Re: [squid-users] oddity with squid 3.3.2 and https

From: Brett Lymn <brett.lymn_at_baesystems.com>
Date: Tue, 16 Apr 2013 15:16:47 +0930

On Tue, Apr 16, 2013 at 04:16:49PM +1200, Amos Jeffries wrote:
> >
> >The user_rewrite.pl script just strips off the ntlm/kerberos bits in
> >front of the username so the upstream "security" device sees a username
> >it understands. I put the ACL on the never_direct because it is a
> >"slow" ACL evaluation and fires the rewrite in a, supposedly, harmless
> >manner.
>
> >Not sure why only https is affected, everything did work with squid
> >3.1.19.
>
> Probably not just HTTPS. The warning will occur on any request being
> passed to this ACL without authentication credentials.

Well, for some reason only peer selection for unauthenticated CONNECTs
fails. I am not sure why, I have no rules for cache peer access that
involve CONNECT.

> The result you are getting is telling you that the request is *not*
> authenticated which the config file is assuming.
>
> The %LOGIN format code requires authentication credentials in order to
> do the helper lookup. never_direct is not a suitable place to be
> performing auth challenge responses, so the warning is displayed instead
> of triggering the auth sequence.
>

Is this something new? I didn't see this in 3.1.19.

>
> >I can work around this by putting a bunch of never_direct deny
> >statements for all the acl's that permit access without authentication
> >but this is a bit tedious.
>
> If you auth-bypass any traffic in http_access you need to do it
> consistently in all the other places of your config you are relying on
> credentials. Like these never_direct rules.
>

I don't rely on authentication for never_direct - I don't need to do
that. All I need to do is have the external ACL evaluated so that the
username gets rewritten. I may have misinterpreted what you said but a
while back when you helped me with setting up the rewrite I thought you
said that never_direct was a safe place to put this. That must have
changed I guess.

> The best solution would probably be to place this ACL on the http_access
> line where you are accepting auth credentials.
>

You mean something like:

acl auth proxy_auth REQUIRED
http_access allow auth user_rewrite

-- 
Brett Lymn
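For readers following the thread, here is an added example (not the poster's user_rewrite.pl and not anything from the Squid project) of the helper shape being discussed: a Squid external ACL helper that strips the NTLM domain prefix (DOMAIN\user) or the Kerberos realm suffix (user@REALM) from the authenticated login and hands Squid the bare account name through the `user=` keyword. The squid.conf wiring in the comments extends the two lines quoted above with an `external_acl_type` line the thread never shows; the helper path and the `concurrency`/`ttl` values are placeholders. It also assumes Squid passes `-` for an empty `%LOGIN` and that the login token may arrive %-encoded, which is why it URL-decodes before splitting.

```python
# Added example: a minimal Squid external ACL helper that rewrites an
# authenticated login to a bare account name. Assumed squid.conf wiring
# (paths, concurrency and ttl are placeholders, not the poster's config):
#
#   external_acl_type user_rewrite concurrency=10 ttl=300 %LOGIN \
#       /usr/local/squid/libexec/user_rewrite.py
#   acl auth proxy_auth REQUIRED
#   acl user_rewrite external user_rewrite
#   http_access allow auth user_rewrite
#
# Placing the ACL after proxy_auth on the http_access line means %LOGIN is
# always populated when the helper is consulted, which is the point Amos
# makes about never_direct not being a place to trigger an auth challenge.
import sys
from urllib.parse import unquote


def rewrite_username(login):
    """Return the bare account name from an authenticated login.

    Handles the two shapes the Windows auth helpers typically produce:
      DOMAIN\\user   (NTLM style, domain in front of the name)
      user@REALM     (Kerberos style, realm after the name)
    Anything else is returned unchanged.
    """
    name = login
    if "\\" in name:
        # Keep only what follows the last backslash.
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        # Drop the realm suffix.
        name = name.split("@", 1)[0]
    return name


def handle_line(line):
    """Turn one request line from Squid into the helper's reply line.

    Input:  "[channel-id] <login>"  (channel id present when concurrency>0)
    Output: "[channel-id] OK user=<bare-name>" or "[channel-id] ERR"

    Squid substitutes "-" when %LOGIN has no value, i.e. the request was not
    authenticated (the situation the warning in the thread is about); there
    is nothing to rewrite, so the helper answers ERR.
    """
    tokens = line.strip().split()
    if not tokens:
        return "ERR"
    channel = ""
    if len(tokens) > 1 and tokens[0].isdigit():
        channel = tokens[0] + " "
        tokens = tokens[1:]
    # The login may be %-encoded depending on the helper protocol quoting
    # mode of the running Squid; unquote is a no-op for plain tokens.
    login = unquote(tokens[0])
    if login in ("", "-"):
        return channel + "ERR"
    return channel + "OK user=" + rewrite_username(login)


def main():
    # Squid talks to the helper over stdin/stdout, one request per line;
    # flush after every reply or Squid will sit waiting on a full buffer.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The design choice worth noting is the `ERR` path: an unauthenticated request never reaches the helper when the ACL sits behind `proxy_auth REQUIRED` on `http_access`, but a helper that is also referenced from `never_direct` can still see `-`, and answering `ERR` there keeps peer selection deterministic instead of forwarding an empty or literal `-` user name upstream. Check the `quote=` behaviour of the Squid version in use before relying on the decoding step.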
Received on Tue Apr 16 2013 - 05:46:57 MDT