[squid-users] Squid with proxy

Amos Jeffries squid3 at treenet.co.nz
Fri May 22 11:26:13 UTC 2015


On 22/05/2015 10:35 p.m., Silvio Siefke wrote:
> On Fri, 22 May 2015 15:39:19 +1200 Amos Jeffries wrote:
> 
>> I don't know why you should have to. ziproxy should be perfectly
>> capable of contacting Internet services to respond to the requests
>> sent from Squid.
> 
> Yes it works but I'm not sure it's right, when NextProxy in ziproxy.conf
> is not set. When I saw the log all worked, but in all tutorials which I read
> they say ziproxy.conf needs NextProxy="127.0.0.1" set for "routing" back
> to squid. But so it all works without NextProxy. What is now correct?
> 

Without NextProxy is correct if ziproxy is on the "outside" of Squid.
Like so:

 client -> Squid -> ziproxy -> Internet


If you set ziproxy to pass *requests* to Squid, the traffic will enter a
loop:
  client -> Squid -> ziproxy -> Squid -> ziproxy -> ...

Via header would have protected against that loop by aborting the
traffic. But you disabled Via. So the only thing preventing your setup
DoS'ing itself by consuming all available TCP ports on the machine is
that login popup. Ouch.

> 
>> I am not quite understanding what you are talking about auth for. So
>> can't answer that question. Hopefully the above answer is enough to
>> solve your problem though.
> 
> Squid uses auth for connecting with it; when I have activated NextProxy in
> ziproxy.conf then the browser asks and asks for login stuff. When NextProxy
> is not activated in ziproxy.conf then a login window comes one time and after
> login all works. But what is now right, set NextProxy or not? But when
> NextProxy is set in ziproxy.conf then squid can not ask ziproxy for login,
> because localhost has free traffic, or not?

In your squid.conf all traffic requires authenticating. Nothing is
allowed through without it. Although anything from localhost is allowed
to send wrong credentials and get through :-( .


Your rules:
> 
> # http access
> http_access allow checkpw all
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access deny ads
> http_access deny all

- "deny ads" is not useful like this; anything getting to that check
will also be blocked by the "deny all" which follows it and is a faster
check.

- also missing the basic HTTP abuse and DoS security protections.

To let localhost through I would write them like this:

 # basic security protections.
 # To let special ports through; check carefully it's not abuse
 # then adjust Safe_ports and SSL_ports appropriately
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports

 # To use the deny ads ACL it would go here in the ordering,
 # before the allow rules.
 http_access deny ads

 # localhost does not require authentication
 http_access allow localhost

 # manager access only permitted from localhost
 http_access deny !localhost manager

 # anyone with valid auth credentials is allowed
 http_access allow checkpw

 http_access deny all


You will need to re-add the CONNECT, Safe_ports and SSL_Ports ACL
definitions from the default config.


You don't really need to exempt localhost from authentication. But that
is your choice.

Amos
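The rule-ordering points above (the dead "deny ads" line, the unprotected manager interface, and the missing Safe_ports/SSL_ports checks) come down to Squid's first-match evaluation of http_access. The following Python simulator is an added example, not code from the post or from the Squid project: it models that first-match semantics and runs a few constructed requests through Silvio's original rule list and the reordered one. The ACL matchers are simplified assumptions (the ads ACL is modelled as a dstdomain list matching `ads.example`, the Safe_ports and SSL_ports sets are taken from the Squid default config, and the 407 challenge that a real proxy_auth ACL triggers is not modelled, `checkpw` simply matches only when valid credentials are present).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Port sets as in the Squid default config's Safe_ports / SSL_ports ACLs.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}


@dataclass
class Request:
    src_ip: str
    method: str
    host: str
    port: int
    path: str = "/"
    # None: no Proxy-Authorization header; True/False: valid/invalid credentials.
    creds: Optional[bool] = None


# Simplified models of the ACLs named in the thread (assumption: the real
# definitions match these shapes; "ads" is a constructed dstdomain list).
ACLS: Dict[str, Callable[[Request], bool]] = {
    "all": lambda r: True,
    "localhost": lambda r: r.src_ip in ("127.0.0.1", "::1"),
    "manager": lambda r: r.path.startswith("/squid-internal-mgr/"),
    "CONNECT": lambda r: r.method == "CONNECT",
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "checkpw": lambda r: r.creds is True,      # proxy_auth: valid creds only
    "ads": lambda r: r.host.endswith("ads.example"),
}

Rule = Tuple[str, List[str]]


def parse(lines: List[str]) -> List[Rule]:
    """Turn 'http_access <allow|deny> acl [acl...]' lines into (action, acls)."""
    rules: List[Rule] = []
    for line in lines:
        action, *acls = line.split()[1:]  # drop the http_access keyword
        rules.append((action, acls))
    return rules


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, int]:
    """First-match evaluation: every ACL on a line must match (AND), '!' negates.
    Returns (action, index of the matching line). If no line matches, Squid
    applies the opposite of the last line's action (index -1)."""
    for i, (action, terms) in enumerate(rules):
        matched = True
        for term in terms:
            negated = term.startswith("!")
            hit = ACLS[term.lstrip("!")](req)
            if hit == negated:  # ACL failed (or a negated ACL matched)
                matched = False
                break
        if matched:
            return action, i
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), -1


# Silvio's original rules, as posted in the thread.
ORIGINAL = parse([
    "http_access allow checkpw all",
    "http_access allow localhost manager",
    "http_access deny manager",
    "http_access allow localhost",
    "http_access deny ads",
    "http_access deny all",
])

# The reordered rules from the reply.
REORDERED = parse([
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
    "http_access deny ads",
    "http_access allow localhost",
    "http_access deny !localhost manager",
    "http_access allow checkpw",
    "http_access deny all",
])


def compare(req: Request) -> Dict[str, Tuple[str, int]]:
    """Decision and matching line index under both rule sets."""
    return {"original": evaluate(ORIGINAL, req), "reordered": evaluate(REORDERED, req)}


if __name__ == "__main__":
    # Constructed sample requests (not from the thread).
    samples = {
        "authenticated client to an ad host": Request("10.0.0.5", "GET", "www.ads.example", 80, creds=True),
        "authenticated client to the manager": Request("10.0.0.5", "GET", "proxy", 80, "/squid-internal-mgr/info", creds=True),
        "authenticated CONNECT to port 25": Request("10.0.0.5", "CONNECT", "mail.example.com", 25, creds=True),
        "localhost with wrong credentials": Request("127.0.0.1", "GET", "example.com", 80, creds=False),
        "client without credentials": Request("10.0.0.5", "GET", "example.com", 80),
    }
    for label, req in samples.items():
        print(f"{label}: {compare(req)}")
```

Running it shows the three problems concretely: under the original order an authenticated client reaches the ad host and the cache manager (line 0, "allow checkpw all", matches before anything else is considered), and can CONNECT to port 25; the reordered list denies all three by the port check, the ads ACL and the manager rule respectively. The last two samples behave the same under both lists, which matches the observation that localhost is let through even with bad credentials.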

