multiling http<br>
acl CONNECT method CONNECT<br>
acl step1 at_step SslBump1<br>
acl step2 at_step SslBump2<br>
acl step3 at_step SslBump3<br>
acl nobumpSites ssl::server_name "/etc/squid/acls/nobumpSites.txt"<br>
http_access deny !Safe_ports<br>
http_access deny CONNECT !SSL_ports<br>
http_access allow localhost manager<br>
http_access deny manager<br>
acl social_ips dst "/etc/squid/acls/social_ips"<br>
acl social_dom dstdomain "/etc/squid/acls/social_dom"<br>
acl whitelist_ips src "/etc/squid/acls/whitelist_ips"<br>
auth_param negotiate program /usr/lib64/squid/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE --kerberos /usr/lib64/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME<br>
auth_param negotiate children 10<br>
auth_param negotiate keep_alive on<br>
acl kerb_auth proxy_auth REQUIRED<br>
ssl_bump peek step1 all # at step 1 we're peeking at client TLS-request in order to find the "SNI"<br>
ssl_bump peek step2 nobumpSites # here we're peeking at server certificate<br>
ssl_bump splice step3 nobumpSites # here we're splicing connections which match the whitelist<br>
ssl_bump stare step2 # here we're staring at server certificate<br>
ssl_bump bump step3 # finally we're bumping all other SSL connections at step 3<br>
http_access allow localhost<br>
http_access deny !kerb_auth<br>
http_access allow kerb_auth whitelist_ips<br>
http_access deny social_ips<br>
http_access deny social_dom<br>
acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+<br>
acl connect method CONNECT<br>
http_access deny connect numeric_IPs all<br>
http_access allow localnet<br>
http_access deny all<br>
always_direct allow all<br>
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB<br>
visible_hostname kanban.example.local<br>
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=6MB cert=/etc/squid/ssl_cert/myCA.pem<br>
coredump_dir /var/spool/squid<br>
refresh_pattern ^ftp: 1440 20% 10080<br>
refresh_pattern ^gopher: 1440 0% 1440<br>
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
refresh_pattern . 0 20% 4320<br>
url_rewrite_program /usr/sbin/ufdbgclient -l /var/ufdbguard/logs<br>
url_rewrite_children 64<br>
access_log daemon:/var/log/squid/access.log combined<br>
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %mt<br>
debug_options ALL,1 33,2 28,9<br><br></div><div>EOF<br><br></div><div>Thanks in advance!<br></div><div><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">--<br>Sergio Belkin<br>LPIC-2 Certified - <a href="http://www.lpi.org" target="_blank">http://www.lpi.org</a></div></div></div></div>
</div></div>
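The 407-then-200 pair in the access.log above is the normal proxy-auth handshake: the browser's first CONNECT carries no credentials, Squid answers 407 Proxy Authentication Required (logged as TCP_DENIED with no user name), and the retry with the Negotiate token gets 200. As an added example, not code from the original post or from Squid, here is a small Python parser for the `combined` logformat defined in that squid.conf which separates those challenges from real policy denials by pairing each 407 with the credentialed retry for the same client and URL; the first two sample lines are the pair quoted above (user agent shortened), the 403 line and the `social.example.invalid` host are constructed.

```python
import re
from collections import defaultdict
# Field layout of the "combined" logformat defined in the squid.conf above:
# %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %mt
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<ver>[\d.]+)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<squid_status>[A-Z0-9_]+):(?P<hier>[A-Z0-9_]+)'
    r'(?: (?P<mime>\S+))?$')

# Sample input: the first two lines are the pair quoted from access.log above (user agent
# shortened); the third is constructed to stand for a real policy denial, e.g. a social_dom hit.
SAMPLE_LINES = [
    '192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 407 4634 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE',
    '192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0" TAG_NONE:HIER_DIRECT',
    '192.168.50.41 - juan.perez [19/Aug/2016:12:20:01 -0300] "GET http://social.example.invalid/ HTTP/1.1" 403 3500 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE text/html',
]

def parse_line(line):
    """Split one access.log line into its fields; raise on anything that is not this logformat."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a 'combined' access.log line: " + line)
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    """A 407 with no user name is the Negotiate challenge, not a denial by an http_access rule."""
    if entry["status"] == 407 and entry["user"] == "-" and entry["squid_status"] == "TCP_DENIED":
        return "auth_challenge"
    if entry["status"] in (403, 407) or entry["squid_status"] == "TCP_DENIED":
        return "denied"
    return "allowed"

def summarize(lines):
    """Count entries per class and pair each challenge with the credentialed retry for the same client and URL."""
    counts = defaultdict(int)
    pending = {}  # (client, method, url) -> challenge still waiting for its retry
    for entry in map(parse_line, lines):
        kind = classify(entry)
        counts[kind] += 1
        key = (entry["client"], entry["method"], entry["url"])
        if kind == "auth_challenge":
            pending[key] = entry
        elif key in pending:
            counts["challenge_completed"] += 1  # the browser came back with a token
            del pending[key]
    counts["challenge_unanswered"] = len(pending)  # no retry: the client could not authenticate
    return dict(counts)
```

Only the `denied` bucket reflects http_access decisions; a large `challenge_unanswered` count points at clients that never complete the Negotiate exchange, which is where the Yahoo page-load problem would show up.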