[squid-users] DENIED and ALLOWED at once?

Antony Stone Antony.Stone at squid.open.source.it
Fri Aug 19 20:22:20 UTC 2016


On Friday 19 August 2016 at 20:41:11, Jok Thuau wrote:

> On Fri, Aug 19, 2016 at 9:33 AM, Sergio Belkin <sebelk at gmail.com> wrote:
> > /var/log/squid/access.log
> > 192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT
> > beap-bc.yahoo.com:443 HTTP/1.1" 407 4634 "-" "Mozilla/5.0 (Windows NT
> > 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TCP_DENIED:HIER_NONE
> 
> This is unauthenticated (notice the "- -" after the IP)
> 
> > 192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT
> > beap-bc.yahoo.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1;
> > WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TAG_NONE:HIER_DIRECT
> 
> This one is authenticated (juan.perez). The code 407 in the first request
> means "proxy request authentication". So what happened here is that the
> user browsed, was asked for credentials (and maybe those were provided
> automatically), and then the request was resent with the creds included.

Given the timestamps (both 12:19:45; no time for a human to enter credentials 
at a prompt) the browser did this automatically, and invisibly to the user.

> http_access deny  !kerb_auth
> 
> > http_access allow kerb_auth whitelist_ips
> 
> And here is the config that causes that -- it's totally normal...
> 
> Thanks,

Antony.

-- 
"In fact I wanted to be John Cleese and it took me some time to realise that 
the job was already taken."

 - Douglas Adams

                                                   Please reply to the list;
                                                         please *don't* CC me.


More information about the squid-users mailing list