RE: [squid-users] RDP, Certificates and Squid

From: Damian Teasdale <damte_at_oppy.com>
Date: Tue, 1 Mar 2011 11:07:11 -0800

Putting it above the Internet Denied ACL worked. Thanks for the help.

Thanks

Damian Teasdale


-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: February/23/2011 2:07 PM
To: squid-users_at_squid-cache.org
Subject: RE: [squid-users] RDP, Certificates and Squid

 On Wed, 23 Feb 2011 13:55:54 -0500, Chad Naugle wrote:
> I am not certain with my response, but I have some ideas.
>
> - Your ACL ordering, that is often the case, is most likely to blame.
> Squid applies ACLs in order, top-down, and checks each ACL in their
> order when "http_access" is being applied.
> - I believe the ACL blocking access may be the 'PURGE' ACL, since the
> server could be sending them "no-cache" headers. -- I may need
> clarification on this behavior from another person, but you can
> attempt
> to comment it out to see if this is true, or add something such as
> "http_access allow PURGE GoDaddy".

 Not PURGE, that is just a method type ACL. Albeit a performance sapping
 one.

> - Any of your explicit "src / dstdomain" allows will not log
> usernames
> returned by the "InternetUsers" ACL.
> - Does the "Internet_Denied" and/or "FacebookUsers" nt_groups involve
> a
> login prompt, or blind authentication?
> - All explicit allows / denies should be placed _before_
> authentication
> routines.


 :) it's pretty much always ordering.

 In this case the block is 407, so look for things which require
 authentication to be tested.


 ...
>
>>>> Damian Teasdale 2/23/2011 1:27 PM >>>
> This is the whole list from what I can tell.
>
 <snip>

> acl InternetDenied external nt_group Internet_Denied
> acl FacebookUsers external nt_group FacebookUsers

 These are missing their external_acl_type definition, but something
 called "nt_group" is a safe bet that it's doing a login.

 <snip>
> acl InternetUsers proxy_auth REQUIRED

 And this glaring auth ACL.

 <snip>
>
> http_access deny InternetDenied

 ... AND the first thing Squid does is check one of those nt_group ACLs.

  ** This is very, very likely the problem.


> no_cache deny Itrade

 NP: time to remove the "no_" bit off the front of that directive.

> http_access allow PURGE localhost
> http_access deny PURGE
> http_access allow GC
> http_access allow Facebook FacebookUsers

 ... somewhat later facebook users are checked, but only if they are
 visiting facebook.
 This auth ACL will not be the problem.

> http_access deny Facebook
> http_access allow Blackberry
> http_access allow Citrix
> http_access allow WindowsUpdate
> http_access allow BusinessObjects
> http_access allow MapInfo
> http_access allow MindLeaders
> http_access allow DiscoverLink
> http_access allow Knotia
> http_access allow Chep
> http_access allow Auditors
> http_access allow pdr
> http_access allow GoDaddy
> http_access allow InternetUsers

 ... then finally anyone who can login is permitted.

>
> # And finally deny all other access to this proxy
> http_access deny all
>
> Thanks
>
> Damian Teasdale
>

 <snip>
>
> The Oppenheimer Group ---- CONFIDENTIAL

 NP: Posted to a public mailing list archived in perpetuity.


 Amos
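
As an added illustration (not code from the thread, and not Squid's own implementation), the following Python model reproduces the top-down http_access evaluation Amos describes: lines are tried in order, the ACLs on one line are tested left to right and stop at the first non-match, and the moment an ACL that needs a username (proxy_auth, or an nt_group external ACL that is fed the login) is tested against a request carrying no credentials, Squid stops and answers 407. The ACL and rule names come from Damian's config; the hostnames, the group memberships, and the hypothetical dstdomain mapping for "GoDaddy" and "Facebook" are constructed here purely so the model has something to match against.

```python
"""Toy model of Squid http_access ordering (added example, not Squid code).

It shows why "http_access deny InternetDenied" placed above the explicit
"http_access allow GoDaddy" yields a 407 for an unauthenticated RDP/client
request, and why moving the explicit allow above it fixes the problem.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACLs whose evaluation requires a username: the proxy_auth ACL and the two
# nt_group external ACLs (assumption: the nt_group helper receives the login).
AUTH_ACLS = {"InternetUsers", "InternetDenied", "FacebookUsers"}

# Constructed stand-in for what the nt_group helper would answer.
GROUP_MEMBERS = {
    "InternetDenied": {"bob"},
    "FacebookUsers": {"alice"},
}

# Constructed dstdomain-style mapping; the thread does not show these ACL bodies.
DOMAINS = {
    "GoDaddy": ".godaddy.com",
    "Facebook": ".facebook.com",
}


class NeedAuth(Exception):
    """Raised when an auth-requiring ACL is tested on a credential-less request."""

    def __init__(self, acl: str):
        super().__init__(acl)
        self.acl = acl


@dataclass
class Request:
    host: str
    user: Optional[str] = None  # None = no Proxy-Authorization header sent yet


def acl_matches(name: str, req: Request) -> bool:
    """True/False for one ACL; raises NeedAuth when credentials are required."""
    if name in AUTH_ACLS and req.user is None:
        raise NeedAuth(name)  # Squid would challenge (407) right here
    if name == "all":
        return True
    if name == "InternetUsers":
        return True  # proxy_auth REQUIRED: any authenticated user matches
    if name in GROUP_MEMBERS:
        return req.user in GROUP_MEMBERS[name]
    return req.host.endswith(DOMAINS[name])


Rule = Tuple[str, List[str]]  # (action, ACL names that must all match)


def http_access(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """Evaluate rules top-down; returns (result, what decided it)."""
    for action, acls in rules:
        try:
            # all() stops at the first False, like Squid's left-to-right test
            if all(acl_matches(a, req) for a in acls):
                return action, " ".join(acls)
        except NeedAuth as e:
            return "407", e.acl
    return "deny", "implicit default"  # unreachable while "deny all" is last


# Abridged version of the ordering Damian posted.
ORIGINAL: List[Rule] = [
    ("deny", ["InternetDenied"]),
    ("allow", ["Facebook", "FacebookUsers"]),
    ("deny", ["Facebook"]),
    ("allow", ["GoDaddy"]),
    ("allow", ["InternetUsers"]),
    ("deny", ["all"]),
]

# The fix Damian reported: the explicit allow moved above the nt_group deny.
FIXED: List[Rule] = [
    ("allow", ["GoDaddy"]),
    ("deny", ["InternetDenied"]),
    ("allow", ["Facebook", "FacebookUsers"]),
    ("deny", ["Facebook"]),
    ("allow", ["InternetUsers"]),
    ("deny", ["all"]),
]


if __name__ == "__main__":
    samples = [
        Request("crl.godaddy.com"),          # RDP client, no credentials
        Request("www.facebook.com", "alice"),
        Request("www.example.com", "bob"),   # member of Internet_Denied
        Request("www.example.com", "carol"),
    ]
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for r in samples:
            print(f"{label:8} {r.host:20} user={r.user!s:6} ->", http_access(rules, r))
```

The model confirms the two observations in the thread: with the original order an unauthenticated request to a GoDaddy host is answered 407 by the very first line, before the explicit allow is ever reached, and "allow Facebook FacebookUsers" never triggers a challenge for non-Facebook hosts because the cheap dstdomain ACL fails first. Members of Internet_Denied are still denied in the fixed order once they have authenticated.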



Received on Tue Mar 01 2011 - 19:07:32 MST
