Re: [squid-users] http_reply_access processing

From: Chris Robertson <crobertson@dont-contact.us>
Date: Fri, 06 Apr 2007 12:53:15 -0800

Eugene wrote:
> Hello!
> I've upgraded my squid from 2.5.14 to 2.6.12 and got into trouble with
> http_reply_access rules processing.
>
> In our configuration, client programs without proxy authentication
> support are allowed to access the internet by IP, using src-type ACLs.
>
> If the client is matched by 'src' first and the first http_reply_access rule's ACL type is 'proxy_auth', then
> Squid requests an auth header (gets none), stops processing the next
> http_reply_access rules and generates X-Squid-Error: ERR_ACCESS_DENIED 0
>
> -------------------------------
> here is the log (debug_options 28,9); the sample program is Opera, which
> does not provide any proxy auth and is expected to be matched as 'domain_comp':
>
> 2007/04/06 16:15:04| aclCheck: checking 'http_reply_access allow domain_user'
> 2007/04/06 16:15:04| aclMatchAclList: checking domain_user
> 2007/04/06 16:15:04| aclMatchAcl: checking 'acl domain_user proxy_auth domain_user'
> 2007/04/06 16:15:04| authenticateValidateUser: Auth_user_request was NULL!
> 2007/04/06 16:15:04| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
> 2007/04/06 16:15:04| aclMatchAcl: returning 0 sending authentication challenge.
> 2007/04/06 16:15:04| aclMatchAclList: no match, returning 0
> 2007/04/06 16:15:04| aclCheck: requiring Proxy Auth header.
> 2007/04/06 16:15:04| aclCheck: match found, returning 2
> 2007/04/06 16:15:04| The reply for GET http://corbis.com/favicon.ico is ALLOWED, because it matched 'domain_user'
>
> -------------------------------
>
> here is the config to reproduce the issue:
>
> auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 7
>
> auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 7
> auth_param basic realm Proxy password
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> acl media urlpath_regex -i \.(mp3|mp3\?.*) #and so on (lots of)
> acl files urlpath_regex -i \.(rar|rar\?.*) #and so on
>
> acl mime_media rep_mime_type audio/mpeg
> acl mime_files rep_mime_type application/octet-stream
>
> acl domain_comp src 10.0.0.34/32
> acl domain_user proxy_auth domain_user
>
> deny_info TCP_RESET files
> deny_info TCP_RESET mime_files
> deny_info TCP_RESET media
> deny_info TCP_RESET mime_media
>
# Allow domain computers to perform updates w/o proxy authentication
http_access allow domain_comp files
# Allow logged in users to access anything
http_access allow domain_user
# Deny non-logged in users anything not explicitly allowed
http_access deny media # Send TCP_RESET
http_access deny files # Send TCP_RESET
http_access deny all

Toss the rest.

> #allow media content to authenticated users
> http_access allow domain_user
> http_access deny all media
>
> #allow programs on comp to perform updates w/o proxy authentication
> http_access allow domain_comp
> http_access deny all files
>
> #allow auth. user to get reply
> #trouble for domain_comp starts here because of auth request WHICH IS NOT SUPPORTED BY CLIENT
>

# Allow domain computers replies of octet-stream
http_reply_access allow domain_comp mime_files
# Allow logged in users anything
http_reply_access allow domain_user
# Deny non-logged in users anything not explicitly allowed
http_reply_access deny mime_files # Send TCP_RESET
http_reply_access deny mime_media # Send TCP_RESET
http_reply_access deny all

Toss the rest.

> http_reply_access allow domain_user
>
> #blocking media content by mime
> http_reply_access deny all mime_media
>
> #allow comp to dl files
> http_reply_access allow domain_comp
> http_reply_access deny all mime_files
> http_reply_access allow all
>

Chris
Received on Fri Apr 06 2007 - 14:53:54 MDT
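The ordering problem in this thread comes down to how Squid walks an access list: lines are tried top to bottom, the ACLs on one line are checked left to right and all of them must match, and a proxy_auth ACL consulted for a client that never sent a Proxy-Authorization header ends the whole lookup with an authentication challenge instead of a plain no-match. The Python below is a model of those rules added for this page; it is not Squid source and not code from either poster. It runs both http_reply_access orderings from the thread against constructed sample replies, and assumes that any credentials a client does present are accepted by the auth helper and that an unmatched list ends with the opposite of its last line's action.

```python
"""Model of Squid-style first-match ACL evaluation with the proxy_auth
short-circuit. Added example, not Squid code; semantics are simplified."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    AUTH_REQUIRED = "auth_required"   # lookup stopped, challenge is sent


@dataclass
class Reply:
    src: str                     # client IP the request came from
    credentials: Optional[str]   # None = no Proxy-Authorization header at all
    mime_type: str               # Content-Type of the origin server's reply


# ACL definitions taken from the thread, as (type, value). 'all' is builtin.
ACLS = {
    "domain_comp": ("src", "10.0.0.34"),
    "domain_user": ("proxy_auth", None),
    "mime_media":  ("rep_mime_type", "audio/mpeg"),
    "mime_files":  ("rep_mime_type", "application/octet-stream"),
    "all":         ("all", None),
}


def match_acl(name: str, rep: Reply):
    """True/False for ordinary ACLs; Verdict.AUTH_REQUIRED when a proxy_auth
    ACL is consulted for a client that never sent credentials."""
    kind, value = ACLS[name]
    if kind == "all":
        return True
    if kind == "src":
        return rep.src == value
    if kind == "rep_mime_type":
        return rep.mime_type == value
    if kind == "proxy_auth":
        if rep.credentials is None:
            return Verdict.AUTH_REQUIRED
        return True   # assumption: the helper accepts whatever was presented
    raise ValueError(f"unknown acl type {kind}")


Rule = Tuple[str, List[str]]   # ("allow" | "deny", [acl names; all must match])


def evaluate(rules: List[Rule], rep: Reply) -> Tuple[Verdict, Optional[int]]:
    """Return (verdict, index of the line that decided it, or None)."""
    for idx, (action, acl_names) in enumerate(rules):
        for name in acl_names:
            result = match_acl(name, rep)
            if result is Verdict.AUTH_REQUIRED:
                return Verdict.AUTH_REQUIRED, idx   # later lines never run
            if result is False:
                break                               # line fails; next line
        else:
            return Verdict(action), idx             # every ACL on the line hit
    # No line matched: Squid applies the opposite of the last line's action.
    last_action = rules[-1][0]
    return (Verdict.DENY if last_action == "allow" else Verdict.ALLOW), None


# Eugene's http_reply_access order: proxy_auth is consulted first.
EUGENE_REPLY_ACCESS: List[Rule] = [
    ("allow", ["domain_user"]),
    ("deny",  ["all", "mime_media"]),
    ("allow", ["domain_comp"]),
    ("deny",  ["all", "mime_files"]),
    ("allow", ["all"]),
]

# Chris's order: the src-only allow for the update box comes before proxy_auth.
CHRIS_REPLY_ACCESS: List[Rule] = [
    ("allow", ["domain_comp", "mime_files"]),
    ("allow", ["domain_user"]),
    ("deny",  ["mime_files"]),
    ("deny",  ["mime_media"]),
    ("deny",  ["all"]),
]

# Constructed sample replies (not from the thread's log).
OPERA_UPDATE   = Reply("10.0.0.34", None, "application/octet-stream")
OPERA_MEDIA    = Reply("10.0.0.34", None, "audio/mpeg")
USER_MEDIA     = Reply("10.0.0.77", "alice:s3cret", "audio/mpeg")
STRANGER_MEDIA = Reply("10.0.0.99", None, "audio/mpeg")

if __name__ == "__main__":
    for label, rules in (("eugene", EUGENE_REPLY_ACCESS), ("chris", CHRIS_REPLY_ACCESS)):
        for rep in (OPERA_UPDATE, OPERA_MEDIA, USER_MEDIA, STRANGER_MEDIA):
            verdict, line = evaluate(rules, rep)
            print(f"{label:6} {rep.src:11} {rep.mime_type:26} -> {verdict.value} (line {line})")
```

With Eugene's order the update client never gets past line 0: the proxy_auth check fires the challenge before the src rule on line 2 is reached, which matches the "requiring Proxy Auth header" entry in his debug log. With Chris's order the same client is allowed by line 0 for octet-stream replies only; for anything else it falls through to the proxy_auth line and is challenged, which is the intended policy for a box that is only supposed to fetch updates.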