2016-08-19 17:22 GMT-03:00 Antony Stone <antony.st...@squid.open.source.it>:
> On Friday 19 August 2016 at 20:41:11, Jok Thuau wrote:
>
> > On Fri, Aug 19, 2016 at 9:33 AM, Sergio Belkin <seb...@gmail.com> wrote:
> > > /var/log/squid/access.log
> > > 192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 407 4634 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TCP_DENIED:HIER_NONE
> >
> > This is unauthenticated (notice the "- -" after the IP)
> >
> > > 192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TAG_NONE:HIER_DIRECT
> >
> > This one is authenticated (juan.perez). The code 407 in the first request
> > means "proxy request authentication". So what happened here is that the
> > user browsed, was asked for credentials (and maybe those were provided
> > automatically), and then the request was resent with the creds included.
>
> Given the timestamps (both 12:19:45; no time for a human to enter credentials
> at a prompt) the browser did this automatically, and invisibly to the user.
>

Exactly it does so, but I wonder if TCP_DENIED is the proper message here. It's a case of "client must first authenticate itself with the proxy" (https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html), perhaps I'm wrong, but would something such as TCP_UNAUTHORIZED be better?

However, I've found that I can create a rule in order to exclude such messages in the logs:

http://squid-web-proxy-cache.1019090.n4.nabble.com/Too-many-TCP-DENIED-407-when-using-Kerberos-authentication-td4662372.html

And squid-analyzer has a directive to exclude them too:

ExcludedCodes TCP_DENIED/407

Thanks!

> > http_access deny !kerb_auth
> >
> > > http_access allow kerb_auth whitelist_ips
> >
> > And here is the config that causes that -- it's totally normal...
> >
> > Thanks,
>
> Antony.
>
> --
> "In fact I wanted to be John Cleese and it took me some time to realise that
> the job was already taken."
>
> - Douglas Adams
>
> Please reply to the list;
> please *don't* CC me.
>

--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
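An added example, not part of the original thread or of Squid or squid-analyzer: instead of excluding every TCP_DENIED/407 line, this pairs each challenge with the authenticated retry the thread describes and keeps only the 407s that were never answered. The function names, the 5-second window and the third sample line are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Layout of the access.log lines quoted in the thread.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" (?P<code>\w+):\w+')

def parse(line):
    """Turn one log line into a dict, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def unanswered_challenges(lines, window=timedelta(seconds=5)):
    """Return 407 records with no authenticated retry of the same request
    from the same client within `window` (an assumed value)."""
    pending, unanswered = {}, []
    for rec in filter(None, map(parse, lines)):
        key = (rec["ip"], rec["req"])
        first = pending.get(key)
        if first and rec["ts"] - first["ts"] > window:
            unanswered.append(pending.pop(key))  # challenge expired
            first = None
        if rec["status"] == 407 and rec["user"] == "-":
            pending.setdefault(key, rec)  # keep first challenge of a handshake
        elif rec["status"] != 407 and rec["user"] != "-" and first:
            del pending[key]  # authenticated retry completed the handshake
    unanswered.extend(pending.values())  # log ended before any retry
    return unanswered

# The first two lines are from the thread; the third is constructed.
SAMPLE = [
    '192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 407 4634 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TCP_DENIED:HIER_NONE',
    '192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TAG_NONE:HIER_DIRECT',
    '192.168.50.77 - - [19/Aug/2016:12:20:10 -0300] "CONNECT example.org:443 HTTP/1.1" 407 4634 "-" "curl/7.47.0" TCP_DENIED:HIER_NONE',
]

if __name__ == "__main__":
    for rec in unanswered_challenges(SAMPLE):
        print(rec["ip"], rec["req"], rec["code"])
```

The two lines from the thread cancel each other out as one completed handshake, while the constructed client that never retried with credentials stays in the report.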