[squid-users] Chrome 69

Service MV service.mv at gmail.com
Tue Oct 2 17:54:28 UTC 2018


Excellent Amos!
I have to admit that I was approaching that conclusion. I did exactly as
you told me and problem solved.
I will consider your recommendations when I need to add more rules.
Best regards!

Gabriel

El lun., 1 de oct. de 2018 a la(s) 18:04, Amos Jeffries (
squid3 at treenet.co.nz) escribió:

> On 2/10/18 9:28 AM, neok wrote:
> > As far as I know, nothing's changed. The only thing that could have
> happened
> > is that Chrome was updated. I'm reviewing that.
> >
> > This say Firefox when try acces to denied site:
> > The proxy server is refusing connections.
> > Firefox is configured to use a proxy server that is refusing connections.
> >
>
> As you an see from the access.log Squid is presenting 407 auth
> challenged in response to these CONNECT requests.
>
> It is welcome news to hear Chrome is finally been fixed to actually
> perform authentication for CONNECT tunnels. While it may have been okay
> with you the previous behaviour is actually a long-standing Browser bug
> and violation of HTTP on their part.
>
>
>
>
> On 2/10/18 8:53 AM, neok wrote:
> >
> > Now Chrome shows me the login window every time I visit a denied site.
> > I suspect Chrome has been updated and changed its behavior. I'm currently
> > studying that possibility.
> > I'm also rethinking whether the way I'm denying sites is the right one.
>
> ...
> >
> > http_access allow WEB_ACCESS_YT_ONLY LS_youtube
> > http_access deny WEB_ACCESS_YT_ONLY
>
> The "deny WEB_ACCESS_YT_ONLY" line is triggering the re-authentication.
>
> When the reason for denial is due to credentials (ie %LOGIN for the
> external ACL evaluation) a 407 authentication challenge is produced.
>
> Notice that in the config I helped you develop a few days ago all the
> other uses of these external ACL tests for "deny" action are followed by
> another ACL test that is unrelated to the auth process. Usually a regex
> or dstdomain check. It is these other ACL checks which prevent any of
> those lines triggering similar auth challenges as they deny traffic.
>
>
> Since the next thing your config is doing is a "deny all" you can remove
> this "deny WEB_ACCESS_YT_ONLY" line entirely and the popups should
> disappear while still having that traffic denied.
>
>
> If you have other config policies to be added later there are some other
> things you can do. But those will depend on what the other policies are
> going to require, so I wont cover it now. Just be aware you may have to
> revisit that YT access rule when adding other policies.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20181002/c3128e63/attachment.html>


More information about the squid-users mailing list