[squid-users] TCP_DENIED/403 after Upgrading from 3.4.4 to 3.4.7 (ssl_bump enabled)

Tom Tom tomtux007 at gmail.com
Wed Oct 8 18:16:47 UTC 2014


I still get a TCP_DENIED/403 while accessing a bumped https-site after
putting a "-" or even "^root$" in /etc/squid/DENY_USERS_LOCAL. The
cache.log with "debug_options 29,3 28,9" activated looks like this:

014/10/08 20:03:00.539 kid2| Acl.cc(157) matches: checking DENY_USERS_LOCAL
2014/10/08 20:03:00.539 kid2| Acl.cc(28) AuthenticateAcl: SslBumped
request: It is an encapsulated request do not authenticate
2014/10/08 20:03:00.539 kid2| Acl.cc(177) matches: checked: DENY_USERS_LOCAL = 1
2014/10/08 20:03:00.539 kid2| Acl.cc(177) matches: checked: http_access#2 = 1
2014/10/08 20:03:00.540 kid2| Acl.cc(177) matches: checked: http_access = 1
2014/10/08 20:03:00.540 kid2| Checklist.cc(55) markFinished: 0x2905728
answer DENIED for match
2014/10/08 20:03:00.540 kid2| Checklist.cc(155) checkCallback:
ACLChecklist::checkCallback: 0x2905728 answer=DENIED
2014/10/08 20:03:00.540 kid2| Gadgets.cc(103) aclIsProxyAuth:
aclIsProxyAuth: called for DENY_USERS_LOCAL
2014/10/08 20:03:00.540 kid2| Acl.cc(118) FindByName: ACL::FindByName
'DENY_USERS_LOCAL'
2014/10/08 20:03:00.540 kid2| Gadgets.cc(108) aclIsProxyAuth:
aclIsProxyAuth: returning 1
2014/10/08 20:03:00.540 kid2| Gadgets.cc(71) aclGetDenyInfoPage: got
called for DENY_USERS_LOCAL


The concerning entries in squid.conf looks like this:
acl DENY_USERS_LOCAL proxy_auth_regex -i "/etc/squid/DENY_USERS_LOCAL"
...
http_access deny DENY_USERS_LOCAL
...


The meaning of the entries in the file DENY_USERS_LOCAL is denying
kerberos-authenticated AD-users. With squid 3.4.4, this worked fine.

Kind regards,
Tom


On Wed, Oct 8, 2014 at 4:26 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 9/10/2014 3:21 a.m., Amos Jeffries wrote:
>> On 9/10/2014 2:09 a.m., Tom Tom wrote:
>>> I think, this behaviour was introduced with squid 3.4.4.1
>>> (http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13113.patch).
>>
>>>  I don't exactly understand this behaviour. Any hints for this?
>>
>> Aha. I am guessing it is a combination of: * the previous
>> ssl-bumped traffic was brokenly finding "invalid" credentials * an
>> "empty" regex actually contains .* (is matching anything valid).
>>
>> Meaning previously the "invalid" credentials would prevent the
>> regex being even attempted. Now that the credentials validity is
>> fixed the regex tests out and matches.
>>
>> Try putting a single entry of "-" in /etc/squid/DENY_USERS_LOCAL.
>
> Actually that would match any users with hyphen in their username.
>
> For production use, if the experiment above actually works, use ^root$
> or another username shich will never be assigned with explicit start
> and end anchors.
>
> Amos
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (MingW32)
>
> iQEcBAEBAgAGBQJUNUmhAAoJELJo5wb/XPRjxUwH/3Y3gDn7Cbt4ikAFyhAq+BlJ
> tnvu2lC/WK5et8aWSsGGUtxDcOZtJoW9hYGWVIJs7wukqMlldvH7oWdGpJ/pS4tQ
> KVpABF55n0Kt1ayRTpHzoE6eNDgVZt5lMcUk1OJnjW/wbibC5n6+BpBwyjg+Hf1X
> StvV6y99kMvqWkHNgBYcwLXblV83GdtnX5xmCV6CnPZSry50bMc+m/4fiLSJojvG
> unCMccmkw09697sPzJvZRe0CZbq8r3TRLfGJQEYqVem2FumpCoPQVDHIk82Q0B/y
> nyMHOndz5PVnYr9VpuYy7pVokA74jJ5HstLVQsIW/i1TMjarUP/1dFYpG8sEDL4=
> =/mvM
> -----END PGP SIGNATURE-----
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users


More information about the squid-users mailing list