I think this behaviour was introduced with squid 3.4.4.1
(http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13113.patch).
I don't exactly understand this behaviour. Any hints for this?

Thanks a lot.

Kind regards,
Tom

On Mon, Oct 6, 2014 at 11:59 AM, Tom Tom <tomtux007@xxxxxxxxx> wrote:
> Hi
>
> After upgrading squid 3.4.4 to 3.4.7 (64Bit, self-compiled, the same
> configure-options, the same config-file, ssl_bump with "ssl_bump
> server-first all" enabled), I'm no longer able to access bumped
> https-sites because of a TCP_DENIED/403.
>
>
> #---------------------- relevant parts of squid.conf ----------------------#
> auth_param negotiate program /usr/local/squid/libexec/
> negotiate_kerberos_auth
> auth_param negotiate children 50 startup=10 idle=5
> auth_param negotiate keep_alive on
> acl AUTHENTICATED proxy_auth REQUIRED
>
> external_acl_type SQUID_KERB_LDAP ttl=7200 children-max=50
> children-startup=20 children-idle=5 negative_ttl=7200 %LOGIN
> /usr/local/squid/libexec/ext_kerberos_ldap_group_acl -g "Internet
> Users"
> acl INTERNET_ACCESS external SQUID_KERB_LDAP
> acl DENY_USERS_LOCAL proxy_auth_regex -i "/etc/squid/DENY_USERS_LOCAL"
> ...
> ...
> http_access deny DENY_USERS_LOCAL all
> http_access deny !INTERNET_ACCESS all
> http_access deny !AUTHENTICATED all
> http_access allow INTERNET_ACCESS AUTHENTICATED
> http_access deny all
> #---------------------- relevant parts of squid.conf ----------------------#
>
> The meaning of the "DENY_USERS_LOCAL"-file is to insert all users (by
> AD-username), which shouldn't have internet-access. In squid 3.4.4, I
> had no restrictions with this directive. After upgrading to 3.4.7 (the
> same config as in 3.4.4), I always catch a TCP_DENIED/403. The
> cache.log with debug activated looks like this:
>
> #---------------------- cache.log ----------------------#
> 2014/09/09 14:35:24.539 kid2| Acl.cc(177) matches: checked: http_access#4 = 0
> 2014/09/09 14:35:24.540 kid2| Acl.cc(157) matches: checking http_access#5
> 2014/09/09 14:35:24.540 kid2| Acl.cc(157) matches: checking DENY_USERS_LOCAL
> 2014/09/09 14:35:24.540 kid2| Acl.cc(28) AuthenticateAcl: SslBumped
> request: It is an encapsulated request do not authenticate
> 2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: DENY_USERS_LOCAL = 1
> 2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: http_access#5 = 1
> 2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: http_access = 1
> 2014/09/09 14:35:24.540 kid2| Checklist.cc(55) markFinished: 0x27cfb98
> answer DENIED for match
> 2014/09/09 14:35:24.540 kid2| Checklist.cc(155) checkCallback:
> ACLChecklist::checkCallback: 0x27cfb98 answer=DENIED
> #---------------------- cache.log ----------------------#
>
>
> The file "DENY_USERS_LOCAL" is actually empty. Why does squid in the
> 3.4.7 version block me with the "http_access deny DENY_USERS_LOCAL"?
> What changed hereby in the current version? How can I enforce the "old
> behaviour" (like 3.4.4)?
>
> Many thanks.
>
> Kind regards,
> Tom
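
An added example, not part of the original post and not Squid project code: a small parser that walks ACL debug output like the cache.log excerpt above and reports, for each finished checklist, the answer, the rule line that decided it, the ACLs that matched, and whether authentication was skipped for a bumped request. The sample input is the log from the post with the mail line wrapping undone; the function name and the result field names are assumptions made for this illustration.

```python
import re

# Log lines from the post, with the mail client's line wrapping undone.
SAMPLE_LOG = """\
2014/09/09 14:35:24.539 kid2| Acl.cc(177) matches: checked: http_access#4 = 0
2014/09/09 14:35:24.540 kid2| Acl.cc(157) matches: checking http_access#5
2014/09/09 14:35:24.540 kid2| Acl.cc(157) matches: checking DENY_USERS_LOCAL
2014/09/09 14:35:24.540 kid2| Acl.cc(28) AuthenticateAcl: SslBumped request: It is an encapsulated request do not authenticate
2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: DENY_USERS_LOCAL = 1
2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: http_access#5 = 1
2014/09/09 14:35:24.540 kid2| Acl.cc(177) matches: checked: http_access = 1
2014/09/09 14:35:24.540 kid2| Checklist.cc(55) markFinished: 0x27cfb98 answer DENIED for match
2014/09/09 14:35:24.540 kid2| Checklist.cc(155) checkCallback: ACLChecklist::checkCallback: 0x27cfb98 answer=DENIED
"""

CHECKED = re.compile(r"matches: checked: (\S+) = ([01])\s*$")
FINISHED = re.compile(r"markFinished: (0x[0-9a-fA-F]+) answer (\w+)")
AUTH_SKIPPED = "do not authenticate"  # text of the AuthenticateAcl line above


def trace_decisions(log_text):
    """Return one dict per finished checklist found in the debug log."""
    decisions, directives = [], set()
    matched, rule, auth_skipped = [], None, False
    for line in log_text.splitlines():
        if AUTH_SKIPPED in line:
            auth_skipped = True
        m = CHECKED.search(line)
        if m:
            name, hit = m.group(1), m.group(2) == "1"
            if "#" in name:
                # "directive#N" is one rule line of that directive.
                directives.add(name.split("#", 1)[0])
                if hit:
                    rule = name
            elif hit and name not in directives:
                matched.append(name)  # a named ACL that matched
        m = FINISHED.search(line)
        if m:
            decisions.append({"checklist": m.group(1), "answer": m.group(2),
                              "rule": rule, "acls": matched,
                              "auth_skipped": auth_skipped})
            matched, rule, auth_skipped = [], None, False
    return decisions


if __name__ == "__main__":
    for d in trace_decisions(SAMPLE_LOG):
        print(d)
```
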