[squid-users] can't explain 403 denied for authenticated

Kevin squid at kretz.net
Thu Jun 6 19:08:36 UTC 2024


>> uri_whitespace encode 
> 
>Hmm. Accepting whitespace in URLs is a risky choice. One can never be 
>completely sure how third-party agents in the network are handling it 
>before the request arrived. 
> 
>If (big IF) you are able to use "uri_whitespace deny" this proxy would 
>be a bit more secure. This is just a suggestion, you know best here. 

I think that was a workaround for a vulnerability. If it was, it may no longer be needed. 


> 
>> acl trellix_phone_cloud dstdomain amcore-ens.rest.gti.trellix.com 
>> http_access deny trellix_phone_cloud 
>> external_acl_type host_based_filter children-max=15 ttl=0 %ACL
>> acl HostBasedRules external host_based_filter 
>> http_access allow HostBasedRules 
>> auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd 
>> auth_param digest realm squid 
>> auth_param digest children 2 
>> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/basic_passwd 
>> auth_param basic children 2 
>> auth_param basic realm squidb 
>> auth_param basic credentialsttl 2 hours 
> 
>> acl auth_users proxy_auth REQUIRED 
>> external_acl_type custom_acl_db children-max=15 ttl=0 %ACL
>> acl CustomAclDB external custom_acl_db 
>> http_access allow CustomAclDB 
> 
> 
>Hmm, this use of combined authentication+authorization is a bit tricky 
>with two layers of asynchronous helper lookups going on. That alone 
>might be what is going on with the weird 403's. 
> 
> 
>A better sequence would be: 
> 
># ensure login is performed 
>http_access deny !auth_users 
> 
># check the access permissions for whichever user logged in 
>http_access allow CustomAclDB 


The first call to the external_acl is to process unauthenticated requests. Is the suggestion to replace 

acl auth_users proxy_auth REQUIRED 

with 

http_access deny !auth_users 

before the second external_acl (for authenticated requests)? 




Thanks again, very much 


Kevin 
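To show where the suggested `http_access deny !auth_users` line sits relative to the two external ACL lookups, here is an added squid.conf excerpt; it is my illustration, not Kevin's or Amos's configuration. The helper program paths and the `%SRC %DST` / `%LOGIN %DST` format codes are assumptions (the original external_acl_type lines did not survive the archive intact); the auth_param lines are copied from the post.

```conf
# Added illustration, not the thread's own config. Helper paths and
# external_acl_type format codes are assumed placeholders.

# 1. Block the phone-home domain outright.
acl trellix_phone_cloud dstdomain amcore-ens.rest.gti.trellix.com
http_access deny trellix_phone_cloud

# 2. Host-based filter for requests that need no login.
#    Only %SRC and %DST are passed, so this helper never depends on
#    credentials and can safely run before authentication.
external_acl_type host_based_filter children-max=15 ttl=0 %SRC %DST /usr/local/bin/host_based_filter
acl HostBasedRules external host_based_filter
http_access allow HostBasedRules

# 3. Authentication schemes (as in the original post).
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd
auth_param digest realm squid
auth_param digest children 2
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/basic_passwd
auth_param basic children 2
auth_param basic realm squidb
auth_param basic credentialsttl 2 hours

# 4. The acl definition stays; the added http_access line forces the
#    login before any per-user lookup. The proxy_auth ACL is the last
#    ACL on the deny line, so a request without credentials gets a 407
#    challenge rather than a 403.
acl auth_users proxy_auth REQUIRED
http_access deny !auth_users

# 5. Per-user authorization. Every request reaching this lookup is
#    already authenticated, so %LOGIN is always populated.
external_acl_type custom_acl_db children-max=15 ttl=0 %LOGIN %DST /usr/local/bin/custom_acl_db
acl CustomAclDB external custom_acl_db
http_access allow CustomAclDB

# 6. Anything not explicitly allowed above is denied.
http_access deny all
```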
