Eugene wrote:
Hello! I've upgraded my squid from 2.5.14 to 2.6.12 and got into trouble with http_reply_access rule processing. In our configuration, client programs without proxy authentication support are allowed to access the internet by IP using src-type ACLs. If a client is matched by 'src' first and the first http_reply_access rule's ACL type is 'proxy_auth', then squid requests an auth header (gets none), stops processing the next http_reply_access rules and generates X-Squid-Error: ERR_ACCESS_DENIED 0

-------------------------------
here is the log (debug_options 28,9); the sample program is Opera, which does not provide any proxy auth and is expected to be matched as 'domain_comp':

2007/04/06 16:15:04| aclCheck: checking 'http_reply_access allow domain_user'
2007/04/06 16:15:04| aclMatchAclList: checking domain_user
2007/04/06 16:15:04| aclMatchAcl: checking 'acl domain_user proxy_auth domain_user'
2007/04/06 16:15:04| authenticateValidateUser: Auth_user_request was NULL!
2007/04/06 16:15:04| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
2007/04/06 16:15:04| aclMatchAcl: returning 0 sending authentication challenge.
2007/04/06 16:15:04| aclMatchAclList: no match, returning 0
2007/04/06 16:15:04| aclCheck: requiring Proxy Auth header.
2007/04/06 16:15:04| aclCheck: match found, returning 2
2007/04/06 16:15:04| The reply for GET http://corbis.com/favicon.ico is ALLOWED, because it matched 'domain_user'

-------------------------------
here is the config to reproduce the issue:

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 7
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 7
auth_param basic realm Proxy password
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl media urlpath_regex -i \.(mp3|mp3\?.*) #and so on (lots of)
acl files urlpath_regex -i \.(rar|rar\?.*) #and so on
acl mime_media rep_mime_type audio/mpeg
acl mime_files rep_mime_type application/octet-stream
acl domain_comp src 10.0.0.34/32
acl domain_user proxy_auth domain_user

deny_info TCP_RESET files
deny_info TCP_RESET mime_files
deny_info TCP_RESET media
deny_info TCP_RESET mime_media
# Allow domain computers to perform updates w/o proxy authentication
http_access allow domain_comp files
# Allow logged in users to access anything
http_access allow domain_user
# Deny non-logged in users anything not explicitly allowed
http_access deny media # Send TCP_RESET
http_access deny files # Send TCP_RESET
http_access deny all

Toss the rest.
#allow media content to authenticated user
http_access allow domain_user
http_access deny all media
#allow programs on comp to perform updates w/o proxy authentication
http_access allow domain_comp
http_access deny all files
#allow auth. user to get reply
#trouble for domain_comp starts here because of auth request WHICH IS NOT SUPPORTED BY CLIENT
# Allow domain computers replies of octet-stream
http_reply_access allow domain_comp mime_files
# Allow logged in users anything
http_reply_access allow domain_user
# Deny non-logged in users anything not explicitly allowed
http_reply_access deny mime_files # Send TCP_RESET
http_reply_access deny mime_media # Send TCP_RESET
http_reply_access deny all

Toss the rest.
http_reply_access allow domain_user
#blocking media content by mime
http_reply_access deny all mime_media
#allow comp to dl files
http_reply_access allow domain_comp
http_reply_access deny all mime_files
http_reply_access allow all
Chris
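As an added illustration (not part of Eugene's or Chris's messages, and not Squid source), here is a small Python model of how Squid walks an access list. It assumes, as the debug log above shows, that a proxy_auth ACL tested against a request with no credentials does not simply fail but stops the walk and triggers a challenge; it then runs Eugene's http_reply_access order and Chris's suggested order against a constructed Opera request from 10.0.0.34 with an octet-stream reply.

```python
# Added model: a rule is (action, [acl names]); a rule's ACLs are tested left to
# right and all must match. A proxy_auth ACL checked against a request with no
# Proxy-Authorization header stops the walk and sends a challenge instead.
CHALLENGE = "auth_challenge"

# ACL definitions taken from the posted squid.conf (assumed dict form)
ACLS = {
    "domain_comp": ("src", {"10.0.0.34"}),
    "domain_user": ("proxy_auth", None),
    "mime_files": ("rep_mime_type", {"application/octet-stream"}),
    "mime_media": ("rep_mime_type", {"audio/mpeg"}),
    "all": ("all", None),
}

def match_acl(name, req):
    """Return True/False, or CHALLENGE when proxy_auth cannot be decided."""
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "src":
        return req["src"] in values
    if kind == "rep_mime_type":
        return req["mime"] in values
    # proxy_auth: no credentials on the request means 'ask for them'
    return True if req.get("user") else CHALLENGE

def check_access(rules, req):
    """Walk the list in order; return 'allow', 'deny' or CHALLENGE.
    As in Squid, an exhausted list yields the opposite of the last rule."""
    action = "allow"
    for action, acls in rules:
        for name in acls:
            result = match_acl(name, req)
            if result is CHALLENGE:
                return CHALLENGE
            if not result:
                break          # this rule does not match; try the next one
        else:
            return action      # every ACL in the rule matched
    return "deny" if action == "allow" else "allow"

# Eugene's http_reply_access order: the proxy_auth rule comes first
ORIGINAL_REPLY_RULES = [("allow", ["domain_user"]), ("deny", ["all", "mime_media"]),
                        ("allow", ["domain_comp"]), ("deny", ["all", "mime_files"]),
                        ("allow", ["all"])]
# Chris's order: the src-based rule is decided before any proxy_auth ACL is reached
REORDERED_REPLY_RULES = [("allow", ["domain_comp", "mime_files"]), ("allow", ["domain_user"]),
                         ("deny", ["mime_files"]), ("deny", ["mime_media"]), ("deny", ["all"])]
# Constructed request: Opera on 10.0.0.34, no credentials, octet-stream reply
OPERA_REPLY = {"src": "10.0.0.34", "mime": "application/octet-stream", "user": None}
```

check_access(ORIGINAL_REPLY_RULES, OPERA_REPLY) returns CHALLENGE, matching the 'requiring Proxy Auth header' line in the log, while check_access(REORDERED_REPLY_RULES, OPERA_REPLY) returns 'allow' because the src rule is settled before the proxy_auth ACL is ever evaluated.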