[squid-users] squid 3.1 ldap authentication

Amos Jeffries squid3 at treenet.co.nz
Sat Oct 10 05:39:48 UTC 2015


On 10/10/2015 8:16 a.m., nando mendonca wrote:
> Hi Amos,
> 
> Below is my squid.conf configuration. I can login and browse any site
> entering my ldap username. This is working fine.
> 
> Below I would like to use squid_ldap_group -R to allow certain ldap groups
> to browse only certain sites. Below "admins" and "sales" are two ldap
> groups, can I allow the "admins" group to browse a couple of sites and deny
> all others, and also have the "sales" group browse different sites and deny
> all other ldap groups access?
> 
> When I run 'squid -k parse', I'm not seeing any configuration errors.

Then your Squid is a bit outdated. Please consider an upgrade.
The current Squid will at least complain about the manager and localhost
ACL definitions being built-in.


> #
> # Recommended minimum configuration:
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> 
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 192.168.30.0/24    # RFC1918 possible internal network
> acl localnet src 192.168.20.0/24
> #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> #acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 8080
> acl CONNECT method CONNECT
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -b "dc=test,dc=corp,dc=domain,dc=com" -f "uid=%s" test.corp.domain.com
> auth_param basic children 5
> #auth_param basic realm Web-Proxy
> auth_param basic credentialsttl 30 minutes
> acl ldap-auth proxy_auth REQUIRED
> http_access allow ldap-auth

The problem you have is that you are allowing access to anyone who is
authenticated. End of story. No other permissions required. The
remainder of your access control config does nothing.

You need to do this instead:

 http_access deny !ldap-auth


> 
> #http_access deny all
> visible_hostname proxy-server-01
> 
> 
> ## Block access to Google ##
> #external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "dc=test,dc=corp,dc=domain,dc=com" -D "ou=Groups,dc=test,dc=corp,dc=domain,dc=com" -f "(&(objectclass=person) (sAMAccountName=%v) (memberof=cn=%a, ou=Groups,dc=test,dc=corp,dc=domain,dc=com))" -h test.corp.domain.com
> 
> #acl admin external ldap_group admin
> #acl sales external ldap_group sales
> 
> #acl rule1 url_regex -i "/etc/squid/blacklists/admin/domains"
> #acl rule2 url_regex -i "/etc/squid/blacklists/sales/domains"
> 
> #http_access allow admin rule1
> #http_access allow sales rule2
> #http_access deny all
> 

Once you are using "deny !ldap-auth" for the auth check these group rules
will have a chance of doing something.


However, all of the above http_access lines should be placed below the
line which says "INSERT YOUR OWN RULE(S) HERE"

> 
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> 

Current best practice is to place these manager rules below the "CONNECT
!SSL_Ports" line.


> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> http_access deny to_localhost
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #

Notice what the line above says. And how your authentication rules are
all up top well above the default rules that protect your system against
DoS and protocol abuse attacks.


> 
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> 

Once you have authentication going you may want to remove these.


> 
> # And finally deny all other access to this proxy
> #http_access deny all
> 

Re-enable that "deny all" rule as the last http_access line.

Amos
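The http_access ordering Amos describes in this reply, assembled into one squid.conf fragment as an added example; it is not part of the original thread and not Squid's shipped default configuration. It reuses the poster's ACL names, helper paths and blacklist file paths exactly as posted; the only names I introduce are admin_sites and sales_sites, which stand in for the poster's rule1 and rule2.

```conf
# --- ACL definitions (names and values from the posted config) ---
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777 8080
acl CONNECT method CONNECT

# Basic auth against LDAP, as posted
auth_param basic program /usr/lib64/squid/squid_ldap_auth -b "dc=test,dc=corp,dc=domain,dc=com" -f "uid=%s" test.corp.domain.com
auth_param basic children 5
auth_param basic credentialsttl 30 minutes
acl ldap-auth proxy_auth REQUIRED

# Group membership lookup; %LOGIN hands the authenticated user name to the helper,
# the ACL argument ("admin" / "sales") becomes %a in the filter.
external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "dc=test,dc=corp,dc=domain,dc=com" -D "ou=Groups,dc=test,dc=corp,dc=domain,dc=com" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Groups,dc=test,dc=corp,dc=domain,dc=com))" -h test.corp.domain.com
acl admin external ldap_group admin
acl sales external ldap_group sales

# One destination list per group (poster's file paths; admin_sites/sales_sites
# are my names for the poster's rule1/rule2)
acl admin_sites url_regex -i "/etc/squid/blacklists/admin/domains"
acl sales_sites url_regex -i "/etc/squid/blacklists/sales/domains"

# --- Protocol-safety rules first, as the default config intends ---
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Cache manager rules sit below the CONNECT rule, per the reply above
http_access allow manager localhost
http_access deny manager
http_access deny to_localhost

# --- INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS ---
# Challenge anyone not yet authenticated. An "allow ldap-auth" at this point
# would match every authenticated user and make the group rules unreachable.
http_access deny !ldap-auth
# Authenticated users are then restricted to their own group's site list.
http_access allow admin admin_sites
http_access allow sales sales_sites
# Everything else, including authenticated users in neither group, is denied.
http_access deny all
```

http_access is evaluated top to bottom and the first matching line wins, which is why the single `allow ldap-auth` in the posted config swallowed every later rule. A user who is a member of both groups gets the union of the two site lists; a user in neither group authenticates successfully but is then refused by the final `deny all`. Check the result with `squid -k parse` before reloading.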


