[squid-users] Problem with squid proxy authentication configuration

Amos Jeffries squid3 at treenet.co.nz
Wed Jun 10 14:34:40 UTC 2020


On 10/06/20 9:26 pm, Amiq Nahas wrote:
> Hi Guys,
> 
> I am trying to configure squid so as to have user proxy
> authentication; below is what my squid.conf file looks like:
> 
> -----
> acl SSL_ports port 443
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl CONNECT method CONNECT
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access deny all
> http_port 3128
> coredump_dir /var/spool/squid
> 
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
> refresh_pattern .        0    20%    4320
> -----
> 
> The above lines were default in squid.conf file.
> 
> I have added below lines:
> 

*Where* did you add them? Order is important.


> -----
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> 
> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/echo
> adaptation_access service_req allow all
> 
> icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/echo
> adaptation_access service_resp allow all
> 
> acl ncsa src 0.0.0.0/0.0.0.0

Don't do that. Use "all" to match any IP address.

If you want to match IPv4-only clients there is a special value "ipv4"
which is used like so:
  acl ipv4_only src ipv4

Be careful with this type of control. Different access behaviours for
IPv4 and IPv6 are how security bypass issues are created.



> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
> auth_param basic realm proxy
> acl ncsa proxy_auth REQUIRED

"ncsa" was already defined as an IP address matching ACL.


> http access allow ncsa


This will only allow clients who are already trying to send credentials.
It will not inform clients that they need to and no sane client will
broadcast its credential secrets unless it has to.

To have HTTP auth work in the usual way it is best to *deny*
non-authenticated traffic and allow based on any other criteria you
have. Like so:

  http_access deny !ncsa
  http_access allow localnet

or

  http_access deny !ncsa
  http_access allow ncsa





Amos
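The following is an added example, not Squid code and not part of the
reply above. It is a toy model of http_access evaluation that encodes, in
deliberately simplified form, the two behaviours the reply relies on
(assumption: first full match wins, top to bottom, and a request without
credentials is challenged with 407 only when the line that denied it ended
in a proxy_auth ACL; all other denials are a plain 403). The ACL names,
the sample client addresses and the three rule orderings are constructed
for the example. It shows why "http_access allow ncsa" never challenges the
browser, why its position relative to "deny all" matters, and why the
second "acl ncsa" definition clashes with the first.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid's code).

Assumptions, simplified from Squid's documented behaviour:
  * http_access lines are checked top to bottom; a line matches only when
    every ACL term on it matches, and the first matching line decides;
  * a request without credentials gets a 407 challenge only when the line
    that denied it ended in a proxy_auth ACL; any other denial is 403.
"""
from dataclasses import dataclass


@dataclass
class Request:
    src: str                    # client IP (constructed sample values below)
    has_credentials: bool = False


@dataclass
class Acl:
    name: str
    kind: str                   # "all", "src" or "proxy_auth"
    value: str = ""

    def matches(self, req: Request) -> bool:
        if self.kind == "all":
            return True
        if self.kind == "src":
            return req.src.startswith(self.value)
        if self.kind == "proxy_auth":        # "REQUIRED": any credentials at all
            return req.has_credentials
        raise ValueError(f"unknown ACL type {self.kind}")


class Config:
    def __init__(self) -> None:
        self.acls: dict[str, Acl] = {}
        self.rules: list[tuple[str, list[tuple[bool, str]]]] = []

    def acl(self, name: str, kind: str, value: str = "") -> None:
        # Squid refuses to redefine an ACL name with a different type;
        # this is the "ncsa" clash the reply points out.
        if name in self.acls and self.acls[name].kind != kind:
            raise ValueError(f"ACL '{name}' already defined as {self.acls[name].kind}")
        self.acls[name] = Acl(name, kind, value)

    def http_access(self, action: str, *terms: str) -> None:
        self.rules.append((action, [(t.startswith("!"), t.lstrip("!")) for t in terms]))

    def check(self, req: Request) -> int:
        """Return the status the proxy would answer: 200, 403 or 407."""
        verdict, last_acl = None, None
        for action, terms in self.rules:
            line_matches = True
            for negated, name in terms:
                last_acl = self.acls[name]
                if last_acl.matches(req) == negated:   # this term fails
                    line_matches = False
                    break
            if line_matches:
                verdict = action
                break
        if verdict is None:      # nothing matched: opposite of the last action
            verdict = "deny" if self.rules[-1][0] == "allow" else "allow"
        if verdict == "allow":
            return 200
        if last_acl is not None and last_acl.kind == "proxy_auth" and not req.has_credentials:
            return 407           # challenge: the deny line ended in an auth ACL
        return 403


def base_config() -> Config:
    cfg = Config()
    cfg.acl("all", "all")
    cfg.acl("localnet", "src", "10.0.0.")          # constructed local network
    cfg.acl("ncsa", "proxy_auth", "REQUIRED")
    return cfg


def original_config(appended_after_deny_all: bool) -> Config:
    """The poster's 'http_access allow ncsa', before or after 'deny all'."""
    cfg = base_config()
    if not appended_after_deny_all:
        cfg.http_access("allow", "ncsa")
    cfg.http_access("deny", "all")
    if appended_after_deny_all:
        cfg.http_access("allow", "ncsa")
    return cfg


def suggested_config() -> Config:
    """The reply's first variant: deny unauthenticated, then allow by network."""
    cfg = base_config()
    cfg.http_access("deny", "!ncsa")
    cfg.http_access("allow", "localnet")
    cfg.http_access("deny", "all")
    return cfg


def ncsa_redefinition_rejected() -> bool:
    """Defining 'ncsa' as src and then as proxy_auth is refused."""
    cfg = Config()
    cfg.acl("ncsa", "src", "0.0.0.0")
    try:
        cfg.acl("ncsa", "proxy_auth", "REQUIRED")
    except ValueError:
        return True
    return False


ANON = Request("10.0.0.5")                                  # constructed
AUTHED = Request("10.0.0.5", has_credentials=True)          # constructed
OUTSIDE_AUTHED = Request("203.0.113.9", has_credentials=True)

if __name__ == "__main__":
    for label, cfg in [("allow ncsa after deny all", original_config(True)),
                       ("allow ncsa before deny all", original_config(False)),
                       ("deny !ncsa / allow localnet", suggested_config())]:
        print(f"{label:30} anon={cfg.check(ANON)} authed={cfg.check(AUTHED)} "
              f"outside={cfg.check(OUTSIDE_AUTHED)}")
```

Run stand-alone it prints one line per ordering: the appended "allow ncsa"
is never reached (403 for everyone), the same line placed before "deny all"
admits clients that volunteer credentials but answers 403 rather than 407 to
everyone else, and "deny !ncsa" followed by "allow localnet" challenges
anonymous clients with 407 and still refuses authenticated clients from
outside the local network. Check the real behaviour against a running Squid
and its access.log; the model only covers the cases discussed in the reply.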

