Search squid archive

Re: Squid and SSL Bump

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 13/01/18 02:00, Yoinier Hernandez Nieves wrote:

The user ynieves is member of ad groups “internet”, “socialNetwork”, “youtube” and “moderadoresSocNet"


So most of your http_access lines end with group checks. That could be a problem later. Right now its not clear which would be rejecting with that auth message, and the status being 403 indicates a hard failure rather than re-auth.


I suggest doing the usual thing of placing a single "http_access deny !users" line first, then appending " all" to the lines that normally end with a group check.

Like:

  http_access deny !users

  http_access allow cubaDomains cubaPC all
  http_access allow cubaDomains national all
  http_access allow cubaDomains internet all
  http_access deny SQUISHED1 all

  http_access allow socialDomains moderadoresSocNet all
  http_access allow socialTime socialDomains socialNetwork all
  http_access allow socialTime youtubeDomains youtuber all


For the delay pools there is no need to re-authenticate at all. Use the "note" ACL type to check that a username exists. Like so:

  acl loggedIn note user .

  delay_access 2 allow loggedIn workTime \
    !extDownloads !extDocuments !delaysFree


Also, the pool using only "-1/-1" as its paremeters should be removed. Squid links multiple pools to a transaction, so it is not doing what you think it does. To make certain transactions unlimited simply deny them being added to the other pools. That will also make your existing rules much simpler:

  denya_access 2 deny delaysFree
  delay_access 2 allow loggedIn workTime !extDownloads !extDocuments !
  delay_access 2 deny all


Also, your media and mediapr checks are slow regex tests. They should be placed after the default security checks.


If the problem remains after all the above changes are made you will need to track down what is generating the error page using cache.log trace with "debug_options ALL,5".

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux