On 16/02/21 4:16 am, Yanko Hernández Álvarez wrote:
> On Fri, Feb 12, 2021 at 5:36 PM Amos Jeffries wrote:
>>
>> On 13/02/21 9:29 am, Yanko Hernández Álvarez wrote:
>>> Hello :-)
>>>
>>> How is it possible that some user tried to log in with the correct
>>> password and squid response was a TCP_DENIED/407?
>>>
>> ...
>>> http_access deny !LoggedIn # LoggedIn = proxy_auth REQUIRED
>>>
>>
>> What rules follow this one? and what ACL types are they?
>>
>
> "Normal" http_access access/deny rules (TCP_DENIED/403). None Auth
> related (no TCP_DENIED/407 possible):
>
> acl TooManyIPs max_user_ip -s 1
> acl GRP1 external ADGroup CN=GRP1,OU=Roles,OU=UsersOU,DC=example,DC=com
> http_access deny TooManyIPs !GRP1
> acl GRP2 external ADGroup CN=UsuariosInternet,OU=UsersOU,DC=example,DC=com
> acl GRP3 external ADGroup CN=GRP3,OU=UsersOU,DC=example,DC=com
> acl GRP4 external ADGroup CN=GRP4,OU=UsersOU,DC=example,DC=com

All these group checks will trigger re-authentication if the user is not a member of the group(s) being checked - in case a different login would work.

This issue is where the "all hack" comes from. Put "all" at the end of the deny lines which need to end with a group check. Or where possible rearrange the ACL checks to put some other ACL type after the group check.


For example:  ...

> http_access deny !GRP3 !GRP2 !GRP4

... here:

  http_access deny !GRP3 !GRP2 !GRP4 all


> http_access deny !InternalSites GRP3 !GRP2

... here:
  http_access deny GRP3 !GRP2 !InternalSites


> http_access allow SocialNetworks GRP4

... here:
  http_access allow GRP4 SocialNetworks


> http_access deny SocialNetworks
> acl BlackListedDomains1 dstdomain -n
> '/etc/squid/Sites/Forbidden/BlackListedDomains1'
> http_access deny BlackListedDomains1
> acl BlackListedDomains2 dstdomain -n
> '/etc/squid/Sites/Forbidden/BlackListedDomains2'
> http_access deny BlackListedDomains2
> acl BlackListedDomains3 dstdomain -n
> '/etc/squid/Sites/Forbidden/BlackListedDomains3'
> http_access deny BlackListedDomains3
> acl BlackListedDomains4 dstdomain -n
> '/etc/squid/Sites/Forbidden/BlackListedDomains4'
> http_access deny BlackListedDomains4

Any particular reason for so many different blacklists?

It is a faster check and simpler config file to either have one blacklist file, or to load all the files as one ACL name.



> acl REBlackListedDomains1 dstdom_regex -i
> '/etc/squid/Sites/Forbidden/REBlackListedDomains1'
> http_access deny REBlackListedDomains1
> acl REBlackListedDomains2 dstdom_regex -i
> '/etc/squid/Sites/Forbidden/REBlackListedDomains2'
> http_access deny REBlackListedDomains2
> acl REBlackListedDomains3 dstdom_regex -i
> '/etc/squid/Sites/Forbidden/REBlackListedDomains3'
> http_access deny REBlackListedDomains3

Same for the regex blacklists.


Amos
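To make the mechanism behind the "all hack" discussed above concrete, here is a small Python model of how Squid walks an http_access list: rules top to bottom, terms on a line ANDed left to right, and, on a denial, a 407 challenge if the ACL tested last was authentication-related (proxy_auth, or an external ACL whose format carries the login name), otherwise a 403. This is an added example, not Squid code and not from the thread; the user/group data, the domains, the `external_login` label and the final `allow LoggedIn` line are constructed assumptions, while the ACL names follow the quoted configuration.

```python
"""
Toy model of Squid http_access evaluation and the "all hack".

Simplified rules, following Squid's documented behaviour:
  * rules are tested top to bottom; within a rule, terms are ANDed and
    tested left to right, stopping at the first term that fails;
  * the first rule whose terms all pass decides; if none matches, the
    opposite of the last rule's action applies;
  * on a denial, Squid looks at the ACL it tested last: if that ACL is
    authentication-related it re-challenges (407), otherwise it denies (403).

All users, groups, domains and the 'external_login' type label below are
constructed for this example; this is not Squid's implementation.
"""
from dataclasses import dataclass, field
from typing import Optional

# ACL types whose presence as the last-tested ACL on a denial yields a 407.
AUTH_ACL_TYPES = {"proxy_auth", "external_login"}


@dataclass
class Request:
    user: Optional[str]                     # None = no credentials presented
    groups: set = field(default_factory=set)
    dstdomain: str = ""


def build_acls():
    """ACL name -> (acl type, predicate). Names follow the quoted config."""
    def group(name):
        # External ACL using the login name (like the ADGroup helper above).
        return ("external_login", lambda r: r.user is not None and name in r.groups)
    return {
        "all": ("src", lambda r: True),
        "LoggedIn": ("proxy_auth", lambda r: r.user is not None),
        "GRP2": group("GRP2"),
        "GRP3": group("GRP3"),
        "GRP4": group("GRP4"),
        # Constructed: "internal" sites live under .internal.example
        "InternalSites": ("dstdomain", lambda r: r.dstdomain.endswith(".internal.example")),
    }


def evaluate(rules, acls, req):
    """Return an access.log style result for walking `rules` with `req`."""
    last_checked = None
    for action, terms in rules:
        rule_matches = True
        for term in terms:
            negate = term.startswith("!")
            name = term.lstrip("!")
            last_checked = name              # Squid remembers the last ACL tested
            _acl_type, predicate = acls[name]
            if predicate(req) == negate:     # this term fails -> skip the rule
                rule_matches = False
                break
        if rule_matches:
            return _result(action, last_checked, acls)
    implicit = "deny" if rules[-1][0] == "allow" else "allow"
    return _result(implicit, last_checked, acls)


def _result(action, last_checked, acls):
    if action == "allow":
        return "TCP_MISS/200"
    if last_checked and acls[last_checked][0] in AUTH_ACL_TYPES:
        return "TCP_DENIED/407"   # re-challenge: a different login might pass
    return "TCP_DENIED/403"


def policy(group_line, inside_line):
    """Constructed policy: the two deny lines under discussion plus a final allow."""
    return [
        ("deny", ["!LoggedIn"]),
        ("deny", group_line),
        ("deny", inside_line),
        ("allow", ["LoggedIn"]),   # assumed final rule, not shown in the thread
    ]


# The lines as quoted, and as rewritten with "all" appended / terms reordered.
BEFORE = policy(["!GRP3", "!GRP2", "!GRP4"], ["!InternalSites", "GRP3", "!GRP2"])
AFTER = policy(["!GRP3", "!GRP2", "!GRP4", "all"], ["GRP3", "!GRP2", "!InternalSites"])


def compare(req):
    """(result with the original lines, result with the corrected lines)."""
    acls = build_acls()
    return evaluate(BEFORE, acls, req), evaluate(AFTER, acls, req)


if __name__ == "__main__":
    for req in (Request("carol", set(), "www.example.org"),
                Request("dave", {"GRP3"}, "www.example.org"),
                Request("dave", {"GRP3"}, "wiki.internal.example"),
                Request(None)):
        print(req, "->", compare(req))
```

Running it shows the two spurious challenges: an authenticated user in none of the groups, and a GRP3 member going to an external site, both get 407 with the original lines because the last ACL tested was a group check, and 403 once `all` is appended or the dstdomain ACL is moved to the end. An unauthenticated request is challenged in both variants, which is the intended 407 from the `!LoggedIn` line.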
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
