Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...

From: Tom Tux <>
Date: Fri, 27 Aug 2010 11:07:58 +0200

Hi Amos

Thanks a lot for this information.

Is it usual/normal, that all https-requests have this error?
1282899033.246 0 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT - NONE/- text/html

As I already mentioned: The sites, which are denied in the access.log,
are normally accessible and appear correctly (this is what I don't
I think, that I don't have rules, which explicitly require another
authentication instead of kerberos. Here is an extract of my

The ACL "INTERNET_ACCESS" is an external_acl with squid_kerb_ldap:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Block invalid Users
http_access deny !INTERNET_ACCESS
http_access allow INTERNET_ACCESS
http_access deny all

When I trace the http/https-traffic with httpfox (firefox-addon), then
I also got no errors or denies back.

Thanks a lot for all the help.

2010/8/27 Amos Jeffries <>:
> Tom Tux wrote:
>> Hi
>> For every HTTPS-Site I have the following tcp_denied/407-entry in the
>> access.log:
>> 282895826.492      1 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
>> - NONE/- text/html
>> 1282896033.320      1 xx.xx.xx.xx TCP_DENIED/407 3744 CONNECT
>> - NONE/- text/html
>> The sites, which are denied in the access.log, are though accessible,
>> but I have these errors. For me it seems, that squid needs a user
>> authentication. But this should be given with kerberos-authentication,
>> which works fine.
>> I have the following directives configured (as default):
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>> http_access deny CONNECT !SSL_ports
>> Can someone explain this behaviour to me?
> CONNECT requests to SSL ports (aka HTTPS) will get past that security
> barrier and move on to checking your other rules. One of those other rules
> involves proxy authentication.
> All requests which require authentication but do not provide it get a 407 or
> 401 response challenging the browser to provide some credentials. This is
> true for all authentication types.
> Working browsers with access to the required credentials will send them on a
> followup request and get past that challenge.
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.7
>  Beta testers wanted for
Received on Fri Aug 27 2010 - 09:08:07 MDT
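
The challenge-then-retry behaviour Amos describes can be checked in the log itself. The following is an added example, not part of the original thread: it pairs each TCP_DENIED/407 entry with a later authenticated request from the same client for the same URL and reports only the challenges that were never answered. It assumes Squid's native access.log format with the URL and user fields present; the sample lines, addresses, host names, user name and the 5-second window are constructed for illustration.

```python
import re

# Native access.log: time elapsed_ms client code/status bytes method URL user hier/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+\S+\s+\S+$"
)

def parse(line):
    """Parse one line; return None for lines that do not have all ten fields."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Entries are written when the transaction ends, so a long CONNECT tunnel
    # is logged late. Recover the start time to order challenge and retry.
    rec["start"] = float(rec["ts"]) - int(rec["elapsed"]) / 1000.0
    rec["status"] = int(rec["status"])
    return rec

def unanswered_challenges(lines, window=5.0):
    """Return 407 records that no authenticated retry followed within `window` s."""
    records = sorted(filter(None, map(parse, lines)), key=lambda r: r["start"])
    unanswered = []
    for i, rec in enumerate(records):
        if rec["status"] != 407:
            continue
        key = (rec["client"], rec["method"], rec["url"])
        # A retry counts when it has a logged user name and a non-407 status.
        answered = any(
            (r["client"], r["method"], r["url"]) == key
            and r["status"] != 407 and r["user"] != "-"
            and r["start"] - rec["start"] <= window
            for r in records[i + 1:]
        )
        if not answered:
            unanswered.append(rec)
    return unanswered

# Constructed sample (addresses, hosts and user name are made up).
SAMPLE = """\
1282899033.246 0 192.0.2.10 TCP_DENIED/407 3720 CONNECT www.example.com:443 - NONE/- text/html
1282899095.500 62000 192.0.2.10 TCP_MISS/200 5120 CONNECT www.example.com:443 alice@EXAMPLE.COM DIRECT/198.51.100.7 -
1282899040.100 0 192.0.2.55 TCP_DENIED/407 3720 CONNECT mail.example.net:443 - NONE/- text/html
1282899041.900 0 192.0.2.55 TCP_DENIED/407 3720 CONNECT mail.example.net:443 - NONE/- text/html
""".splitlines()

if __name__ == "__main__":
    for rec in unanswered_challenges(SAMPLE):
        print(rec["client"], rec["url"], rec["ts"])
```

Log lines with the URL stripped out, like the redacted ones quoted in this thread, have only nine fields and are skipped by `parse`.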