[squid-users] Antw: Re: CentOS Linux 7 / squid-3.5.20-2.el7.x86_64 / LDAP / ECAP / squidGuard blacklisting

bjoern wahl bjoern.wahl at hospital-borken.de
Thu Dec 22 07:44:00 UTC 2016


Hello!

Thanks for your input.

Remember: This is still a test environment.

Nevertheless I very much appreciate your answer.

Let's do it one by one.

-> This was never meant to be a tutorial. I just sent this because such
info would have saved me some time, and as I didn't find any
information on eDir/LDAP/Squid auth I just thought it would be nice to
post some info; it was never meant to be a perfect solution to copy.

Skipping 1-2 things you mentioned, the next thing to answer would be the
"bypass=off" info you gave.

-> Thanks for this, I also found that and corrected it.

The security rules in the config that are ignored...

-> This is because of the whole testing I did here. These are leftovers
from the standard config coming with the installation.

Your comment on SquidGuard and HTTPS.

-> It is right that SquidGuard is blocking HTTPS with this config. So
there are two questions:

1.) What else to use than SquidGuard?
2.) Or how to deal with HTTPS?

Regarding the clear-text credentials:

-> What would be your alternative in this environment?

Thanks for your time!

Björn

On 21/12/2016 11:24 p.m., bjoern wahl wrote:
> Hello!
>
> Just for those who would like to have a:
>
> Squid with LDAP user auth on an eDirectory with an ecap (watch out! It
> is not i-cap!) virus check and squidGuard for blacklisting.
>
> One thing not working for me so far is the redirect to a virus info
> site if ecap/clamd did find a virus. By now the user is informed that the
> access was "denied" but not why. A thing I do not like with this setup
> right now. (still working on this!)

You have missed out the most important part of this tutorial...
  Where to get the eCAP adapter.


>
> The working squid.conf looks like this:
>
> =================================================================
> cache_mgr xxx at mail.de
> http_port IPADDRESSOFSERVER:3128

Or just use the default "http_port 3128" config line provided. If you
hard-code IP addresses unnecessarily into configs you just make yourself
do extra work maintaining them.

> acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> acl SSL_ports port 443
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl CONNECT method CONNECT
> auth_param basic program /usr/lib64/squid/basic_ldap_auth -b o=XXXX -h
> IPOFEDIRSERVER -D cn=XXX,o=XXX -w PASSWORDOFUSER -f
> "(&(objectclass=User)(cn=%s))"
> auth_param basic children 5
> auth_param basic realm WHATEVER-YOU-LIKE-TO-TELL-THE-USER
> auth_param basic credentialsttl 2 hours
> ecap_enable on
> loadable_modules /usr/local/lib/ecap_clamav_adapter.so
> ecap_service clamav_service_req reqmod_precache
> uri=ecap://e-cap.org/ecap/services/clamav?mode=REQMOD bypass=off
> ecap_service clamav_service_resp respmod_precache
> uri=ecap://e-cap.org/ecap/services/clamav?mode=RESPMOD bypass=on

Since bypass=on, if the eCAP service has any error (such as finding a
virus, perhaps?) the eCAP adapter will stop being used for some minutes.

If you want scanners like this to filter all traffic you need to set
bypass=off and fix any/every-thing that causes service outages.


> adaptation_access clamav_service_req allow all
> adaptation_access clamav_service_resp allow all
> acl ediruser proxy_auth REQUIRED
> http_access allow ediruser
> http_acbypass them completely for all traffic?

The http_access lines above this should all be down ...

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager

... here.

At which point you will find yourself looking at two "deny all" rules in
a row. Do the obvious to fix that.

> http_access deny all
> http_port 3128
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> refresh_pattern .        0    20%    4320
> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
> url_rewrite_children 15
> url_rewrite_access allow all

Which is the default setting for the "url_rewrite_access" directive.

And BTW, SquidGuard cannot cope with many HTTP extension request methods
in modern traffic. You will at the very least have to prevent it seeing
the CONNECT messages.

You should then realize that any users doing HTTPS can easily bypass
your SG URL mangling "control". If you are lucky right now SG will be
"blocking" HTTPS by breaking the Squid transaction on each attempt to
use it.

Otherwise what this config actually does is cause clients to send their
user credentials in clear-text across the network, while possibly
letting any client that can see and re-use another user's credentials
create tunnels through the proxy. Hackers' paradise.

Amos
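A small configuration check, added here as an example and not code from Squid or from anyone in the thread, that flags the three problems Amos points out (bypass=on on the response scanner, the auth "allow" placed above the Safe_ports/CONNECT denies, and CONNECT reaching the URL rewriter) in a constructed squid.conf excerpt modelled on the quoted one:

```python
# Constructed squid.conf excerpt modelled on the one quoted in the thread.
SAMPLE_CONF = """\
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
ecap_service clamav_service_req reqmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=REQMOD bypass=off
ecap_service clamav_service_resp respmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=RESPMOD bypass=on
acl ediruser proxy_auth REQUIRED
http_access allow ediruser
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny all
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_access allow all
"""

def lint_squid_conf(text):
    """Return (line_no, message) pairs for the issues raised in the thread."""
    findings = []
    auth_acls = set()            # names of proxy_auth ACLs seen so far
    safety_denies_seen = False   # deny !Safe_ports / deny CONNECT !SSL_ports
    rewriter_skips_connect = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        directive, *args = line.split()
        if directive == "acl" and len(args) >= 2 and args[1] == "proxy_auth":
            auth_acls.add(args[0])
        elif directive == "ecap_service" and "bypass=on" in args:
            findings.append((no, f"ecap_service {args[0]}: bypass=on lets traffic "
                                 "through unscanned while the adapter is marked down"))
        elif directive == "http_access":
            if args[0] == "deny" and args[1:] in (["!Safe_ports"], ["CONNECT", "!SSL_ports"]):
                safety_denies_seen = True
            elif args[0] == "allow" and any(a in auth_acls for a in args[1:]) \
                    and not safety_denies_seen:
                findings.append((no, "http_access allow on an auth ACL appears before "
                                     "the deny !Safe_ports / deny CONNECT !SSL_ports rules"))
        elif directive == "url_rewrite_access":
            if args[0] == "deny" and "CONNECT" in args:
                rewriter_skips_connect = True
            elif args[0] == "allow" and "all" in args and not rewriter_skips_connect:
                findings.append((no, "url_rewrite_access allow all: CONNECT requests "
                                     "are handed to the URL rewriter (SquidGuard)"))
    return findings
```

Reordering the allow below the denies, setting bypass=off and adding "url_rewrite_access deny CONNECT" before "allow all" makes the checker return an empty list.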

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users