[squid-users] Squid Authentication if URL is on a Blacklist from SquidGuard

Eliezer Croitoru eliezer at ngtech.co.il
Thu Apr 6 16:41:51 UTC 2017


A copy of the message, which includes the script and the relevant details, is at: http://www.ngtech.co.il/paste/1758/raw/

Or on the list archives:
http://lists.squid-cache.org/pipermail/squid-users/2016-June/011047.html

Or in the following gist:
https://gist.github.com/elico/865938620fb7a61ce5293bbce0b2bb06

Eliezer

* Should I add it to the wiki?... this is a 3-clause BSD licensed piece of code

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Tuesday, April 4, 2017 9:18 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid Authentication if URL is on a Blacklist from SquidGuard

On 31/03/2017 9:22 p.m., CrossfireAUT wrote:
> Hello Squid-Community!
> 
> I need your help with a rather non-standard config.
> My aim is as following:
> -> Users that use my proxy (will deploy it via group policy in AD) should be
> able to use my proxy without authentication

If you have such a thing as AD and the ability to push Group Policy to
the users there is no need to avoid authentication.

Perhaps the client is actually asking to get away from lots of annoying
popups the browsers are forcing on them? If that is happening it is a
strong sign that the authentication system needs fixing. When it works
there should be zero popups.


> -> if a user invokes SquidGuard (he wants to call up a URL on my
> blacklists), he should get prompted for his username and password
> -> only users of the AD-group webusers should be able to continue and go to
> this site on the blacklist
> I know, it isn't the best way to use SquidGuard, but a customer wants it
> that way.

Ewww. Okay. See below....


> 
> My current config is as following:
> auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b
> "dc=xxxx,dc=local" -D testuser at xxxx.local -W /etc/squid/squid.secrets -f
> sAMAccountName=%s -h 172.30.0.36
> auth_param basic children 10
> auth_param basic realm xxxx
> auth_param basic credentialsttl 2 hours
> 
> external_acl_type webusers %LOGIN /usr/lib/squid/ext_ldap_group_acl -b
> "dc=xxxx,dc=local" -D testuser at xxxx.local -W /etc/squid/squid.secrets -f
> "(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=xxxx,dc=local))" -h
> 172.30.0.36
> 
> authenticate_ip_ttl 1 second
> 

Er, credentials are valid for 2 hours, but the "users" are jumping
around between IPs every second?

NP: the authenticate_ip_* stuff is irrelevant unless a maxuserip type
ACL is being used.

> 
> acl auth proxy_auth REQUIRED
> acl no_webusers dstdomain .xxxx.at
> acl ldapgroup_webusers external webusers webusers
> 
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> 
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> 
> http_access deny !auth
> http_access allow no_webusers
> 
> http_access allow ldapgroup_webusers
> 
> http_access deny all
> 
> http_port 3128
> 
> 
> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> url_rewrite_children 4
> 
> 
> 
> 
> So my users get prompted for their username/passwords every time they restart
> their browser.

Funky.
Have you checked that it is not simply the browser "Password Manager"
feature requesting access to their machine or AD "Domain login" details?

I have seen a few computer-illiterate people confuse their browser
"master password" with some form of password associated with their default
homepage website. This can be particularly bad when the homepage is set
to some popular social media site or search engine.


> If they call up a domain on my blacklists, they get ACCESS DENIED.
> 
> Does anyone know how you can achieve this?
> Until now, I tried really hard, and thought it would be a good idea to ask the
> user-list!

So, ignoring SG for now, the problem is a matter of access control. That
means the right way to do it is with ACLs in http_access.


To use SG as requested you need to make an external_acl_type helper that
receives the same things SG needs and passes them on to it, mapping the
result back to an OK/ERR result for Squid ACL use.
 [ IIRC Eliezer has posted a helper that does that to the list. ]

Then you can do something like:
  external_acl_type sgMapper ...
  acl testWithSg external sgMapper

  http_access allow testWithSg
  http_access deny !auth
  ...

Note that this does not involve the url_rewrite_* API. You can drop that
entirely. Unless you want some traffic to still be redirected/rewritten
by SG. In which case you need url_rewrite_access to define which traffic
SG applies to.

Amos

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
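A worked version of the mapper Amos describes, added here as an example; it is not Eliezer's helper from the links above and is not code from the thread. It reads Squid's external_acl_type request lines (format %URI %SRC %METHOD, deliberately without %LOGIN, since %LOGIN would force authentication before the blacklist check has even happened), feeds each one to a single long-running squidGuard child over the redirector protocol, and answers OK when squidGuard returns a redirect (URL on a blacklist) and ERR otherwise, so that http_access can demand credentials only for blacklisted URLs. The helper path /usr/local/bin/sg_acl.py, the ACL names sgMapper/testWithSg, the ttl values and the localnet range are assumptions; the squidGuard path /usr/bin/squidGuard and the auth/ldapgroup_webusers ACLs are taken from the config posted in the thread. Neither Squid nor squidGuard is run here; run_lines() drives the same loop with a stand-in command such as cat, which echoes every request back and therefore behaves like a squidGuard that blacklists everything.

```python
#!/usr/bin/env python3
"""
sg_acl.py: Squid external_acl_type helper that asks squidGuard whether a
request is on one of its blacklists and maps the answer to OK / ERR.
(Added example, not the helper from the thread; assumed names are marked.)

Matching squid.conf fragment (helper path, ACL names, ttl and localnet
values assumed; squidGuard path and auth/group ACLs from the posted config):

  external_acl_type sgMapper ttl=60 negative_ttl=60 children-max=4 \
      %URI %SRC %METHOD /usr/local/bin/sg_acl.py -c /etc/squidguard/squidGuard.conf
  acl testWithSg external sgMapper
  acl localnet src 172.30.0.0/16        # assumed LAN range

  # OK from the helper means "URL is on a blacklist"
  http_access deny testWithSg !auth                # 407 challenge only for blacklisted URLs
  http_access deny testWithSg !ldapgroup_webusers  # 403 unless in AD group webusers
  http_access allow localnet                       # everything else: no authentication
  http_access deny all

No url_rewrite_program is needed: squidGuard is consulted only as a test.
"""
import io
import subprocess
import sys
from typing import List, Optional, Sequence, TextIO, Tuple

SQUIDGUARD = "/usr/bin/squidGuard"   # path from the posted config


def parse_request(line: str, concurrent: bool = False) -> Tuple[Optional[str], List[str]]:
    """Split one Squid request line into (channel_id, fields). With
    concurrency=N on external_acl_type the line starts with a channel id
    that must be echoed back in front of the verdict."""
    fields = line.rstrip("\r\n").split()
    if concurrent:
        return (fields[0], fields[1:]) if fields else (None, [])
    return None, fields


def build_sg_line(uri: str, src: str, method: str) -> str:
    """Line squidGuard expects on stdin: URL client_ip/fqdn ident method.
    ident is '-': no user name is known (or required) at this point."""
    return f"{uri} {src}/- - {method}\n"


def classify(sg_answer: str) -> str:
    """Map a squidGuard reply to an external ACL verdict. squidGuard prints
    an empty line for URLs it leaves alone and a redirect URL (old protocol)
    or 'OK rewrite-url=...' / 'OK status=302 url=...' (Squid 3.4+ protocol)
    for blacklisted ones. OK = on a blacklist, ERR = not, BH = helper error."""
    ans = sg_answer.strip()
    if not ans or ans == "OK" or ans.startswith("ERR"):
        return "ERR"            # untouched: plain OK or ERR means "no rewrite"
    if ans.startswith("BH"):
        return "BH"
    return "OK"                 # a redirect was produced: URL is blacklisted


def serve(sg_cmd: Sequence[str], concurrent: bool = False,
          stdin: TextIO = sys.stdin, stdout: TextIO = sys.stdout) -> None:
    """Main loop: one verdict line per request line. squidGuard is started
    once; if it dies we answer BH and exit so Squid respawns this helper."""
    sg = subprocess.Popen(list(sg_cmd), stdin=subprocess.PIPE,
                          stdout=subprocess.PIPE, text=True, bufsize=1)
    try:
        for line in stdin:
            channel, fields = parse_request(line, concurrent)
            prefix = f"{channel} " if channel is not None else ""
            if len(fields) < 3:
                stdout.write(prefix + "BH message=malformed_request\n")
                stdout.flush()
                continue
            try:
                sg.stdin.write(build_sg_line(fields[0], fields[1], fields[2]))
                sg.stdin.flush()
                answer = sg.stdout.readline()
            except BrokenPipeError:
                answer = ""
            if answer == "":                      # EOF: squidGuard exited
                stdout.write(prefix + "BH message=squidGuard_exited\n")
                stdout.flush()
                break
            stdout.write(prefix + classify(answer) + "\n")
            stdout.flush()
    finally:
        sg.stdin.close()
        sg.wait()


def run_lines(sg_cmd: Sequence[str], lines: Sequence[str],
              concurrent: bool = False) -> List[str]:
    """Drive serve() with in-memory streams (for tests or a dry run)."""
    data = "".join(l if l.endswith("\n") else l + "\n" for l in lines)
    out = io.StringIO()
    serve(sg_cmd, concurrent, stdin=io.StringIO(data), stdout=out)
    return out.getvalue().splitlines()


if __name__ == "__main__":
    argv = sys.argv[1:]
    concurrent = False
    if argv and argv[0] == "--concurrent":     # pair with concurrency=N in squid.conf
        concurrent = True
        argv = argv[1:]
    serve([SQUIDGUARD] + argv, concurrent)     # remaining args (e.g. -c conf) go to squidGuard
```

With this OK/ERR mapping the deny lines have to come in the order shown in the docstring: "deny testWithSg !auth" is what makes Squid send the 407 challenge, and only for requests squidGuard flagged, so unflagged traffic never sees a credentials prompt. Squid caches each verdict for ttl seconds keyed on URI, source and method, so a blacklist change takes up to that long to bite on a cached request.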



More information about the squid-users mailing list