Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...

From: Tom Tux <tomtux80_at_gmail.com>
Date: Fri, 27 Aug 2010 11:07:58 +0200

Hi Amos

Thanks a lot for this information.

Is it usual/normal that all https requests have this error?
1282899033.246 0 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
mail.google.com:443 - NONE/- text/html

As I already mentioned: the sites which are denied in the access.log
are normally accessible and appear correctly (this is what I don't
understand....mmmh....).
I think that I don't have rules which explicitly require another
authentication instead of Kerberos. Here is an extract of my
squid.conf:

The ACL "INTERNET_ACCESS" is an external_acl with squid_kerb_ldap:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Block invalid Users
http_access deny !INTERNET_ACCESS
http_access allow INTERNET_ACCESS
http_access deny all

When I trace the http/https traffic with httpfox (a Firefox add-on), I
also get no errors or denies back.

Thanks a lot for all your help.
Tom

2010/8/27 Amos Jeffries <squid3_at_treenet.co.nz>:
> Tom Tux wrote:
>>
>> Hi
>>
>> For every HTTPS-Site I have the following tcp_denied/407-entry in the
>> access.log:
>> 282895826.492      1 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
>> mail.google.com:443 - NONE/- text/html
>> 1282896033.320      1 xx.xx.xx.xx TCP_DENIED/407 3744 CONNECT
>> secure-www.novell.com:443 - NONE/- text/html
>>
>> The sites which are denied in the access.log are nevertheless accessible,
>> but I have these errors. To me it seems that squid needs a user
>> authentication. But this should be given by the Kerberos authentication,
>> which works fine.
>>
>> I have the following directives configured (as default):
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>> http_access deny CONNECT !SSL_ports
>>
>>
>> Can someone explain this behaviour to me?
>
> CONNECT requests to SSL ports (aka HTTPS) will get past that security
> barrier and move on to checking your other rules. One of those other rules
> involves proxy authentication.
>
> All requests which require authentication but do not provide it get a 407 or
> 401 response challenging the browser to provide some credentials. This is
> true for all authentication types.
>
> Working browsers with access to the required credentials will send them on a
> followup request and get past that challenge.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.7
>  Beta testers wanted for 3.2.0.1
>
Received on Fri Aug 27 2010 - 09:08:07 MDT
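The challenge-then-retry pattern Amos describes can be checked mechanically in the log. The following is an added example, not code from the thread or from the Squid project: it parses Squid native-format access.log records and separates 407 challenges that the same client answered with credentials on a follow-up request to the same URL from 407s that were never answered (the ones worth investigating). The sample records are constructed, not Tom's log.

```python
import re

# Squid native access.log layout (one record per line):
# time elapsed client code/status bytes method URL user peer/host type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

def parse_line(line):
    """Parse one native-format record into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    return rec

def classify_407s(lines, window=5.0):
    """Split 407 entries into 'answered' (the same client retried the same URL
    with credentials within `window` seconds and got a non-407 status) and
    'unanswered' (no such retry: the client never supplied credentials)."""
    recs = [r for r in map(parse_line, lines) if r]
    answered, unanswered = [], []
    for i, r in enumerate(recs):
        if r["status"] != "407":
            continue
        followup = next(
            (f for f in recs[i + 1:]
             if f["client"] == r["client"] and f["url"] == r["url"]
             and f["status"] != "407" and f["user"] != "-"
             and f["ts"] - r["ts"] <= window),
            None,
        )
        (answered if followup else unanswered).append(r)
    return answered, unanswered

# Constructed sample records (not taken from the mailing-list post).
SAMPLE_LOG = """\
1282899033.246      0 10.0.0.5 TCP_DENIED/407 3720 CONNECT mail.google.com:443 - NONE/- text/html
1282899033.410    812 10.0.0.5 TCP_MISS/200 5123 CONNECT mail.google.com:443 alice@EXAMPLE.COM DIRECT/203.0.113.10 -
1282899040.001      0 10.0.0.9 TCP_DENIED/407 3744 CONNECT secure-www.novell.com:443 - NONE/- text/html
""".splitlines()

if __name__ == "__main__":
    ok, bad = classify_407s(SAMPLE_LOG)
    print("answered challenges:", [r["url"] for r in ok])
    print("unanswered 407s    :", [(r["client"], r["url"]) for r in bad])
```

A 407 followed by an authenticated retry is the normal Kerberos negotiation and is benign; a 407 with no authenticated follow-up from that client is the case to look at.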

This archive was generated by hypermail 2.2.0 : Sat Aug 28 2010 - 12:00:02 MDT