>> uri_whitespace encode
>
> Hmm. Accepting whitespace in URLs is a risky choice. One can never be
> completely sure how third-party agents in the network are handling it
> before the request arrived.
>
> If (big IF) you are able to use "uri_whitespace deny" this proxy would
> be a bit more secure. This is just a suggestion, you know best here.

I think that was a workaround for a vulnerability. If it was, it may no
longer be needed.

>> acl trellix_phone_cloud dstdomain amcore-ens.rest.gti.trellix.com
>> http_access deny trellix_phone_cloud
>> external_acl_type host_based_filter children-max=15 ttl=0 %ACL
>> acl HostBasedRules external host_based_filter
>> http_access allow HostBasedRules
>> auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd
>> auth_param digest realm squid
>> auth_param digest children 2
>> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/basic_passwd
>> auth_param basic children 2
>> auth_param basic realm squidb
>> auth_param basic credentialsttl 2 hours
>
>> acl auth_users proxy_auth REQUIRED
>> external_acl_type custom_acl_db children-max=15 ttl=0 %ACL
>> acl CustomAclDB external custom_acl_db
>> http_access allow CustomAclDB
>
>
> Hmm, this use of combined authentication+authorization is a bit tricky
> with two layers of asynchronous helper lookups going on. That alone
> might be what is going on with the weird 403's.
>
>
> A better sequence would be:
>
> # ensure login is performed
> http_access deny !auth_users
>
> # check the access permissions for whichever user logged in
> http_access allow CustomAclDB

The first call to the external_acl is to process unauthenticated
requests. Is the suggestion to replace "acl auth_users proxy_auth
REQUIRED" with "http_access deny !auth_users" before the second
external_acl (for authenticated requests)?

Thanks again, very much
Kevin
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
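For readers following the thread, here is the quoted squid.conf with the http_access sequence reordered the way the reply suggests. This is an added example, not Kevin's posted configuration or Amos's reply: the helper programs, the "deny all" tail and the %SRC / %LOGIN format tokens (the posted config used a different format list) are assumptions. The point it shows is that "acl auth_users proxy_auth REQUIRED" is a definition and stays where it is, because an http_access line can only reference ACL names defined with "acl"; the new "http_access deny !auth_users" line is inserted between the host-based (unauthenticated) check and the per-user check, so the per-user external ACL is only consulted for a request that already carries valid credentials.

```conf
# Added example (not the configuration posted in this thread).
# Assumed: helper paths as quoted, %SRC / %LOGIN format tokens, final deny all.

# Reject URLs that contain whitespace instead of re-encoding them.
uri_whitespace deny

acl trellix_phone_cloud dstdomain amcore-ens.rest.gti.trellix.com
http_access deny trellix_phone_cloud

# Host-based rules run before any authentication, so a request that
# matches here is allowed without ever seeing a 407 challenge.
# Assumption: the helper keys on the client address (%SRC).
external_acl_type host_based_filter children-max=15 ttl=0 %SRC
acl HostBasedRules external host_based_filter
http_access allow HostBasedRules

auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd
auth_param digest realm squid
auth_param digest children 2
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/basic_passwd
auth_param basic children 2
auth_param basic realm squidb
auth_param basic credentialsttl 2 hours

# The ACL definition is still required; it is what http_access refers to.
acl auth_users proxy_auth REQUIRED

# Ensure login is performed. A request without (valid) credentials fails
# to match auth_users and gets the 407 challenge here, not a 403 later.
http_access deny !auth_users

# The user is now known, so the per-user lookup only ever runs on an
# authenticated request. Assumption: the helper receives the login name
# (%LOGIN), which is what a per-user rule database needs.
external_acl_type custom_acl_db children-max=15 ttl=0 %LOGIN
acl CustomAclDB external custom_acl_db
http_access allow CustomAclDB

# Anything the rules above did not explicitly allow is refused.
http_access deny all
```

With this order, a 403 can only come from CustomAclDB saying no for an already authenticated user (or from the trellix or final deny), which makes "weird 403's" much easier to attribute in access.log.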