Hi all... I need help... I would like to understand why Squid refuses the SSL upload command using 'ldapauth'.

Here are the debug events:

2011/05/19 12:39:17.931| httpParseInit: Request buffer is
CONNECT lennyleonard.wetransfer.com:443 HTTP/1.0
Host: lennyleonard.wetransfer.com:443
2011/05/19 12:39:17.931| HttpMsg.cc(445) parseRequestFirstLine: parsing possible request: CONNECT lennyleonard.wetransfer.com:443 HTTP/1.0
Host: lennyleonard.wetransfer.com:443
Host: lennyleonard.wetransfer.com:443
Host: lennyleonard.wetransfer.com:443
2011/05/19 12:39:17.931| urlParse: Split URL 'lennyleonard.wetransfer.com:443' into proto='', host='lennyleonard.wetransfer.com', port='443', path=''
Host: lennyleonard.wetransfer.com:443
2011/05/19 12:39:17.933| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
2011/05/19 12:39:17.933| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
2011/05/19 12:39:17.933| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
2011/05/19 12:39:17.933| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
2011/05/19 12:39:17.934| aclMatchDomainList: checking 'lennyleonard.wetransfer.com'
2011/05/19 12:39:17.934| aclMatchDomainList: 'lennyleonard.wetransfer.com' NOT found
2011/05/19 12:39:17.935| aclRegexData::match: checking 'lennyleonard.wetransfer.com:443'
2011/05/19 12:39:17.935| The request CONNECT lennyleonard.wetransfer.com:443 is DENIED, because it matched 'ldapauth'
2011/05/19 12:39:17.935| Access Denied: lennyleonard.wetransfer.com:443

Here is the squid.conf:

acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.1/32
acl manager proto cache_object
auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds

#--------- LDAP AUTH settings
#Authentification mode, building using squid compiled for 127.0.0.1:389
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=my-domain,dc=com" -D "cn=myuser,dc=my-domain,dc=com" -w "mypassword" -f "(&(objectClass=userAccount)(uid=%s))" -v 3 -h 127.0.0.1 -p 389

#--------- GLOBAL
external_acl_type ldap_group %LOGIN /usr/lib/squid3/squid_ldap_group -D "cn=myuser,dc=my-domain,dc=com" -w "mypassword" -b "dc=my-domain,dc=com" -f "(&(objectClass=posixGroup)(gidNumber=%a)(memberUid=%v))" -S -v 3 -h 127.0.0.1 -p 389
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
acl ldapauth proxy_auth REQUIRED

#--------- TWEEKS PERFORMANCES
# http://blog.last.fm/2007/08/30/squid-optimization-guide
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off

#--------- UfdbGuard
url_rewrite_program /usr/bin/ufdbgclient -l /var/log/squid
url_rewrite_children 20 startup=5 idle=1 concurrency=0

#--------- SQUID PARENTS (feature not enabled)

#--------- acls
acl blockedsites url_regex "/etc/squid3/squid-block.acl"
acl CONNECT method CONNECT
acl purge method PURGE
acl FTP proto FTP
acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
acl multimedia_rep rep_mime_type -i ^image/
acl multimedia_rep rep_mime_type -i ^video
acl multimedia_rep rep_mime_type -i ^audio
acl multimedia_rep rep_mime_type -i ^application/x-dvi$
acl multimedia_rep rep_mime_type -i ^application/x-isoview
acl multimedia_browsers browser -i ^.*player
acl bigfiles_types urlpath_regex -i \.(deb|rpm|iso|tar\.gz|gz|bz|tar|cue|nrg|crf|bwi|bwt|lcd|ccd|mdf|mds|vcd|cif|vdi|img)((\?|&).*)?$
acl office_network src 192.168.0.0/24 10.0.0.0/8
acl group_password external ldap_group

#--------- GROUPS definition
#no groups

#--------- MAIN RULES...
always_direct allow FTP

# --------- SAFE ports
acl Safe_ports port 80 #http
acl Safe_ports port 22 #ssh
acl Safe_ports port 443 563 #https, snews
acl Safe_ports port 1863 #msn
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535 #unregistered ports
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl Safe_ports port 631 #cups
acl Safe_ports port 873 #rsync
acl Safe_ports port 901 #SWAT
acl Safe_ports port 20 #ftp-data
acl Safe_ports port 21 #ftp#
acl SSL_ports port 9000 #Artica
acl SSL_ports port 443 #HTTPS
acl SSL_ports port 563 #https, snews
acl SSL_ports port 6667 #tchat

