[squid-users] oddity with squid 3.3.2 and https

From: Brett Lymn <brett.lymn_at_baesystems.com>
Date: Mon, 15 Apr 2013 16:52:10 +0930

I have just updated our proxies to squid 3.3.2 running on rhel 5.8,
mostly this went smoothly apart from some access to https. As a rule
our proxies authenticate users using kerberos but there are some "special"
sites that are allowed to be accessed without authentication. When accessing
an https site without authentication I see this in the cache.log:

2013/04/15 15:49:51 kid1| WARNING: never_direct resulted in AUTH_REQUIRED. Username ACLs are not reliable here.

This causes the never_direct to fail, but only for https; this in turn causes
cache parent selection to fail, which results in the https connection
failing. The never_direct that squid is complaining about is this:

never_direct allow user_rewrite

The ACL user_rewrite is this:

external_acl_type user_rewrite_type children-max=60 children-startup=20
ttl=900 %LOGIN /opt/local/squid/libexec/user_rewrite.pl
acl user_rewrite external user_rewrite_type

The user_rewrite.pl script just strips off the ntlm/kerberos bits in
front of the username so the upstream "security" device sees a username
it understands. I put the ACL on the never_direct because it is a
"slow" ACL evaluation and fires the rewrite in a, supposedly, harmless

Not sure why only https is affected, everything did work with squid

I can work around this by putting a bunch of never_direct deny
statements for all the ACLs that permit access without authentication,
but this is a bit tedious.

Brett Lymn
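An added illustration, not part of Brett's post and not his user_rewrite.pl: a Squid external ACL helper in Python that does the job he describes (strip the NTLM/Kerberos decoration from %LOGIN and hand the bare name back with user=), and that also handles the case his log line is about, a request that carries no login at all (Squid passes "-" for a token it has no value for). It assumes the decoration is either a DOMAIN\ prefix or an @REALM suffix and that values arrive URL-encoded.

```python
import re
import sys
from typing import Optional
from urllib.parse import unquote

# Squid substitutes "-" for a format token (here %LOGIN) that has no value,
# which is what an unauthenticated CONNECT through never_direct produces.
MISSING = "-"


def strip_auth_prefix(login: str) -> Optional[str]:
    """Reduce an NTLM (DOMAIN\\user) or Kerberos (user@REALM) login to the
    bare username. Returns None when no usable login is present."""
    if not login or login == MISSING:
        return None
    # NTLM style: DOMAIN\user (assumption: a forward slash is treated alike)
    name = re.split(r"[\\/]", login)[-1]
    # Kerberos style: user@REALM
    name = name.split("@", 1)[0]
    return name or None


def helper_reply(line: str) -> str:
    """Build the reply for one external_acl_type request line.
    Assumption: Squid sends the value URL-encoded, so decode it first."""
    login = unquote(line.strip())
    name = strip_auth_prefix(login)
    if name is None:
        # ERR rather than a bogus username, so a deny shows up in access.log
        return 'ERR message="no authenticated login available"'
    # user= overrides the username Squid uses for later ACLs and logging
    return f'OK user="{name}"'


def main() -> None:
    # Squid drives the helper over stdin/stdout, one request per line.
    for line in sys.stdin:
        sys.stdout.write(helper_reply(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it as the program in external_acl_type with %LOGIN, as in the post; constructed inputs such as "CORP\jdoe" and "jdoe@EXAMPLE.COM" both reply OK user="jdoe", while "-" replies ERR.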
Received on Mon Apr 15 2013 - 07:22:20 MDT
