[squid-users] ACLs help "DENIED, because it matched 'ldapauth'"

From: David Touzeau <david_at_touzeau.eu>
Date: Thu, 19 May 2011 15:27:42 +0200

Hi all...
I need help...
I would like to understand why Squid refuses the HTTPS upload (a CONNECT request) and reports that it was denied because it matched the
'ldapauth' ACL.

Here are the debug events from cache.log:

2011/05/19 12:39:17.931| httpParseInit: Request buffer is CONNECT
lennyleonard.wetransfer.com:443 HTTP/1.0
Host: lennyleonard.wetransfer.com:443
2011/05/19 12:39:17.931| HttpMsg.cc(445) parseRequestFirstLine: parsing
possible request: CONNECT lennyleonard.wetransfer.com:443 HTTP/1.0
Host: lennyleonard.wetransfer.com:443
Host: lennyleonard.wetransfer.com:443
Host: lennyleonard.wetransfer.com:443
2011/05/19 12:39:17.931| urlParse: Split URL
'lennyleonard.wetransfer.com:443' into proto='',
host='lennyleonard.wetransfer.com', port='443', path=''
Host: lennyleonard.wetransfer.com:443
2011/05/19 12:39:17.933| aclMatchDomainList: checking
'lennyleonard.wetransfer.com'
2011/05/19 12:39:17.933| aclMatchDomainList:
'lennyleonard.wetransfer.com' NOT found
2011/05/19 12:39:17.933| aclMatchDomainList: checking
'lennyleonard.wetransfer.com'
2011/05/19 12:39:17.933| aclMatchDomainList:
'lennyleonard.wetransfer.com' NOT found
2011/05/19 12:39:17.934| aclMatchDomainList: checking
'lennyleonard.wetransfer.com'
2011/05/19 12:39:17.934| aclMatchDomainList:
'lennyleonard.wetransfer.com' NOT found
2011/05/19 12:39:17.935| aclRegexData::match: checking
'lennyleonard.wetransfer.com:443'
2011/05/19 12:39:17.935| The request CONNECT
lennyleonard.wetransfer.com:443 is DENIED, because it matched 'ldapauth'
2011/05/19 12:39:17.935| Access Denied: lennyleonard.wetransfer.com:443

Here is the squid.conf:

# Built-in ACLs referenced by the http_access rules further down.
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.1/32
acl manager proto cache_object
# credentialsttl: how long a validated user/password pair is cached before
# the helper is asked again; authenticate_ttl: how long an authenticated user
# entry is kept; authenticate_ip_ttl: how long a login stays bound to the
# client IP it was first seen from.
auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds
#--------- LDAP AUTH settings

# Authentication helper: squid_ldap_auth against the local LDAP server.
# -b base DN, -D/-w bind DN and password, -f search filter (%s = login name),
# -v 3 LDAPv3, -h/-p server address.
# NOTE: long directives below are wrapped by the mail archive; in the real
# squid.conf each directive must be a single line.
# NOTE(review): the bind password is given with -w, so it is visible in the
# process list to every local user as well as in squid.conf; if this helper
# build supports -W, read it from a root-only file instead. Basic auth also
# sends the user's own password base64-encoded on every request to the plain
# HTTP proxy port, so it should only be relied on inside a trusted LAN.
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b
"dc=my-domain,dc=com" -D "cn=myuser,dc=my-domain,dc=com" -w "mypassword"
-f "(&(objectClass=userAccount)(uid=%s))" -v 3 -h 127.0.0.1 -p 389
#--------- GLOBAL
# Group-membership helper, fed the authenticated login (%LOGIN). In the
# filter %v is the login and %a is the group argument given on the
# 'acl ... external ldap_group' line; -S strips any NT domain prefix from
# the login. Same bind-password caveat as above.
external_acl_type ldap_group %LOGIN /usr/lib/squid3/squid_ldap_group -D
"cn=myuser,dc=my-domain,dc=com" -w "mypassword" -b "dc=my-domain,dc=com"
-f "(&(objectClass=posixGroup)(gidNumber=%a)(memberUid=%v))" -S -v 3 -h
127.0.0.1 -p 389
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
# Matches only when the request carries credentials the helper accepts.
# When a request carries none (or bad ones), the first http_access line that
# evaluates this ACL cannot match: Squid stops the access check there and
# replies 407 Proxy Authentication Required. cache.log reports exactly that
# as "DENIED, because it matched 'ldapauth'" - the line quoted at the top of
# this message.
acl ldapauth proxy_auth REQUIRED

