[squid-users] TCP_DENIED/403 after Upgrading from 3.4.4 to 3.4.7 (ssl_bump enabled)

[Amos Jeffries]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/10/2014 3:21 a.m., Amos Jeffries wrote:
> On 9/10/2014 2:09 a.m., Tom Tom wrote:
>> I think, this behaviour was introduced with squid 3.4.4.1 
>> (http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13113.patch).
>
>>  I don't exactly understand this behaviour. Any hints for this?
> 
> Aha. I am guessing it is a combination of: * the previous
> ssl-bumped traffic was brokenly finding "invalid" credentials * an
> "empty" regex actually contains .* (is matching anything valid).
> 
> Meaning previously the "invalid" credentials would prevent the
> regex being even attempted. Now that the credentials validity is
> fixed the regex tests out and matches.
> 
> Try putting a single entry of "-" in /etc/squid/DENY_USERS_LOCAL.

Actually that would match any users with hyphen in their username.

For production use, if the experiment above actually works, use ^root$
or another username shich will never be assigned with explicit start
and end anchors.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUNUmhAAoJELJo5wb/XPRjxUwH/3Y3gDn7Cbt4ikAFyhAq+BlJ
tnvu2lC/WK5et8aWSsGGUtxDcOZtJoW9hYGWVIJs7wukqMlldvH7oWdGpJ/pS4tQ
KVpABF55n0Kt1ayRTpHzoE6eNDgVZt5lMcUk1OJnjW/wbibC5n6+BpBwyjg+Hf1X
StvV6y99kMvqWkHNgBYcwLXblV83GdtnX5xmCV6CnPZSry50bMc+m/4fiLSJojvG
unCMccmkw09697sPzJvZRe0CZbq8r3TRLfGJQEYqVem2FumpCoPQVDHIk82Q0B/y
nyMHOndz5PVnYr9VpuYy7pVokA74jJ5HstLVQsIW/i1TMjarUP/1dFYpG8sEDL4=
=/mvM
-----END PGP SIGNATURE-----