[squid-users] TCP_DENIED/403 after Upgrading from 3.4.4 to 3.4.7 (ssl_bump enabled)
Tom Tom
tomtux007 at gmail.com
Mon Oct 13 05:26:11 UTC 2014
Hi
Does anyone have some ideas/hints concerning this problem?
Many thanks.
Tom
On Wed, Oct 8, 2014 at 8:16 PM, Tom Tom <tomtux007 at gmail.com> wrote:
> I still get a TCP_DENIED/403 while accessing a bumped https-site after
> putting a "-" or even "^root$" in /etc/squid/DENY_USERS_LOCAL. The
> cache.log with "debug_options 29,3 28,9" activated looks like this:
>
> 014/10/08 20:03:00.539 kid2| Acl.cc(157) matches: checking DENY_USERS_LOCAL
> 2014/10/08 20:03:00.539 kid2| Acl.cc(28) AuthenticateAcl: SslBumped
> request: It is an encapsulated request do not authenticate
> 2014/10/08 20:03:00.539 kid2| Acl.cc(177) matches: checked: DENY_USERS_LOCAL = 1
> 2014/10/08 20:03:00.539 kid2| Acl.cc(177) matches: checked: http_access#2 = 1
> 2014/10/08 20:03:00.540 kid2| Acl.cc(177) matches: checked: http_access = 1
> 2014/10/08 20:03:00.540 kid2| Checklist.cc(55) markFinished: 0x2905728
> answer DENIED for match
> 2014/10/08 20:03:00.540 kid2| Checklist.cc(155) checkCallback:
> ACLChecklist::checkCallback: 0x2905728 answer=DENIED
> 2014/10/08 20:03:00.540 kid2| Gadgets.cc(103) aclIsProxyAuth:
> aclIsProxyAuth: called for DENY_USERS_LOCAL
> 2014/10/08 20:03:00.540 kid2| Acl.cc(118) FindByName: ACL::FindByName
> 'DENY_USERS_LOCAL'
> 2014/10/08 20:03:00.540 kid2| Gadgets.cc(108) aclIsProxyAuth:
> aclIsProxyAuth: returning 1
> 2014/10/08 20:03:00.540 kid2| Gadgets.cc(71) aclGetDenyInfoPage: got
> called for DENY_USERS_LOCAL
>
>
> The concerning entries in squid.conf looks like this:
> acl DENY_USERS_LOCAL proxy_auth_regex -i "/etc/squid/DENY_USERS_LOCAL"
> ...
> http_access deny DENY_USERS_LOCAL
> ...
>
>
> The meaning of the entries in the file DENY_USERS_LOCAL is denying
> kerberos-authenticated AD-users. With squid 3.4.4, this worked fine.
>
> Kind regards,
> Tom
>
>
> On Wed, Oct 8, 2014 at 4:26 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 9/10/2014 3:21 a.m., Amos Jeffries wrote:
>>> On 9/10/2014 2:09 a.m., Tom Tom wrote:
>>>> I think, this behaviour was introduced with squid 3.4.4.1
>>>> (http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13113.patch).
>>>
>>>> I don't exactly understand this behaviour. Any hints for this?
>>>
>>> Aha. I am guessing it is a combination of: * the previous
>>> ssl-bumped traffic was brokenly finding "invalid" credentials * an
>>> "empty" regex actually contains .* (is matching anything valid).
>>>
>>> Meaning previously the "invalid" credentials would prevent the
>>> regex being even attempted. Now that the credentials validity is
>>> fixed the regex tests out and matches.
>>>
>>> Try putting a single entry of "-" in /etc/squid/DENY_USERS_LOCAL.
>>
>> Actually that would match any users with hyphen in their username.
>>
>> For production use, if the experiment above actually works, use ^root$
>> or another username shich will never be assigned with explicit start
>> and end anchors.
>>
>> Amos
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.22 (MingW32)
>>
>> iQEcBAEBAgAGBQJUNUmhAAoJELJo5wb/XPRjxUwH/3Y3gDn7Cbt4ikAFyhAq+BlJ
>> tnvu2lC/WK5et8aWSsGGUtxDcOZtJoW9hYGWVIJs7wukqMlldvH7oWdGpJ/pS4tQ
>> KVpABF55n0Kt1ayRTpHzoE6eNDgVZt5lMcUk1OJnjW/wbibC5n6+BpBwyjg+Hf1X
>> StvV6y99kMvqWkHNgBYcwLXblV83GdtnX5xmCV6CnPZSry50bMc+m/4fiLSJojvG
>> unCMccmkw09697sPzJvZRe0CZbq8r3TRLfGJQEYqVem2FumpCoPQVDHIk82Q0B/y
>> nyMHOndz5PVnYr9VpuYy7pVokA74jJ5HstLVQsIW/i1TMjarUP/1dFYpG8sEDL4=
>> =/mvM
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list