#--------- PERFORMANCE TWEAKS
# Settings lifted from the blog post below; none of them affects access control.
# http://blog.last.fm/2007/08/30/squid-optimization-guide
memory_pools off
# min and max both 0: a fetch is aborted as soon as the client goes away,
# it is never finished just to populate the cache.
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
# Disables the per-client statistics database.
client_db off
buffered_logs on
half_closed_clients off

#--------- UfdbGuard
# URL filtering: URLs are handed to the ufdbGuard client; the
# url_rewrite_access rules below decide which requests are sent to it
# (requests from localhost are not).
url_rewrite_program /usr/bin/ufdbgclient -l /var/log/squid
# Up to 20 helpers, 5 started at once; concurrency=0 means one request in
# flight per helper.
url_rewrite_children 20 startup=5 idle=1 concurrency=0

#--------- SQUID PARENTS (feature not enabled)

#--------- acls
# URL blacklist, one regex per line in the file. This is the only url_regex
# ACL in the config, so the "aclRegexData::match: checking
# 'lennyleonard.wetransfer.com:443'" line in the log above is this ACL being
# evaluated (for CONNECT the "URL" is host:port). It did NOT match, so the
# blacklist is not what denied the request.
acl blockedsites url_regex "/etc/squid3/squid-block.acl"
acl CONNECT method CONNECT
acl purge method PURGE
acl FTP proto FTP
# multimedia_rep, multimedia_browsers and bigfiles_types are defined but not
# referenced by any rule in this file (rep_mime_type ACLs could only be used
# in http_reply_access anyway).
acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
acl multimedia_rep rep_mime_type -i ^image/
acl multimedia_rep rep_mime_type -i ^video
acl multimedia_rep rep_mime_type -i ^audio
acl multimedia_rep rep_mime_type -i ^application/x-dvi$
acl multimedia_rep rep_mime_type -i ^application/x-isoview
acl multimedia_browsers browser -i ^.*player
# Wrapped by the mail archive: this regex is one line in the real file.
acl bigfiles_types urlpath_regex -i \.(deb|rpm|iso|tar\.gz|gz|bz|tar|
cue|nrg|crf|bwi|bwt|lcd|ccd|mdf|mds|vcd|cif|vdi|img)((\?|&).*)?$
# Client networks presumably meant to get through without LDAP credentials;
# note that 'http_access allow office_network' sits after
# 'http_access allow ldapauth', where it can never be reached.
acl office_network src 192.168.0.0/24 10.0.0.0/8
# NOTE(review): no group argument follows 'ldap_group', yet the helper's
# filter expects a gidNumber via %a, and the http_access line using this ACL
# sits after 'allow ldapauth', so the helper is never consulted. Presumably
# the intent was 'acl group_password external ldap_group <gidNumber>' used
# on a rule placed before the general ldapauth rule - confirm.
acl group_password external ldap_group

