2016-08-19 17:22 GMT-03:00 Antony Stone <Antony.Stone@xxxxxxxxxxxxxxxxxxxx>:
It's a case of "client must first authenticate itself with the proxy" (https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html), perhaps I'm wrong, but would something such as TCP_UNAUTHORIZED be better?
On Friday 19 August 2016 at 20:41:11, Jok Thuau wrote:
> On Fri, Aug 19, 2016 at 9:33 AM, Sergio Belkin <sebelk@xxxxxxxxx> wrote:
> > /var/log/squid/access.log
> > 192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT
> > beap-bc.yahoo.com:443 HTTP/1.1" 407 4634 "-" "Mozilla/5.0 (Windows NT
> > 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TCP_DENIED:HIER_NONE
>
> This is unauthenticated (notice the "- -" after the IP)
>
> > 192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT
> > beap-bc.yahoo.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1;
> > WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TAG_NONE:HIER_DIRECT
>
> This one is authenticated (juan.perez). The code 407 in the first request
> means "proxy request authentication". So what happened here is that the
> user browsed, was asked for credentials (and maybe those were provided
> automatically), and then the request was resent with the creds included.
Given the timestamps (both 12:19:45; no time for a human to enter credentials
at a prompt) the browser did this automatically, and invisibly to the user.
Exactly it does so, but I wonder if TCP_DENIED is the proper message here.
It's a case of "client must first authenticate itself with the proxy" (https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html), perhaps I'm wrong, but would something such as TCP_UNAUTHORIZED be better?
However, I've found that I can create a rule in order to exclude such a messages in the logs:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Too-many-TCP-DENIED-407-when-using-Kerberos-authentication-td4662372.html
http://squid-web-proxy-cache.1019090.n4.nabble.com/Too-many-TCP-DENIED-407-when-using-Kerberos-authentication-td4662372.html
And squid-analyzer has a directive to exclude them too:
ExcludedCodes TCP_DENIED/407
ExcludedCodes TCP_DENIED/407
Thanks!
Antony.
> http_access deny !kerb_auth
>
> > http_access allow kerb_auth whitelist_ips
>
> And here is the config that causes that -- it's totally normal...
>
> Thanks,
--
"In fact I wanted to be John Cleese and it took me some time to realise that
the job was already taken."
- Douglas Adams
Please reply to the list;
please *don't* CC me.
--
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
