Hi,
I've configured Squid 3.5.19 to allow only AD-authenticated users. The strange thing I've found is that the same domain is both denied and allowed. In some browsers I had a problem with yahoo.com: the pages would not load correctly. Besides that, I use SquidAnalyzer, and it is a problem that it counts some URLs as denied when in most cases they are allowed:
## Log files
/var/log/squid/access.log
192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 407 4634 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TCP_DENIED:HIER_NONE
192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TAG_NONE:HIER_DIRECT
## /var/log/squid/cache.log
It's long, so you can take a look at it here:
http://pastebin.com/P2Ey6XcH
## Log files
/var/log/squid/access.log
192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 407 4634 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TCP_DENIED:HIER_NONE
192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TAG_NONE:HIER_DIRECT
## /var/log/squid/cache.log
It's long, so you can take a look at it here:
http://pastebin.com/P2Ey6XcH
Could you please explain this to me?
## Configuration:
/etc/squid/squid.conf:
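# Squid 3.5 configuration as posted. http_access rules are evaluated top to
# bottom and the first matching rule decides, so the order below matters.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# SslBump steps used by the ssl_bump rules further down: step1 sees the client
# hello (SNI), step2 sees the server certificate, step3 takes the final action.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpSites ssl::server_name "/etc/squid/acls/nobumpSites.txt"
# Port hygiene comes first so no later allow rule can override it; the cache
# manager interface is reachable from localhost only.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
acl social_ips dst "/etc/squid/acls/social_ips"
acl social_dom dstdomain "/etc/squid/acls/social_dom"
acl whitelist_ips src "/etc/squid/acls/whitelist_ips"
# Negotiate helper (Kerberos, NTLM fallback). The -d and --diagnostics flags
# turn on helper debug output; drop them once troubleshooting is finished.
auth_param negotiate program /usr/lib64/squid/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE --kerberos /usr/lib64/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on
# Matches any request that carries valid proxy credentials.
acl kerb_auth proxy_auth REQUIRED
ssl_bump peek step1 all # at step 1 we're peeking at client TLS-request in order to find the "SNI"
ssl_bump peek step2 nobumpSites # here we're peeking at server certificate
ssl_bump splice step3 nobumpSites # here we're splicing connections which match the whitelist
ssl_bump stare step2 # here we're staring at server certificate
ssl_bump bump step3 # finally we're bumping all other SSL connections at step 3
http_access allow localhost
# A request that arrives without credentials matches !kerb_auth here and is
# answered with 407 Proxy Authentication Required (logged as TCP_DENIED with
# an empty user); the browser then repeats the same request with credentials,
# which produces the 200 line logged right after it for the same URL. A
# 407/200 pair for one URL is the normal challenge/response, not an ACL
# conflict, and a log analyzer will count the 407 as a denial.
http_access deny !kerb_auth
# Authenticated clients coming from whitelist_ips bypass the social_* blocks.
http_access allow kerb_auth whitelist_ips
http_access deny social_ips
http_access deny social_dom
# NOTE(review): urlpath_regex is matched against the URL path, while a CONNECT
# request carries host:port rather than a path -- verify that this rule ever
# matches; a dst ACL (or url_regex) may be what is intended for blocking
# CONNECT to literal IP addresses. The trailing "all" is redundant. The
# "connect" ACL duplicates the CONNECT ACL defined above.
acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl connect method CONNECT
http_access deny connect numeric_IPs all
# Only reached by requests that already passed authentication.
http_access allow localnet
# Default: anything not explicitly allowed above is denied.
http_access deny all
always_direct allow all
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
visible_hostname kanban.example.local
# Generated host certificates for bumped connections are signed with myCA.pem;
# keep that file readable by the squid user only, since whoever holds the key
# can impersonate any site this proxy bumps.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=6MB cert=/etc/squid/ssl_cert/myCA.pem
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# The posted text had an en dash before "l"; the option must use an ASCII hyphen.
url_rewrite_program /usr/sbin/ufdbgclient -l /var/ufdbguard/logs
url_rewrite_children 64
access_log daemon:/var/log/squid/access.log combined
# %un logs the authenticated user name; %Ss:%Sh are the result/hierarchy tags
# seen in the access.log excerpt (TCP_DENIED:HIER_NONE, TAG_NONE:HIER_DIRECT).
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %mt
# Section 28 (access control) at level 9 traces every ACL check and is very
# verbose; lower it again once troubleshooting is done.
debug_options ALL,1 33,2 28,9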
EOF
Thanks in advance!