Hi, You require to deny the db_auto just after the allow statement (See below ). I hope that will work. Thanks/regards, Vishal Agarwal -----Original Message----- From: Milen Pankov [mailto:mail@xxxxxxxxxxxxxxx] Sent: Monday, March 19, 2012 5:34 AM To: squid-users@xxxxxxxxxxxxxxx Subject: SSL sites bypass authentication Hi, I have been using squid with basic authentication from quite some time without problems while recently I discovered that anyone can open https addresses trough the proxy without authenticating. If someone refuses the authentication dialog (clicks on Cancel) and receives a squid access denied error page after that he can type an https address in the address bar and it will open fine. I can't seem to find something wrong with the configuration and I can't seem to find any info on this behavior anywhere. Would appreciate if someone helps. I am using squid 3.1.6. Here is the relevant part of the configuration: auth_param basic program /usr/lib/squid3/squid_db_auth --dsn "DBI:mysql:host=myhostname:database=mydatabase" --user "myuser" --password "mypassword" --table "myusers" --usercol "myusername" --passwdcol "mypassword" --cond "cond1=0 and cond2=1" --md5 --persist auth_param basic children 5 auth_param basic realm HTTP Proxy auth_param basic credentialsttl 1 minute auth_param basic casesensitive on acl db_auth proxy_auth REQUIRED authenticate_ip_ttl 10 minutes acl only_one_conn max_user_ip -s 1 http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access deny to_localhost http_access allow localhost http_access deny only_one_conn http_access allow db_auth http_access deny db_auth # Insert this line http_access deny all Thanks, Milen