# AOL Instant Messenger to connect to oscar.aol.com
acl AIM_ports port 5190 9898
acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com
acl AIM_domains dstdomain .messaging.aol.com .aim.com
acl AIM_hosts dstdomain login.oscar.aol.com login.glogin.messaging.aol.com toc.oscar.aol.com
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT

# Permit IRC
acl IRC_ports port 6667
acl IRC_domains dstdomain .freenode.net
acl IRC_hosts dstdomain irc.freenode.net
acl IRC_methods method CONNECT

# Permit Yahoo Messenger
acl YIM_ports port 5050
acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp
acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
acl YIM_methods method CONNECT

# Permit Google Talk
acl GTALK_ports port 5222 5050 443
acl GTALK_domains dstdomain .google.com
acl GTALK_hosts dstdomain talk.google.com
acl GTALK_methods method CONNECT

# Permit MSN
acl MSN_ports port 1863 443 1503
acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_methods method CONNECT

acl MULTIMEDIA rep_mime_type -i ^(audio\/x-mpegurl|audio\/mpeg|video\/flv|video\/x-flv|application\/x-shockwave-flash|audio\/ogg|video\/ogg|application\/ogg)$

# --------- RULES DEFINITIONS
url_rewrite_access deny localhost
url_rewrite_access allow all
http_access allow AIM_methods AIM_ports AIM_nets
http_access allow AIM_methods AIM_ports AIM_hosts
http_access allow IRC_methods IRC_ports IRC_hosts
http_access allow IRC_methods IRC_ports IRC_domains
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains
http_access allow GTALK_ports GTALK_hosts GTALK_methods
http_access allow GTALK_methods GTALK_ports GTALK_domains
http_access allow MSN_ports MSN_domains MSN_methods
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow manager localhost
http_access allow purge localhost
http_access deny purge
http_access deny blockedsites
http_access allow ldapauth
http_access allow group_password
http_access allow office_network
http_access deny to_localhost
http_access deny all

# --------- ICAP Services.(0 service(s))

# --------- ident_lookup_access
hierarchy_stoplist cgi-bin ?

# --------- General settings
visible_hostname prx01.arqui300.local
ignore_expect_100 off

# --------- time-out
dead_peer_timeout 10 seconds
dns_timeout 2 minutes
connect_timeout 1600 seconds
persistent_request_timeout 3 minutes
pconn_timeout 1600 seconds
maximum_object_size 300 MB
minimum_object_size 4 MB
maximum_object_size_in_memory 1024 KB

#http/https ports
http_port 3128

# --------- SSL Rules

# --------- Caches
cache_effective_user squid
cache_effective_group squid
#cache_replacement_policy heap LFUDA
cache_mem 411 MB
cache_swap_high 90
cache_swap_low 95

# --------- DNS and ip caches
ipcache_size 51200
ipcache_low 90
ipcache_high 95
fqdncache_size 51200

# --------- SPECIFIC DNS SERVERS

#--------- FTP specific parameters
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
ftp_epsv on
ftp_epsv_all off
ftp_telnet_protocol off

debug_options ALL,1

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
refresh_pattern \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000
refresh_pattern \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern \.kaspersky-labs\.com/.*?\.(diff|exe|klz|zip)$ 2880 100% 28800
refresh_pattern \.avast\.com/.*?\.(exe|vpu)$ 2880 100% 28800
refresh_pattern \.avira-update\.com/.*?\.gz$ 2880 100% 28800
refresh_pattern global-download\.acer\.com/.*?/Driver/.*?zip 2880 100% 28800
refresh_pattern \.windowsupdate\.com/.*?\.(cab|exe|dll|msi|psf) 10080 100% 43200
refresh_pattern \.microsoft\.com/.*?\.(cab|exe|dll|msi) 10080 100% 43200
refresh_pattern . 0 20% 4320
refresh_pattern -i (/cg-bin/|\?) 0 0% 0

icp_port 3130

#Logs-------------------------------------------------
#fqdn is disabled For sarg.
log_fqdn off
coredump_dir /var/squid/cache
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
pid_filename /var/run/squid.pid
access_log none manager
access_log /var/log/squid/access.log common
access_log /var/log/squid/sarg.log squid
cache_dir ufs /var/cache/squid 30000 16 256

# --------- OTHER CACHES
cache_dir ufs /var/cache/squid2 30000 16 256