#--------- GROUPS definition
#no groups

#--------- MAIN RULES...
# FTP is never routed through a parent cache (none is configured anyway).
always_direct allow FTP
# --------- SAFE ports
# Ports a non-CONNECT request may target; anything else is rejected by
# 'http_access deny !Safe_ports' below. 22 (ssh) and 1863 (msn) are
# additions to the stock list; 631/873/901 are local admin services that
# the unreachable 'deny to_localhost' rule below no longer protects.
acl Safe_ports port 80 #http
acl Safe_ports port 22 #ssh
acl Safe_ports port 443 563 #https, snews
acl Safe_ports port 1863 #msn
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535 #unregistered ports
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl Safe_ports port 631 #cups
acl Safe_ports port 873 #rsync
acl Safe_ports port 901 #SWAT
acl Safe_ports port 20 #ftp-data
acl Safe_ports port 21 #ftp#
# Ports a CONNECT tunnel may target ('http_access deny CONNECT !SSL_ports').
# NOTE(review): 9000 and 6667 are additions to the stock 443/563. A CONNECT
# tunnel carries arbitrary TCP, and this list is not restricted by host, so
# once past 'allow ldapauth' any authenticated user can tunnel to any host
# on 9000 or 6667 (the IRC allow rules further down only cover freenode).
acl SSL_ports port 9000 #Artica
acl SSL_ports port 443 #HTTPS
acl SSL_ports port 563 #https, snews
acl SSL_ports port 6667 #tchat

# AOL Instant Messenger to connect to oscar.aol.com
# These ACLs feed 'http_access allow AIM_methods AIM_ports AIM_nets|AIM_hosts'
# at the top of the rule list: the CONNECTs they permit need no
# authentication and skip the Safe_ports/SSL_ports and blockedsites checks.
acl AIM_ports port 5190 9898
# AIM_domains is defined but not used by any rule.
acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com
acl AIM_domains dstdomain .messaging.aol.com .aim.com
# Wrapped by the mail archive: one line in the real file.
acl AIM_hosts dstdomain login.oscar.aol.com
login.glogin.messaging.aol.com toc.oscar.aol.com
# dst matches on the resolved address of the requested host name.
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT

# Permit IRC
# Used by the unauthenticated allow rules at the top of the http_access list:
# CONNECT to freenode on 6667 only.
acl IRC_ports port 6667
acl IRC_domains dstdomain .freenode.net
acl IRC_hosts dstdomain irc.freenode.net
acl IRC_methods method CONNECT

# Permit Yahoo Messenger
# Used by the unauthenticated allow rules at the top of the http_access list:
# CONNECT on 5050 to the listed hosts, or to any host under the two domains.
acl YIM_ports port 5050
acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp
acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
acl YIM_methods method CONNECT

# Permit Google Talk
# NOTE(review): the port list includes 443 and the domain ACL is all of
# .google.com, so 'http_access allow GTALK_methods GTALK_ports GTALK_domains'
# grants an unauthenticated CONNECT to any google.com host on 443, ahead of
# the blacklist and the ldapauth rule. GTALK_hosts (talk.google.com) is the
# narrower ACL; GTALK_domains is the one that needs tightening.
acl GTALK_ports port 5222 5050 443
acl GTALK_domains dstdomain .google.com
acl GTALK_hosts dstdomain talk.google.com
acl GTALK_methods method CONNECT

# Permit MSN
# NOTE(review): 443 is in the port list, so
# 'http_access allow MSN_ports MSN_domains MSN_methods' grants an
# unauthenticated CONNECT on 443 to every host under the six domains below,
# ahead of the blacklist and the ldapauth rule.
acl MSN_ports port 1863 443 1503
# Wrapped by the mail archive: one line in the real file.
acl MSN_domains
dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_methods method CONNECT

# Reply MIME-type ACL, defined but not referenced by any rule in this file.
# Wrapped by the mail archive: one line in the real file.
acl MULTIMEDIA rep_mime_type -i ^(audio\/x-mpegurl|audio\/mpeg|video
\/flv|video\/x-flv|application\/x-shockwave-flash|audio\/ogg|video\/ogg|
application\/ogg)$

