[squid-users] External ACL Lookup

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 6 12:42:30 UTC 2016


On 6/04/2016 9:16 a.m., Craddock, Tommy wrote:
> Hello,
> 
> Trying to use an external ACL helper to do a lookup of my user in a group in a Windows AD.  I can test from the command line:
> 
> 
> /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D Squid at example.com -W /etc/squid/password -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h dc01.example.com
> tcraddock at EXAMPLE.COM Full.Access
> OK
> 

I'm always a little suspicious about whitespace in the LDAP parameters.
Such as you have for "ou=Some Group" in the -f filter.

It does depend on how new vs old your Squid is whether that will be
treated as two parameters or one passed to the helper by Squid. The
commmad line test will always pass it as one parameter.

If you can rework your ou= parameter to avoid the whitespace it might
work better (just a maybe, but you do have Squid 3.1).

> 
> In the cache.log w/debug set to ALL,3:
> 
> 2016/04/05 16:54:39.768| aclMatchExternal: memberof user not authenticated (0)
> GETTING KERB TOKEN.....
> ...
> 2016/04/05 16:54:39.780| authenticateAuthUserAddIp: user 'tcraddock at EXAMPLE.COM' has been seen at a new IP address (172.23.5.193:56059)
> 2016/04/05 16:54:39.780| aclMatchExternal: memberof("tcraddock at EXAMPLE.COM Full.Access") = lookup needed
> 2016/04/05 16:54:39.780| aclMatchExternal: "tcraddock at EXAMPLE.COM Full.Access": entry=@0, age=0
> 2016/04/05 16:54:39.780| aclMatchExternal: "tcraddock at EXAMPLE.COM Full.Access": queueing a call.
> 2016/04/05 16:54:39.780| aclMatchExternal: "tcraddock at EXAMPLE.COM Full.Access": return -1.
> 2016/04/05 16:54:39.780| externalAclLookup: lookup in 'memberof' for 'tcraddock at EXAMPLE.COM Full.Access'
> 2016/04/05 16:54:39.784| externalAclHandleReply: reply="ERR"
> 2016/04/05 16:54:39.785| external_acl_cache_add: Adding 'tcraddock at EXAMPLE.COM Full.Access' = 0
> 2016/04/05 16:54:39.785| aclMatchExternal: memberof = 0
> 
> In the file referenced in the ACLs:
> 
> acl RestrictedAccess    external memberof "/etc/squid/restricted_access.txt"
> acl FullAccess          external memberof "/etc/squid/full_access.txt"
> 
> 
> it has:
> 
> cat /etc/squid/full_access.txt
> Full.Access
> 
> cat /etc/squid/restricted_access.txt
> Restricted.Access
> 

Speaking of white spaces. The only reason for using files there is when
the group name contains a whitespace character. TO avoid a squid.conf
parser bug (Sorry). If those dots are in fact dots and not spaces, then
you dont need the extra files.


> Im not sure why the logs show my user is getting ERR as the response to group checking, when I run it from the command line, I get an OK.
> 
> 
> Info about my setup:
> 
> [root at clwslprox01p squid]# squid -v
> Squid Cache: Version 3.1.23
> configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-internal-dns' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-arp-acl' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' '--enable-ntlm-auth-helpers=smb_lm,no_check,fake
auth' '--enable-digest-auth-helpers=password,ldap,eDirectory' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--enable-http-violations' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall -W
p,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' --with-squid=/builddir/build/BUILD/squid-3.1.23
> 
> [root at clwslprox01p squid]# cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 6.7 (Santiago)
> 
> Using negotiate w/NTLM and Kerberos to do user auth, and trying to use external helpers to do group lookups to a Windows AD.  Windows AD is 2008 and 2012 in my env.
> 
> Squid.conf:
> 
> 
> ### cache manager
> cache_mgr pclan at example.com
> 
> #Define the cache_peer to be used
> # cache_peer proxy1.ap.webscanningservice.com parent 3128 0000 default no-query no-digest
> # cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest
>   cache_peer proxy1.us.webscanningservice.com parent 3128 0000 default no-query no-digest
> # cache_peer proxy1.hk.webscanningservice.com parent 3128 0000 default no-query no-digest
> # cache_peer proxy1.eu.webscanningservice.com parent 3128 0000 default no-query no-digest
> 
> 
> ### negotiate kerberos and ntlm authentication
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE.COM --require-membership-of=EXAMPLE\\Full.Access -kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
> 
> ### pure ntlm authentication
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE\\Full.Access
> auth_param ntlm children 30
> auth_param ntlm keep_alive off
> 
> ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=example,dc=com" -D Squid at EXAMPLE.COM -W /etc/squid/password -f sAMAccountName=%s -h DC01.EXAMPLE.COM
> auth_param basic children 10
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 1 minute
> 


Your NTLM and Negotiate authenticators have a parameter requiring
membership of the Ful.Access group as part of the auth process.

