Hi list.

I have a strange problem with ACLs and http_access rules.
Our Squid servers are using winbind for NTLM auth. We need to achieve user auth
for https.

Here is an example that causes problems for us:
=============
1) http_access allow CONNECT HTTPS_DOMAINS_BLACKLIST WebVIP
2) http_access allow CONNECT Webusers_whitelist_domains Webusers

3) http_access allow localnetwork CONNECT SSL_ports

4) http_access allow CONNECT WebVIP
5) http_access allow CONNECT Webusers
=============

- WebVIP - users group from AD
- Webusers - users group from AD
- HTTPS_DOMAINS_BLACKLIST - black list for bad addresses 
- Webusers_whitelist_domains - white list for Webusers


The first two lines work as expected - only users from WebVIP and Webusers can
access https sites from the black/white lists. We can see their user IDs in
Squid's access.log.

If I put the last three lines (4-5) before 3, then I get 407 errors in access.log,
and no one is able to use https anymore. So there is a problem! That is why we
need to use line no. 3 - it just allows all CONNECT from our IP subnet without
auth.

I'm completely lost and frustrated. Why do the first two lines work and the last
two do not?
Is there any hint?


And maybe someone knows - are there any third-party tools for analyzing
squid.conf for logical errors? The more I use Squid, the more I want to find
some tool that will be able to catch logical errors according to Squid's design.
Any hint please?


Thanks in advance.
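
A small model of how the five rules above are evaluated, added as an illustration and not part of the original post. It assumes Squid's documented semantics: rules are checked top to bottom, the first matching line wins, ACLs on a line are ANDed left to right, and a group ACL reached without credentials produces a 407 challenge. The `evaluate` helper and the sample requests are constructed for the example; negated ACLs and the rest of squid.conf are not modelled.

```python
# Added example: simplified model of Squid http_access evaluation.
# Rule numbers and ACL names are taken from the post; everything else is constructed.
POST_RULES = {
    1: "http_access allow CONNECT HTTPS_DOMAINS_BLACKLIST WebVIP",
    2: "http_access allow CONNECT Webusers_whitelist_domains Webusers",
    3: "http_access allow localnetwork CONNECT SSL_ports",
    4: "http_access allow CONNECT WebVIP",
    5: "http_access allow CONNECT Webusers",
}
AUTH_ACLS = {"WebVIP", "Webusers"}  # AD group ACLs: need an authenticated user

def parse(order):
    """Return [(rule_no, action, [acl, ...])] in the given rule order."""
    return [(n, POST_RULES[n].split()[1], POST_RULES[n].split()[2:]) for n in order]

def evaluate(rules, acls, groups):
    """Walk rules top to bottom; the first fully matching line decides.

    acls:   names of the non-auth ACLs that match this request
    groups: AD groups of the user, or None if no credentials were sent
    Returns (rule_no, outcome); outcome is the rule action, "407" or "no-match".
    """
    for rule_no, action, names in rules:
        for name in names:              # ACLs on one line are ANDed, left to right
            if name in AUTH_ACLS:
                if groups is None:      # identity needed but not supplied yet
                    return rule_no, "407"
                if name not in groups:
                    break
            elif name not in acls:
                break                   # short-circuit: later ACLs are not checked
        else:
            return rule_no, action
    return None, "no-match"

# Constructed request: CONNECT to port 443 from the local subnet, domain in no list.
LAN_CONNECT = {"localnetwork", "CONNECT", "SSL_ports"}

if __name__ == "__main__":
    for label, order in (("as posted", [1, 2, 3, 4, 5]), ("4-5 before 3", [1, 2, 4, 5, 3])):
        rules = parse(order)
        print(label)
        print("  no credentials        ->", evaluate(rules, LAN_CONNECT, None))
        print("  Webusers member       ->", evaluate(rules, LAN_CONNECT, {"Webusers"}))
        print("  no creds, blacklisted ->",
              evaluate(rules, LAN_CONNECT | {"HTTPS_DOMAINS_BLACKLIST"}, None))
```

In this model "407" only means that a challenge is issued at that rule; a 407 entry is also the normal first step of an NTLM handshake, so the rule number shows where authentication becomes mandatory rather than why a client fails to complete it.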
