On 2/10/18 9:28 AM, neok wrote:
> As far as I know, nothing's changed. The only thing that could have happened
> is that Chrome was updated. I'm reviewing that.
>
> This is what Firefox says when I try to access a denied site:
> The proxy server is refusing connections.
> Firefox is configured to use a proxy server that is refusing connections.
>

As you can see from the access.log, Squid is presenting 407 auth challenges in response to these CONNECT requests.

It is welcome news to hear Chrome has finally been fixed to actually perform authentication for CONNECT tunnels. While it may have been okay with you, the previous behaviour is actually a long-standing browser bug and a violation of HTTP on their part.

On 2/10/18 8:53 AM, neok wrote:
>
> Now Chrome shows me the login window every time I visit a denied site.
> I suspect Chrome has been updated and changed its behavior. I'm currently
> studying that possibility.
> I'm also rethinking whether the way I'm denying sites is the right one.
...
>
> http_access allow WEB_ACCESS_YT_ONLY LS_youtube
> http_access deny WEB_ACCESS_YT_ONLY

The "deny WEB_ACCESS_YT_ONLY" line is triggering the re-authentication.

When the reason for denial is due to credentials (i.e. %LOGIN for the external ACL evaluation), a 407 authentication challenge is produced.

Notice that in the config I helped you develop a few days ago, all the other uses of these external ACL tests for the "deny" action are followed by another ACL test that is unrelated to the auth process, usually a regex or dstdomain check. It is these other ACL checks which prevent any of those lines triggering similar auth challenges as they deny traffic.

Since the next thing your config is doing is a "deny all", you can remove this "deny WEB_ACCESS_YT_ONLY" line entirely and the popups should disappear while still having that traffic denied.

If you have other config policies to be added later, there are some other things you can do. But those will depend on what the other policies are going to require, so I won't cover it now. Just be aware you may have to revisit that YT access rule when adding other policies.

Amos
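The rule described in this reply, as an added example that is not part of the original message and is not Squid's own code: a simplified Python model of first-match `http_access` evaluation in which a deny line ending in an auth-related ACL yields a 407 and any other deny yields a 403. The ACL `BLOCKED_SITES`, the user `alice` and the sample hosts are constructed assumptions; the other ACL names come from the quoted config.

```python
# Simplified model of the rule described above; not Squid source code.
# Assumes the user's credentials were already accepted by the proxy.

AUTH_ACLS = {"WEB_ACCESS_YT_ONLY"}   # external ACL evaluated with %LOGIN
YT_ONLY_USERS = {"alice"}            # constructed group membership
BLOCKED = {"example.org"}            # constructed list for the hypothetical ACL

def in_domain(host, domain):
    """True for the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)

def acl_matches(name, req):
    """Evaluate one named ACL against a constructed request."""
    if name == "all":
        return True
    if name == "WEB_ACCESS_YT_ONLY":
        return req["user"] in YT_ONLY_USERS
    if name == "LS_youtube":
        return in_domain(req["host"], "youtube.com")
    if name == "BLOCKED_SITES":      # hypothetical dstdomain-style ACL
        return req["host"] in BLOCKED
    raise KeyError(name)

def evaluate(rules, req):
    """First http_access line whose ACLs all match decides the outcome."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            if action == "allow":
                return "allow"
            # A deny whose last ACL is auth-related becomes a 407 challenge.
            return "deny-407" if acls[-1] in AUTH_ACLS else "deny-403"
    return "deny-403"                # model's fallback if no line matches

ORIGINAL = [("allow", ["WEB_ACCESS_YT_ONLY", "LS_youtube"]),
            ("deny", ["WEB_ACCESS_YT_ONLY"]),
            ("deny", ["all"])]
FIXED = [ORIGINAL[0], ORIGINAL[2]]   # the deny line removed, as advised
PAIRED = [ORIGINAL[0],               # deny followed by a non-auth ACL
          ("deny", ["WEB_ACCESS_YT_ONLY", "BLOCKED_SITES"]),
          ("deny", ["all"])]

if __name__ == "__main__":
    for host in ("www.youtube.com", "example.org"):
        req = {"user": "alice", "host": host}
        for label, rules in (("original", ORIGINAL), ("fixed", FIXED),
                             ("paired", PAIRED)):
            print(f"{label:9} {host:16} {evaluate(rules, req)}")
```

In all three rule sets the non-YouTube request is denied; only the status the browser sees changes, which is what decides whether a login prompt appears.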