# --------- RULES DEFINITIONS
# Requests from the proxy host itself skip ufdbGuard; everything else is filtered.
url_rewrite_access deny localhost
url_rewrite_access allow all
# Instant-messaging CONNECT tunnels. Because these allow lines come first
# they are granted without authentication (no user name in access.log) and
# before the Safe_ports/SSL_ports and blockedsites checks. GTALK_ports and
# MSN_ports include 443, so CONNECT to *.google.com and to the MSN domains
# on 443 is also allowed unauthenticated here. For the CONNECT in the log
# the three "aclMatchDomainList ... NOT found" lines are GTALK_hosts,
# GTALK_domains and MSN_domains - the only dstdomain ACLs on rules whose
# port ACL matches 443.
http_access allow AIM_methods AIM_ports AIM_nets
http_access allow AIM_methods AIM_ports AIM_hosts
http_access allow IRC_methods IRC_ports IRC_hosts
http_access allow IRC_methods IRC_ports IRC_domains
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains
http_access allow GTALK_ports GTALK_hosts GTALK_methods

# (the leading whitespace on the next line is harmless to Squid)
            http_access allow GTALK_methods GTALK_ports GTALK_domains
http_access allow MSN_ports MSN_domains MSN_methods

# Stock port guards: plain requests only to Safe_ports, CONNECT only to SSL_ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
# NOTE(review): there is no 'http_access deny manager' after this line. A
# cache_object:// request from any other client falls through to
# 'allow ldapauth' below, i.e. every authenticated user can browse the cache
# manager. Add 'http_access deny manager' right after this line, as in the
# stock squid.conf.
http_access allow manager localhost
http_access allow purge localhost
http_access deny purge
# The url_regex blacklist; the log above shows it was checked and did not match.
http_access deny blockedsites
# The line the log complains about. ldapauth is 'proxy_auth REQUIRED': a
# request carrying credentials the helper accepts matches and is allowed; a
# request carrying none (or bad ones) cannot be evaluated, so Squid ends the
# check here and answers 407 Proxy Authentication Required, logged as
# "DENIED, because it matched 'ldapauth'". The request buffer in the log
# shows only a Host: header and no Proxy-Authorization, so the upload client
# did not authenticate (presumably it never answers the 407 challenge -
# verify on the client side). No rule below this line is ever reached.
http_access allow ldapauth

# NOTE(review): dead rules - every authenticated client was allowed above and
# every unauthenticated one was stopped there with a 407. If office_network
# is meant to bypass LDAP, move 'http_access allow office_network' above
# 'http_access allow ldapauth'.
http_access allow group_password
http_access allow office_network
# NOTE(review): also unreachable for the same reason, so an authenticated
# user can reach 127.0.0.1 on any Safe_port (631, 873, 901, ...) or CONNECT
# to 127.0.0.1:9000. The stock squid.conf places 'deny to_localhost' before
# the allow rules; move it above 'http_access allow ldapauth'.
http_access deny to_localhost
http_access deny all
# --------- ICAP Services.(0 service(s))

# --------- ident_lookup_access (header only; no ident directive follows)
# URLs containing cgi-bin or '?' are never sent to a parent cache; inert
# here since no parents are configured.
hierarchy_stoplist cgi-bin ?

# --------- General settings
# Host name shown in error pages and in the Via header.
visible_hostname prx01.arqui300.local
# off: requests carrying 'Expect: 100-continue' (which many upload clients
# send with POST) are answered with 417 Expectation Failed instead of being
# forwarded. Not what denied the CONNECT in the log, but worth knowing if
# plain-HTTP uploads fail through this proxy.
ignore_expect_100 off

