[squid-users] Strange problem with ACL and CONNECT method

From: Dmitrijs Demidovs <dmitrijs.demidovs_at_datakom.lv>
Date: Tue, 31 Aug 2010 15:52:09 +0300

Hi list.

I have a strange problem with ACLs and http_access rules.
Our Squid is using winbind for NTLM auth. We need to achieve user auth for HTTPS.

Here is an example that makes problems for us:
=============
1) http_access allow CONNECT HTTPS_DOMAINS_BLACKLIST WebVIP
2) http_access allow CONNECT Webusers_whitelist_domains Webusers

3) http_access allow localnetwork CONNECT SSL_ports

4) http_access allow CONNECT WebVIP
5) http_access allow CONNECT Webusers
=============

- WebVIP - users group from AD
- Webusers - users group from AD
- HTTPS_DOMAINS_BLACKLIST - black list for bad addresses
- Webusers_whitelist_domains - white list for Webusers

The first two lines work as expected - only users from WebVIP and Webusers can access
HTTPS sites from the black/white lists. We can see their user IDs in Squid's access.log.

If I put the last lines (4-5) before 3, then I get 407 errors in access.log,
and no one is able to use HTTPS anymore. So there is a problem! That is why we
need to use line Nr 3 - it just allows all CONNECT from our IP subnet without auth.

I'm completely lost and frustrated. Why do the first two lines work and the last two do not?
Is there any hint?

And maybe someone knows - are there any third-party tools for analyzing squid.conf
for logical errors? The more I use Squid, the more I want to find some tool that
will be able to catch logical errors according to Squid's design.
Any hint please?

Thanks in advance.
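As an added illustration (not code from the post or from the Squid project), here is a small Python model of first-match http_access evaluation over the five lines quoted above. It assumes that ACLs on a line are ANDed, that the first fully matching line decides, that WebVIP and Webusers are auth-backed ACLs, and that an auth-backed ACL reached by a request carrying no credentials produces a 407 challenge; reorder() lets you see which line a credential-less CONNECT from the local network hits first under either arrangement.

```python
# Added illustration, not Squid's own code: a simplified http_access model.
# Assumed semantics: lines are checked top-down, ACLs on a line are ANDed,
# the first fully matching line decides, an auth-backed ACL reached without
# credentials ends in a 407 challenge, and with no match the default is the
# opposite of the last line's action. ACL negation ("!acl") is not modelled.
RULES = """
http_access allow CONNECT HTTPS_DOMAINS_BLACKLIST WebVIP
http_access allow CONNECT Webusers_whitelist_domains Webusers
http_access allow localnetwork CONNECT SSL_ports
http_access allow CONNECT WebVIP
http_access allow CONNECT Webusers
"""
AUTH_ACLS = {"WebVIP", "Webusers"}  # assumed proxy_auth / AD group ACLs

def parse_rules(text):
    # -> [(action, [acl, ...]), ...], one entry per http_access line
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def reorder(rules, order):
    # rebuild the list from 1-based line numbers, e.g. [1, 2, 4, 5, 3]
    return [rules[i - 1] for i in order]

def acl_matches(acl, req):
    # True/False on match; None when credentials are needed but absent
    if acl in AUTH_ACLS:
        if req["user"] is None:
            return None
        return acl in req["groups"]
    return acl in req["facts"]

def evaluate(rules, req):
    # -> (outcome, line_number) for the first line that decides
    for idx, (action, acls) in enumerate(rules, 1):
        for acl in acls:
            res = acl_matches(acl, req)
            if res is None:
                return ("407 challenge", idx)
            if not res:
                break  # this line does not match; try the next one
        else:
            return (action, idx)
    return ("deny" if not rules or rules[-1][0] == "allow" else "allow", None)

# Constructed sample: CONNECT to 443 from the LAN, no credentials; facts = non-auth ACLs it matches
LAN_CONNECT = {"facts": {"CONNECT", "localnetwork", "SSL_ports"}, "user": None, "groups": set()}
```

With the original order the sample request is allowed by line 3 without ever touching an auth ACL; with lines 4-5 moved ahead of 3 it reaches WebVIP on what is now the third line and gets the challenge instead.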
Received on Tue Aug 31 2010 - 12:52:13 MDT

This archive was generated by hypermail 2.2.0 : Tue Aug 31 2010 - 12:00:03 MDT