[squid-users] acl problem (Amos Jeffries)

Amos Jeffries squid3 at treenet.co.nz
Fri Sep 1 02:36:13 UTC 2017


On 01/09/17 00:44, Alex Gutiérrez Martínez wrote:
> Thanks for answering Mr. Jeffries, I just applied his recommendations, I 
> changed the "allow basic_ldap_auth" rule to "deny! Basic_ldap_auth",

Good.

> I 
> also left the acl names denied and removed their respective "acl deny 
> rule", and the rule "http_access deny" I left on the last line.

Hmm. I assume you are referring to the commenting out of the needless 
denies I mentioned. That looks okay now.

> Although "squid3 -k parse" did not give me problems, the link to 
> the ldap suddenly stopped working. Searching at 
> "http://www.squid-cache.org/Doc/config/" I saw that I had to change the 
> parameter "external_acl_type Group" to "external_acl_type ldap_group".

No, you can use any name you like for that parameter.

The first parameter of the external_acl_type directive is just a custom 
name / label to refer to that particular external helper in the acl 
lines later.

For example:

  external_acl_type foo ...

  acl ... external foo ...


> The Ldap user password has not changed and there are other applications 
> that are using the ldap correctly at this time, any suggestions?
> 

I see you also changed the rules giving permission for 'full' group to 
access the proxy. That change broke a few things.


> Here is a copy of my current configuration file
> 
> 
> # Hide the squid version
> httpd_suppress_version_string on
> # name we want squid to show as our host
> visible_hostname Hermes
> # we do not let anything pass through our proxy
> via off
> forwarded_for off
> follow_x_forwarded_for deny all
> # ports we will allow
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow localhost manager
> http_access deny manager

You have another set of rules at the bottom of the config for manager 
access. These rules let sqstat etc through without logging in, the ones 
at the bottom require login.

If you need sqstat etc to login, then remove these manager lines.

If you need sqstat etc to get through without login, then:
  * remove the above lines, and
  * move the sqstat rules from the bottom of the config up to just below 
the CONNECT rule below here.

> # We allow the insecure ports
> http_access allow !Safe_ports
> http_access allow CONNECT !SSL_ports

The above rules are supposed to be _preventing_ hacking attacks through 
your proxy. The default lines were very carefully designed to add that 
protection without overriding your local policies.
  The change to make the above use "allow" lets anybody through the 
proxy without any control (ouch).

Please return that to the default:
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports


Your rules for the 'manager' ACL should go somewhere after these rules. (That 
Best Practice has changed recently, so the 3.3 default config does not 
do it right.)


> debug_options ALL,9
> ########################################################
> #ldap auth#
> ########################################################
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -P  -R -b 
> "dc=empresa,dc=cuba,dc=cu" -D cn=ldap,ou=squid,dc=empresa,dc=cuba,dc=cu 
> -W /etc/squid3/clave.txt -f sAMAccountName=%s -v 3 -s sub -h 172.16.4.10
> external_acl_type Group %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -b 
> "dc=empresa,dc=cuba,dc=cu" -D 
> cn=cn=ldap,ou=squid,dc=empresa,dc=cuba,dc=cu -W /etc/squid3/clave.txt -f 
> "(&(objectclass=user)(sAMAccountName=%u) 
> (memberof=cn=%g,dc=empresa,dc=cuba,dc=cu))" -h 172.16.4.10

Is there actually a space in the middle of that -f parameter string?
I'm not very familiar with LDAP syntax, but the other configs I have 
seen using it do not have a space there.

NP: If it helps, Squid understands line wrapping in squid.conf. Just add 
a '\' as the last character and some whitespace at the beginning of the 
next line. That can help avoid email wrap problems.


> #######################################################
> # auth that does not work and must be fixed
> ##########################################################
> auth_param basic children 10
> auth_param basic realm hermes.empresa.cuba.cu
> auth_param basic credentialsttl 2 hour
> acl basic_ldap_auth proxy_auth REQUIRED

> http_access deny !basic_ldap_auth
> #http_access deny all
> ########################################################
> #selective restrictions#
> ########################################################
> acl dmz src 172.16.4.0/27
> acl navegacion src 192.168.9.0/24
> acl full external Group InternetFull
> acl limitado external Group InternetLimitado
> acl sociales dstdomain -n "/etc/squid3/bloqueo/sociales"
> acl extensiones urlpath_regex -i "/etc/squid3/bloqueo/listaextensiones"
> http_access deny !full sociales
> http_access deny !full !limitado navegacion
> http_access deny !full dmz


These extra changes are adding some new problems.

Earlier you had some allow lines to let the 'full' group use the proxy. 
They were okay [assuming that was what you wanted], only the way they 
interacted with the login ACL was broken.

You do need some allow lines to tell Squid what to allow for logged in 
users. The order you need for best use of authentication is this:

  # rules for things that do not require authentication
  http_access allow/deny ...

  # require authentication to happen
  http_access deny !login

  # rules for authenticated users
  http_access allow/deny ...

  # prevent any other / unexpected access of the proxy
  http_access deny all


It may help if you write out your policy in human language statements, 
being as simple as you can. Each statement will then usually be an 
http_access line and you can shuffle the order around until the config 
file 'reads' correctly to both you/us and Squid.

Note: if you find yourself writing 'except' or 'unless' that means there 
are probably going to be multiple http_access lines to match your policy 
statement, with the exception ones being ordered first.


For example reading your current rules:

 > http_access deny !full sociales

* "everyone not in group full are denied access to sociales domains"

 > http_access deny !full !limitado navegacion

* "everyone not in group full and not in group limitado and on a 
navegacion machine are denied"

  -> see how this is very clumsy to write in human language. That 
probably means a mistake and things could be simpler.

 > http_access deny !full dmz

* "everyone not in group full and coming from dmz are denied"


It is usually better to design in a way that avoids so many '!' / not 
statements. That is both easier for us humans to read and understand, 
and usually faster for Squid to process - especially when it has to 
pause the transaction and wait for a helper response on each ACL test.

e.g. from what you have mentioned so far I think you want to end up with 
something like this:

  # ... some rules for anything 'full' group are denied ?

  # otherwise, 'full' group are allowed through unrestricted
  http_access allow full

  # ... things denied to everyone outside the 'full' group
  http_access deny dmz
  http_access deny sociales

  # ... navegacion are allowed if their user is in 'limitado' group
  #     (except to 'sociales' domains)
  http_access allow navegacion limitado

  # no more things are allowed
  http_access deny all



> ########################################################
> #mandatory restrictions#
> ########################################################
> #acl blacklist url_regex -i "/etc/squid3/listanegra"
> #http_access deny blacklist
> acl bl7 dstdomain -n "/etc/squid3/bloqueo/correos"
> #http_access allow full !limitado bl7
> acl bl1 url_regex -i "/etc/squid3/bloqueo/porno"
> #http_access deny bl1
> acl bl2 url_regex -i "/etc/squid3/bloqueo/android"
> #http_access deny bl2
> acl bl3 url_regex -i "/etc/squid3/bloqueo/prox1"
> #http_access deny bl3
> acl bl4 url_regex -i "/etc/squid3/bloqueo/prox2"
> #http_access deny bl4
> acl bl5 url_regex -i "/etc/squid3/bloqueo/prox3"
> #http_access deny bl5
> acl bl6 url_regex -i "/etc/squid3/bloqueo/prox4"
> #http_access deny bl6
> #acl ladmin src "/etc/squid3/ladmin"


> #########################################################################
> #parent proxy #
> #########################################################################
> cache_peer 172.16.1.24 parent 8000 0
> # never allow direct connections, always go through the proxy
> never_direct allow all
> #######################################################################
> # port the proxy will listen on
> http_port 3128
> ###############################################################################
> maximum_object_size 100 MB
> cache_dir aufs /var/cache/squid3 1024000 16 256
> cache_mem 128 MB
> cache_store_log /var/cache/squid3/cache_store.log
> coredump_dir /var/cache/squid3/dump
> #minimum_expiry_time 600 seconds
> ############################
> client_db off
> offline_mode off
> cache_swap_low 5
> cache_swap_high 10
> cache_replacement_policy heap GDSF
> maximum_object_size_in_memory 256 KB
> chunked_request_body_max_size 4096 KB
> half_closed_clients off
> quick_abort_min 2 KB
> ############################
> # set the dump files in /var/cache/squid3/
> coredump_dir /var/cache/squid3/
> ###############################################################################
> # Set the cache refresh patterns #
> # refresh pattern -- file type -- object age -- % refresh -- time #
> # 1440 minutes equal 24 hours #
> ###############################################################################
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i .(gif|png|jpg|jpeg|ico)$ 10080 20% 43200 
> override-expire ignore-no-store ignore-private
> refresh_pattern -i .(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 20% 
> 432000 override-expire ignore-no-store ignore-private
> #refresh_pattern -i (/cgi-bin/|?) 0 0% 0
> refresh_pattern . 0 20% 4320
> max_filedescriptors 3200
> ## how much squid tries to cache on my behalf
> read_ahead_gap 256 KB
> #################
> #sqstat
> #################
> #acl manager proto cache_object
> # replace 10.0.0.1 with your webserver IP
> acl webserver src 172.16.4.25/27
> http_access allow manager webserver
> http_access allow localhost manager
> http_access deny manager
> ###############################################################################
> #Delay#
> ###############################################################################
> client_delay_initial_bucket_level 60
> delay_initial_bucket_level 75
> delay_pools 2
> memory_pools off
> 
> # Channel 1 extensions.
> delay_class 1 2
> delay_parameters 1 16384/32768 8192/16384
> delay_access 1 allow sociales extensiones
> delay_access 1 deny all
> 
> # Channel 2 for users.
> delay_class 2 2
> delay_parameters 2 65536/65536 32768/32768
> delay_access 2 allow navegacion
> delay_access 2 deny all
> http_access deny all
> #end of line
> ####################################################################################
> 
> 
> 
> 
> PS: Please forgive my English, it's not my native language.
> 
> -- 
> Kind regards
> 
> Lic. Alex Gutiérrez Martínez
> 
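As an added illustration of the ordering points in the reply above (this is example code written for this page, not code from Squid or from either poster), the following Python script models how Squid walks the http_access list: first matching line wins, ACL names on one line are ANDed, and '!' negates one ACL. It parses two sets of http_access lines, the one quoted from the posted squid.conf and the one suggested in the reply, and evaluates a few requests against both. The ACL names come from the quoted config; the group memberships, client addresses and the 'sociales' domain list are constructed sample data standing in for the ext_ldap_group_acl helper and the /etc/squid3/bloqueo/sociales file.

```python
"""Toy model of Squid's http_access evaluation (added example, not Squid code).
Semantics follow the documented squid.conf rules: every ACL on one line must
match (AND), a leading '!' negates that ACL, the first matching line decides,
and with no match the answer is the opposite of the last line's action.
Group membership and the 'sociales' list below are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    src: str                          # client IP address
    host: str                         # destination host name
    port: int                         # destination port
    method: str = "GET"
    user: Optional[str] = None        # None = no Proxy-Authorization sent
    groups: frozenset = frozenset()   # what the group helper would report (constructed)


SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}   # from the quoted config
SOCIALES = {"social.example", "chat.example"}             # constructed stand-in list


def _in_net(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


# One predicate per ACL name used in the http_access lines under discussion.
ACLS: Dict[str, Callable[[Request], bool]] = {
    "Safe_ports": lambda r: r.port in SAFE_PORTS or 1025 <= r.port <= 65535,
    "SSL_ports": lambda r: r.port == 443,
    "CONNECT": lambda r: r.method == "CONNECT",
    "basic_ldap_auth": lambda r: r.user is not None,   # proxy_auth REQUIRED
    "dmz": lambda r: _in_net(r.src, "172.16.4.0/27"),
    "navegacion": lambda r: _in_net(r.src, "192.168.9.0/24"),
    "full": lambda r: "InternetFull" in r.groups,
    "limitado": lambda r: "InternetLimitado" in r.groups,
    "sociales": lambda r: r.host in SOCIALES,
    "all": lambda r: True,
}

Rule = Tuple[str, List[str]]


def parse_http_access(conf: str) -> List[Rule]:
    """Pull the http_access lines out of squid.conf text, keeping file order."""
    rules: List[Rule] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("http_access"):
            continue
        _, action, *acls = line.split()
        if action not in ("allow", "deny") or not acls:
            raise ValueError(f"malformed line: {raw!r}")
        for name in acls:
            if name.lstrip("!") not in ACLS:
                raise ValueError(f"unknown acl {name!r} in {raw!r}")
        rules.append((action, acls))
    return rules


def _term_matches(term: str, req: Request) -> bool:
    negated = term.startswith("!")
    return ACLS[term.lstrip("!")](req) != negated


def evaluate(rules: List[Rule], req: Request) -> str:
    """Return 'allow' or 'deny' for req under the given http_access lines.
    (Real Squid turns a deny on an unauthenticated proxy_auth ACL into a
    407 challenge; that detail is collapsed to plain 'deny' here.)"""
    for action, terms in rules:
        if all(_term_matches(t, req) for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(conf: str, req: Request) -> str:
    return evaluate(parse_http_access(conf), req)


# http_access lines as quoted in the thread (manager lines left out).
AS_POSTED = """
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access deny !basic_ldap_auth
http_access deny !full sociales
http_access deny !full !limitado navegacion
http_access deny !full dmz
http_access deny all
"""

# The ordering suggested in the reply: defaults restored, login required,
# then allow/deny lines for authenticated users, then deny all.
RECOMMENDED = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !basic_ldap_auth
http_access allow full
http_access deny dmz
http_access deny sociales
http_access allow navegacion limitado
http_access deny all
"""

if __name__ == "__main__":
    cases = {
        "no login, port 25": Request("10.9.9.9", "mail.example", 25),
        "full user, social site": Request("192.168.9.10", "social.example", 80,
                                          user="ana", groups=frozenset({"InternetFull"})),
    }
    for label, req in cases.items():
        print(f"{label:24} posted={decide(AS_POSTED, req):5} recommended={decide(RECOMMENDED, req)}")
```

Two things the run makes visible: with "allow !Safe_ports" at the top, a request to a non-Safe port is allowed before any login check runs, which is the "lets anybody through" problem; and in the posted ordering even a 'full' user ends at "deny all" because no allow line precedes it, which is why the reply insists on allow lines for logged-in users.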

