[squid-users] Only allow specific Users per Port

Amos Jeffries squid3 at treenet.co.nz
Sat Jan 26 04:21:04 UTC 2019


On 26/01/19 4:19 pm, Schokobecher wrote:
> Hello,
> 
> I'm struggling quite a bit with transitioning from basic_ncsa_auth to
> basic_db_auth.
> I have some ports where only certain users (sometimes just one) are
> allowed to connect/pass the ACL check.
> 
> I'm running Squid 3.28 on Ubuntu  
> 
> I have lines like this:
> acl userA proxy_auth_regex -i userA
> 
> Which reads the htpasswd file and matches the user based on the regex.

That is technically wrong. When figuring out this type of problem the
details matter.

That is an ACL which reads the HTTP request message for details and
matches true if it finds "usera" or any case-insensitive variation of that.

It has a prerequisite that the auth system has already authenticated
those credentials as valid. But the ACL itself does not do any of that.

As a result of that seemingly minor detail that ACL will happily
non-match when it should match if the access control using it is a
'fast' category control. Correlated with that it may also wrongly match
if the ACL is configured in a '!' modifier.



> Port config looks like this:
> 
> http_port 3201 name=3201
> acl userA3201 myportname 3201
> cache_peer example.com parent 3300 0 no-query no-digest proxy-only standby=60 name=up01
> cache_peer_access  up01  allow userA3201
> never_direct allow userA3201
> http_access allow  userA3201 userA

So "usera" is allowed when they use port 3201.

What else have you configured? This line *cannot* be the one allowing
other users to that port, nor this user to other ports. Some other line
or combination of lines is doing that.


> 
> And that for multiple Ports.
> 
> I now want to transition to basic_db_auth and got it up and running, but
> the problem is that the above does not work anymore. All authed users
> can now connect to every port.
> 

That implies something in your access controls changed. The few you have
mentioned do not show anything related to the problem.

OR, maybe you set the DB helper to return OK for users unrelated to the
actual HTTP request client. You have omitted those details too.


> UserA can use Port 3201,3202,3206 for connecting to the proxy
> UserB can't use these and only can use 3315
> 
> What is the best/cleanest way to regain the above functionality?

Cleanest way is to:

 1) revert to the old config file. Check that it still works.

 2) check that the new SQL DB contents match the NCSA htpasswd entries.

 3) change only the auth_param "program" line setting which helper is
used. Nothing else, not even other auth_param lines should be touched (yet).

 4) check that the proxy behaviour has not changed in regards to who is
getting to what.
  - if there is a change then your parameters to the DB helper need fixing.
  - otherwise the problem stated above is solved and you can move on to other
changes.


Amos
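
One way to carry out the comparison in step 2, as an added example that is not part of the original message or of Squid itself. It assumes the table and column names `passwd`, `user`, `password` and `enabled` (adjust them to whatever your basic_db_auth options select), assumes hashes were copied verbatim from the htpasswd file, and uses an in-memory SQLite database with constructed rows as a stand-in for the real SQL server.

```python
import sqlite3

def load_htpasswd(text):
    """Parse htpasswd text into {user: hash}, skipping blanks and comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, pw_hash = line.split(":", 1)
        users[user] = pw_hash
    return users

def load_db(conn, table="passwd", usercol="user", passwdcol="password", flagcol="enabled"):
    """Read {user: (hash, enabled)}; table and column names are assumptions."""
    rows = conn.execute(f'SELECT "{usercol}", "{passwdcol}", "{flagcol}" FROM "{table}"')
    return {u: (h, bool(e)) for u, h, e in rows}

def compare(ht, db):
    """Report differences that would change who can authenticate."""
    report = {"missing_in_db": [], "extra_in_db": [], "disabled_in_db": [],
              "hash_differs": [], "case_only_match": []}
    db_lower = {u.lower(): u for u in db}
    for user, pw_hash in sorted(ht.items()):
        if user in db:
            db_hash, enabled = db[user]
            if not enabled:
                report["disabled_in_db"].append(user)
            if db_hash != pw_hash:  # meaningful only if hashes were copied as-is
                report["hash_differs"].append(user)
        elif user.lower() in db_lower:
            # Same name in different case: result depends on the DB collation.
            report["case_only_match"].append((user, db_lower[user.lower()]))
        else:
            report["missing_in_db"].append(user)
    ht_lower = {u.lower() for u in ht}
    report["extra_in_db"] = sorted(u for u in db if u.lower() not in ht_lower)
    return report

# Constructed sample data (not from the thread).
HTPASSWD = "userA:$apr1$x$aaaa\nuserB:$apr1$x$bbbb\nuserC:$apr1$x$cccc\nuserE:$apr1$x$eeee\n"
DB_ROWS = [("userA", "$apr1$x$aaaa", 1), ("userb", "$apr1$x$bbbb", 1),
           ("userC", "$apr1$x$changed", 0), ("userD", "$apr1$x$dddd", 1)]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE passwd ("user" TEXT, "password" TEXT, "enabled" INTEGER)')
    conn.executemany("INSERT INTO passwd VALUES (?, ?, ?)", DB_ROWS)
    return compare(load_htpasswd(HTPASSWD), load_db(conn))

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Any non-empty list in the report is a difference to resolve before moving on to step 3, so that a later change in proxy behaviour can be attributed to the helper settings alone.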

