Yes, I sort of pieced together what I found online, which is probably dangerous. I really need to become familiar with how exactly this works for security's sake if nothing else.
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: j m <acctforjunk@xxxxxxxxx>; "squid-users@xxxxxxxxxxxxxxxxxxxxx" <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, May 26, 2017 2:53 PM
Subject: Re: [squid-users] TCP_DENIED/407 accessing webserver on same machine as squid
Ah, your problem seems to be a misunderstanding of how authentication works.
What Squid receives on messages can have three forms:
1) no credentials at all
2) correct credentials
3) invalid credentials
Your definition of the auth_users ACL using "REQUIRED" takes care of the
(1) situation. Squid will respond with 407 to get credentials from any
client that does not send any. This is what you are seeing on that
second log line of your previous post, and the popup in your tests.
Now the "http_access allow auth_users" line only takes care of situation
(2), permitting valid users.
Which leaves situation (3) undefined. ... All other traffic continues on
to the next http_access line, which is "allow all", ouch.
This is why best practice is to use a "deny" line like so:
http_access deny !auth_users
... which makes it clear what is happening for every non-authenticated
thing, both situation (1) and (2) traffic.
Rules permitting things through without authenticating go above that
http_access line, and things applying to authenticated users go below it.
Amos
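As an added illustration of the rule ordering Amos describes (this is not a configuration from the thread; the helper path, realm, subnet and port list are assumptions, and the weak ruleset is shown only in comments), a squid.conf fragment that puts unauthenticated exemptions above the deny line and authenticated rules below it:

```conf
# Assumed authentication helper and realm; adjust the path to your install.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

# ACL that makes Squid challenge (407) any request carrying no credentials.
acl auth_users proxy_auth REQUIRED

# Assumed local definitions: the machine Squid runs on and one client subnet.
acl localhost src 127.0.0.1/32 ::1
acl localnet  src 192.168.1.0/24
acl Safe_ports port 80 443

# --- Weak ordering (the shape discussed above; do NOT use) ---
#   http_access allow auth_users
#   http_access allow all
# A request with *invalid* credentials does not match auth_users, falls
# through the first line, and is then permitted by "allow all".

# --- Recommended ordering ---
http_access deny !Safe_ports

# Rules that must work WITHOUT credentials go above the deny line.
# Here: requests originating on the proxy host itself (for example a
# webserver on the same machine) are allowed without authenticating.
http_access allow localhost

# Everything that reaches this point must present valid credentials.
# Missing credentials -> 407 challenge; invalid credentials -> denied.
http_access deny !auth_users

# Rules that apply to authenticated users go below the deny line.
http_access allow localnet auth_users

# Explicit final default, so nothing is permitted by accident.
http_access deny all
```

Note that the `deny !auth_users` line is what makes every unauthenticated and wrongly authenticated request terminate there instead of falling through to later `allow` lines; anything that should bypass authentication (the local webserver, monitoring checks, and so on) must be matched by an `allow` placed before it.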
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users