
Re: Java not working behind squid


 



Amos Jeffries wrote:
On Wed, 17 Mar 2010 23:21:44 +0100, Thomas Klein
<mailinglist-postfixbuch@xxxxxxxxx> wrote:
Truth Seeker wrote:
-
http_access deny !AuthorizedUsers
... performs authentication. Which was your problem
with
Java...

order is important!

So does it mean, i need to put them as the following;

### For JAVA
acl Java browser Java/1.4 Java/1.5 Java/1.6
acl testnet src 192.168.7.0/24
acl testnet src 192.168.8.0/24
http_access allow testnet Java
http_access deny !AuthorizedUsers

Yes when i modified as the above, its working fine....

Now another doubt. will this solve the issues related to all the java
sites?

Hi there,

I have actually also the problem that java-applications are in no way able to get a working connect to the internet, but this workaround with the example of http://www.dailyfx.com/ doesn't work for me in any case....
My test-user matches the acl "gruppe_vollzugriff" - I'm using 2.7.STABLE3-4.1 on Debian Lenny with squidguard 1.4. I also use NTLM auth against an AD.

If I do it in this way:

acl gruppe_standarduser external wbinfo_group Proxygruppe-Standarduser
acl gruppe_vollzugriff external wbinfo_group Proxygruppe-Vollzugriff
acl gruppe_azubis external wbinfo_group Proxygruppe-Azubis
acl gruppe_test external wbinfo_group Proxygruppe-test
acl Java browser Java/1.4 Java/1.5 Java/1.6
acl localnet src 172.1.0.0/19
...
http_access allow localnet Java
http_access allow gruppe_azubis erlaubte_seiten_azubis
http_access allow gruppe_standarduser
http_access allow gruppe_test
http_access allow gruppe_vollzugriff
http_access deny all

I get in access.log the following:
1268863619.997 13 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
1268863620.008 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
1268863620.022 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
1268863620.034 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -


If I modify the order of the http_access line in this way:

acl gruppe_standarduser external wbinfo_group Proxygruppe-Standarduser
acl gruppe_vollzugriff external wbinfo_group Proxygruppe-Vollzugriff
acl gruppe_azubis external wbinfo_group Proxygruppe-Azubis
acl gruppe_test external wbinfo_group Proxygruppe-test
acl Java browser Java/1.4 Java/1.5 Java/1.6
acl localnet src 172.1.0.0/19
...
http_access allow gruppe_azubis erlaubte_seiten_azubis
http_access allow gruppe_standarduser
http_access allow gruppe_test
http_access allow gruppe_vollzugriff
http_access allow localnet Java
http_access deny all

I get the following output in the log:
1268864049.866 8 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
1268864049.900 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
1268864049.914 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
1268864049.927 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
1268864049.940 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
1268864049.965 15 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
1268864049.979 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
1268864049.989 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html


As I described, java isn't able to get a working connect to the internet. What's wrong in my case? I would be glad if you have a hint for me....

There is some form of deny line happening outside the set you showed.
Which blocks the first configuration form working. The Java auth problem
blocks the second.

Amos

Thank you for your hint - I'm using squidGuard, and this seems to be the problem. If I comment out the following line from squid.conf, Java works fine:
url_rewrite_program /root/squidGuard -c /etc/squid/squidGuard.conf

Ok so far - I'm now a step closer but I'm afraid that's not the solution, because if I disable the content filter from squidGuard, my boss will kill me ;)

I checked the squidGuard logfiles, but there is nothing to find about authentication and so on.... only the database updates are being logged. Because the AD-Authentication from squidguard did not work, I'm pulling with "net rpc group members" every 10 minutes all members of the necessary AD-Groups into a local file for each access group in the squidguard-Database directory, and squidguard looks into these files for finding the usernames there.

This works so far for the whole internet access, but Java seems to get in trouble with this. The case is also strange, that squidguard does not log any information about authentication or something about the filtering in its logfiles - don't know if that's ok?!?

Here is the end of my squidGuard.conf, above these lines are only the allocations for the filter groups:

src standarduser {
               userlist squidGuard-standarduser
       }

src azubis {
               userlist squidGuard-azubis
       }


src test {
               userlist squidGuard-test
       }


acl {

       taa-test {
               pass    !blacklist-test
               redirect http://proxy.domain.local/site_blocked.php?&clientip=%a&userid=%i&clientgroup=%s&filtergroup=%t&r$
       }

       standarduser {
               pass    whitelist !blacklist !adv !aggressive !alcohol !automobile-bikes !automobile-boats !automobile-cars
               redirect http://proxy.domain.local/site_blocked.php?&clientip=%a&userid=%i&clientgroup=%s&filtergroup=%t&r$
       }

       azubis {
               pass    azubis-erlaubte-seiten
               redirect http://proxy.domain.local/site_blocked.htm?&clientip=%a&userid=%i&clientgroup=%s&filtergroup=%t&r$
       }

       vollzugriff {
               pass    all
       }

       default {
               pass    none
               redirect http://proxy.domain.local/no_access.htm
       }

}


Perhaps you have another good idea to fix this? Thanks in advance for your assistance....

best regards
Thomas
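
Added example, not part of the original messages: a small Python model of how http_access evaluates the two rule orderings quoted above, showing why a Java client without credentials is let through by the first and gets a 407 from the second. The ACL table is simplified (the azubis rule is left out), the requests and the user name are constructed, and the squidGuard url_rewrite_program step is outside this model.

```python
import ipaddress
import re

# ACLs modelled on the squid.conf quoted above (simplified, azubis rule omitted).
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localnet": ("src", ["172.1.0.0/19"]),
    "Java": ("browser", ["Java/1.4", "Java/1.5", "Java/1.6"]),
    "gruppe_test": ("external", "Proxygruppe-test"),
    "gruppe_vollzugriff": ("external", "Proxygruppe-Vollzugriff"),
}
ORDER_1 = ["allow localnet Java", "allow gruppe_test",
           "allow gruppe_vollzugriff", "deny all"]
ORDER_2 = ["allow gruppe_test", "allow gruppe_vollzugriff",
           "allow localnet Java", "deny all"]

class NeedAuth(Exception):
    """Raised when an ACL needs a user name and the request carries none."""

def acl_matches(name, req):
    kind, arg = ACLS[name]
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(net) for net in arg)
    if kind == "browser":  # regex match on the client-supplied User-Agent header
        return any(re.search(p, req.get("user_agent", "")) for p in arg)
    if req.get("user") is None:  # a group lookup needs credentials first
        raise NeedAuth(name)
    return arg in req.get("groups", ())

def http_access(rules, req):
    """First matching line wins; ACLs on a line are ANDed left to right."""
    for rule in rules:
        action, *names = rule.split()
        try:
            if all(acl_matches(n, req) for n in names):
                return action.upper()
        except NeedAuth:
            return "407"  # Squid answers with an authentication challenge
    return "DENY"  # simplification; both rule sets end in "deny all"

# Constructed requests: a Java client without credentials, a logged-in browser.
JAVA = {"src": "172.1.0.128", "user_agent": "Java/1.6.0_18", "user": None}
BROWSER = {"src": "172.1.0.128", "user_agent": "Mozilla/5.0",
           "user": "testuser", "groups": ["Proxygruppe-Vollzugriff"]}

if __name__ == "__main__":
    for label, rules in (("order 1", ORDER_1), ("order 2", ORDER_2)):
        print(label, "java:", http_access(rules, JAVA),
              "browser:", http_access(rules, BROWSER))
```

Because the browser ACL matches the User-Agent header the client sends, the first ordering admits any localnet request carrying a Java/1.x agent string without credentials; pairing the Java ACL with a destination ACL narrows that exception.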
