[squid-users] RE: 2.4STABLE1 & authentication & FTP - BUG

From: Robert Collins <robert.collins@dont-contact.us>
Date: 13 Aug 2001 11:35:14 +1000

On 13 Aug 2001 11:30:17 +1000, Ken Thomson wrote:
> I just deleted all but 2 http_access allow lines.
>
> The only allow lines I have now are :
> http_access allow manager localhost
> http_access allow password
>
> The ACLs for these 2 are:
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl password proxy_auth REQUIRED
>
> The search exception lines I deleted only contained very specific words,
> which would be unlikely to occur in many FTP URLs (eg. acl noporn3 url_regex
> -i ethicsexam). Whereas it was allowing access to all FTP URLs which I
> tried (and I did pick ones which wouldn't have had the search exceptions).
>
> It is still rendering the FTP directories before asking for authentication
> even after the http_access allows have been deleted.
>
> Interesting.
>
> The only other possibility is we do patch our version of squid with
> SmartFilter from Secure Computing (v3 for squid 2.4s1). Maybe its patch is
> making the difference.

I'll cross-check this for you tonight (in about 6 hours). Sounds like
SmartFilter to me though. Shame it's not open source or we could offer
to fix it :].

Rob

> Regards,
> Ken.
>
> -----Original Message-----
> From: Robert Collins [mailto:robert.collins@itdomain.com.au]
> Sent: Monday, August 13, 2001 10:59
> To: Ken Thomson
> Cc: 'squid-users@squid-cache.org'
> Subject: RE: 2.4STABLE1 & authentication & FTP - BUG
>
>
> On 13 Aug 2001 10:33:15 +1000, Ken Thomson wrote:
> > Hi Robert,
> >
> > I have had a look at my ACLs and http_access sections in squid.conf . I
> > can't see how they could be causing this.
> >
> > There are no proto ACLs specified anywhere - so nothing specific to FTP. I
> > do not deny non-authenticated users, rather I only allow authenticated
> > users. Does this sound correct?
> >
> > The order of my http_access statements are:
> > allow manager localhost
> > deny manager elsewhere
> > allow URLPATH keyword search exceptions (many lines)
> > deny URLPATH keyword search (many lines)
> > deny specific filetypes / urls (many lines)
> > deny client source addresses (via a file)
> > deny specific users (via a file)
> > allow authenticated users
> > deny all
> >
> > As a note, when you cancel the authentication on rendered FTP directories
> > the 'anthony' icons are not displayed, but the filenames and subdirs are.
>
> This fits my expectation - the url for the icons is different from the
> url for the ftp listing.
> If I was a gambler I would bet large sums of $$$ that your
> allow URLPATH keyword search exceptions (many lines)
> lines have something that matches ftp urls. As you know squid stops as
> soon as an allow statement is met, meaning that the user checking code
> will not be invoked for urls that match those "allow URLPATH ...
> lines".
>
> Rob
>
> > I don't have a spare machine at the moment to test 2.5 - but will see what I
> > can do.
> >
> > Regards,
> > Ken.
> >
> > -----Original Message-----
> > From: Robert Collins [mailto:robert.collins@itdomain.com.au]
> > Sent: Friday, August 10, 2001 15:45
> > To: Ken Thomson
> > Cc: 'squid-users@squid-cache.org'
> > Subject: Re: [squid-users] 2.4STABLE1 & authentication & FTP - BUG
> >
> >
> > On 10 Aug 2001 15:06:34 +1000, Ken Thomson wrote:
> > > I have noticed what appears to be a bug in Squid 2.4STABLE1.
> > >
> > > If you have user authentication (ie. an acl with proxy_auth REQUIRED set on)
> > > and try to access a FTP site via squid and cancel the authentication request
> > > windows, you can still get at any directory/file and start a file download.
> > > You do not need to be authenticated!
> > >
> > > The reason for this is that Squid renders the FTP directory in the browser
> > > prior to prompting for authentication. So you can cancel the authentication
> > > and proceed as normal by clicking links and continually cancelling the
> > > authentication requests.
> >
> > That's very strange... the authentication test should be done before any
> > communication to the FTP server. I'd guess that what you have happening
> > is something like
> > http_access allow ftp
> > http_access deny notauthed
> >
> > so that squid is actually asking you to authenticate for the graphics on
> > the ftp directory list, not the ftp listing itself.
> >
> > > Anyone else experience this?
> >
> > Nope. If you can confirm that it's not an acl issue, please try with the
> > current 2.5 devel version and see if it's any different.
> >
> > Rob
> >
> > > Regards,
> > > Ken.
> >
> --
> _____________________________
> Robert Collins
> CEO
> IT Domain Pty Limited
> Your Application Solution Partner
> 02 9476 4223 Mobile: 0414 693 367
> www.itdomain.com.au
> _____________________________
>

-- 
_____________________________
Robert Collins
CEO
IT Domain Pty Limited
Your Application Solution Partner
02 9476 4223   Mobile: 0414 693 367
www.itdomain.com.au
_____________________________
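The ordering problem Rob describes (an early `http_access allow` line matching FTP URLs, so the `proxy_auth` check is never reached) can be reproduced with a small model of Squid's first-match evaluation. The following is an added example, not code from the thread or from Squid itself: it models only the ACL types that appear above (`proto`, `src`, `url_regex`, `proxy_auth`), treats any `proxy_auth` evaluation without credentials as a 407 challenge (a simplification of Squid's real behaviour), and uses constructed ACL names, rule orderings and URLs. The hardened ordering, which inserts a `deny !password` line before any URL-based allow, is an assumption about how one would fix Ken's configuration, not something the thread states.

```python
"""Simplified model of Squid http_access first-match evaluation (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    url: str
    proto: str                    # e.g. "ftp", "http", "cache_object"
    src: str                      # client address, kept as a plain string here
    authenticated: bool = False   # constructed flag: valid proxy credentials present?


# An ACL is its Squid type plus a predicate over the request.
ACL = Tuple[str, Callable[[Request], bool]]


def url_regex(*patterns: str) -> ACL:
    # Mirrors "acl ... url_regex -i ..." from the thread: case-insensitive search.
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return ("url_regex", lambda r: any(c.search(r.url) for c in compiled))


# Constructed ACL table; names follow the thread's squid.conf excerpts.
ACLS: Dict[str, ACL] = {
    "manager":   ("proto",      lambda r: r.proto == "cache_object"),
    "localhost": ("src",        lambda r: r.src == "127.0.0.1"),
    "noporn3":   url_regex("ethicsexam"),      # one of Ken's search-exception ACLs
    "password":  ("proxy_auth", lambda r: r.authenticated),
    "all":       ("src",        lambda r: True),
}

Rule = Tuple[str, List[str]]   # ("allow" | "deny", [acl names; a "!" prefix negates])


def evaluate(rules: List[Rule], req: Request, acls: Dict[str, ACL] = ACLS) -> str:
    """Return 'allow', 'deny' or 'auth-required' for req; the first matching line wins."""
    for action, names in rules:
        line_matches = True
        for name in names:
            negated = name.startswith("!")
            kind, pred = acls[name.lstrip("!")]
            if kind == "proxy_auth" and not req.authenticated:
                # Squid cannot decide a proxy_auth ACL without credentials and
                # answers 407 Proxy Authentication Required (simplified here).
                return "auth-required"
            if pred(req) == negated:      # ACL did not match (after negation)
                line_matches = False
                break
        if line_matches:
            return action
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# Ken's ordering as described in the thread: URL-based allows precede the auth check.
ORIGINAL_ORDER: List[Rule] = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("allow", ["noporn3"]),       # "allow URLPATH keyword search exceptions"
    ("allow", ["password"]),      # "allow authenticated users"
    ("deny",  ["all"]),
]

# Assumed hardened ordering: demand credentials before any URL-based allow line.
FIXED_ORDER: List[Rule] = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!password"]),     # unauthenticated clients are challenged here
    ("allow", ["noporn3"]),
    ("allow", ["password"]),
    ("deny",  ["all"]),
]


def outcome(rules: List[Rule], url: str, proto: str,
            authenticated: bool, src: str = "10.0.0.5") -> str:
    return evaluate(rules, Request(url=url, proto=proto, src=src,
                                   authenticated=authenticated))


if __name__ == "__main__":
    ftp = "ftp://ftp.example.test/pub/ethicsexam/"   # constructed URL matching noporn3
    print("original, unauthenticated FTP:", outcome(ORIGINAL_ORDER, ftp, "ftp", False))
    print("fixed,    unauthenticated FTP:", outcome(FIXED_ORDER, ftp, "ftp", False))
    print("fixed,    authenticated FTP:  ", outcome(FIXED_ORDER, ftp, "ftp", True))
```

Under `ORIGINAL_ORDER` an unauthenticated FTP request whose URL matches the exception regex is allowed outright, because `allow noporn3` is reached before any `proxy_auth` ACL is evaluated; under `FIXED_ORDER` the same request is challenged first, and only an authenticated client reaches the exception line. The same check applied to a URL that matches none of the exception regexes is challenged in both orderings, which is why the problem only shows up on some sites.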
 
Received on Sun Aug 12 2001 - 19:48:22 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:35 MST