[squid-users] RE: 2.4STABLE1 & authentication & FTP - BUG

From: Ken Thomson <Ken.Thomson@dont-contact.us>
Date: Mon, 13 Aug 2001 10:33:15 +1000

Hi Robert,

I have had a look at my ACLs and http_access sections in squid.conf. I
can't see how they could be causing this.

There are no proto ACLs specified anywhere - so nothing specific to FTP. I
do not deny non-authenticated users, rather I only allow authenticated
users. Does this sound correct?

The order of my http_access statements is:
allow manager localhost
deny manager elsewhere
allow URLPATH keyword search exceptions (many lines)
deny URLPATH keyword search (many lines)
deny specific filetypes / urls (many lines)
deny client source addresses (via a file)
deny specific users (via a file)
allow authenticated users
deny all

As a note, when you cancel the authentication on rendered FTP directories
the 'anthony' icons are not displayed, but the filenames and subdirs are.

I don't have a spare machine at the moment to test 2.5 - but will see what I
can do.

Regards,
Ken.

-----Original Message-----
From: Robert Collins [mailto:robert.collins@itdomain.com.au]
Sent: Friday, August 10, 2001 15:45
To: Ken Thomson
Cc: 'squid-users@squid-cache.org'
Subject: Re: [squid-users] 2.4STABLE1 & authentication & FTP - BUG

On 10 Aug 2001 15:06:34 +1000, Ken Thomson wrote:
> I have noticed what appears to be a bug in Squid 2.4STABLE1.
>
> If you have user authentication (i.e. an acl with proxy_auth REQUIRED set on)
> and try to access an FTP site via squid and cancel the authentication request
> windows, you can still get at any directory/file and start a file download.
> You do not need to be authenticated!
>
> The reason for this is that Squid renders the FTP directory in the browser
> prior to prompting for authentication. So you can cancel the authentication
> and proceed as normal by clicking links and continually cancelling the
> authentication requests.

That's very strange... the authentication test should be done before any
communication to the FTP server. I'd guess that what you have happening
is something like
http_access allow ftp
http_access deny notauthed

so that squid is actually asking you to authenticate for the graphics on
the ftp directory list, not the ftp listing itself.

> Anyone else experience this?

Nope. If you can confirm that it's not an acl issue, please try with the
current 2.5 devel version and see if it's any different.

Rob
 
> Regards,
> Ken.
Received on Sun Aug 12 2001 - 18:33:24 MDT
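
An added example, not part of the original thread and not Squid's own code: a small Python check for the ACL-ordering question discussed above. It lists the http_access allow lines that a request without credentials can reach, under a simplified first-match model; the ACL names and file paths in the sample are constructed.

```python
# Simplified model (assumption): http_access lines are checked top to bottom,
# the first line whose ACLs all match decides, and a request that carries no
# credentials never matches a proxy_auth ACL.

# Constructed sample that follows the rule order described in the thread;
# ACL names and file paths are made up for illustration.
SAMPLE_CONF = """\
# squid.conf excerpt
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl search_ok urlpath_regex -i "/etc/squid/search_ok.txt"
acl search_bad urlpath_regex -i "/etc/squid/search_bad.txt"
acl authed proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access allow search_ok
http_access deny search_bad
http_access allow authed
http_access deny all
"""


def parse(conf):
    """Return (names of proxy_auth ACLs, ordered http_access rules)."""
    auth_acls, rules = set(), []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        words = raw.split("#", 1)[0].split()      # drop comments
        if len(words) >= 3 and words[0] == "acl" and words[2] == "proxy_auth":
            auth_acls.add(words[1])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((lineno, words[1], words[2:]))
    return auth_acls, rules


def allows_without_auth(conf):
    """List (line, ACLs) of allow rules an unauthenticated request can hit."""
    auth_acls, rules = parse(conf)
    findings = []
    for lineno, action, acls in rules:
        if action == "allow" and not any(a in auth_acls for a in acls):
            findings.append((lineno, " ".join(acls)))
        # "deny all" or "deny !authed" stops every unauthenticated request
        if action == "deny" and (acls == ["all"] or all(
                a[:1] == "!" and a[1:] in auth_acls for a in acls)):
            break
    return findings
```

Each line it reports is an allow that is evaluated before any credential check, so it needs a deliberate reason to be there (the cache manager rule usually has one).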
