[squid-users] The user/password pair is correct, yet squid keeps sending me TCP_DENIED/407

Amos Jeffries squid3 at treenet.co.nz
Tue Feb 16 04:28:51 UTC 2021


On 16/02/21 4:16 am, Yanko Hernández Álvarez wrote:
 > On Fri, Feb 12, 2021 at 5:36 PM Amos Jeffries wrote:
 >>
 >> On 13/02/21 9:29 am, Yanko Hernández Álvarez wrote:
 >>> Hello :-)
 >>>
 >>> How is it possible that some user tried to log in with the correct
 >>> password and squid response was a TCP_DENIED/407?
 >>>
 >> ...
 >>> http_access deny !LoggedIn # LoggedIn = proxy_auth REQUIRED
 >>>
 >>
 >> What rules follow this one? and what ACL types are they?
 >>
 >
 > "Normal" http_access access/deny rules (TCP_DENIED/403). None Auth
 > related (no TCP_DENIED/407 possible):
 >
 > acl TooManyIPs max_user_ip -s 1
 > acl GRP1 external ADGroup CN=GRP1,OU=Roles,OU=UsersOU,DC=example,DC=com
 > http_access deny TooManyIPs !GRP1
 > acl GRP2 external ADGroup CN=UsuariosInternet,OU=UsersOU,DC=example,DC=com
 > acl GRP3 external ADGroup CN=GRP3,OU=UsersOU,DC=example,DC=com
 > acl GRP4 external ADGroup CN=GRP4,OU=UsersOU,DC=example,DC=com

All these group checks will trigger re-authenticate if the user is not a 
member of the group(s) being checked - in case a different login would work.

This issue is where the "all hack" comes from.  Put "all" at the end of 
the deny lines which need to end with a group check. Or where possible 
rearrange the ACL checks to put some other ACL type after the group check.


For example:  ...

 > http_access deny !GRP3 !GRP2 !GRP4

... here:

   http_access deny !GRP3 !GRP2 !GRP4 all


 > http_access deny !InternalSites GRP3 !GRP2

... here:
   http_access deny GRP3 !GRP2 !InternalSites


 > http_access allow SocialNetworks GRP4

... here:
   http_access allow GRP4 SocialNetworks


 > http_access deny SocialNetworks
 > acl BlackListedDomains1 dstdomain -n
 > '/etc/squid/Sites/Forbidden/BlackListedDomains1'
 > http_access deny BlackListedDomains1
 > acl BlackListedDomains2 dstdomain -n
 > '/etc/squid/Sites/Forbidden/BlackListedDomains2'
 > http_access deny BlackListedDomains2
 > acl BlackListedDomains3 dstdomain -n
 > '/etc/squid/Sites/Forbidden/BlackListedDomains3'
 > http_access deny BlackListedDomains3
 > acl BlackListedDomains4 dstdomain -n
 > '/etc/squid/Sites/Forbidden/BlackListedDomains4'
 > http_access deny BlackListedDomains4

Any particular reason for so many different blacklists?

It is a faster check and simpler config file to either have one 
blacklist file, or to load all the files as one ACL name.



 > acl REBlackListedDomains1 dstdom_regex -i
 > '/etc/squid/Sites/Forbidden/REBlackListedDomains1'
 > http_access deny REBlackListedDomains1
 > acl REBlackListedDomains2 dstdom_regex -i
 > '/etc/squid/Sites/Forbidden/REBlackListedDomains2'
 > http_access deny REBlackListedDomains2
 > acl REBlackListedDomains3 dstdom_regex -i
 > '/etc/squid/Sites/Forbidden/REBlackListedDomains3'
 > http_access deny REBlackListedDomains3

Same for the regex blacklists.


Amos
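
The check described in the reply above (find http_access rules that end with a group check), sketched as an added example that is not part of the original message or of Squid itself. It assumes every `external` ACL is a login-based group lookup like ADGroup in the thread; the `InternalSites` and `SocialNetworks` definitions and the function name `find_reauth_rules` are constructed for illustration.

```python
# Assumption: ACL types whose failed match makes Squid ask for credentials again.
# The thread names external group checks; proxy_auth is left out by default so the
# intentional login rule (deny !LoggedIn) is not reported.
REAUTH_TYPES = frozenset({"external"})

# Constructed sample: rules quoted in the thread, followed by the rewritten forms.
SAMPLE_CONF = """\
acl LoggedIn proxy_auth REQUIRED
acl GRP2 external ADGroup CN=UsuariosInternet,OU=UsersOU,DC=example,DC=com
acl GRP3 external ADGroup CN=GRP3,OU=UsersOU,DC=example,DC=com
acl GRP4 external ADGroup CN=GRP4,OU=UsersOU,DC=example,DC=com
acl InternalSites dstdomain .intranet.example.com
acl SocialNetworks dstdomain .social.example.net
http_access deny !LoggedIn # LoggedIn = proxy_auth REQUIRED
http_access deny !GRP3 !GRP2 !GRP4
http_access deny !InternalSites GRP3 !GRP2
http_access allow SocialNetworks GRP4
http_access deny !GRP3 !GRP2 !GRP4 all
http_access deny GRP3 !GRP2 !InternalSites
http_access allow GRP4 SocialNetworks
"""

def find_reauth_rules(conf_text, reauth_types=REAUTH_TYPES):
    """Return (line_no, rule, last_acl) for http_access rules ending on a re-auth ACL."""
    acl_types = {"all": "src"}  # "all" is built in and never triggers a login prompt
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(tokens) >= 3 and tokens[0] == "acl":
            # First definition fixes the type; later lines only add values.
            acl_types.setdefault(tokens[1], tokens[2])
        elif len(tokens) >= 3 and tokens[0] == "http_access":
            last = tokens[-1].lstrip("!")  # negation does not change the ACL type
            if acl_types.get(last) in reauth_types:
                findings.append((line_no, " ".join(tokens), last))
    return findings

if __name__ == "__main__":
    for line_no, rule, acl in find_reauth_rules(SAMPLE_CONF):
        print(f"line {line_no}: '{rule}' ends with group check {acl}")
```

Only the three original rules are reported; the versions ending in `all` or in a dstdomain ACL pass.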

