Re: [squid-users] Weird issue with Chrome

Hi Amos,

Sorry but I don't understand what you mean by "allow context". Could
you please explain it?
Don't worry about IDENT. We know what you are saying and we have our
own security method in order to let users modify IDENT response text.

Yes, we end the file with "http_access deny all".

Thanks,

Jaime.

>>> Amos Jeffries <squid3_at_treenet.co.nz> 20/09/2012 13:27 >>>
On 20/09/2012 10:50 p.m., Jaime Gomez wrote:
> Hi Amos,
> Thanks for your quick response. I try to answer all your questions:
> 1.- Yes, the Chrome requests show up in squid access.log
> 2.- The Required issue: you are right. It was my fault. I didn't
check
> the conf file properly.
> 3.- WebUsers group content: people that are not allowed to visit
> certain web pages. For instance: john.doe

"not" allowed? but you use it only in an "allow" context. If it matches

anything the user will be allowed unlimited access. Also note that
ident
is a user-supplied detail, meaning knowledgable users are free to set
their own IDENT reponse text.

> SocialNet: web pages like this: .facebook.com, .twitter.com and so
on.
> 4.- That is the end of the file. Am I missing something?

There is no "http_access deny all" to clarify that it is the end of the

config. Just checking that you did not have anything else to allow
stuff.

Amos

> Thanks in advance,
> Regards,
> Jaime.
>
> >>> El día 20/09/2012 a las 5:39, en el mensaje
> <505A8FED.8070309_at_treenet.co.nz>, Amos Jeffries
<squid3_at_treenet.co.nz>
> escribió:
> On 19/09/2012 9:18 p.m., Jaime Gomez wrote:
> > Hi Amos,
> >
> > You are right, I didn't explain myself properly. We use ident to
> identify our users. One user with IE or firefox wants to go to one
> Facebook. He receives a wonderful deny message saying that he is not

> allowed. Same user with Chrome does the same and he is able to access

> to Facebook. After doing some research I found out that this only
> happens if I use https.
>
> Are the Chrome requests showing up in squid access.log?
>
> > Here is the conf file. I've made a little modifications just to
show
> the important things:
> >
> > cache_effective_user proxy
> > cache_effective_group proxy
> > visible_hostname x.x.x.x
> > unique_hostname x.x.x.x
> > coredump_dir /data/squid
> >
> > http_port 3128
> > cache_access_log /data/squid/logs/access.log
> > cache_access_log /data/squid/logs/access.log
> > cache_store_log /data/squid/logs/store.log
> > cache_log /data/squid/logs/cache.log
> > pid_filename /data/squid/logs/squid.pid
> > logfile_rotate 2
> > via off
> > forwarded_for off
> >
> > dns_nameservers x.x.x.x
> > positive_dns_ttl 8 hours
> > negative_dns_ttl 30 seconds
> >
> > cache_replacement_policy heap LFUDA
> > cache_swap_low 90
> > cache_swap_high 95
> > maximum_object_size_in_memory 20 KB
> > cache_dir aufs /data/squid/cache 16000 16 256
> > cache_mem 16 MB
> > memory_pools off
> > maximum_object_size 64 MB
> > quick_abort_min 0 KB
> > quick_abort_max 0 KB
> > log_icp_queries off
> > client_db off
> > buffered_logs on
> > half_closed_clients off
> > negative_ttl 0 minutes
> >
> > external_acl_type myIdent children=15 %SRC %IDENT /usr/bin/perl
> /data/squid/scripts/myIdentUsers.pl
> > acl ident_auth external myIdent REQUIRED
>
> "REQUIRED" ? looks like you do not understand what is going on.
>
> 'REQUIRED' is a magic value for proxy_auth ACL type. It has nothing
to
> do with any others.
>
> When used on the external ACL, the helper will be passed the three
> strings: client IP address, client provided IDENT label, ... and
the
> textual word "REQUIRED".
>
>
> >
> > acl WebUsers ident "/data/squid/groups/WebUsers"
> >
> > acl Socialnet dstdomain "/data/squid/blacklists/socialnet/domains"
>
> and what is this files content?
>
> >
> > http_access deny Socialnet
> >
> > http_access allow WebUsers
>
>
> anything else afterwards?
>
>
> Amos
>
> >
> > Thanks for your help.
> >
> > Regards.
> >
> >>>> Amos Jeffries <squid3_at_treenet.co.nz> 19/09/2012 2:53 >>>
> > On 19/09/2012 1:45 a.m., Jaime Gomez wrote:
> >> Hi all,
> >>
> >> We have a very weird issue. I've been googling but couldn't find
> the answer. We have our Squid (Squid Cache: Version 3.1.18)
configured
> in order to do some content filter. For instance: some people can
> access Facebook and other social Webpages while others don't. The
> weird issue is that people with Chrome can skip this acl. With IE and

> Firefox it works. How is this possible?
> > It might be because you configured it to happen. Or that Chrome is
> > simply not using the proxy.
> >
> > Some information about what your configuration actually is would
help
> > (details please).
> >
> > Amos
> >
>
Received on Thu Sep 20 2012 - 11:43:23 MDT