Re: [squid-users] TCP_DENIED/407 with SSL-Sites, but the site is accessible...

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 27 Aug 2010 20:25:07 +1200

Tom Tux wrote:
> Hi
>
> For every HTTPS-Site I have the following tcp_denied/407-entry in the
> access.log:
> 282895826.492 1 xx.xx.xx.xx TCP_DENIED/407 3720 CONNECT
> mail.google.com:443 - NONE/- text/html
> 1282896033.320 1 xx.xx.xx.xx TCP_DENIED/407 3744 CONNECT
> secure-www.novell.com:443 - NONE/- text/html
>
> The sites which are denied in the access.log are accessible though,
> but I have these errors. To me it seems that squid needs a user
> authentication. But this should be given with kerberos-authentication,
> which works fine.
>
> I have the following directives configured (as default):
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> http_access deny CONNECT !SSL_ports
>
>
> Can someone explain this behaviour to me?

CONNECT requests to SSL ports (aka HTTPS) will get past that security
barrier and move on to checking your other rules. One of those other
rules involves proxy authentication.

All requests which require authentication but do not provide it get a
407 or 401 response challenging the browser to provide some
credentials. This is true for all authentication types.

Working browsers with access to the required credentials will send them
on a followup request and get past that challenge.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.7
   Beta testers wanted for 3.2.0.1
Received on Fri Aug 27 2010 - 08:25:14 MDT
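
Added example, not part of the original message or of Squid itself: a small access.log check that separates the routine 407 challenge described above (followed by an authenticated retry from the same client to the same target) from 407s that no authenticated request ever answers. The sample log lines, addresses and user name are constructed, and the 5-second matching window and the function names are assumptions.

```python
import re
from collections import defaultdict

# Squid native access.log fields used here:
# time elapsed_ms client action/status bytes method URL user hierarchy/peer type
LINE = re.compile(
    r"^(\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\w+)/(\d{3})\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s")

# Constructed sample lines (documentation addresses, made-up user), not from the thread.
SAMPLE_LOG = """\
1282896033.320      1 192.0.2.10 TCP_DENIED/407 3744 CONNECT secure-www.novell.com:443 - NONE/- text/html
1282896041.870   8512 192.0.2.10 TCP_MISS/200 15320 CONNECT secure-www.novell.com:443 tom@EXAMPLE.COM DIRECT/198.51.100.7 -
1282896050.100      1 192.0.2.55 TCP_DENIED/407 3720 CONNECT mail.google.com:443 - NONE/- text/html
1282896051.100      1 192.0.2.55 TCP_DENIED/407 3720 CONNECT mail.google.com:443 - NONE/- text/html
"""

def parse(log_text):
    """Yield one dict per well-formed access.log line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, ms, client, _action, status, method, url, user = m.groups()
        # Assumption: the timestamp marks the end of the transaction, so a
        # CONNECT tunnel's start is the timestamp minus its elapsed time.
        yield {"end": float(ts), "start": float(ts) - int(ms) / 1000.0,
               "status": int(status), "user": user,
               "key": (client, method, url)}

def classify_407(log_text, window=5.0):
    """Return (answered, unanswered) lists of (client, method, url) for each 407."""
    entries = list(parse(log_text))
    authed = defaultdict(list)  # key -> start times of authenticated requests
    for e in entries:
        if e["user"] != "-" and e["status"] != 407:
            authed[e["key"]].append(e["start"])
    answered, unanswered = [], []
    for e in entries:
        if e["status"] != 407:
            continue
        # A retry counts if it started close to when the challenge was sent.
        ok = any(abs(start - e["end"]) <= window for start in authed[e["key"]])
        (answered if ok else unanswered).append(e["key"])
    return answered, unanswered

if __name__ == "__main__":
    print(classify_407(SAMPLE_LOG))
```
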
