[squid-users] The user/password pair is correct, yet squid keeps sending me TCP_DENIED/407
Amos Jeffries
squid3 at treenet.co.nz
Tue Feb 16 04:28:51 UTC 2021
On 16/02/21 4:16 am, Yanko Hernández Álvarez wrote:
> On Fri, Feb 12, 2021 at 5:36 PM Amos Jeffries wrote:
>>
>> On 13/02/21 9:29 am, Yanko Hernández Álvarez wrote:
>>> Hello :-)
>>>
>>> How is it possible that some user tried to log in with the correct
>>> password and squid response was a TCP_DENIED/407?
>>>
>> ...
>>> http_access deny !LoggedIn # LoggedIn = proxy_auth REQUIRED
>>>
>>
>> What rules follow this one? and what ACL types are they?
>>
>
> "Normal" http_access access/deny rules (TCP_DENIED/403). None Auth
> related (no TCP_DENIED/407 possible):
>
> acl TooManyIPs max_user_ip -s 1
> acl GRP1 external ADGroup CN=GRP1,OU=Roles,OU=UsersOU,DC=example,DC=com
> http_access deny TooManyIPs !GRP1
> acl GRP2 external ADGroup
CN=UsuariosInternet,OU=UsersOU,DC=example,DC=com
> acl GRP3 external ADGroup CN=GRP3,OU=UsersOU,DC=example,DC=com
> acl GRP4 external ADGroup CN=GRP4,OU=UsersOU,DC=example,DC=com
All these group checks will trigger re-authenticate if the user is not a
member of the group(s) being checked - in case a different login would work.
This issue is where the "all hack" comes from. Put "all" at the end of
the deny lines which need to end with a group check. Or where possible
rearrange the ACL checks to put some other ACL type after the group check.
For example: ...
> http_access deny !GRP3 !GRP2 !GRP4
... here:
http_access deny !GRP3 !GRP2 !GRP4 all
> http_access deny !InternalSites GRP3 !GRP2
... here:
http_access deny GRP3 !GRP2 !InternalSites
> http_access allow SocialNetworks GRP4
... here:
http_access allow GRP4 SocialNetworks
> http_access deny SocialNetworks
> acl BlackListedDomains1 dstdomain -n
> '/etc/squid/Sites/Forbidden/BlackListedDomains1'
> http_access deny BlackListedDomains1
> acl BlackListedDomains2 dstdomain -n
> '/etc/squid/Sites/Forbidden/BlackListedDomains2'
> http_access deny BlackListedDomains2
> acl BlackListedDomains3 dstdomain -n
> '/etc/squid/Sites/Forbidden/BlackListedDomains3'
> http_access deny BlackListedDomains3
> acl BlackListedDomains4 dstdomain -n
> '/etc/squid/Sites/Forbidden/BlackListedDomains4'
> http_access deny BlackListedDomains4
Any particular reason for some many different blacklists?
It is a faster check and simpler config file to either have one
blacklist file, or to load all the files as one ACL name.
> acl REBlackListedDomains1 dstdom_regex -i
> '/etc/squid/Sites/Forbidden/REBlackListedDomains1'
> http_access deny REBlackListedDomains1
> acl REBlackListedDomains2 dstdom_regex -i
> '/etc/squid/Sites/Forbidden/REBlackListedDomains2'
> http_access deny REBlackListedDomains2
> acl REBlackListedDomains3 dstdom_regex -i
> '/etc/squid/Sites/Forbidden/REBlackListedDomains3'
> http_access deny REBlackListedDomains3
Same for the regex blacklists.
Amos
More information about the squid-users
mailing list