[squid-users] Squid ACL, SSL-BUMP and authentication questions

squid at icshk.com squid at icshk.com
Fri Nov 7 07:51:41 UTC 2014 

Hi,

 

Sorry for my poor English. I think maybe I have figure out how to do this. Seems I need to explicitly specific allow “google” for “my_auth” users.

 

Add this:

http_access     allow   google                 my_auth

before

http_access     allow   my_auth                all

 

auth_param basic children 5

auth_param basic realm Welcome to Our Website!

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_user

auth_param basic credentialsttl 2 hours

auth_param basic casesensitive off

 

acl my_auth proxy_auth REQUIRED

 

acl SSL_ports port 443

acl Safe_ports port 443         # https

acl CONNECT method CONNECT

 

acl     GoogleMaps           url_regex -i    ^https://www.google.com/maps*.

acl     test_net                 src             192.168.1.253/32

acl     google                    dstdomain    www.google.com <http://www.google.com> 

http_access deny CONNECT !SSL_ports

 

http_access     allow                           GoogleMaps

 

http_access     allow   CONNECT                 google

http_access     deny    CONNECT                 google                 my_auth

#http_access    allow   CONNECT                 test_net                 google

 

http_access     allow   google                 my_auth

http_access     allow   my_auth                all

 

http_access     deny                            all

 

 

From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of squid-list
Sent: Friday, November 07, 2014 3:36 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid ACL, SSL-BUMP and authentication questions

 

Hi,

"Access to google maps(https://www.google.com/maps) should prevent any authentication need"

I could understand that all users should be able to access the google maps link without any authentication. For this you could add the site acl before the authentication part in the squid conf. So that users will not prompt for the authentication when the user try to access the google map site. But when they try to access any other site authentication will be prompted.

(i.e)
        acl     GoogleMaps           url_regex -i    ^https://www.google.com/maps*.
        acl allow GoogleMaps all

        auth_param basic children 5

        auth_param basic realm Welcome to Our Website!

        auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_user

        auth_param basic credentialsttl 2 hours

        auth_param basic casesensitive off    

        ....
        ....

I am not clear about the remaining part of the content.

Regards,
ViSolve Squid

On 11/07/2014 08:55 AM, squid at icshk.com <mailto:squid at icshk.com>  wrote:

Hello all,

 

As our company policy only allow some machines to access to some SSL website URL(eg. https://www.google.com/maps). However, they do not have access to https://www.google.com/ Before, we tried to implement authentication, everything works fine. We try to allow https access to https://www.google.com/maps and “CONNECT” request to www.google.com <http://www.google.com>  using SSL bump. Now, I want to preserve this config, and let user to authenicate to access to any website. Access to google maps(https://www.google.com/maps) should prevent any authentication need. However, I am not success to figure this out. I have tried different kinds of configuration, some will prompt for authentication. Some will not allow the authenticated users to access to https://www.google.com. From the access log, after I authenticate and try to access to https://www.google.com, the authentication information is not displayed. Seems squid do not use the authentication information when matching the this rule: “http_access     allow   CONNECT                 google”.

The “CONNECT” method is success. Then, the squid will continue use no authentication information to process the “GET” command, causing the authenticated user to denied access to https://www.google.com.

Can I make squid always use the authentication information if already authenticate ? Or any suggestion to implement this policy.

Thanks.

 

Here is an extracted version of config which should state the related configuration:

 

auth_param basic children 5

auth_param basic realm Welcome to Our Website!

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_user

auth_param basic credentialsttl 2 hours

auth_param basic casesensitive off

 

acl my_auth proxy_auth REQUIRED

 

acl SSL_ports port 443

acl Safe_ports port 443         # https

acl CONNECT method CONNECT

 

acl     GoogleMaps           url_regex -i    ^https://www.google.com/maps*.

acl     test_net                 src             192.168.1.253/32

acl     google                    dstdomain    www.google.com <http://www.google.com> 

http_access deny CONNECT !SSL_ports

 

http_access     allow                           GoogleMaps

 

http_access     allow   CONNECT                 google

http_access     deny    CONNECT                 google                 my_auth

#http_access    allow   CONNECT                 test_net                 google

 

http_access     allow   my_auth                all

 

http_access     deny                            all

 





_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org <mailto:squid-users at lists.squid-cache.org> 
http://lists.squid-cache.org/listinfo/squid-users

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20141107/98c4be01/attachment-0001.html>

More information about the squid-users mailing list