Hello everyone!

I'm a bit lost with the behavior of Google Chrome 69.0 for Win 64 and my squid rules 3.5.20. Until a few days ago, when browsing denied sites, Chrome threw the error "ERR_TUNNEL_CONNECTION_FAILED", which was fine for me. Firefox 62 threw the error "The proxy server is refusing connections", which was also fine for me.

Now Chrome shows me the login window every time I visit a denied site. I suspect Chrome has been updated and changed its behavior. I'm currently studying that possibility. I'm also rethinking whether the way I'm denying sites is the right one. I leave my settings so that someone with more experience can give me some feedback. I am very grateful for any indication.

Best regards,
Gabriel.

squid.conf

### Negotiate/NTLM and Negotiate/Kerberos authentication
auth_param negotiate program /usr/sbin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/negotiate_kerberos_auth -r -i -s GSS_C_NO_NAME
auth_param negotiate children 200
auth_param negotiate keep_alive on

### standard allowed ports
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

### destination domains to be blocked in a HTTP access control policy
acl LS_adult dstdomain -i "/etc/squid/DBL/adult.txt"
acl LS_anonvpn dstdomain -i "/etc/squid/DBL/anonvpn.txt"
acl LS_hacking dstdomain -i "/etc/squid/DBL/hacking.txt"
acl LS_malicius dstdomain -i "/etc/squid/DBL/malicius.txt"
acl LS_remotecontrol dstdomain -i "/etc/squid/DBL/remotecontrol.txt"
acl LS_warez dstdomain -i "/etc/squid/DBL/warez.txt"
acl LS_youtube dstdomain -i "/etc/squid/DBL/youtube.txt"

### acl for proxy authentication (kerberos or ntlm)
acl auth proxy_auth REQUIRED

### LDAP group membership sources ###
external_acl_type AD_WEB_ACCESS %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -R -b "OU=NETGOL,DC=netgol,DC=local" -D ldap -W "/etc/squid/ldap_pass.txt" -f "(&(sAMAccountname=%u)(memberof=cn=%g,OU=INTERNET,OU=PERMISOS,OU=NETGOL,DC=netgol,DC=local))" -h s-dc1.netgol.local
acl WEB_ACCESS_1 external AD_WEB_ACCESS WEB_ACCESS_1
acl WEB_ACCESS_2 external AD_WEB_ACCESS WEB_ACCESS_2
acl WEB_ACCESS_3 external AD_WEB_ACCESS WEB_ACCESS_3
acl WEB_ACCESS_YT_ONLY external AD_WEB_ACCESS WEB_ACCESS_YT_ONLY

### HTTP access control policies
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny !auth
http_access allow localhost
http_access deny LS_malicius # malicious sites denied for all
http_access allow WEB_ACCESS_1 # WEB_ACCESS_1 member users can browse without restrictions
http_access deny WEB_ACCESS_2 LS_remotecontrol # WEB_ACCESS_2 member users can't browse Remote Control sites
http_access deny WEB_ACCESS_2 LS_warez # WEB_ACCESS_2 member users can't browse Warez sites
http_access allow WEB_ACCESS_2 # WEB_ACCESS_2 member users can browse the rest of the sites not blocked
http_access deny WEB_ACCESS_3 LS_adult # WEB_ACCESS_3 member users can't browse Adult sites
http_access deny WEB_ACCESS_3 LS_anonvpn # WEB_ACCESS_3 member users can't browse Anonymous VPN sites
http_access deny WEB_ACCESS_3 LS_hacking # WEB_ACCESS_3 member users can't browse Hacking sites
http_access deny WEB_ACCESS_3 LS_remotecontrol # WEB_ACCESS_3 member users can't browse Remote Control sites
http_access deny WEB_ACCESS_3 LS_warez # WEB_ACCESS_3 member users can't browse Warez sites
http_access allow WEB_ACCESS_3 # WEB_ACCESS_3 member users can browse the rest of the sites not blocked
http_access allow WEB_ACCESS_YT_ONLY LS_youtube # WEB_ACCESS_YT_ONLY member users can browse YouTube
http_access deny WEB_ACCESS_YT_ONLY # WEB_ACCESS_YT_ONLY member users can't browse the rest of sites
http_access deny all

### PERSONALIZATION ###
http_port 8080
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
read_timeout 5 minutes
request_timeout 3 minutes
shutdown_lifetime 15 seconds
ipcache_size 2048
fqdncache_size 4096
forwarded_for off
httpd_suppress_version_string on

My lab scenario:
- A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
- My VM is attached to my domain W2012R2 (following this post https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/) to achieve kerberos authentication transparent to the user. SElinux disabled. Owner permissions to user squid in all folders/files involved.
- squid 3.5.20
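
Added example, not part of the original post: Squid answers a denied request with a 407 authentication challenge instead of a 403 when the last ACL on the matching http_access deny line is authentication-related (proxy_auth, or an external ACL whose helper takes %LOGIN). The Python sketch below lists such lines in a configuration; SAMPLE_CONF is a constructed excerpt of the settings above, and the function name auth_deny_rules is hypothetical.

```python
import re

# Constructed excerpt of the squid.conf posted above (shortened, not the full file).
SAMPLE_CONF = """\
external_acl_type AD_WEB_ACCESS %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -R
acl LS_adult dstdomain -i "/etc/squid/DBL/adult.txt"
acl auth proxy_auth REQUIRED
acl WEB_ACCESS_3 external AD_WEB_ACCESS WEB_ACCESS_3
acl WEB_ACCESS_YT_ONLY external AD_WEB_ACCESS WEB_ACCESS_YT_ONLY
http_access deny !auth
http_access deny WEB_ACCESS_3 LS_adult # WEB_ACCESS_3 users can't browse Adult sites
http_access deny WEB_ACCESS_YT_ONLY
http_access deny all
"""

# ACL types that always require credentials.
AUTH_ACL_TYPES = {"proxy_auth", "proxy_auth_regex"}


def auth_deny_rules(conf_text):
    """Return (line_no, rule) for each 'http_access deny' whose last ACL needs a login."""
    login_helpers, auth_acls, hits = set(), set(), []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = re.sub(r"\s+#.*$", "", raw).strip()  # drop trailing comments
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "external_acl_type" and "%LOGIN" in tok[2:]:
            login_helpers.add(tok[1])  # helper is fed the authenticated user name
        elif tok[0] == "acl" and len(tok) >= 3:
            if tok[2] in AUTH_ACL_TYPES:
                auth_acls.add(tok[1])
            elif tok[2] == "external" and len(tok) >= 4 and tok[3] in login_helpers:
                auth_acls.add(tok[1])
        elif tok[0] == "http_access" and len(tok) >= 3 and tok[1] == "deny":
            # Only the last ACL on the line decides between 407 and 403.
            if tok[-1].lstrip("!") in auth_acls:
                hits.append((no, line))
    return hits


if __name__ == "__main__":
    for no, rule in auth_deny_rules(SAMPLE_CONF):
        print(f"line {no}: denial re-challenges the client (407): {rule}")
```

Lines that end in a dstdomain ACL, such as the WEB_ACCESS_3 LS_adult rule, are not reported. The Squid documentation describes appending the built-in `all` ACL to a deny line as the way to get a plain 403 where a re-challenge is not wanted.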