Re: [squid-users] is this an acl bug ?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 24 Mar 2003 09:13:00 +0100

There seems to be a small bug, but it is also a usage question:

> 2003/03/21 15:29:20| authenticateBasicDecodeAuth: cleartext = 'hhhh:'
> 2003/03/21 15:29:20| authenticateBasicDecodeAuth: Disallowing empty
> password,user is 'hhhh'

What looks like it could be a bug is this:

> 2003/03/21 15:29:20| aclMatchAcl: returning 0 sending authentication
> challenge.
> 2003/03/21 15:29:20| aclMatchAclList: checking no_streaming

The check should not have continued into no_streaming if the first acl
failed.

However, at the end it recovers and requests the user to provide valid
credentials:

> 2003/03/21 15:29:20| aclCheck: requiring Proxy Auth header.
> 2003/03/21 15:29:20| aclCheck: match found, returning 2
> 2003/03/21 15:29:20| aclCheckCallback: answer=2
> 2003/03/21 15:29:20| The request GET http://www.google.com./ is DENIED,
> because it matched 'no_streaming'

Regards
Henrik

Chris Brain wrote:
>
> Hi all,
> I am running 2.5 Stable 1 and having a problem with the debug_info
> attached to an acl.
> What is happening is that if a user fails the proxy_auth (we are using ncsa
> but it happens with other auth schemes as well)
> the deny_info that is displayed is wrong. (But the acl actions work
> correctly).
> I am not seeing this with my 2.6 stable 6 units.
>
> These are the ACLs and access rules:
>
> acl no_download urlpath_regex -i \.exe$ \.zip$ \.scr$ \.pif$ \.bat$ \.hqz$
> \.bin$ \.sit$ \.dmg$ \.hqx$ \.gz$
> deny_info ERR_NO_DOWNLOAD no_download
> acl streaming_users proxy_auth bill
> acl no_bigbrother url_regex -i http://www.bigbrother.iprimus.com.au
> deny_info ERR_STREAMING_MEDIA no_bigbrother
> acl download_bypass url_regex -i \reuters
> deny_info ERR_NO_DOWNLOAD download_bypass
> acl no_streaming urlpath_regex -i \.asf$ \.ram$ \.asx$ \.mov$ \.avi$ \.mpg$
> \.mpeg$ \.wmf$ \.qt$ \.mp3$ \.wmv$ \.rm$
> deny_info ERR_STREAMING_MEDIA no_streaming
> acl trusted_users proxy_auth bill
> acl password proxy_auth REQUIRED
> deny_info ERR_CACHE_ACCESS_DENIED password
>
> never_direct allow all
>
> http_access deny !streaming_users no_streaming
> http_access deny no_download !trusted_users !download_bypass
> http_access deny !big_brother_hosts no_bigbrother
> http_access allow password
> http_access deny all
>
> Looking at the debug I do not see why it is matching but it does say that it
> is. I had
>
> 2003/03/21 15:29:20| aclCheck: checking 'http_access deny !streaming_users
> no_streaming'
> 2003/03/21 15:29:20| aclMatchAclList: checking !streaming_users
> 2003/03/21 15:29:20| aclMatchAcl: checking 'acl streaming_users proxy_auth
> bill'
> 2003/03/21 15:29:20| authenticateAuthenticate: header Basic aGhoaDo=.
> 2003/03/21 15:29:20| authenticateAuthenticate: This is a new checklist test
> on FD:54
> 2003/03/21 15:29:20| authenticateAuthenticate: no connection authentication
> type
> 2003/03/21 15:29:20| authenticateAuthUserRequestLock auth_user request
> '0x84aa028'.
> 2003/03/21 15:29:20| authenticateAuthUserRequestLock auth_user request
> '0x84aa028' now at '1'.
> 2003/03/21 15:29:20| authenticateDecodeAuth: header = 'Basic aGhoaDo='
> 2003/03/21 15:29:20| authenticateBasicDecodeAuth: cleartext = 'hhhh:'
> 2003/03/21 15:29:20| authenticateBasicDecodeAuth: Disallowing empty
> password,user is 'hhhh'
> 2003/03/21 15:29:20| authBasicDecodeAuth: Creating new user for logging
> 'hhhh'
> 2003/03/21 15:29:20| authenticateAuthUserLock auth_user '0x841bbb0'.
> 2003/03/21 15:29:20| authenticateAuthUserLock auth_user '0x841bbb0' now at
> '1'.
> 2003/03/21 15:29:20| authenticateValidateUser: Validating Auth_user request
> '0x84aa028'.
> 2003/03/21 15:29:20| authenticateValidateUser: Auth_user '0x841bbb0' is
> broken for it's scheme.
> 2003/03/21 15:29:20| authenticateAuthUserRequestLock auth_user request
> '0x84aa028'.
> 2003/03/21 15:29:20| authenticateAuthUserRequestLock auth_user request
> '0x84aa028' now at '2'.
> 2003/03/21 15:29:20| authenticateAuthUserRequestUnlock auth_user request
> '0x84aa028'.
> 2003/03/21 15:29:20| authenticateAuthUserRequestUnlock auth_user_request
> '0x84aa028' now at '1'.
> 2003/03/21 15:29:20| aclMatchAcl: returning 0 sending authentication
> challenge.
> 2003/03/21 15:29:20| aclMatchAclList: checking no_streaming
> 2003/03/21 15:29:20| aclMatchAcl: checking 'acl no_streaming urlpath_regex
> -i \.asf$ \.ram$ \.asx$ \.mov$ \.avi$ \.
> mpg$ \.mpeg$ \.wmf$ \.qt$ \.mp3$ \.wmv$ \.rm$'
> 2003/03/21 15:29:20| aclMatchRegex: checking '/'
> 2003/03/21 15:29:20| aclMatchRegex: looking for '\.asf$'
> 2003/03/21 15:29:20| aclMatchRegex: looking for '\.ram$'
> 2003/03/21 15:29:20| aclMatchRegex: looking for '\.asx$'
> 2003/03/21 15:29:20| aclMatchRegex: looking for '\.mov$'
> 2003/03/21 15:29:20| aclMatchRegex: looking for '\.avi$'
> 2003/03/21 15:29:20| aclMatchRegex: looking for '\.mpg$'
> 2003/03/21 15:29:20| aclMatchRegex: looking for '\.mpeg$'
> 2003/03/21 15:29:20| aclMatchRegex: looking for '\.wmf$'
> 2003/03/21 15:29:20| aclMatchRegex: looking for '\.qt$'
> 2003/03/21 15:29:20| aclMatchRegex: looking for '\.mp3$'
> 2003/03/21 15:29:20| aclMatchRegex: looking for '\.wmv$'
> 2003/03/21 15:29:20| aclMatchRegex: looking for '\.rm$'
> 2003/03/21 15:29:20| aclMatchAclList: returning 0
> 2003/03/21 15:29:20| aclCheck: requiring Proxy Auth header.
> 2003/03/21 15:29:20| aclCheck: match found, returning 2
> 2003/03/21 15:29:20| aclCheckCallback: answer=2
> 2003/03/21 15:29:20| The request GET http://www.google.com./ is DENIED,
> because it matched 'no_streaming'
> 2003/03/21 15:29:20| authenticateAuthUserRequestLock auth_user request
> '0x84aa028'.
> 2003/03/21 15:29:20| authenticateAuthUserRequestLock auth_user request
> '0x84aa028' now at '2'.
> 2003/03/21 15:29:20| authenticateFixHeader: headertype:34 authuser:0x84aa028
> 2003/03/21 15:29:20| authenticateValidateUser: Validating Auth_user request
> '0x84aa028'.
> 2003/03/21 15:29:20| authenticateValidateUser: Auth_user '0x841bbb0' is
> broken for it's scheme.
> 2003/03/21 15:29:20| authenticateFixErrorHeader: Sending type:34 header:
> 'Basic realm="Proxy Logo
> n"'
> 2003/03/21 15:29:20| authenticateFixHeader: headertype:34 authuser:0x84aa028
> 2003/03/21 15:29:20| aclCheckFast: list: (nil)
> 2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
> 2003/03/21 15:29:20| aclCheckFast: list: (nil)
> 2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
> 2003/03/21 15:29:20| aclCheckFast: list: (nil)
> 2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
> 2003/03/21 15:29:20| aclCheckFast: list: (nil)
> 2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
> 2003/03/21 15:29:20| aclCheckFast: list: (nil)
> 2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
> 2003/03/21 15:29:20| aclCheckFast: list: (nil)
> 2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
> 2003/03/21 15:29:20| aclCheckFast: list: (nil)
> 2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
> 2003/03/21 15:29:20| aclCheckFast: list: (nil)
> 2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
> 2003/03/21 15:29:20| aclCheckFast: list: (nil)
> 2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
> 2003/03/21 15:29:20| aclCheckFast: list: (nil)
> 2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
> 2003/03/21 15:29:20| aclCheckFast: list: 0x87376c0
> 2003/03/21 15:29:20| aclMatchAclList: checking all
> 2003/03/21 15:29:20| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2003/03/21 15:29:20| aclMatchIp: '192.168.1.7' found
> 2003/03/21 15:29:20| aclMatchAclList: returning 1
> 2003/03/21 15:29:20| aclCheckFast: list: 0x86d71e0
> 2003/03/21 15:29:20| aclMatchAclList: checking all
> 2003/03/21 15:29:20| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2003/03/21 15:29:20| aclMatchIp: '192.168.1.7' found
> 2003/03/21 15:29:20| aclMatchAclList: returning 1
> 2003/03/21 15:29:20| The reply for GET http://www.google.com./ is ALLOWED,
> because it matched 'all'
> 2003/03/21 15:29:20| authenticateAuthUserRequestUnlock auth_user request
> '0x84aa028'.
> 2003/03/21 15:29:20| authenticateAuthUserRequestUnlock auth_user_request
> '0x84aa028' now at '1'.
> 2003/03/21 15:29:21| authenticateAuthUserRequestUnlock auth_user request
> '0x84aa028'.
> 2003/03/21 15:29:21| authenticateAuthUserRequestUnlock auth_user_request
> '0x84aa028' now at '0'.
> 2003/03/21 15:29:21| authenticateAuthUserRequestFree: freeing request
> 0x84aa028
> 2003/03/21 15:29:21| authenticateAuthUserUnlock auth_user '0x841bbb0'.
> 2003/03/21 15:29:21| authenticateAuthUserUnlock auth_user '0x841bbb0' now at
> '0'.
> 2003/03/21 15:29:21| authenticateFreeProxyAuthUser: Freeing auth_user
> '0x841bbb0' with refcount '0'.
> 2003/03/21 15:29:21| authenticateBasicFreeUser: Clearing Basic scheme data
>
> Any help would be appreciated.
>
> cheers
>
> > Chris Brain
> > System Support Officer
> >
> > West Australian Newspapers
> > 50 Hasler Road Osborne park
> > e-mail: chris.brain@wanews.com.au
> > Phone: 08 9 482 3386
> > Fax: 08 9 482 3747
> >
> >
Received on Mon Mar 24 2003 - 01:13:57 MST
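
A check over the debug lines quoted above, as an added example that is not part of the original thread and is not Squid code. It flags an access check in which the ACL list kept being evaluated after an authentication challenge was raised and the denial was then attributed to one of those later ACLs. The names `scan` and `symptom` are made up for this example; the log lines are the thread's own with the mail line-wrapping undone.

```python
import base64
import re

# Lines copied from the quoted cache.log in this thread (un-wrapped, subset).
LOG = """\
2003/03/21 15:29:20| aclCheck: checking 'http_access deny !streaming_users no_streaming'
2003/03/21 15:29:20| aclMatchAclList: checking !streaming_users
2003/03/21 15:29:20| authenticateDecodeAuth: header = 'Basic aGhoaDo='
2003/03/21 15:29:20| aclMatchAcl: returning 0 sending authentication challenge.
2003/03/21 15:29:20| aclMatchAclList: checking no_streaming
2003/03/21 15:29:20| aclMatchAclList: returning 0
2003/03/21 15:29:20| aclCheck: match found, returning 2
2003/03/21 15:29:20| The request GET http://www.google.com./ is DENIED, because it matched 'no_streaming'
"""

def scan(log):
    """Return one finding dict per 'aclCheck: checking' rule seen in the log."""
    findings, cur, challenged = [], None, False
    for line in log.splitlines():
        msg = line.split("| ", 1)[-1]          # drop the timestamp prefix
        if m := re.match(r"aclCheck: checking '(.+)'$", msg):
            cur = {"rule": m[1], "user": None, "empty_password": False,
                   "checked_after_challenge": [], "denied_by": None}
            findings.append(cur)
            challenged = False
        elif cur is None:
            continue                           # line outside any access check
        elif m := re.search(r"DecodeAuth: header = 'Basic ([A-Za-z0-9+/=]+)'", msg):
            # Basic credentials are base64("user:password")
            user, _, password = base64.b64decode(m[1]).decode("latin-1").partition(":")
            cur["user"], cur["empty_password"] = user, password == ""
        elif "sending authentication challenge" in msg:
            challenged = True
        elif m := re.match(r"aclMatchAclList: checking (\S+)", msg):
            if challenged:                     # list evaluation did not stop
                cur["checked_after_challenge"].append(m[1])
        elif msg.startswith("aclMatchAclList: returning"):
            challenged = False                 # end of this ACL list
        elif m := re.search(r"is DENIED, because it matched '([^']+)'", msg):
            cur["denied_by"] = m[1]
    return findings

def symptom(finding):
    """True when the denial names an ACL that was only checked after the challenge."""
    return finding["denied_by"] in finding["checked_after_challenge"]

if __name__ == "__main__":
    for f in scan(LOG):
        print(f, "-> symptom" if symptom(f) else "-> ok")
```
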
