Search squid archive

Re: TCP_DENIED/407 accessing webserver on same machine as squid

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ah, your problem seems to be a misunderstanding of how authentication works.

What Squid receives on messages can have three forms:

 1) no credentials at all
 2) correct credentials
 3) invalid credentials

Your definition of the auth_users ACL using "REQUIRED" takes care of the (1) situation. Squid will respond with 407 to get credentials from any client that does not send any. This is what you are seeing on that second log line of your previous post, and the popup in your tests.

Now the "http_access allow auth_users" line only takes care of situation (2), permitting valid users.

Which leaves situation (3) undefined. ... All other traffic continues on to the next http_access line, which is "allow all", ouch.


This is why best practice is to use a "deny" line like so:
  http_access deny !auth_users

... which makes it clear what is happening for every non-authenticated thing, both situation (1) and (2) traffic.

Rules permitting things through without authenticating go above that http_access line, and things applying to authenticated users go below it.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux