Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 28 Aug 2010 16:17:49 +1200

Tom Tux wrote:
> Hi Amos
>
> Thanks a lot for this information.
>
> Is it usual/normal, that all https-requests have this error?

100% depends on your configuration file.

> 1282899033.246 0 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
> mail.google.com:443 - NONE/- text/html
>
> As I already mentioned: The sites which are denied in the access.log
> are normally accessible and appear correctly (this is what I don't
> understand....mmmh....).
> I think that I don't have rules which explicitly require another
> authentication instead of Kerberos. Here is an extract of my

407 does not mean try "other" authentication.

It means "send me your login or go away".

The browser is failing to send Kerberos login details, so it gets sent a
407. It reacts by:
    (a) sending the credentials and being allowed,
or (b) doing a popup for the user,
or (c) showing the user an error page.

> squid.conf:
>
> The ACL "INTERNET_ACCESS" is an external_acl with squid_kerb_ldap:
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> # Block invalid Users
> http_access deny !INTERNET_ACCESS

  * requires login details to be supplied before it can be tested.

If login is not already provided, Squid sends 407.

> http_access allow INTERNET_ACCESS

  * requires login details to be supplied before it can be tested.

> http_access deny all
>
> When I trace the http/https traffic with httpfox (Firefox add-on), then
> I also get no errors or denials back.
>
> Thanks a lot for all the help.
> Tom
>

The configuration you have displayed requires login details to be
supplied before *ANY* web request is permitted.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.7
   Beta testers wanted for 3.2.0.1
Received on Sat Aug 28 2010 - 04:17:58 MDT
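
Added example, not part of the original thread or of Squid itself: a small Python check that pairs each TCP_DENIED/407 line in a native-format access.log with an authenticated retry of the same request, which is outcome (a) in the reply above. The log lines, addresses, user name and the 5-second window are constructed for illustration.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "start client result status method url user")

# Constructed sample lines in Squid's native access.log layout (not from the thread).
SAMPLE_LOG = """\
1282899033.246      0 192.0.2.10 TCP_DENIED/407 3720 CONNECT mail.google.com:443 - NONE/- text/html
1282899048.535  15234 192.0.2.10 TCP_MISS/200 48211 CONNECT mail.google.com:443 tom@EXAMPLE.COM DIRECT/203.0.113.5 -
1282899040.100      0 192.0.2.22 TCP_DENIED/407 3720 CONNECT www.example.org:443 - NONE/- text/html
1282899041.900      1 192.0.2.22 TCP_DENIED/407 3720 CONNECT www.example.org:443 - NONE/- text/html
"""

def parse(line):
    """Split one native-format line; return None for anything too short."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    # Assumption: field 1 is the time the entry was logged (request completion)
    # and field 2 is elapsed milliseconds, so a long CONNECT tunnel is logged
    # well after it began. Estimate the start time to line it up with the 407.
    start = float(f[0]) - int(f[1]) / 1000.0
    return Entry(start, f[2], result, status, f[5], f[6], f[7])

def classify_407(log_text, window=5.0):
    """Label each 407 by whether the same client retried with credentials."""
    entries = sorted(filter(None, map(parse, log_text.splitlines())),
                     key=lambda e: e.start)
    report = []
    for i, e in enumerate(entries):
        if e.status != "407":
            continue
        answered = any(
            n.client == e.client and n.method == e.method and n.url == e.url
            and n.status != "407" and n.user != "-"
            and 0 <= n.start - e.start <= window
            for n in entries[i + 1:]
        )
        label = "challenge answered" if answered else "no authenticated retry"
        report.append((e.client, e.url, label))
    return report

if __name__ == "__main__":
    for client, url, label in classify_407(SAMPLE_LOG):
        print(client, url, label)
```

A 407 labelled "challenge answered" is the ordinary first leg of proxy authentication; repeated 407s with no authenticated retry point at a client that never supplies credentials.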
