>> uri_whitespace encode
>
>Hmm. Accepting whitespace in URLs is a risky choice. One can never be
>completely sure how third-party agents in the network are handling it
>before the request arrived.
>
>If (big IF) you are able to use "uri_whitespace deny" this proxy would
>be a bit more secure. This is just a suggestion, you know best here.
>
>Hmm. Accepting whitespace in URLs is a risky choice. One can never be
>completely sure how third-party agents in the network are handling it
>before the request arrived.
>
>If (big IF) you are able to use "uri_whitespace deny" this proxy would
>be a bit more secure. This is just a suggestion, you know best here.
I think that was a workaround for a vulnerability. If it was, it may no longer be needed.
>
>> acl trellix_phone_cloud dstdomain amcore-ens.rest.gti.trellix.com
>> http_access deny trellix_phone_cloud
>> external_acl_type host_based_filter children-max=15 ttl=0 0X0P+0CL >> acl HostBasedRules external host_based_filter
>> http_access allow HostBasedRules
>> auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd
>> auth_param digest realm squid
>> auth_param digest children 2
>> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/basic_passwd
>> auth_param basic children 2
>> auth_param basic realm squidb
>> auth_param basic credentialsttl 2 hours
>
>> acl auth_users proxy_auth REQUIRED
>> external_acl_type custom_acl_db children-max=15 ttl=0 0X0P+0CL >> acl CustomAclDB external custom_acl_db
>> http_access allow CustomAclDB
>
>
>Hmm, this use of combined authentication+authorization is a bit tricky
>with two layers of asynchronous helper lookups going on. That alone
>might be what is going on with the weird 403's.
>
>
>A better sequence would be:
>
># ensure login is performed
>http_access deny !auth_users
>
># check the access permissions for whichever user logged in
>http_access allow CustomAclDB
The first call the the external_acl is to process unauthenticated requests. Is the suggestion to replace
acl auth_users proxy_auth REQUIRED
with
http_access deny !auth_users
before the second external_acl (for authenticated requests)?
Thanks again, very much
Kevin
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx https://lists.squid-cache.org/listinfo/squid-users