[squid-users] RE: 2.4STABLE1 & authentication & FTP - BUG

From: Ken Thomson <Ken.Thomson@dont-contact.us>
Date: Mon, 13 Aug 2001 11:30:17 +1000

I just deleted all but 2 http_access allow lines.

The only allow lines I have now are :
http_access allow manager localhost
http_access allow password

The ACLs for these 2 are:
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl password proxy_auth REQUIRED

The search exception lines I deleted only contained very specific words,
which would be unlikely to occur in many FTP URLs (eg. acl noporn3 url_regex
-i ethicsexam). Whereas it was allowing access to all FTP URLs which I
tried (and I did pick ones which wouldn't have had the search exceptions).

It is still rendering the FTP directories before asking for authentication
even after the http_access allows have been deleted.

Interesting.

The only other possibility is we do patch our version of squid with
SmartFilter from Secure Computing (v3 for squid 2.4s1). Maybe its patch is
making the difference.

Regards,
Ken.

-----Original Message-----
From: Robert Collins [mailto:robert.collins@itdomain.com.au]
Sent: Monday, August 13, 2001 10:59
To: Ken Thomson
Cc: 'squid-users@squid-cache.org'
Subject: RE: 2.4STABLE1 & authentication & FTP - BUG

On 13 Aug 2001 10:33:15 +1000, Ken Thomson wrote:
> Hi Robert,
>
> I have had a look at my ACLs and http_access sections in squid.conf . I
> can't see how they could be causing this.
>
> There are no proto ACLs specified anywhere - so nothing specific to FTP. I
> do not deny non-authenticated users, rather I only allow authenticated
> users. Does this sound correct?
>
> The order of my http_access statements are:
> allow manager localhost
> deny manager elsewhere
> allow URLPATH keyword search exceptions (many lines)
> deny URLPATH keyword search (many lines)
> deny specific filetypes / urls (many lines)
> deny client source addresses (via a file)
> deny specific users (via a file)
> allow authenticated users
> deny all
>
> As a note, when you cancel the authentication on rendered FTP directories
> the 'anthony' icons are not displayed.. but the filenames and subdirs are.

This fits my expectation - the url for the icons is different from the
url for the ftp listing.
If I were a gambler I would bet large sums of $$$ that your
allow URLPATH keyword search exceptions (many lines)
lines have something that matches ftp urls. As you know squid stops as
soon as an allow statement is met, meaning that the user checking code
will not be invoked for urls that match those "allow URLPATH ...
lines".

Rob

> I don't have a spare machine at the moment to test 2.5 - but will see what I
> can do.
>
> Regards,
> Ken.
>
> -----Original Message-----
> From: Robert Collins [mailto:robert.collins@itdomain.com.au]
> Sent: Friday, August 10, 2001 15:45
> To: Ken Thomson
> Cc: 'squid-users@squid-cache.org'
> Subject: Re: [squid-users] 2.4STABLE1 & authentication & FTP - BUG
>
>
> On 10 Aug 2001 15:06:34 +1000, Ken Thomson wrote:
> > I have noticed what appears to be a bug in Squid 2.4STABLE1.
> >
> > If you have user authentication (ie. an acl with proxy_auth REQUIRED set
> > on) and try to access a FTP site via squid and cancel the authentication
> > request windows, you can still get at any directory/file and start a file
> > download.
> > You do not need to be authenticated!
> >
> > The reason for this is that Squid renders the FTP directory in the
> > browser prior to prompting for authentication. So you can cancel the
> > authentication and proceed as normal by clicking links and continually
> > cancelling the authentication requests.
>
> That's very strange... the authentication test should be done before any
> communication to the FTP server. I'd guess that what you have happening
> is something like
> http_access allow ftp
> http_access deny notauthed
>
> so that squid is actually asking you to authenticate for the graphics on
> the ftp directory list, not the ftp listing itself.
>
> > Anyone else experience this?
>
> Nope. If you can confirm that it's not an acl issue, please try with the
> current 2.5 devel version and see if it's any different.
>
> Rob
>
> > Regards,
> > Ken.
>

-- 
_____________________________
Robert Collins
CEO
IT Domain Pty Limited
Your Application Solution Partner
02 9476 4223   Mobile: 0414 693 367
www.itdomain.com.au
_____________________________
 
Received on Sun Aug 12 2001 - 19:30:23 MDT
