[squid-users] RE: 2.4STABLE1 & authentication & FTP - BUG

From: Robert Collins <robert.collins@dont-contact.us>
Date: 13 Aug 2001 10:58:38 +1000

On 13 Aug 2001 10:33:15 +1000, Ken Thomson wrote:
> Hi Robert,
>
> I have had a look at my ACLs and http_access sections in squid.conf . I
> can't see how they could be causing this.
>
> There are no proto ACLs specified anywhere - so nothing specific to FTP. I
> do not deny non-authenticated users, rather I only allow authenticated
> users. Does this sound correct?
>
> The order of my http_access statements is:
> allow manager localhost
> deny manager elsewhere
> allow URLPATH keyword search exceptions (many lines)
> deny URLPATH keyword search (many lines)
> deny specific filetypes / urls (many lines)
> deny client source addresses (via a file)
> deny specific users (via a file)
> allow authenticated users
> deny all
>
> As a note, when you cancel the authentication on rendered FTP directories
> the 'anthony' icons are not displayed.. but the filenames and subdirs are.

This fits my expectation - the url for the icons is different from the
url for the ftp listing.
If I was a gambler I would bet large sums of $$$ that your
allow URLPATH keyword search exceptions (many lines)
lines have something that matches ftp urls. As you know squid stops as
soon as an allow statement is met, meaning that the user checking code
will not be invoked for URLs that match those "allow URLPATH ...
lines".

Rob

> I don't have a spare machine at the moment to test 2.5 - but will see what I
> can do.
>
> Regards,
> Ken.
>
> -----Original Message-----
> From: Robert Collins [mailto:robert.collins@itdomain.com.au]
> Sent: Friday, August 10, 2001 15:45
> To: Ken Thomson
> Cc: 'squid-users@squid-cache.org'
> Subject: Re: [squid-users] 2.4STABLE1 & authentication & FTP - BUG
>
>
> On 10 Aug 2001 15:06:34 +1000, Ken Thomson wrote:
> > I have noticed what appears to be a bug in Squid 2.4STABLE1.
> >
> > If you have user authentication (i.e. an acl with proxy_auth REQUIRED set on)
> > and try to access an FTP site via squid and cancel the authentication request
> > windows, you can still get at any directory/file and start a file download.
> > You do not need to be authenticated!
> >
> > The reason for this is that Squid renders the FTP directory in the browser
> > prior to prompting for authentication. So you can cancel the authentication
> > and proceed as normal by clicking links and continually cancelling the
> > authentication requests.
>
> That's very strange... the authentication test should be done before any
> communication to the FTP server. I'd guess that what you have happening
> is something like
> http_access allow ftp
> http_access deny notauthed
>
> so that squid is actually asking you to authenticate for the graphics on
> the ftp directory list, not the ftp listing itself.
>
> > Anyone else experience this?
>
> Nope. If you can confirm that it's not an acl issue, please try with the
> current 2.5 devel version and see if it's any different.
>
> Rob
>
> > Regards,
> > Ken.
>

-- 
_____________________________
Robert Collins
CEO
IT Domain Pty Limited
Your Application Solution Partner
02 9476 4223   Mobile: 0414 693 367
www.itdomain.com.au
_____________________________
 
Received on Sun Aug 12 2001 - 19:11:18 MDT
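
The first-match behaviour discussed in this thread, as an added example that is not part of the original messages or of Squid's code: a simplified evaluator for http_access lines, run over a constructed squid.conf fragment. The ACL names, patterns and URLs are hypothetical, and only the proxy_auth, urlpath_regex and a catch-all src ACL are modelled.

```python
import re

# Constructed squid.conf fragment; ACL names and patterns are hypothetical.
WEAK = """\
acl all src 0.0.0.0/0.0.0.0
acl authed proxy_auth REQUIRED
acl ok_words urlpath_regex -i /pub/
acl bad_words urlpath_regex -i warez
http_access allow ok_words
http_access deny bad_words
http_access allow authed
http_access deny all
"""
# Corrected form: the exception also requires a logged-in user (ACLs on one line are ANDed).
FIXED = WEAK.replace("allow ok_words", "allow ok_words authed")

def parse(conf):
    acls, rules = {}, []
    for line in conf.splitlines():
        f = line.split()
        if f and f[0] == "acl":
            acls[f[1]] = (f[2], f[3:])
        elif f and f[0] == "http_access":
            rules.append((f[1], f[2:], line))
    return acls, rules

def decide(conf, url, user=None):
    """Return (verdict, deciding line); verdict is 'allow', 'deny' or '407'."""
    acls, rules = parse(conf)
    path = re.sub(r"^\w+://[^/]*", "", url)
    for action, names, line in rules:
        matched = True
        for name in names:
            kind, args = acls[name.lstrip("!")]
            if kind == "proxy_auth":
                if user is None:
                    return "407", line      # credentials are only requested here
                hit = True
            elif kind == "urlpath_regex":
                flags = re.I if "-i" in args else 0
                hit = any(re.search(p, path, flags) for p in args if p != "-i")
            else:
                hit = True                  # simplified: the src ACL 'all' matches everyone
            if hit == name.startswith("!"):
                matched = False
                break
        if matched:
            return action, line             # first matching line wins
    return "deny", "(no line matched)"      # simplification; not reached with 'deny all' last
```

With WEAK, an unauthenticated request for an FTP path under /pub/ is allowed by the first line, while a request for a directory-listing icon (a different URL) falls through to the proxy_auth line and is challenged.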

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:35 MST