Re: [squid-users] negative ACL

From: Eliezer Croitoru <>
Date: Fri, 20 Jul 2012 02:18:06 +0300

On 7/19/2012 10:47 PM, Rick Chisholm wrote:
> I have an NTLM auth proxy, but a number of apps do not seem to be smart
> enough to pass credentials and this generates numerous squid
> authentication pop-ups for users. I'm trying to eliminate this.
> I was thinking of creating a browser ACL with entries that will cover the
> browsers in use on the network and then try to use a NOT operator like
> http_access allow !known_browsers
> before the auth required setting.
> Thoughts?
This is a very, very bad exploit, so I wouldn't ever consider it.
It means that every user who changes the browser ID (Firefox ->
about:config -> change variable -> done)
can use your proxy.
If you do such a thing, at the very least use
http_access allow localnet !known_browsers

I would suggest analyzing these apps.
Most of the time they use specific domains that you can allow without
any NTLM auth.


Eliezer Croitoru
IT consulting for Nonprofit organizations
eliezer <at>
Received on Thu Jul 19 2012 - 23:18:14 MDT
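
One way to do the analysis suggested in the reply above, as an added example that is not part of the original message: scan Squid's native-format access.log for destination hosts that only ever receive 407 challenges and never a request carrying a username, then print candidate `dstdomain` ACL lines for review. The log lines are constructed, and the ACL name `noauth_apps` and the threshold are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format (not real traffic).
SAMPLE_LOG = """\
1342739880.101 2 192.168.1.20 TCP_DENIED/407 1830 GET http://updates.example-app.test/check.xml - NONE/- text/html
1342739885.300 1 192.168.1.20 TCP_DENIED/407 1830 GET http://updates.example-app.test/check.xml - NONE/- text/html
1342739890.412 1 192.168.1.21 TCP_DENIED/407 1795 GET http://www.example.org/ - NONE/- text/html
1342739890.620 84 192.168.1.21 TCP_MISS/200 5120 GET http://www.example.org/ alice DIRECT/203.0.113.10 text/html
1342739901.007 1 192.168.1.22 TCP_DENIED/407 1760 CONNECT telemetry.example-app.test:443 - NONE/- text/html
1342739906.015 1 192.168.1.22 TCP_DENIED/407 1760 CONNECT telemetry.example-app.test:443 - NONE/- text/html
1342739950.500 1 192.168.1.23 TCP_DENIED/407 1795 GET http://once.example.net/ - NONE/- text/html
"""

def host_of(method, url):
    """Destination host: CONNECT logs 'host:port', other methods a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def unauthenticated_only_hosts(log_text, min_denied=2):
    """Hosts challenged with 407 at least min_denied times and never
    reached by a request that carried a username."""
    denied = defaultdict(int)
    authed = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # not a native-format entry
        status, method, url, user = fields[3], fields[5], fields[6], fields[7]
        host = host_of(method, url)
        if not host:
            continue
        if user != "-":
            authed.add(host)  # some client completed auth for this host
        elif status.endswith("/407"):
            denied[host] += 1
    return sorted(h for h, n in denied.items() if n >= min_denied and h not in authed)

def squid_acl(hosts, name="noauth_apps"):
    """Candidate squid.conf lines; 'noauth_apps' is a hypothetical ACL name.
    The allow rule must sit before the auth-required http_access rule."""
    lines = [f"acl {name} dstdomain {h}" for h in hosts]
    lines.append(f"http_access allow localnet {name}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(squid_acl(unauthenticated_only_hosts(SAMPLE_LOG)))
```

Every host placed in the ACL becomes reachable without credentials from the whole of `localnet`, so treat the output as a list to review and keep it as narrow as the applications allow.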