# --------- time-out
dead_peer_timeout 10 seconds
dns_timeout 2 minutes
# NOTE(review): 1600 s is about 27 minutes; a client waiting on an
# unreachable server hangs that long (the stock value is 1 minute).
connect_timeout 1600 seconds
persistent_request_timeout 3 minutes
pconn_timeout 1600 seconds

maximum_object_size 300 MB
# Objects under 4 MB are not stored, so ordinary pages are never cached -
# presumably intentional for a large-download cache; confirm.
minimum_object_size 4 MB
maximum_object_size_in_memory 1024 KB

#http/https ports
# Plain (non-TLS) proxy port; with Basic auth the user's credentials cross
# the network base64-encoded on every request.
http_port 3128

# --------- SSL Rules

# --------- Caches
# Squid and its helpers run as this user/group after start-up; squid.conf
# (which holds the LDAP bind password) should be readable only by root and
# this user.
cache_effective_user squid
cache_effective_group squid
#cache_replacement_policy heap LFUDA
cache_mem 411 MB
# NOTE(review): the watermarks look swapped - the low mark must be below the
# high mark (stock values: low 90, high 95).
cache_swap_high 90
cache_swap_low 95
# --------- DNS and ip caches
ipcache_size 51200
ipcache_low 90
ipcache_high 95
fqdncache_size 51200

# --------- SPECIFIC DNS SERVERS

#--------- FTP specific parameters
ftp_list_width 32
ftp_passive on
# Rejects FTP data connections that do not come from the server Squid is
# talking to; keep it on.
ftp_sanitycheck on
ftp_epsv on
ftp_epsv_all off
ftp_telnet_protocol off

# ALL,1 is the normal level; the trace quoted at the top of this message is
# far more verbose, so it was presumably captured with debugging raised at
# run time.
debug_options ALL,1
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
# Several patterns below are wrapped by the mail archive: one line each in
# the real file.
refresh_pattern \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200
90% 432000
refresh_pattern \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern \.kaspersky-labs\.com/.*?\.(diff|exe|klz|zip)$ 2880
100% 28800
refresh_pattern \.avast\.com/.*?\.(exe|vpu)$ 2880 100% 28800
refresh_pattern \.avira-update\.com/.*?\.gz$ 2880 100% 28800
refresh_pattern global-download\.acer\.com/.*?/Driver/.*?zip 2880
100% 28800
refresh_pattern \.windowsupdate\.com/.*?\.(cab|exe|dll|msi|psf) 10080
100% 43200
refresh_pattern \.microsoft\.com/.*?\.(cab|exe|dll|msi) 10080 100%
   43200
# NOTE(review): refresh_pattern uses the first matching line, so this
# catch-all swallows everything and the cgi/query line after it never
# matches; the stock squid.conf puts '-i (/cgi-bin/|\?) 0 0% 0' first. The
# pattern below also says 'cg-bin', not 'cgi-bin'.
refresh_pattern . 0 20% 4320
refresh_pattern -i (/cg-bin/|\?) 0 0% 0
# NOTE(review): ICP is enabled but no icp_access rules appear in this file;
# check this Squid version's default for icp_access, since ICP lets peers
# probe what is cached.
icp_port 3130

#Logs-------------------------------------------------
# Client addresses are logged as IPs, not reverse-resolved names (SARG
# expects this).
#fqdn is disabled For sarg.
log_fqdn off
# Squid changes to this directory at start-up so core files land here. It
# is not one of the cache_dir paths, so it must exist and be writable by the
# squid user. A core of this process may contain cached Basic-auth
# credentials, so keep the directory root/squid-only.
coredump_dir /var/squid/cache
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
pid_filename /var/run/squid.pid
# Cache-manager requests are not logged; everything else goes to two logs,
# Apache 'common' format and native 'squid' format (the latter for SARG).
access_log none manager
access_log /var/log/squid/access.log common
access_log /var/log/squid/sarg.log squid

# Two 30000 MB ufs directories, 16 x 256 subdirectories each.
cache_dir ufs /var/cache/squid 30000 16 256
# --------- OTHER CACHES
cache_dir ufs /var/cache/squid2 30000 16 256