I still get a TCP_DENIED/403 while accessing a bumped https-site after putting a "-" or even "^root$" in /etc/squid/DENY_USERS_LOCAL. The cache.log with "debug_options 29,3 28,9" activated looks like this: 014/10/08 20:03:00.539 kid2| Acl.cc(157) matches: checking DENY_USERS_LOCAL 2014/10/08 20:03:00.539 kid2| Acl.cc(28) AuthenticateAcl: SslBumped request: It is an encapsulated request do not authenticate 2014/10/08 20:03:00.539 kid2| Acl.cc(177) matches: checked: DENY_USERS_LOCAL = 1 2014/10/08 20:03:00.539 kid2| Acl.cc(177) matches: checked: http_access#2 = 1 2014/10/08 20:03:00.540 kid2| Acl.cc(177) matches: checked: http_access = 1 2014/10/08 20:03:00.540 kid2| Checklist.cc(55) markFinished: 0x2905728 answer DENIED for match 2014/10/08 20:03:00.540 kid2| Checklist.cc(155) checkCallback: ACLChecklist::checkCallback: 0x2905728 answer=DENIED 2014/10/08 20:03:00.540 kid2| Gadgets.cc(103) aclIsProxyAuth: aclIsProxyAuth: called for DENY_USERS_LOCAL 2014/10/08 20:03:00.540 kid2| Acl.cc(118) FindByName: ACL::FindByName 'DENY_USERS_LOCAL' 2014/10/08 20:03:00.540 kid2| Gadgets.cc(108) aclIsProxyAuth: aclIsProxyAuth: returning 1 2014/10/08 20:03:00.540 kid2| Gadgets.cc(71) aclGetDenyInfoPage: got called for DENY_USERS_LOCAL The concerning entries in squid.conf looks like this: acl DENY_USERS_LOCAL proxy_auth_regex -i "/etc/squid/DENY_USERS_LOCAL" ... http_access deny DENY_USERS_LOCAL ... The meaning of the entries in the file DENY_USERS_LOCAL is denying kerberos-authenticated AD-users. With squid 3.4.4, this worked fine. Kind regards, Tom On Wed, Oct 8, 2014 at 4:26 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 9/10/2014 3:21 a.m., Amos Jeffries wrote: >> On 9/10/2014 2:09 a.m., Tom Tom wrote: >>> I think, this behaviour was introduced with squid 3.4.4.1 >>> (http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13113.patch). >> >>> I don't exactly understand this behaviour. Any hints for this? >> >> Aha. I am guessing it is a combination of: * the previous >> ssl-bumped traffic was brokenly finding "invalid" credentials * an >> "empty" regex actually contains .* (is matching anything valid). >> >> Meaning previously the "invalid" credentials would prevent the >> regex being even attempted. Now that the credentials validity is >> fixed the regex tests out and matches. >> >> Try putting a single entry of "-" in /etc/squid/DENY_USERS_LOCAL. > > Actually that would match any users with hyphen in their username. > > For production use, if the experiment above actually works, use ^root$ > or another username shich will never be assigned with explicit start > and end anchors. > > Amos > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.22 (MingW32) > > iQEcBAEBAgAGBQJUNUmhAAoJELJo5wb/XPRjxUwH/3Y3gDn7Cbt4ikAFyhAq+BlJ > tnvu2lC/WK5et8aWSsGGUtxDcOZtJoW9hYGWVIJs7wukqMlldvH7oWdGpJ/pS4tQ > KVpABF55n0Kt1ayRTpHzoE6eNDgVZt5lMcUk1OJnjW/wbibC5n6+BpBwyjg+Hf1X > StvV6y99kMvqWkHNgBYcwLXblV83GdtnX5xmCV6CnPZSry50bMc+m/4fiLSJojvG > unCMccmkw09697sPzJvZRe0CZbq8r3TRLfGJQEYqVem2FumpCoPQVDHIk82Q0B/y > nyMHOndz5PVnYr9VpuYy7pVokA74jJ5HstLVQsIW/i1TMjarUP/1dFYpG8sEDL4= > =/mvM > -----END PGP SIGNATURE----- > _______________________________________________ > squid-users mailing list > squid-users@xxxxxxxxxxxxxxxxxxxxx > http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
