[squid-users] TCP_DENIED/403 after Upgrading from 3.4.4 to 3.4.7 (ssl_bump enabled)

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 8 14:26:41 UTC 2014



On 9/10/2014 3:21 a.m., Amos Jeffries wrote:
> On 9/10/2014 2:09 a.m., Tom Tom wrote:
>> I think, this behaviour was introduced with squid 3.4.4.1 
>> (http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13113.patch).
>
>>  I don't exactly understand this behaviour. Any hints for this?
> 
> Aha. I am guessing it is a combination of:
> * the previous ssl-bumped traffic was brokenly finding "invalid" credentials
> * an "empty" regex actually contains .* (is matching anything valid).
> 
> Meaning previously the "invalid" credentials would prevent the
> regex being even attempted. Now that the credentials validity is
> fixed the regex tests out and matches.
> 
> Try putting a single entry of "-" in /etc/squid/DENY_USERS_LOCAL.

Actually that would match any users with hyphen in their username.

For production use, if the experiment above actually works, use ^root$
or another username which will never be assigned, with explicit start
and end anchors.

Amos
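
The matching behaviour discussed in this message, as an added example that is not part of the original post or of Squid's code: a small audit of deny-list entries against usernames. It assumes unanchored search semantics and uses Python's re module as a stand-in for the proxy's regex engine; the usernames and function names are constructed for illustration.

```python
import re

# Constructed sample usernames; none of these come from the thread.
SAMPLE_USERS = ["alice", "jean-luc", "svc-backup", "root", "bob"]


def denied_users(pattern, users=SAMPLE_USERS):
    """Users a deny-list entry matches when the regex is searched, not anchored."""
    rx = re.compile(pattern)
    return [u for u in users if rx.search(u)]


def audit_entry(pattern, users=SAMPLE_USERS):
    """Classify one deny-list entry by how much of the user base it catches."""
    hits = denied_users(pattern, users)
    # Simple textual check; it does not handle an escaped trailing "\$".
    anchored = pattern.startswith("^") and pattern.endswith("$")
    if len(hits) == len(users):
        verdict = "matches-everyone"
    elif hits and not anchored:
        verdict = "unanchored-partial-match"
    elif anchored:
        verdict = "anchored"
    else:
        verdict = "no-match"
    return {"pattern": pattern, "anchored": anchored, "hits": hits, "verdict": verdict}


def audit_file(text, users=SAMPLE_USERS):
    """Audit deny-list file content. An empty file is modelled as one empty
    pattern, following the thread's reading that it behaves like '.*'."""
    entries = [line.strip() for line in text.splitlines() if line.strip()] or [""]
    return [audit_entry(p, users) for p in entries]


if __name__ == "__main__":
    # Empty file, the "-" experiment, and the anchored placeholder entry.
    for content in ("", "-\n", "^root$\n"):
        for result in audit_file(content):
            print(repr(result["pattern"]), result["verdict"], result["hits"])
```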

