Hi After upgrading squid 3.4.4 to 3.4.7 (64Bit, self-compiled, the same configure-options, the same config-file, ssl_bump with "ssl_bump server-first all" enabled), I'm no more able to access bumped https-sites because of a TCP_DENIED/403. #---------------------- relevant parts of squid.conf ----------------------# auth_param negotiate program /usr/local/squid/libexec/ negotiate_kerberos_auth auth_param negotiate children 50 startup=10 idle=5 auth_param negotiate keep_alive on acl AUTHENTICATED proxy_auth REQUIRED external_acl_type SQUID_KERB_LDAP ttl=7200 children-max=50 children-startup=20 children-idle=5 negative_ttl=7200 %LOGIN /usr/local/squid/libexec/ext_kerberos_ldap_group_acl -g "Internet Users" acl INTERNET_ACCESS external SQUID_KERB_LDAP acl DENY_USERS_LOCAL proxy_auth_regex -i "/etc/squid/DENY_USERS_LOCAL" ... ... http_access deny DENY_USERS_LOCAL all http_access deny !INTERNET_ACCESS all http_access deny !AUTHENTICATED all http_access allow INTERNET_ACCESS AUTHENTICATED http_access deny all #---------------------- relevant parts of squid.conf ----------------------# The meaning of the "DENY_USERS_LOCAL"-file is to insert all users (by AD-username), which shouldn't have internet-access. In squid 3.4.4, I had no restrictions with this directive. After upgrading to 3.4.7 (the same config as in 3.4.4), I always catch a TCP_DENIED/403. The cache.log with debug actived looks like this: #---------------------- cache.log ----------------------# 2014/09/09 14:35:24.539 kid2| Acl.cc(177) matches: checked: http_access#4 = 0 2014/09/09 14:35:24.540 kid2| Acl.cc(157) matches: checking http_access#5 2014/09/09 14:35:24.540 kid2| Acl.cc(157) matches: checking DENY_USERS_LOCAL 2014/09/09 14:35:24.540 kid2| Acl.cc(28) AuthenticateAcl: SslBumped request: It is an encapsulated request do not authenticate 2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: DENY_USERS_LOCAL = 1 2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: http_access#5 = 1 2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: http_access = 1 2014/09/09 14:35:24.540 kid2| Checklist.cc(55) markFinished: 0x27cfb98 answer DENIED for match 2014/09/09 14:35:24.540 kid2| Checklist.cc(155) checkCallback: ACLChecklist::checkCallback: 0x27cfb98 answer=DENIED #---------------------- cache.log ----------------------# The file "DENY_USERS_LOCAL" is actual empty. Why does squid in the 3.4.7er version blocks me with the "http_access deny DENY_USERS_LOCAL"? What changed hereby in the current version? How can I enforce the "old behaviour" (like 3.4.4)? Many thanks. Kind regards, Tom _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
