Re: [squid-users] Weird issue with Chrome

From: Jaime Gomez <Jaime.Gomez_at_cmcapitalmarkets.es>
Date: Thu, 20 Sep 2012 12:52:42 +0200

Hi Amos,
 
Thanks for your quick response. I try to answer all your questions:
 
1.- Yes, the Chrome requests show up in squid access.log
2.- The Required issue: you are right. It was my fault. I didn't check the conf file properly.
3.- WebUsers group content: people that are not allowed to visit certain web pages. For instance: john.doe
SocialNet: web pages like this: .facebook.com, .twitter.com and so on.
4.- That is the end of the file. Am I missing something?
 
Thanks in advance,
 
Regards,
 
Jaime.

>>> Amos Jeffries <squid3_at_treenet.co.nz> 20/09/2012 5:39 >>>
On 19/09/2012 9:18 p.m., Jaime Gomez wrote:
> Hi Amos,
>
> You are right, I didn't explain myself properly. We use ident to identify our users. One user with IE or firefox wants to go to one Facebook. He receives a wonderful deny message saying that he is not allowed. Same user with Chrome does the same and he is able to access to Facebook. After doing some research I found out that this only happens if I use https.

Are the Chrome requests showing up in squid access.log?

> Here is the conf file. I've made a little modifications just to show the important things:
>
> cache_effective_user proxy
> cache_effective_group proxy
> visible_hostname x.x.x.x
> unique_hostname x.x.x.x
> coredump_dir /data/squid
>
> http_port 3128
> cache_access_log /data/squid/logs/access.log
> cache_access_log /data/squid/logs/access.log
> cache_store_log /data/squid/logs/store.log
> cache_log /data/squid/logs/cache.log
> pid_filename /data/squid/logs/squid.pid
> logfile_rotate 2
> via off
> forwarded_for off
>
> dns_nameservers x.x.x.x
> positive_dns_ttl 8 hours
> negative_dns_ttl 30 seconds
>
> cache_replacement_policy heap LFUDA
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size_in_memory 20 KB
> cache_dir aufs /data/squid/cache 16000 16 256
> cache_mem 16 MB
> memory_pools off
> maximum_object_size 64 MB
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> log_icp_queries off
> client_db off
> buffered_logs on
> half_closed_clients off
> negative_ttl 0 minutes
>
> external_acl_type myIdent children=15 %SRC %IDENT /usr/bin/perl /data/squid/scripts/myIdentUsers.pl
> acl ident_auth external myIdent REQUIRED

"REQUIRED" ? looks like you do not understand what is going on.

'REQUIRED' is a magic value for proxy_auth ACL type. It has nothing to
do with any others.

When used on the external ACL, the helper will be passed the three
strings: client IP address, client provided IDENT label, ... and the
textual word "REQUIRED".

>
> acl WebUsers ident "/data/squid/groups/WebUsers"
>
> acl Socialnet dstdomain "/data/squid/blacklists/socialnet/domains"

and what is this files content?

>
> http_access deny Socialnet
>
> http_access allow WebUsers

anything else afterwards?

Amos

>
> Thanks for your help.
>
> Regards.
>
>>>> Amos Jeffries <squid3_at_treenet.co.nz> 19/09/2012 2:53 >>>
> On 19/09/2012 1:45 a.m., Jaime Gomez wrote:
>> Hi all,
>>
>> We have a very weird issue. I've been googling but couldn't find the answer. We have our Squid (Squid Cache: Version 3.1.18) configured in order to do some content filter. For instance: some people can access Facebook and other social Webpages while others don't. The weird issue is that people with Chrome can skip this acl. With IE and Firefox it works. How is this possible?
> It might be because you configured it to happen. Or that Chrome is
> simply not using the proxy.
>
> Some information about what your configuration actually is would help
> (details please).
>
> Amos
>
Received on Thu Sep 20 2012 - 10:52:49 MDT

This archive was generated by hypermail 2.2.0 : Thu Sep 20 2012 - 12:00:04 MDT