[squid-users] DENIED and ALLOWED at once?
Antony Stone
Antony.Stone at squid.open.source.it
Fri Aug 19 20:22:20 UTC 2016
On Friday 19 August 2016 at 20:41:11, Jok Thuau wrote:
> On Fri, Aug 19, 2016 at 9:33 AM, Sergio Belkin <sebelk at gmail.com> wrote:
> > /var/log/squid/access.log
> > 192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT
> > beap-bc.yahoo.com:443 HTTP/1.1" 407 4634 "-" "Mozilla/5.0 (Windows NT
> > 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TCP_DENIED:HIER_NONE
>
> This is unauthenticated (notice the "- -" after the IP)
>
> > 192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT
> > beap-bc.yahoo.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1;
> > WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TAG_NONE:HIER_DIRECT
>
> This one is authenticated (juan.perez). The code 407 in the first request
> means "proxy request authentication". So what happened here is that the
> user browsed, was asked for credentials (and maybe those were provided
> automatically), and then the request was resent with the creds included.
Given the timestamps (both 12:19:45; no time for a human to enter credentials
at a prompt) the browser did this automatically, and invisibly to the user.
> http_access deny !kerb_auth
>
> > http_access allow kerb_auth whitelist_ips
>
> And here is the config that causes that -- it's totally normal...
>
> Thanks,
Antony.
--
"In fact I wanted to be John Cleese and it took me some time to realise that
the job was already taken."
- Douglas Adams
Please reply to the list;
please *don't* CC me.
More information about the squid-users
mailing list