Authentication Pop-Ups with Explicit Deny ACLs

Last Modified: 16-September-2009; 08:20 WST; adrian

This document covers the behaviour of Squid when an explicit deny ACL is used with authentication.

Overview

Squid will issue a fresh authentication challenge (an HTTP 407 response, which browsers present as a credentials pop-up) whenever the "http_access" line that denies a request contains an ACL entry that requires authentication. This happens even when the client has already supplied valid credentials, so the user sees a pop-up instead of the access-denied page the administrator intended.

The "proxy_auth" and "proxy_auth_regex" ACL types always require authentication, so using either of them in a "deny" line will re-challenge for authentication.

The "external" ACL type may require authentication. If the external ACL consumes the proxy authentication results at all (for example, the helper format includes the %LOGIN token), Squid treats it as an authenticating ACL and a "deny" line using it will also re-challenge.

Details

The clientAccessCheckDone() function in src/client_side.c examines the result of the "http_access" evaluation and sets the require_auth variable accordingly. require_auth is set when either the ACL result is ACCESS_REQ_PROXY_AUTH (ie, the ACL return status is "please attempt authentication before re-trying the ACL") or aclIsProxyAuth() returns true for the ACL that produced the match. aclIsProxyAuth() returns true if the ACL type requires authentication, ie proxy_auth, proxy_auth_regex, or external when the external ACL uses the proxy authentication results. When require_auth is set, Squid replies with an authentication challenge rather than an access-denied error, regardless of whether the request was denied on purpose; that challenge is what triggers the browser pop-up.

Workarounds

The easiest workaround is to avoid "deny" lines that reference authenticating ACL types (proxy_auth, proxy_auth_regex, or an external ACL that uses the login name). Express the policy as "allow" lines instead, and finish with a "deny" line whose ACL does not require authentication (for example a src ACL matching everything), so a denied request never ends on an authenticating ACL.

This does have a drawback: there is no longer an easy way to short-circuit "http_access" evaluation for requests that the early "deny" line would have caught. Every subsequent "http_access" line has to be evaluated for those requests, which costs extra CPU on a busy proxy.

The second workaround is to apply the Squid-2.7 patch referenced below. It adds a new configuration directive, auth_required_on_auth_acl_deny, which controls whether Squid requests authentication or simply fails the request when an authenticating ACL appears in the matched "deny" line.
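The decision described under Details and the two configurations contrasted under Workarounds, as an added Python model. This is not Squid's code: it parses acl and http_access lines, walks them first-match the way Squid does, and applies the same require_auth rule as clientAccessCheckDone(). The configurations, user names and networks are constructed for the illustration; only the src, proxy_auth and proxy_auth_regex ACL types are modelled, and the ACL consulted by the require_auth check is assumed to be the last one evaluated on the matching line.

```python
"""Added model of Squid 2.7's deny-versus-challenge decision. Not Squid code."""
import ipaddress
import re

# Outcomes of an http_access evaluation, named after the Squid 2.7 constants.
ACCESS_ALLOWED, ACCESS_DENIED, ACCESS_REQ_PROXY_AUTH = "ALLOWED", "DENIED", "REQ_PROXY_AUTH"

# Constructed sample configurations (not from the original page).
# POPUP_CONFIG puts an auth ACL on a deny line: a banned, authenticated user
# is re-challenged (407) instead of being refused (403).
POPUP_CONFIG = """
acl localnet src 10.0.0.0/8
acl guest_net src 192.168.0.0/16
acl banned_users proxy_auth alice bob
acl staff proxy_auth REQUIRED
acl all src all
http_access deny banned_users
http_access allow localnet staff
http_access allow guest_net staff
http_access deny all
"""

# WORKAROUND_CONFIG expresses the same policy positively, so the final deny
# is decided by a src ACL and no challenge is raised; the cost is that a
# banned user's request now walks every line.
WORKAROUND_CONFIG = """
acl localnet src 10.0.0.0/8
acl guest_net src 192.168.0.0/16
acl permitted_users proxy_auth carol dave
acl all src all
http_access allow localnet permitted_users
http_access allow guest_net permitted_users
http_access deny all
"""


def parse_config(text):
    """Collect acl and http_access lines; everything else is ignored."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            acls[parts[1]] = (parts[2], parts[3:])      # name -> (type, args)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))          # (allow|deny, [terms])
    return acls, rules


def acl_is_proxy_auth(acls, name):
    """Model of aclIsProxyAuth(): does this ACL type depend on credentials?"""
    return acls[name][0] in ("proxy_auth", "proxy_auth_regex")


def match_acl(acls, name, request):
    """True/False for a decided ACL, ACCESS_REQ_PROXY_AUTH if credentials are needed first."""
    typ, args = acls[name]
    if typ == "src":
        client = ipaddress.ip_address(request["src"])
        return any(a == "all" or client in ipaddress.ip_network(a) for a in args)
    if typ in ("proxy_auth", "proxy_auth_regex"):
        user = request.get("user")               # None: no Proxy-Authorization header
        if user is None:
            return ACCESS_REQ_PROXY_AUTH
        if typ == "proxy_auth":
            return args == ["REQUIRED"] or user in args
        return any(re.search(pattern, user) for pattern in args)
    raise ValueError("unsupported acl type: %s" % typ)


def evaluate(acls, rules, request):
    """First-match walk over http_access. Returns (answer, last ACL evaluated, lines evaluated)."""
    name = None
    for count, (action, terms) in enumerate(rules, 1):
        line_matches = True
        for term in terms:
            negated = term.startswith("!")
            name = term.lstrip("!")
            result = match_acl(acls, name, request)
            if result == ACCESS_REQ_PROXY_AUTH:
                return ACCESS_REQ_PROXY_AUTH, name, count
            if result == negated:                # term fails: no match, or a match under "!"
                line_matches = False
                break
        if line_matches:
            return (ACCESS_ALLOWED if action == "allow" else ACCESS_DENIED), name, count
    # Nothing matched: Squid applies the opposite of the last line's action.
    default = ACCESS_DENIED if rules[-1][0] == "allow" else ACCESS_ALLOWED
    return default, name, len(rules)


def client_access_check_done(acls, rules, request):
    """Model of clientAccessCheckDone(): (HTTP status the client sees, lines evaluated)."""
    answer, name, count = evaluate(acls, rules, request)
    if answer == ACCESS_ALLOWED:
        return 200, count
    # The page's point: a deny decided by an auth ACL still sets require_auth.
    require_auth = answer == ACCESS_REQ_PROXY_AUTH or acl_is_proxy_auth(acls, name)
    return (407 if require_auth else 403), count


if __name__ == "__main__":
    alice = {"src": "10.1.2.3", "user": "alice"}        # banned, but already has credentials
    for label, text in (("pop-up", POPUP_CONFIG), ("workaround", WORKAROUND_CONFIG)):
        status, count = client_access_check_done(*parse_config(text), alice)
        print("%-10s status=%d lines_evaluated=%d" % (label, status, count))
```

Run stand-alone, the model shows the authenticated banned user receiving a 407 after one line under POPUP_CONFIG and a 403 after three lines under WORKAROUND_CONFIG: the pop-up goes away, and the extra lines walked are the CPU cost the Workarounds section warns about. A request with no credentials is challenged under both configurations, which is the legitimate case.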

Patches

References