Re: [squid-users] Problems with Custom Error Pages

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 01 Feb 2014 03:08:53 +1300

On 1/02/2014 1:52 a.m., Puschmann, Sven wrote:
> Hi there,
>
> I have a big problem: I'm configuring a Squid proxy for our company and want to show custom errors.
>
> The proxy uses Active Directory authentication with group-based policies.
>
> Now I want to show error pages in our corporate identity.
>
> Here's my config (I need to use <!Full all> in the http_access rule to prevent showing re-authentication windows):
> http_access allow prioritysites
>
> http_access deny !Safe_ports !ftp
> http_access deny CONNECT !SSL_ports !ftp
> http_access allow CONNECT SSL_ports ftp
>
> deny_info ERR_DENIED_AUTH !auth

First problem;
 the deny_info directive is just for linking an ACL to the response
content which should be displayed whenever that ACL is the reason for
the deny.

The correct way to write the above line is:
  deny_info ERR_DENIED_AUTH auth
...

> http_access deny !auth

... which will be sent to the clients for any authentication rejection
done by the login line above.

> http_access allow allowedsites
> deny_info ERR_DENIED_BLOCKED Blocked
> http_access deny Blocked

NP: since the thing you are going to do with "Full" is allow it. Why not
allow it up here before doing any of the below denies?

> deny_info ERR_DENIED_URLBS blockedsites !Full all

NP: hark back to the first problem. deny_info takes *one* ACL name for
the custom page to be linked to. Not a set of ACLs.

> http_access deny blockedsites !Full all

Second problem;
 "blockedsites" is not the last ACL on the line, so it is not the reason
for denial. It is just one of the steps to get to that reason. "all" is
the reason here.

NP: you can create dummy ACLs for linking to the deny_info like this:

  acl dummy_urlbs src all
  deny_info ERR_DENIED_URLBS dummy_urlbs
  http_access deny blockedsites !Full dummy_urlbs

> deny_info ERR_DENIED_BADKEY bad_keywords !Full all
> http_access deny bad_keywords !Full all
> deny_info ERR_DENIED_URLBL urlblacklist !Full all
> http_access deny !urlblacklist !Full all
> http_access allow Standard
> http_access allow Full
> deny_info ERR_DENIED_SONST all
> http_access deny all
>
>
> The problem is that my Squid always shows the Blocked Sites error page, even when the bad-keyword ACL acts.

Don't you mean it's always showing the ERR_DENIED_SONST page?
 That is because that page was linked to the "all" ACL, and the "all"
ACL is the last one on most of your deny lines.

Amos
Received on Fri Jan 31 2014 - 14:09:10 MST
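
The two rules from the reply above (deny_info links a page to one ACL name, and the page shown is the one linked to the last ACL on the http_access deny line), as an added Python check that is not part of the original message and is not Squid's own parser. The sample config is constructed from ACL names in the thread, and the function name `audit` is hypothetical.

```python
# Added example: models the rule described in the reply; not Squid's own parser.
# SAMPLE is a constructed squid.conf fragment that reuses ACL names from the thread.
SAMPLE = """\
deny_info ERR_DENIED_AUTH auth
http_access deny !auth
acl dummy_urlbs src all
deny_info ERR_DENIED_URLBS dummy_urlbs
http_access deny blockedsites !Full dummy_urlbs
deny_info ERR_DENIED_BADKEY bad_keywords !Full all
http_access deny bad_keywords !Full all
deny_info ERR_DENIED_URLBL urlblacklist
http_access deny !urlblacklist !Full all
deny_info ERR_DENIED_SONST all
http_access deny all
"""

def audit(conf):
    """Return (report, warnings) for the deny_info / http_access deny lines."""
    pages, denies, warnings = {}, [], []
    for num, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(tok) >= 3 and tok[0] == "deny_info":
            page, acls = tok[1], tok[2:]
            if len(acls) != 1 or acls[0].startswith("!"):
                warnings.append((num, f"{page}: link it to one plain ACL name"))
            else:
                # Assumption: if an ACL is linked twice, keep the first link.
                pages.setdefault(acls[0], page)
        elif len(tok) >= 3 and tok[:2] == ["http_access", "deny"]:
            denies.append((num, [a.lstrip("!") for a in tok[2:]]))
    report = []
    for num, acls in denies:
        reason = acls[-1]  # the last ACL on the line is the reason for the deny
        report.append((num, reason, pages.get(reason)))
        for name in acls[:-1]:
            if name in pages:
                warnings.append((num, f"{pages[name]}: '{name}' is not last, page not used"))
    return report, warnings

if __name__ == "__main__":
    report, warnings = audit(SAMPLE)
    for num, reason, page in report:
        print(f"line {num}: denied by '{reason}' -> {page or 'no custom page'}")
    for num, msg in sorted(warnings):
        print(f"line {num}: WARNING {msg}")
```
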
