Re: [squid-users] Question about "proxy_auth REQUIRED" and the case of flushing the authentication-cache

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 26 Feb 2013 16:30:14 +1300

On 26/02/2013 2:31 p.m., Amos Jeffries wrote:
> On 25/02/2013 8:27 p.m., Tom Tom wrote:
>> I've attached both cache-traces (squid 3.2.7).
>>
>> "without_407.txt" has the following configuration:
>> ...
>> ...
>> external_acl_type SQUID_KERB_LDAP ttl=7200 children-max=10
>> children-startup=1 children-idle=1 negative_ttl=7200 %LOGIN
>> /usr/local/squid/libexec/ext_kerberos_ldap_group_acl -g
>> "INTERNET_USERS"
>> acl INTERNET_ACCESS external SQUID_KERB_LDAP
>> acl AUTHENTICATED proxy_auth REQUIRED
>> http_access deny !INTERNET_ACCESS
>> http_access deny !AUTHENTICATED
>> http_access allow INTERNET_ACCESS AUTHENTICATED
>> http_access allow localhost
>> http_access deny all
>> ...
>> ...
>
> Note for anyone else reading this:
> The above was a copy-n-paste typo. The without-407 config has no
> AUTHENTICATED access control definition.
>
>> In this case, the access.log shows the following:
>> Mon Feb 25 08:14:23 2013 15 10.X.X.X TCP_REFRESH_UNMODIFIED/304
>> 283 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif
>> user_at_EXAMPLE.COM HIER_DIRECT/217.79.188.10 image/gif
>>
>>
>>
>> "with_407.txt" has the following configuration:
>> ...
>> ...
>> external_acl_type SQUID_KERB_LDAP ttl=7200 children-max=10
>> children-startup=1 children-idle=1 negative_ttl=7200 %LOGIN
>> /usr/local/squid/libexec/ext_kerberos_ldap_group_acl -g
>> "INTERNET_USERS"
>> acl INTERNET_ACCESS external SQUID_KERB_LDAP
>> acl AUTHENTICATED proxy_auth REQUIRED
>> http_access deny !INTERNET_ACCESS
>> http_access deny !AUTHENTICATED
>> http_access allow INTERNET_ACCESS
>> http_access allow localhost
>> http_access deny all
>> ...
>> ...
>>
>>
>> In this case, the access.log shows the following:
>> Mon Feb 25 08:14:22 2013 0 10.X.X.X TCP_DENIED/407 4136 GET
>> http://imagesrv.adition.com/banners/750/683036/dummy.gif - HIER_NONE/-
>> text/html
>> Mon Feb 25 08:14:22 2013 56 10.X.X.X TCP_REFRESH_UNMODIFIED/304
>> 354 GET http://imagesrv.adition.com/banners/750/683036/dummy.gif
>> user_at_EXAMPLE.COM HIER_DIRECT/217.79.188.10 image/gif
>>
>> The only difference between config1 and config2 is the
>> "AUTHENTICATED"-flag on the "http_access allow INTERNET_ACCESS" line.
>>
>> Many thanks.
>> Kind regards,
>> Tom
>
> Thank you. I have an explanation for you. But I'm not exactly happy
> with it how it is working in practice ...
>
>

Actually. Screw that, my eyes are not working right. It is not even getting
as far as the proxy_auth test in the with_407 trace. The credentials
retrieval is where it is triggering re-validate in the with-407. I'm
going to have to think about this for a few more hours.

Amos
Received on Tue Feb 26 2013 - 03:30:19 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 26 2013 - 12:00:04 MST
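The two traces differ in whether a TCP_DENIED/407 precedes each served request. As an added example (not code from the thread or from Squid), the following script parses access.log lines of the shape shown above and reports, per client, how many 407 challenges were immediately followed by an authenticated retry of the same URL, which is what the with_407 trace shows; the sample log, client addresses and URLs are constructed, and the 14-token field layout is an assumption matching the lines quoted in the thread.

```python
from collections import defaultdict

# Constructed sample (not from the thread) in the shape of its access.log lines:
# textual timestamp, duration, client, code/status, bytes, method, URL, user,
# hierarchy/peer, content type. 10.0.0.5 is re-challenged; 10.0.0.6 is not.
SAMPLE_LOG = """\
Mon Feb 25 08:14:22 2013 0 10.0.0.5 TCP_DENIED/407 4136 GET http://imagesrv.example.test/dummy.gif - HIER_NONE/- text/html
Mon Feb 25 08:14:22 2013 56 10.0.0.5 TCP_REFRESH_UNMODIFIED/304 354 GET http://imagesrv.example.test/dummy.gif user@EXAMPLE.COM HIER_DIRECT/192.0.2.10 image/gif
Mon Feb 25 08:14:23 2013 15 10.0.0.6 TCP_REFRESH_UNMODIFIED/304 283 GET http://imagesrv.example.test/dummy.gif user@EXAMPLE.COM HIER_DIRECT/192.0.2.10 image/gif
Mon Feb 25 08:14:24 2013 0 10.0.0.5 TCP_DENIED/407 4136 GET http://www.example.test/ - HIER_NONE/- text/html
Mon Feb 25 08:14:24 2013 40 10.0.0.5 TCP_MISS/200 1200 GET http://www.example.test/ user@EXAMPLE.COM HIER_DIRECT/192.0.2.11 text/html
"""

def parse_line(line):
    """Split one line into named fields; None if it does not have 14 tokens."""
    parts = line.split()
    if len(parts) != 14:
        return None
    code, _, status = parts[7].partition("/")
    return {
        "time": " ".join(parts[:5]),
        "client": parts[6],
        "code": code,
        "status": int(status),
        "url": parts[10],
        "user": None if parts[11] == "-" else parts[11],  # "-" = no credentials
    }

def per_client_challenge_stats(log_text):
    """Per client: requests, 407 challenges, and challenges immediately followed
    by an authenticated request for the same URL (the with_407 pattern)."""
    stats = defaultdict(lambda: {"requests": 0, "challenges": 0, "retry_pairs": 0})
    pending = set()  # (client, url) whose most recent entry was a 407
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        s = stats[e["client"]]
        s["requests"] += 1
        key = (e["client"], e["url"])
        if e["status"] == 407:
            s["challenges"] += 1
            pending.add(key)
        elif key in pending:
            pending.discard(key)
            if e["user"]:
                s["retry_pairs"] += 1
    return dict(stats)
```

A client whose retry_pairs count tracks its request count is being challenged on every request despite holding valid credentials, which is the symptom the with_407 configuration produces.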