[squid-users] Squid and SSL Bump
Amos Jeffries
squid3 at treenet.co.nz
Sat Jan 13 18:28:00 UTC 2018
On 13/01/18 02:00, Yoinier Hernandez Nieves wrote:
>
> The user ynieves is member of ad groups “internet”, “socialNetwork”, “youtube” and “moderadoresSocNet”
>
So most of your http_access lines end with group checks. That could be a
problem later. Right now it's not clear which would be rejecting with
that auth message, and the status being 403 indicates a hard failure
rather than re-auth.
I suggest doing the usual thing of placing a single "http_access deny
!users" line first, then appending " all" to the lines that normally end
with a group check.
Like:
http_access deny !users
http_access allow cubaDomains cubaPC all
http_access allow cubaDomains national all
http_access allow cubaDomains internet all
http_access deny SQUISHED1 all
http_access allow socialDomains moderadoresSocNet all
http_access allow socialTime socialDomains socialNetwork all
http_access allow socialTime youtubeDomains youtuber all
For the delay pools there is no need to re-authenticate at all. Use the
"note" ACL type to check that a username exists. Like so:
acl loggedIn note user .
delay_access 2 allow loggedIn workTime \
!extDownloads !extDocuments !delaysFree
Also, the pool using only "-1/-1" as its parameters should be removed.
Squid links multiple pools to a transaction, so it is not doing what you
think it does. To make certain transactions unlimited simply deny them
being added to the other pools. That will also make your existing rules
much simpler:
delay_access 2 deny delaysFree
delay_access 2 allow loggedIn workTime !extDownloads !extDocuments
delay_access 2 deny all
Also, your media and mediapr checks are slow regex tests. They should be
placed after the default security checks.
If the problem remains after all the above changes are made you will
need to track down what is generating the error page using cache.log
trace with "debug_options ALL,5".
Amos
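As an added illustration (not part of Amos's message and not Squid's own code), the following toy Python model evaluates the http_access list he proposes against a few requests, to show why the single leading "deny !users" and the trailing " all" matter. It assumes the documented Squid behaviour that an authentication-dependent ACL (proxy_auth, or an external group lookup keyed on the login) which cannot be checked for a request without credentials triggers a 407 challenge only when it is the last ACL on its line, and otherwise counts as a non-match so evaluation continues to the next line; and that when no line matches, the default is the opposite of the last line. The ACL types (dstdomain for the *Domains lists, src for cubaPC, time for socialTime, AD group lookups for the rest), the domain lists, the sample users and the mapping of the "youtuber" ACL to the AD group "youtube" are assumptions; the SQUISHED1 line is left out because the page does not say what that ACL is.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).

Modelled semantics (simplified from Squid's documented behaviour):
  * lines are tried top to bottom; the ACLs on a line are ANDed
  * the first fully matching line decides: allow -> 200, deny -> 403
  * an auth-dependent ACL reached by a credential-less request:
      - if it is the LAST ACL on the line, the check ends with a 407
      - otherwise the line is a non-match and evaluation continues
  * if no line matches, the default is the opposite of the last line
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    dstdomain: str
    user: Optional[str] = None            # None: no Proxy-Authorization header
    groups: FrozenSet[str] = frozenset()  # AD groups reported by the helper


class NeedsCredentials(Exception):
    """An auth-dependent ACL was reached by a request without a login."""


def dstdomain(*suffixes: str) -> Callable[[Request], bool]:
    """dstdomain ACL: '.example.com' matches the domain and its subdomains."""
    return lambda req: any(req.dstdomain == s.lstrip(".") or req.dstdomain.endswith(s)
                           for s in suffixes)


def proxy_auth_required(req: Request) -> bool:
    """proxy_auth REQUIRED: matches any authenticated user."""
    if req.user is None:
        raise NeedsCredentials
    return True


def ad_group(name: str) -> Callable[[Request], bool]:
    """external_acl_type group lookup keyed on %LOGIN: needs a username."""
    def match(req: Request) -> bool:
        if req.user is None:
            raise NeedsCredentials
        return name in req.groups
    return match


# ACL definitions; types, domain lists and the src/time outcomes are assumptions.
ACLS = {
    "all": lambda req: True,
    "users": proxy_auth_required,
    "cubaDomains": dstdomain(".cu"),
    "socialDomains": dstdomain(".facebook.com", ".twitter.com"),
    "youtubeDomains": dstdomain(".youtube.com"),
    "socialTime": lambda req: True,   # time ACL; assume we are inside the window
    "cubaPC": lambda req: False,      # src ACL; assume the client is not that host
    "national": ad_group("national"),
    "internet": ad_group("internet"),
    "moderadoresSocNet": ad_group("moderadoresSocNet"),
    "socialNetwork": ad_group("socialNetwork"),
    "youtuber": ad_group("youtube"),  # assumed: acl 'youtuber' maps to group 'youtube'
}

Rule = Tuple[str, List[str]]

# The list Amos proposes (SQUISHED1 omitted: the page does not say what it is).
RULES_AFTER: List[Rule] = [
    ("deny",  ["!users"]),
    ("allow", ["cubaDomains", "cubaPC", "all"]),
    ("allow", ["cubaDomains", "national", "all"]),
    ("allow", ["cubaDomains", "internet", "all"]),
    ("allow", ["socialDomains", "moderadoresSocNet", "all"]),
    ("allow", ["socialTime", "socialDomains", "socialNetwork", "all"]),
    ("allow", ["socialTime", "youtubeDomains", "youtuber", "all"]),
]
# The same lines as they presumably looked before: no leading deny, no " all".
RULES_BEFORE: List[Rule] = [(action, acls[:-1]) for action, acls in RULES_AFTER[1:]]


def http_access(rules: List[Rule], req: Request) -> int:
    """Return the status the modelled proxy gives the request: 200, 403 or 407."""
    for action, acl_names in rules:
        line_matches = True
        for pos, name in enumerate(acl_names):
            negate = name.startswith("!")
            try:
                result = ACLS[name.lstrip("!")](req)
            except NeedsCredentials:
                if pos == len(acl_names) - 1:
                    return 407            # last ACL on the line: challenge
                line_matches = False      # otherwise: just a non-match
                break
            if result == negate:          # plain ACL false, or negated ACL true
                line_matches = False
                break
        if line_matches:
            return 200 if action == "allow" else 403
    return 403 if rules[-1][0] == "allow" else 200  # default: opposite of last line


YNIEVES = frozenset({"internet", "socialNetwork", "youtube", "moderadoresSocNet"})


def demo() -> dict:
    """Scenarios from the thread: a credential-less request to an unlisted site
    falls through to the default deny (403, no challenge) with the old list but
    is challenged (407) by the new first line; ynieves is allowed by the group
    lines; an authenticated user in no group gets a genuine 403."""
    anon = Request("www.example.com")
    return {
        "anon_before": http_access(RULES_BEFORE, anon),
        "anon_after": http_access(RULES_AFTER, anon),
        "ynieves_social": http_access(RULES_AFTER, Request("www.facebook.com", "ynieves", YNIEVES)),
        "ynieves_cuba": http_access(RULES_AFTER, Request("www.uci.cu", "ynieves", YNIEVES)),
        "guest_social": http_access(RULES_AFTER, Request("www.facebook.com", "guest")),
    }
```

Running demo() gives 403 for the unauthenticated request under the old-style lines and 407 under the proposed list, which is the difference between the hard failure Amos describes and a re-auth challenge; with the trailing "all", the group lines can never challenge on their own, so only the first line decides when a browser is asked for credentials, and a 403 from the new list can only mean an authenticated user who matched no allow line.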