[squid-users] TCP_DENIED/407 accessing webserver on same machine as squid

Amos Jeffries squid3 at treenet.co.nz
Fri May 26 19:52:52 UTC 2017


Ah, your problem seems to be a misunderstanding of how authentication works.

What Squid receives on messages can have three forms:

  1) no credentials at all
  2) correct credentials
  3) invalid credentials

Your definition of the auth_users ACL using "REQUIRED" takes care of the 
(1) situation. Squid will respond with 407 to get credentials from any 
client that does not send any. This is what you are seeing on that 
second log line of your previous post, and the popup in your tests.

Now the "http_access allow auth_users" line only takes care of situation 
(2), permitting valid users.

Which leaves situation (3) undefined. ... All other traffic continues on 
to the next http_access line, which is "allow all", ouch.


This is why best practice is to use a "deny" line like so:
   http_access deny !auth_users

... which makes it clear what is happening for every non-authenticated 
thing, both situation (1) and (2) traffic.

Rules permitting things through without authenticating go above that 
http_access line, and things applying to authenticated users go below it.

Amos
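
Added example, not part of the original message: a squid.conf fragment showing the rule order the message describes beside the corrected order. The `local_web` ACL name and its address are hypothetical placeholders, and an `auth_param` scheme is assumed to be configured elsewhere in the file.

```conf
# --- Before: the order discussed in the message above (commented out) ---
# acl auth_users proxy_auth REQUIRED
# http_access allow auth_users   # situation (2): valid credentials are allowed
#                                # situation (1): no credentials gets a 407
# http_access allow all          # situation (3): invalid credentials fall
#                                #   through to this line and are allowed

# --- After: an explicit deny for everything that is not authenticated ---
acl auth_users proxy_auth REQUIRED

# Hypothetical ACL for the web server on the Squid host.
# 192.0.2.10 is a placeholder address, not a value from the thread.
acl local_web dst 192.0.2.10

# Rules permitting things through without authenticating go above the deny.
http_access allow local_web

# Every request that is not authenticated stops here.
http_access deny !auth_users

# Rules applying to authenticated users go below the deny.
http_access allow auth_users

# Explicit final rule so nothing depends on an implicit default.
http_access deny all
```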


