Re: Question about "proxy_auth REQUIRED" and the case of flushing the authentication-cache

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 26/02/2013 2:31 p.m., Amos Jeffries wrote:
> On 25/02/2013 8:27 p.m., Tom Tom wrote:
> > I've attached both cache-traces (squid 3.2.7).
> >
> > "without_407.txt" has the following configuration:
> > ...
> > ...
> > external_acl_type SQUID_KERB_LDAP ttl=7200 children-max=10
> > children-startup=1 children-idle=1 negative_ttl=7200 %LOGIN
> > /usr/local/squid/libexec/ext_kerberos_ldap_group_acl -g
> > "INTERNET_USERS"
> > acl INTERNET_ACCESS external SQUID_KERB_LDAP
> > acl AUTHENTICATED proxy_auth REQUIRED
> > http_access deny !INTERNET_ACCESS
> > http_access deny !AUTHENTICATED
> > http_access allow INTERNET_ACCESS AUTHENTICATED
> > http_access allow localhost
> > http_access deny all
> > ...
> > ...
>
> Note for anyone else reading this:
>    The above was a copy-n-paste typo. The without-407 config has no 
> AUTHENTICATED access control definition.
>
> > In this case, the access.log shows the following:
> > Mon Feb 25 08:14:23 2013     15 10.X.X.X TCP_REFRESH_UNMODIFIED/304
> > 283 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif
> > user@xxxxxxxxxxx HIER_DIRECT/217.79.188.10 image/gif
> >
> >
> >
> > "with_407.txt" has the following configuration:
> > ...
> > ...
> > external_acl_type SQUID_KERB_LDAP ttl=7200 children-max=10
> > children-startup=1 children-idle=1 negative_ttl=7200 %LOGIN
> > /usr/local/squid/libexec/ext_kerberos_ldap_group_acl -g
> > "INTERNET_USERS"
> > acl INTERNET_ACCESS external SQUID_KERB_LDAP
> > acl AUTHENTICATED proxy_auth REQUIRED
> > http_access deny !INTERNET_ACCESS
> > http_access deny !AUTHENTICATED
> > http_access allow INTERNET_ACCESS
> > http_access allow localhost
> > http_access deny all
> > ...
> > ...
> >
> >
> > In this case, the access.log shows the following:
> > Mon Feb 25 08:14:22 2013      0 10.X.X.X TCP_DENIED/407 4136 GET
> > http://imagesrv.adition.com/banners/750/683036/dummy.gif - HIER_NONE/-
> > text/html
> > Mon Feb 25 08:14:22 2013     56 10.X.X.X TCP_REFRESH_UNMODIFIED/304
> > 354 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif
> > user@xxxxxxxxxxx HIER_DIRECT/217.79.188.10 image/gif
> >
> > The only different between config1 and config2 is the
> > "AUTHENTICATED"-flag on the "http_access allow INTERNET_ACCESS" line.
> >
> > Many thanks.
> > Kind regards,
> > Tom
>
> Thank you. I have an explanation for you. But I'm not exactly happy 
> with it how it is working in practice ...

Actually. Screw that, my eyes not working right. It is not even getting 
as far as the proxy_auth test in the with_407 trace. The credentials 
retrieval is where it is triggering re-validate in the with-407. I'm 
going to have to think about this for a few more hours.

Amos