RE: [squid-users] RDP, Certificates and Squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 24 Feb 2011 11:07:10 +1300

 On Wed, 23 Feb 2011 13:55:54 -0500, Chad Naugle wrote:
> I am not certain with my response, but I have some ideas.
>
> - Your ACL ordering, that is often the case, is most likely to blame.
> Squid applies ACL's in order, top-down, and checks each ACL in their
> order when "http_access" is being applied.
> - I believe the ACL blocking access may be the 'PURGE' ACL, since the
> server could be sending them "no-cache" headers. -- I may need
> clarification on this behavior from another person, but you can attempt
> to comment it out to see if this is true, or add something such as
> "http_access allow PURGE GoDaddy".

 Not PURGE, that is just a method type ACL. Albeit a performance sapping
 one.

> - Any of your explicit "src / dstdomain" allows will not log usernames
> returned by the "InternetUsers" ACL.
> - Does the "Internet_Denied" and/or "FacebookUsers" nt_groups involve a
> login prompt, or blind authentication?
> - All Explicit allows / deny's should be placed _before_ authentication
> routines.

 :) it's pretty much always ordering.

 In this case the block is 407, so look for things which require
 authentication to be tested.

 ...
>
>>>> Damian Teasdale 2/23/2011 1:27 PM >>>
> This is the whole list from what I can tell.
>
 <snip>

> acl InternetDenied external nt_group Internet_Denied
> acl FacebookUsers external nt_group FacebookUsers

 These are missing their external_acl_type definition, but something
 called "nt_group" is a safe bet that it's doing a login.

 <snip>
> acl InternetUsers proxy_auth REQUIRED

 And this glaring auth ACL.

 <snip>
>
> http_access deny InternetDenied

 ... AND the first thing Squid does is check one of those nt_group ACLs.

  ** This is very, very likely the problem.

> no_cache deny Itrade

 NP: time to remove the "no_" bit off the front of that directive.

> http_access allow PURGE localhost
> http_access deny PURGE
> http_access allow GC
> http_access allow Facebook FacebookUsers

 ... somewhat later facebook users are checked, but only if they are
 visiting facebook.
 This auth ACL will not be the problem.

> http_access deny Facebook
> http_access allow Blackberry
> http_access allow Citrix
> http_access allow WindowsUpdate
> http_access allow BusinessObjects
> http_access allow MapInfo
> http_access allow MindLeaders
> http_access allow DiscoverLink
> http_access allow Knotia
> http_access allow Chep
> http_access allow Auditors
> http_access allow pdr
> http_access allow GoDaddy
> http_access allow InternetUsers

 ... then finally anyone who can login is permitted.

>
> # And finally deny all other access to this proxy
> http_access deny all
>
> Thanks
>
> Damian Teasdale
>

 <snip>
>
> The Oppenheimer Group ---- CONFIDENTIAL

 NP: Posted to a public mailing list archived in perpetuity.

 Amos
Received on Wed Feb 23 2011 - 22:07:14 MST
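
The ordering problem identified in the reply above, as a simplified Python model added here for illustration (it is not part of the original thread and is not Squid code). It assumes the nt_group ACLs need a login and that GoDaddy is a destination ACL needing no credentials; only the http_access lines discussed are kept, and the sample request is constructed.

```python
# Simplified model of top-down http_access evaluation (added example, not Squid code).
# Assumptions: the nt_group ACLs need a login (the reply's "safe bet"); GoDaddy and
# Facebook are destination ACLs that can be tested without credentials.
AUTH_ACLS = {"InternetDenied", "FacebookUsers", "InternetUsers"}

# http_access lines in the order quoted in the thread (other allows omitted).
ORIGINAL = [
    ("deny", ["InternetDenied"]),
    ("allow", ["Facebook", "FacebookUsers"]),
    ("deny", ["Facebook"]),
    ("allow", ["GoDaddy"]),
    ("allow", ["InternetUsers"]),
    ("deny", ["all"]),
]

# Same rules with the credential-free destination allow moved ahead of the auth checks.
REORDERED = [ORIGINAL[3]] + ORIGINAL[:3] + ORIGINAL[4:]


def evaluate(rules, matched, user_groups=None):
    """Return (verdict, line_index) for one request.

    matched: non-auth ACL names the request matches (e.g. its destination).
    user_groups: None if the client sent no proxy credentials, otherwise the
    set of auth ACLs the logged-in user satisfies.
    """
    for index, (action, acls) in enumerate(rules):
        line_matches = True
        for acl in acls:  # ACLs on one line are ANDed, left to right
            if acl in AUTH_ACLS:
                if user_groups is None:
                    return ("407", index)  # credentials are needed to test this ACL
                ok = acl in user_groups
            else:
                ok = acl == "all" or acl in matched
            if not ok:
                line_matches = False
                break  # short-circuit: later ACLs on this line are not tested
        if line_matches:
            return (action, index)  # first matching line decides
    return ("deny", len(rules))  # not reached while the list ends in "deny all"


if __name__ == "__main__":
    # Constructed request: no proxy credentials, destination matches GoDaddy.
    print("original :", evaluate(ORIGINAL, {"GoDaddy"}))
    print("reordered:", evaluate(REORDERED, {"GoDaddy"}))
```

In the reordered list an unauthenticated request to any other destination is still challenged at the InternetDenied line, so only the listed destination bypasses the login.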