That means you should be able to use the auth type to tell what group
they are a member of.


> ### ldap authorisation
> external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -S -b "dc=example,dc=com" -D Squid at EXAMPLE.COM -W /etc/squid/.ldappass.txt -f "(&(objectclass=person)(sAMAccountName=$)(memberof=cn=%g,ou=Some Group,dc=EXAMPLE,dc=COM))" -h DC01.EXAMPLE.COM
> 
> ### acl for proxy auth and ldap authorizations
> acl our_networks src  172.16.0.0/12 10.0.0.0/8 192.170.0.0/24
> acl INTERNAL dst 172.16.0.0/12 10.0.0.0/8
> acl auth proxy_auth REQUIRED
> acl HEAD method HEAD
> acl RestrictedAccess    external memberof "/etc/squid/restricted_access.txt"
> acl FullAccess          external memberof "/etc/squid/full_access.txt"
> acl Approved_Domains dstdomain "/etc/squid/acls/approved.txt"
> acl WindowsUpdate dstdomain -i "/etc/squid/acls/windowsupdates.txt"
> acl local-servers dstdomain "/etc/squid/acls/localservers.txt"
> acl RestrictedHost src "/etc/squid/acls/restrictedhost_ip.txt"
> acl bypass_auth src "/etc/squid/acls/bypass_auth_src_ip.txt"
> acl bypass_auth-external dstdomain "/etc/squid/acls/bypass_auth_dst_domain.txt"
> acl blocksites dstdomain "/etc/squid/acls/block_sites.txt"
> acl DIRECT src "/etc/squid/acls/direct_src_ip.txt"
> acl DIRECT-external dstdomain "/etc/squid/acls/direct_dst_domains.txt"
> acl Smartconnect dstdomain ned.webscanningservice.com
> acl Java browser Java/[0-9]
> acl JavaSites dstdomain .gotomeeting.com
> always_direct allow INTERNAL
> always_direct allow local-servers
> cache deny INTERNAL
> cache deny local-servers
> 
> 
> 
> ### squid defaults
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl SSL_ports port 443 563 33808
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443 563     # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> #allow custom ports
> acl goto_meeting dst 216.115.208.0/20 216.219.112.0/20 66.151.158.0/24 66.151.150.160/27 66.151.115.128/26 64.74.80.0/24 202.173.24.0/21 67.217.64.0/19 78.108.112.0/20 68.64.0.0/19 206.183.100.0/22
> acl Safe_ports port 8200        # gotomeeting
> acl Safe_ports port 31303 33808 # TD Merchant
> acl Safe_ports port 8443        # Symantec SEP Manager
> acl Safe_ports port 8014               # Symantec SEPM Client
> acl SSL_ports port 9443         # pingdevfed
> acl SSL_ports port 9444         # pingdevfed
> acl SSL_ports port 5443         # pingdev
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> #http_access deny !memberof
> http_access allow localhost
> http_access allow HEAD
> http_access deny !our_networks
> http_access allow Smartconnect
> http_access deny blocksites all
> http_access allow Approved_Domains
> http_access deny RestrictedHost all
> http_access allow FullAccess auth

NP: FullAccess and auth ACLs require authentication to take place.

What is the point of the Java and WindowsUpdate and bypass_auth ACLs
being tested *after* auth has already been required of the client?

Surely the bypasses should be first and the auth related things after.

> http_access allow Java
> http_access allow WindowsUpdate
> http_access allow bypass_auth
> http_access allow bypass_auth-external
> http_access allow goto_meeting
> http_access allow our_networks all
> http_access allow Java our_networks JavaSites
> http_access allow auth
> http_access deny !auth
> http_access deny all
> 

Generally the best pattern to use when designing http_access sequences
is this:

+ allow <things that bypass auth>
+ "deny !auth"
+ allow <things that require auth>
+ "deny all"



Amos




More information about the squid-users mailing list