[squid-users] Squid 3.5.22 Bug when using Mimetype Detection? rep_mime_type

Amos Jeffries squid3 at treenet.co.nz
Tue Jan 10 04:51:27 UTC 2017


On 10/01/2017 3:31 a.m., Flashdown wrote:
> Hi Amos,
> 
> sry that my reply took that long.
> 
> I've tested with Squid 3.5.23 on Debian Stretch and the issue is still
> present. Also I was able to create the same issue with the Online OTRS
> Demo website as I had with our internal one.
> 
> I did run it with the debug options you gave me. Since you requested
> more info about my config, I stripped a lot out and made sure the issue
> is still the same. XXXXXXXXXXXX indicates that I replaced the whole line
> with XXX.. to ensure no sensitive data is leaked.
> 
> So I found out when allowing an IP without authentication and without
> group membership before the real auth is required for everything else,
> then the issue is triggered when Mimetype detection is used. I couldn't
> find a way to avoid the issue. unless I remove the http_access line for
> the target that should be accessible without authentication and without
> group membership. Or I remove the Mimetype Detection lines or better the
> exception for my group.

The problem there is that reply time is too late to begin authentication
of the group membership.

> 
> I hope you can confirm this as a bug or tell me what I made wrong.
> 

You need to have http_reply_access bypassing authentication and group
checks when http_access does.


Regarding your config:

> 
> acl SSL_ports port 443
> acl wwwports port 80 443 8082 7212
> acl CONNECT method CONNECT
> 
> # Testing against otrs-demo website http://otrs-demo.otrs.com/otrs/index.pl
> acl testing dst 178.63.99.24
> http_access allow testing
> 
> acl ntlm_users proxy_auth REQUIRED
> http_access deny !ntlm_users all

The 'all' on the end prevents authentication being done. BUT no security
aware client software will send credentials without an auth challenge.
So the above should be essentially "deny all".


> 
> dns_v4_first on
> 
> acl cache_all src all
> acl cache_out dst all
> cache deny cache_all cache_out

The above is equivalent to "cache deny all".

To properly disable HTTP caching configure:
  cache deny all
  cache_mem 0

> 
> acl IT external nt_group IT
> 
> acl block_mimetypes rep_mime_type "/etc/squid/mimetype_blacklist.acl"
> deny_info ERR_BLOCKED_FILES block_mimetypes
> 
> acl mime_IT rep_mime_type application/octet-stream
> 
> http_reply_access allow IT mime_IT
> 
> 
> http_reply_access deny block_mimetypes
> 
> #Added just for fun, somehow same behavior ;) before I used something like http_access allow IT wwwports
> http_access allow all
> 
> http_access deny all
> 
> http_access allow manager localhost
> http_access deny manager
> 
> http_access deny !wwwports
> http_access deny CONNECT !SSL_ports
> 
> http_access allow localhost
> http_access deny all

Amos
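For readers arriving at this thread from a search: the following squid.conf skeleton is an added editorial example, not configuration from the original post or from the Squid project. It applies the three points made above to the posted configuration: the unauthenticated destination is allowed in http_reply_access before any reply rule that depends on credentials or group membership (authentication cannot be started at reply time), the trailing "all" is dropped from the proxy_auth deny line so the 407 challenge can be sent, and caching is disabled with "cache deny all" plus "cache_mem 0". ACL names, the blacklist path and the error page name are the ones in the thread; the "allow ntlm_users" line is an assumption standing in for whatever rules the site uses for authenticated users (the poster mentioned "allow IT wwwports").

```conf
# Added example (editorial, not from the thread). ACL names, the blacklist
# path and ERR_BLOCKED_FILES are taken from the posted config; the
# "allow ntlm_users" rule is an assumed placeholder for the site's own
# authenticated-user rules.

acl SSL_ports port 443
acl wwwports port 80 443 8082 7212
acl CONNECT method CONNECT

acl testing dst 178.63.99.24
acl ntlm_users proxy_auth REQUIRED
acl IT external nt_group IT

acl block_mimetypes rep_mime_type "/etc/squid/mimetype_blacklist.acl"
deny_info ERR_BLOCKED_FILES block_mimetypes
acl mime_IT rep_mime_type application/octet-stream

# Request-time rules; first matching line wins, so the management and
# port/CONNECT restrictions go first, before anything is allowed.
http_access allow manager localhost
http_access deny manager
http_access deny !wwwports
http_access deny CONNECT !SSL_ports

# Exception reachable without credentials and without a group lookup.
http_access allow testing

# proxy_auth must be the last ACL on the line so that Squid can issue the
# authentication challenge. The posted "deny !ntlm_users all" never
# challenges and therefore behaves like "deny all".
http_access deny !ntlm_users

http_access allow localhost
http_access allow ntlm_users
http_access deny all

# Reply-time rules. The unauthenticated destination is let through first:
# at this point there are no credentials and no group result for it, so
# any rule that consults IT (nt_group) would fail for those replies.
http_reply_access allow testing
http_reply_access allow IT mime_IT
http_reply_access deny block_mimetypes
http_reply_access allow all

# Disable HTTP caching. The posted cache_all/cache_out pair is just
# "cache deny all"; cache_mem 0 also drops the in-memory object cache.
cache deny all
cache_mem 0
```

The two rule sets must agree: every destination that http_access lets through without authentication needs a matching http_reply_access allow placed before the group-dependent reply rules, otherwise the reply-time check hits the same "too late to authenticate" problem described above.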


