[squid-users] can't explain 403 denied for authenticated

Amos Jeffries squid3 at treenet.co.nz
Fri Jun 7 06:43:37 UTC 2024


On 7/06/24 07:08, Kevin wrote:
>  >
>  >> acl trellix_phone_cloud dstdomain amcore-ens.rest.gti.trellix.com
>  >> http_access deny trellix_phone_cloud
>  >> external_acl_type host_based_filter children-max=15 ttl=0 0X0P+0CL 
>  >> acl HostBasedRules external host_based_filter
>  >> http_access allow HostBasedRules
>  >> auth_param digest program /usr/lib/squid/digest_file_auth -c 
> /etc/squid/passwd
>  >> auth_param digest realm squid
>  >> auth_param digest children 2
>  >> auth_param basic program /usr/lib/squid/basic_ncsa_auth 
> /etc/squid/basic_passwd
>  >> auth_param basic children 2
>  >> auth_param basic realm squidb
>  >> auth_param basic credentialsttl 2 hours
>  >
>  >> acl auth_users proxy_auth REQUIRED
>  >> external_acl_type custom_acl_db children-max=15 ttl=0 0X0P+0CL >> 
> acl CustomAclDB external custom_acl_db
>  >> http_access allow CustomAclDB
>  >
>  >
>  >Hmm, this use of combined authentication+authorization is a bit tricky
>  >with two layers of asynchronous helper lookups going on. That alone
>  >might be what is going on with the weird 403's.
>  >
>  >
>  >A better sequence would be:
>  >
>  ># ensure login is performed
>  >http_access deny !auth_users
>  >
>  ># check the access permissions for whichever user logged in
>  >http_access allow CustomAclDB
> 
> 
> The first call the the external_acl is to process unauthenticated 
> requests.   Is the suggestion to replace
> 
> acl auth_users proxy_auth REQUIRED
> 
> with
> 
> http_access deny !auth_users
> 
> before the second external_acl (for authenticated requests)?
> 

No. It is to ensure that "missing credentials" are treated differently 
than "bad credentials". Specifically that any auth challenge response is 
never able to be given "allow" permission.

HTH
Amos


More information about the squid-users mailing list