Package: squid
Version: 4.6.1
Severity: minor

Dear Maintainer,
squid is configured to deliver certain websites to an authorized user. If this user requests any website outside of his scope, squid shall deny that request. In the following example, the user calls the website http://www.wetter24.de/ . This site links to meteogroup.com (allowed), facebook (denied), twitter (denied) and youtube (denied).

Here my configuration:

----------- squid.conf ------------------
cache deny all
http_port 8080
access_log daemon:/var/log/squid/access.log combined
error_default_language de
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/users
acl user proxy_auth REQUIRED
acl whitelist dstdomain .wetter24.de .meteogroup.com
http_access allow user whitelist
http_access deny all
----------- squid.conf ------------------

What happens (according to a wireshark dump):

- The user opens wetter24.de.
- Squid answers 407 Proxy authentication required
- the user enters username and password
- browser resends the request with attached proxy-authorization (PA)
- squid delivers website
- browser requests embedded element from facebook.com PA
- squid answers 403 forbidden

Hey, that's absolutely okay, that's what we want. So far...

- browser requests GET platform.twitter.com PA
- squid answers 403 forbidden
- browser requests CONNECT www.youtube.com PA
- squid answers 403 forbidden

Still all well...

- browser requests meteogroup.com PA
- squid delivers
- browser requests wetter24.de PA
- squid delivers
- browser requests GET platform.twitter.com PA
- squid answers 407 Proxy authentication required

Hey, what? The browser sends the same request as some moments before, with the same authentication data - but suddenly squid challenges for authentication again instead of sending the correct message 403 forbidden.

This way, the browser sometimes opens several dozen password challenges for a single site, while the user is perfectly authenticated. This is extremely annoying and renders any web usage nearly impossible for the affected users.
In the above example, I could of course simply remove the authentication requirement. But this is a very simplified config, just to show where squid goes wrong.

-- System Information:
Debian Release: 10.0 (tested under 9.9 as well)
APT prefers stable
Architecture: amd64 (x86_64)
Kernel: 4.19.0-5-amd64
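The sequence the report describes can be confirmed from the proxy's own access log rather than a packet capture. The script below is an added example, not part of the bug report or of Squid: it parses lines in Squid's built-in `combined` logformat (the one the reporter's `access_log ... combined` line selects) and flags every 407 that Squid sends to a client shortly after it already served that client a reply carrying a user name. The log lines are constructed to mirror the reporter's exchange; the client address, user name, timestamps and byte counts are made-up values.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Squid's built-in "combined" logformat:
#   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<squid_status>\S+)$'
)

Rechallenge = namedtuple("Rechallenge", "client time url")

def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = COMBINED_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_rechallenges(lines, window=timedelta(minutes=5)):
    """Return a Rechallenge for every 407 that follows, within `window`, a reply
    to the same client for which Squid had already logged a user name.
    The very first 407 (before any credentials were sent) is expected and not reported."""
    last_authed = {}   # client address -> time of latest reply that carried a user name
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue          # skip lines in another format rather than aborting the scan
        client = rec["client"]
        if rec["status"] == 407:
            t = last_authed.get(client)
            if t is not None and rec["time"] - t <= window:
                hits.append(Rechallenge(client, rec["time"], rec["url"]))
        elif rec["user"] != "-":
            # Squid logs the user name for allowed (2xx) and denied (403) requests alike,
            # so either proves the proxy had accepted the credentials at that moment.
            last_authed[client] = rec["time"]
    return hits

# Constructed sample log, following the order of requests in the bug report.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jul/2019:12:00:00 +0200] "GET http://www.wetter24.de/ HTTP/1.1" 407 3843 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE',
    '192.0.2.10 - alice [10/Jul/2019:12:00:05 +0200] "GET http://www.wetter24.de/ HTTP/1.1" 200 51230 "-" "Mozilla/5.0" TCP_MISS:HIER_DIRECT',
    '192.0.2.10 - alice [10/Jul/2019:12:00:06 +0200] "GET http://www.facebook.com/plugins/like.php HTTP/1.1" 403 3952 "http://www.wetter24.de/" "Mozilla/5.0" TCP_DENIED:HIER_NONE',
    '192.0.2.10 - alice [10/Jul/2019:12:00:06 +0200] "GET http://platform.twitter.com/widgets.js HTTP/1.1" 403 3952 "http://www.wetter24.de/" "Mozilla/5.0" TCP_DENIED:HIER_NONE',
    '192.0.2.10 - alice [10/Jul/2019:12:00:06 +0200] "CONNECT www.youtube.com:443 HTTP/1.1" 403 3952 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE',
    '192.0.2.10 - alice [10/Jul/2019:12:00:07 +0200] "GET http://www.meteogroup.com/img/logo.png HTTP/1.1" 200 8120 "http://www.wetter24.de/" "Mozilla/5.0" TCP_MISS:HIER_DIRECT',
    '192.0.2.10 - - [10/Jul/2019:12:00:09 +0200] "GET http://platform.twitter.com/widgets.js HTTP/1.1" 407 3843 "http://www.wetter24.de/" "Mozilla/5.0" TCP_DENIED:HIER_NONE',
]

if __name__ == "__main__":
    for hit in find_rechallenges(SAMPLE_LOG):
        print(f"{hit.time.isoformat()} {hit.client} re-challenged on {hit.url}")
```

Run against a real `/var/log/squid/access.log` (`find_rechallenges(open(path))`), a non-empty result lists the exact requests on which the proxy dropped back to 407 for a client it had just been serving, which is the evidence to attach to a report like this one; the 5-minute window is an arbitrary choice and can be tightened to the interval seen in the capture.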