Hi

Does anyone have some ideas/hints concerning this problem?

Many thanks.
Tom

On Wed, Oct 8, 2014 at 8:16 PM, Tom Tom <tomtux007@xxxxxxxxx> wrote:
> I still get a TCP_DENIED/403 while accessing a bumped https-site after
> putting a "-" or even "^root$" in /etc/squid/DENY_USERS_LOCAL. The
> cache.log with "debug_options 29,3 28,9" activated looks like this:
>
> 2014/10/08 20:03:00.539 kid2| Acl.cc(157) matches: checking DENY_USERS_LOCAL
> 2014/10/08 20:03:00.539 kid2| Acl.cc(28) AuthenticateAcl: SslBumped request: It is an encapsulated request do not authenticate
> 2014/10/08 20:03:00.539 kid2| Acl.cc(177) matches: checked: DENY_USERS_LOCAL = 1
> 2014/10/08 20:03:00.539 kid2| Acl.cc(177) matches: checked: http_access#2 = 1
> 2014/10/08 20:03:00.540 kid2| Acl.cc(177) matches: checked: http_access = 1
> 2014/10/08 20:03:00.540 kid2| Checklist.cc(55) markFinished: 0x2905728 answer DENIED for match
> 2014/10/08 20:03:00.540 kid2| Checklist.cc(155) checkCallback: ACLChecklist::checkCallback: 0x2905728 answer=DENIED
> 2014/10/08 20:03:00.540 kid2| Gadgets.cc(103) aclIsProxyAuth: aclIsProxyAuth: called for DENY_USERS_LOCAL
> 2014/10/08 20:03:00.540 kid2| Acl.cc(118) FindByName: ACL::FindByName 'DENY_USERS_LOCAL'
> 2014/10/08 20:03:00.540 kid2| Gadgets.cc(108) aclIsProxyAuth: aclIsProxyAuth: returning 1
> 2014/10/08 20:03:00.540 kid2| Gadgets.cc(71) aclGetDenyInfoPage: got called for DENY_USERS_LOCAL
>
>
> The concerning entries in squid.conf look like this:
> acl DENY_USERS_LOCAL proxy_auth_regex -i "/etc/squid/DENY_USERS_LOCAL"
> ...
> http_access deny DENY_USERS_LOCAL
> ...
>
>
> The meaning of the entries in the file DENY_USERS_LOCAL is denying
> kerberos-authenticated AD-users. With squid 3.4.4, this worked fine.
>
> Kind regards,
> Tom
>
>
> On Wed, Oct 8, 2014 at 4:26 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> On 9/10/2014 3:21 a.m., Amos Jeffries wrote:
>>> On 9/10/2014 2:09 a.m., Tom Tom wrote:
>>>> I think this behaviour was introduced with squid 3.4.4.1
>>>> (http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13113.patch).
>>>>
>>>> I don't exactly understand this behaviour. Any hints for this?
>>>
>>> Aha. I am guessing it is a combination of:
>>> * the previous ssl-bumped traffic was brokenly finding "invalid" credentials
>>> * an "empty" regex actually contains .* (is matching anything valid).
>>>
>>> Meaning previously the "invalid" credentials would prevent the
>>> regex being even attempted. Now that the credentials validity is
>>> fixed the regex tests out and matches.
>>>
>>> Try putting a single entry of "-" in /etc/squid/DENY_USERS_LOCAL.
>>
>> Actually that would match any users with hyphen in their username.
>>
>> For production use, if the experiment above actually works, use ^root$
>> or another username which will never be assigned with explicit start
>> and end anchors.
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
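The regex-file semantics Amos describes above (an empty pattern list behaving like `.*`, a bare `-` hitting every username that contains a hyphen, `^root$` hitting only that account), modelled as an added example. This is not Squid's parser; the match-all fallback for an empty file and the sample usernames are assumptions made here to illustrate the thread, and the file contents are constructed, not Tom's real /etc/squid/DENY_USERS_LOCAL.

```python
import re

# Constructed stand-ins for possible contents of the ACL file.
EMPTY = ""                                      # file with no patterns
HYPHEN = "-\n"                                  # Amos's experiment
ANCHORED = "# account that is never issued\n^root$\n"

USERS = ["root", "ROOT", "jane-doe", "bob"]     # constructed sample usernames


def load_patterns(text, ignore_case=True):
    """One regex per non-blank, non-comment line, compiled with
    IGNORECASE to mirror the ``-i`` flag in the acl line.

    Assumption (models the thread's claim, not Squid's code): a file
    that yields no pattern is treated as a single '.*'.
    """
    flags = re.IGNORECASE if ignore_case else 0
    pats = [ln.strip() for ln in text.splitlines()]
    pats = [p for p in pats if p and not p.startswith("#")]
    if not pats:
        pats = [".*"]
    return [re.compile(p, flags) for p in pats]


def denied(username, patterns):
    """True when any pattern occurs anywhere in the username.  Matching is
    unanchored (search, not fullmatch), which is why '-' hits 'jane-doe'."""
    return any(p.search(username) for p in patterns)


def evaluate(file_text, users):
    """Map each username to whether the http_access deny line would fire."""
    pats = load_patterns(file_text)
    return {u: denied(u, pats) for u in users}


def unanchored(file_text):
    """Pre-deployment check: list patterns lacking both ^ and $ anchors,
    the pitfall Amos points out for a bare '-'."""
    lines = (ln.strip() for ln in file_text.splitlines())
    return [p for p in lines
            if p and not p.startswith("#")
            and not (p.startswith("^") and p.endswith("$"))]


if __name__ == "__main__":
    for name, text in [("empty", EMPTY), ("hyphen", HYPHEN), ("anchored", ANCHORED)]:
        print(name, evaluate(text, USERS), "unanchored:", unanchored(text))
```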