Re: [squid-users] Redirection on error.

2008-03-13 Thread Amos Jeffries

Dave Coventry wrote:

> Hi,
>
> I was hoping to replace the ERR_ACCESS_DENIED page with a logon page
> which could authenticate the user against a password. It doesn't need
> to be very secure.
>
> The problem is that the logon page cannot call the required CGI
> scripts from /usr/local/squid/share/errors/English/
>
> Attempting to place the logon page in /var/www/apache2-default/
> using deny_info /var/www/apache2-default/login.html ipauthACL
> generates this error:
>
> 2008/03/12 13:33:33| errorTryLoadText:
> '/usr/local/squid/share/errors/English//var/www/apache2-default/login.html':
> (2) No such file or directory
>
> Using deny_info http://localhost/login.html ipauthACL or deny_info
> http:/192.168.60.254/login.html ipauthACL appears to work, but
> subsequent calls to (say) cgi-bin/auth.pl are appended onto the
> original URL. For example, if the user requests www.toyota.co.za,
> www.toyota.co.za/cgi-bin/auth.pl is returned.
>
> Is there any way of modifying this behavior?


By hosting the cgi on a web server that can run it and pointing 
deny_info at the URI.
You may need to set up a deny_info for each ACL you plan on using to
block access.


Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.


Re: [squid-users] Redirection on error.

2008-03-12 Thread Dave Coventry
Hi,

I was hoping to replace the ERR_ACCESS_DENIED page with a logon page
which could authenticate the user against a password. It doesn't need
to be very secure.

The problem is that the logon page cannot call the required CGI
scripts from /usr/local/squid/share/errors/English/

Attempting to place the logon page in /var/www/apache2-default/
using deny_info /var/www/apache2-default/login.html ipauthACL
generates this error:


2008/03/12 13:33:33| errorTryLoadText:
'/usr/local/squid/share/errors/English//var/www/apache2-default/login.html':
(2) No such file or directory

Using deny_info http://localhost/login.html ipauthACL or deny_info
http:/192.168.60.254/login.html ipauthACL appears to work, but
subsequent calls to (say) cgi-bin/auth.pl are appended onto the
original URL. For example, if the user requests www.toyota.co.za,
www.toyota.co.za/cgi-bin/auth.pl is returned.

Is there any way of modifying this behavior?


Re: [squid-users] Redirection on error.

2008-03-01 Thread Amos Jeffries

Dave Coventry wrote:

> Amos,
>
> Thank you for the reply.
>
> I have done a bit more research and I see that the directive is
> probably not what I require.
>
> From what I read, the Error page will still behave in the same way and
> append any links onto the originally requested URL.

I'm not sure what you mean by this?
The error response and page as a whole _replaces_ the original URL and
page requested _as a whole_.

> How can you ensure that the links are accessed locally?
>
> Would it work if I used http://192.168.60.254/redir/images/logo.gif?
>
> and http://192.168.60.254/cgi-bin/login.pl?

You could alter the squid errors/ directory and add your files, altering the
ERR_* file appropriately to use them.
That is the old way of doing it and remains very unstable, with server
upgrades likely to replace your editing without warning.


Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.


Re: [squid-users] Redirection on error.

2008-03-01 Thread Dave Coventry
Thanks for your help.

On Sat, Mar 1, 2008 at 11:42 AM, Amos Jeffries wrote:
> I'm not sure what you mean by this?
> The error response and page as a whole _replaces_ the
> original URL and page requested _as a whole_.

Well, if I compose an HTML page to replace ERR_ACCESS_DENIED, and the
page has an IMG tag which refers to images/logo.jpg, then apache
assumes that the location of the logo.jpg file is on the server to
which I was attempting to connect before my access was denied.

So if I was attempting to view http://www.cricinfo.com, apache assumes
that the location of the file logo.jpg is at
http://www.cricinfo.com/images/logo.jpg and returns a 404

If the IMG tag is changed to http://localhost/images/logo.jpg, the
result is the same.

If, however, the IMG tag is changed to
http://192.168.60.254/images/logo.jpg, the result is slightly
different: the /var/log/apache2/access.log file reveals that apache
believes a dummy file has been requested and returns 200.

127.0.0.1 - - [01/Mar/2008:11:52:32 +0200] GET / HTTP/1.0 200 738
- Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6 (internal dummy
connection)

It may be that Apache is at fault here, and I will research this.

But my gut feel is that Squid is spoofing the location of the
ERR_ACCESS_DENIED file as being on the server of the requested URL.

This is not a big deal as far as the images/logo.jpg is concerned,
but it drives a coach and horses through my idea to call a perl cgi
script from the ERR_ACCESS_DENIED page.
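
Added example, not part of the original thread: a small audit of an error-page template that resolves every link against the URL the client originally requested, which is the base a browser uses when the error body is returned in place of that page. The function names, the sample template and the choice of 192.168.60.254 as the login server are assumptions taken from or built around the messages above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

URL_ATTRS = {"href", "src", "action"}  # attributes a browser dereferences
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


class LinkCollector(HTMLParser):
    """Collect the raw URL of every link, image and form target."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.links.append(value)


def audit_error_page(html, requested_url, auth_host):
    """Resolve each link the way the denied client's browser would."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for raw in parser.links:
        # The error body arrives as the response to requested_url, so that
        # URL is the base against which relative references are resolved.
        resolved = urljoin(requested_url, raw)
        host = urlsplit(resolved).hostname or ""
        if host == auth_host:
            verdict = "ok"
        elif host in LOOPBACK:
            verdict = "loopback: the client's own machine"
        else:
            verdict = "goes to " + host + ", not the login server"
        report.append((raw, resolved, verdict))
    return report


# Constructed sample template, not a file from the thread.
SAMPLE_PAGE = """
<img src="images/logo.jpg">
<img src="http://localhost/images/logo.jpg">
<form action="/cgi-bin/auth.pl" method="post"></form>
<form action="http://192.168.60.254/cgi-bin/auth.pl" method="post"></form>
"""

for row in audit_error_page(SAMPLE_PAGE, "http://www.cricinfo.com/", "192.168.60.254"):
    print(row)
```

Only the last form target, written as an absolute URL naming the login server, is reported as "ok".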


[squid-users] Redirection on error.

2008-02-28 Thread Dave Coventry
Hi.

I need to redirect a user to a log on page if he is refused access.

I have changed the ERR_ACCESS_DENIED page to the required page, but
any navigation links are built around the originally requested URL.
For example, if the user requests www.toyota.co.za and is denied
access by my (transparent) proxy, Squid shows the correct page but
then attempts to get the Perl CGI from
http://www.toyota.co.za/authenticate.cgi?username=fred.

I have also tried to use the deny_info err_page_name acl as follows:

acl lan src /usr/local/squid/etc/acl
deny_info http://192.168.60.254 lan

but this does not work either.


Re: [squid-users] Redirection on error.

2008-02-28 Thread Amos Jeffries

Dave Coventry wrote:

> Hi.
>
> I need to redirect a user to a log on page if he is refused access.
>
> I have changed the ERR_ACCESS_DENIED page to the required page, but
> any navigation links are built around the originally requested URL.
> For example, if the user requests www.toyota.co.za and is denied
> access by my (transparent) proxy, Squid shows the correct page but
> then attempts to get the Perl CGI from
> http://www.toyota.co.za/authenticate.cgi?username=fred.
>
> I have also tried to use the deny_info err_page_name acl as follows:
>
> acl lan src /usr/local/squid/etc/acl
> deny_info http://192.168.60.254 lan
>
> but this does not work either.


You require Squid 2.6+ for that directive to work with external URI.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.


Re: [squid-users] Redirection on error.

2008-02-28 Thread Dave Coventry
Amos,

Thank you for the reply.

I have done a bit more research and I see that the directive is
probably not what I require.

From what I read, the Error page will still behave in the same way and
append any links onto the originally requested URL.

How can you ensure that the links are accessed locally?

Would it work if I used http://192.168.60.254/redir/images/logo.gif?

and http://192.168.60.254/cgi-bin/login.pl?