[squid-users] http_reply_access processing

From: Eugene <gonnabefun@dont-contact.us>
Date: Fri, 6 Apr 2007 17:10:13 +0300

Hello!
I've upgraded my Squid from 2.5.14 to 2.6.12 and ran into trouble with
http_reply_access rule processing.

In our configuration, client programs without proxy authentication
support are allowed to access the Internet by IP, using src-type ACLs.

If the client was matched by 'src' first, and the first http_reply_access rule's ACL type is 'proxy_auth', then
Squid requests an auth header (gets none), stops processing the remaining
http_reply_access rules and generates X-Squid-Error: ERR_ACCESS_DENIED 0.

-------------------------------
 Here is the log (debug_options 28,9); the sample program is Opera, which
 does not provide any proxy auth and is expected to be matched as 'domain_comp':

2007/04/06 16:15:04| aclCheck: checking 'http_reply_access allow domain_user'
2007/04/06 16:15:04| aclMatchAclList: checking domain_user
2007/04/06 16:15:04| aclMatchAcl: checking 'acl domain_user proxy_auth domain_user'
2007/04/06 16:15:04| authenticateValidateUser: Auth_user_request was NULL!
2007/04/06 16:15:04| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
2007/04/06 16:15:04| aclMatchAcl: returning 0 sending authentication challenge.
2007/04/06 16:15:04| aclMatchAclList: no match, returning 0
2007/04/06 16:15:04| aclCheck: requiring Proxy Auth header.
2007/04/06 16:15:04| aclCheck: match found, returning 2
2007/04/06 16:15:04| The reply for GET http://corbis.com/favicon.ico is ALLOWED, because it matched 'domain_user'

-------------------------------

Here is the config to reproduce the issue:

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 7

auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 7
auth_param basic realm Proxy password
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl media urlpath_regex -i \.(mp3|mp3\?.*) #and so on (lots of)
acl files urlpath_regex -i \.(rar|rar\?.*) #and so on

acl mime_media rep_mime_type audio/mpeg
acl mime_files rep_mime_type application/octet-stream

acl domain_comp src 10.0.0.34/32
acl domain_user proxy_auth domain_user

deny_info TCP_RESET files
deny_info TCP_RESET mime_files
deny_info TCP_RESET media
deny_info TCP_RESET mime_media

#allow media content to authenticated user
http_access allow domain_user
http_access deny all media

#allow programs on comp to perform updates w/o proxy authentication
http_access allow domain_comp
http_access deny all files

#allow authenticated user to get reply
#trouble for domain_comp starts here because of the auth request, WHICH IS NOT SUPPORTED BY THE CLIENT
http_reply_access allow domain_user

#blocking media content by mime
http_reply_access deny all mime_media

#allow comp to download files
http_reply_access allow domain_comp
http_reply_access deny all mime_files
http_reply_access allow all

-------------------------------

./squid -v
Squid Cache: Version 2.6.STABLE12
configure options: '--prefix=/usr/local/squid' '--enable-snmp'
'--enable-delay-pools' '--enable-err-languages=Russian-1251'
'--enable-default-err-language=Russian-1251' '--enable-referer-log'
'--enable-removal-policies=lru heap' '--enable-ssl' '--enable-forw-via-db'
'--enable-storeio=ufs diskd null' '--enable-pf-transparent' '--enable-auth=ntlm,basic'

-- 
Best regards,
 Eugene
Received on Fri Apr 06 2007 - 08:10:22 MDT
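As an added example (not part of the post above and not Squid project code), the following reordering of the http_reply_access section follows from the debug log: Squid evaluates access lines in order and stops at the first line that matches, and the log shows that a non-matching proxy_auth ACL on the first line ends evaluation with an authentication challenge ("aclCheck: requiring Proxy Auth header"). Lines that use only 'src' and 'rep_mime_type' ACLs are therefore placed before any line containing a proxy_auth ACL, so a request from 10.0.0.34 is decided without the auth subsystem ever being consulted. The ACL names are the ones from the posted config; it is an assumption that the auth_param, acl, deny_info and http_access lines (including the 'all' ACL) stay exactly as posted.

```conf
# Added example (not from the original post): only the http_reply_access
# section is shown; auth_param, acl, deny_info and http_access lines are
# assumed to be exactly as in the posted config, including 'all'.

# Rules that involve only 'src' and 'rep_mime_type' ACLs come first, so a
# request from 10.0.0.34 is decided here and never reaches a proxy_auth ACL,
# hence never triggers the 407 challenge the client cannot answer.
http_reply_access deny domain_comp mime_media
http_reply_access allow domain_comp

# Authenticated users get every reply. A client without credentials that
# gets this far is challenged, which is the intended behaviour for every
# host other than the one handled above.
http_reply_access allow domain_user

# Everyone else: block media and files by reply MIME type.
http_reply_access deny all mime_media
http_reply_access deny all mime_files
http_reply_access allow all
```

The one behavioural difference from the posted order: an authenticated user browsing from 10.0.0.34 now also has audio/mpeg replies reset, because the src-based deny fires before the proxy_auth allow is reached. The same ordering principle applies to http_access if 10.0.0.34 should be exempt from the challenge at request time as well.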