Tom Tux wrote:
> Hi
>
> For every HTTPS-Site I have the following tcp_denied/407-entry in the access.log:
>
> 282895826.492 1 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT mail.google.com:443 - NONE/- text/html
> 1282896033.320 1 xx.xx.xx.xx TCP_DENIED/407 3744 CONNECT secure-www.novell.com:443 - NONE/- text/html
>
> The sites which are denied in the access.log are accessible though, but I have these errors. To me it seems that squid needs a user authentication. But this should be given with kerberos-authentication, which works fine.
>
> I have the following directives configured (as default):
>
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> http_access deny CONNECT !SSL_ports
>
> Can someone explain this behaviour to me?

CONNECT requests to SSL ports (aka HTTPS) will get past that security barrier and move on to checking your other rules. One of those other rules involves proxy authentication.
All requests which require authentication but do not provide it get a 407 or 401 response challenging the browser to provide some credentials. This is true for all authentication types.
Working browsers with access to the required credentials will send them on a followup request and get past that challenge.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.7
  Beta testers wanted for 3.2.0.1
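
The challenge-then-retry pattern described in the reply can be checked in access.log itself. The following is an added example, not part of the original thread: it pairs each TCP_DENIED/407 line with an authenticated follow-up from the same client for the same target and reports only the challenges that were never answered. The client addresses, user name, 5-second window and function names are constructed assumptions.

```python
from collections import Counter, namedtuple

Entry = namedtuple("Entry", "start end client status method url user")

# Constructed sample in the native access.log layout shown in the question
# (documentation addresses and a made-up user name, not real log data).
SAMPLE = """\
1282896033.320      1 192.0.2.10 TCP_DENIED/407 3720 CONNECT mail.google.com:443 - NONE/- text/html
1282896040.100      1 192.0.2.20 TCP_DENIED/407 3744 CONNECT secure-www.novell.com:443 - NONE/- text/html
1282896040.350      1 192.0.2.20 TCP_DENIED/407 3744 CONNECT secure-www.novell.com:443 - NONE/- text/html
1282896095.500  62100 192.0.2.10 TCP_MISS/200 8421 CONNECT mail.google.com:443 tom@EXAMPLE.COM DIRECT/203.0.113.5 -
"""

def parse(line):
    """Split one native-format line into the fields needed for pairing."""
    f = line.split()
    end, elapsed_ms = float(f[0]), int(f[1])
    # Assumption: the timestamp is written when the transaction finishes, so
    # subtracting the elapsed milliseconds gives the time the request began.
    # A CONNECT tunnel is therefore logged long after the 407 it answered.
    return Entry(end - elapsed_ms / 1000.0, end, f[2],
                 int(f[3].split("/")[1]), f[5], f[6], f[7])

def unanswered_challenges(text, window=5.0):
    """Count 407 challenges with no authenticated retry within `window` s."""
    entries = [parse(l) for l in text.splitlines() if l.strip()]
    # A follow-up counts only if it carries a user name and is not another 407.
    authed = [e for e in entries if e.status != 407 and e.user != "-"]
    missing = Counter()
    for c in (e for e in entries if e.status == 407):
        answered = any(
            a.client == c.client and a.method == c.method and a.url == c.url
            and 0 <= a.start - c.end <= window
            for a in authed)
        if not answered:
            missing[(c.client, c.url)] += 1
    return missing

if __name__ == "__main__":
    for (client, url), n in unanswered_challenges(SAMPLE).items():
        print(f"{client} {url}: {n} challenge(s) with no authenticated retry")
```

Clients that appear in the result never completed authentication, which separates a misconfigured or credential-less client from the routine 407 lines a working browser produces.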