[squid-users] Cannot get ACL to work

Amos Jeffries squid3 at treenet.co.nz
Wed Sep 14 13:35:13 UTC 2016


On 14/09/2016 5:43 p.m., Jason Leshchyshyn wrote:
> Ugh, I am trying to get Squid to deny access to a particular AD group, but when I enable the rule, then it denies everyone.
> 
> This is what I have in squid.conf
> 
> # NTLM
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
> auth_param ntlm keep_alive on
> 
> # Limit access for Factory users
> external_acl_type nt_group %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
> acl FactoryDeny external nt_group sec_deny_internet
> http_access deny FactoryDeny
> 

Move all that below the "deny !auth" line. One would expect clients to
login before group checking. Order is important.


> acl auth proxy_auth REQUIRED
> http_access deny !auth
> http_access allow auth
> 
> -=-
> I have verified the ext_wbinfo_group_acl works:
> 
> [root at fac-proxy squid]# ./ext_wbinfo_group_acl -d
> Debugging mode ON.
> user sec_vpn_users
> Got user sec_vpn_users from squid

This is irrelevant: sec_vpn_users is not a group in the config above.

> user sec_deny_internet
> Got user sec_deny_internet from squid
> User: -user-
> Group: -sec_deny_internet-
> SID: -S-1-5-21-1978138449-291607360-3720246513-18148-
> GID: -1677721-
> Sending ERR to squid
> 

Meaning the "deny FactoryDeny" is false (no deny action) when the
username is "user".


> Because this is a production server there's a bunch of traffic on it so I can't catch too much of the log, but this is what I can see with debugging turned on:
> 
> 2016/09/13 23:22:32.552 kid1| Acl.cc(336) matches: ACLList::matches: checking FactoryDeny
> 2016/09/13 23:22:32.552 kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'FactoryDeny'
> 2016/09/13 23:22:32.552 kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'FactoryDeny' is -1
> 

Login credentials are unknown (-1). Authentication needs to be performed
and the ACLs checked again.


> 2016/09/13 23:22:32.552 kid1| Acl.cc(343) matches: FactoryDeny failed.
> 2016/09/13 23:22:32.552 kid1| Acl.cc(354) matches: FactoryDeny result is false
> 
> If the result is false then the deny should be false and it should continue to the next rule, right?
> 

Normally yes, but authentication is involved here and that makes it a
bit more complex.

Since the external_acl_type uses %LOGIN and responds with -1, that is a
signal that the false actually means Squid is to generate the 407/401
response to make authentication happen. The http_access action is not
known yet, and won't be until the client presents some credentials.


The suggestion above to place the authentication above the group lookup
simplifies things again by ensuring that auth has already happened and
this special-case situation with %LOGIN does not happen very often.

Amos
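The reordered squid.conf that the reply above describes, written out as an added example (not from the original post or from the Squid project); the final `http_access deny all` is an assumed explicit default that the poster's config left implicit:

```conf
# NTLM authentication (unchanged from the original post)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on

acl auth proxy_auth REQUIRED

# Group lookup helper. %LOGIN needs a known username, so the ACL that uses
# it must only be evaluated once authentication has already succeeded.
external_acl_type nt_group %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
acl FactoryDeny external nt_group sec_deny_internet

# 1. Unauthenticated requests stop here and receive the 407 challenge.
http_access deny !auth
# 2. The username is now known, so the helper returns a real OK/ERR for the
#    group and "deny FactoryDeny" is no longer the -1 "credentials unknown" case.
http_access deny FactoryDeny
# 3. Every other authenticated user is allowed.
http_access allow auth
# 4. Assumed explicit default; Squid's implicit default would be the same here.
http_access deny all
```

Only the relative order of the `http_access` lines matters; the `acl` and `external_acl_type` definitions can sit anywhere before the rule that references them.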