[squid-users] How te deal with proxy authentication bypass

Service MV service.mv at gmail.com
Fri Sep 25 22:28:14 UTC 2020


Hello everyone, I am trying to deal unsuccessfully with proxy
authentication bypass.
Even looking at the documentation I can't get it right. The point is that
certain programs such as being a cisco webex client or the google earth pro
client do not know how to speak well with SQUID's kerberos authentication,
so I want them not to authenticate for the domains they use.
For everything else I have no problems in the authentication.
I attach the logs I get and my configuration to see if they can help me.

Thank you very much in advance.
Best regards
Gabriel

squid.conf
visible_hostname s-px4.mydomain.com
#http_port 3128 require-proxy-header
http_port 3128
error_directory /opt/squid-503/share/errors/es-ar
forwarded_for transparent
shutdown_lifetime 0 seconds
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
read_timeout 5 minutes
request_timeout 3 minutes
cache_mem 1024 MB
maximum_object_size_in_memory 4 MB
memory_cache_mode always
ipcache_size 2048
fqdncache_size 4096
#cache_mgr
httpd_suppress_version_string on
coredump_dir /opt/squid-503/var/cache/squid

auth_param negotiate program /opt/squid-503/libexec/negotiate_kerberos_auth
-i -r -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=150 idle=10
auth_param negotiate keep_alive on

auth_param basic program /opt/squid-503/libexec/basic_ldap_auth -P -R -b
"dc=mydomain,dc=com" -D "cn=ldap,cn=Users,dc=mydomain,dc=com" -W
/opt/squid-503/etc/ldappass.txt -f sAMAccountName=%s -h s-dc00.mydomain.com
auth_param basic children 30
auth_param basic realm Proxy Authentication
auth_param basic credentialsttl 4 hour

#acl vip_haproxy src 10.10.8.92
#proxy_protocol_access allow vip_haproxy

external_acl_type NO_INTERNET_USERS ttl=3600 negative_ttl=3600 %LOGIN
/opt/squid-503/libexec/ext_kerberos_ldap_group_acl -g INTERNET_OFF -i -D
NUEVENET.MEDIOS
acl NO_INTERNET external NO_INTERNET_USERS

acl SSL_ports port 443
acl SSL_ports port 8543         # LiveU Central
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 81          # coto "yo te conozco" donkey ports
acl Safe_ports port 623         # coto "yo te conozco" donkey ports
acl Safe_ports port 8543        # LiveU Central management
acl Safe_ports port 18255       # LiveU Central files download
acl Safe_ports port 33080       # ddjj
acl Safe_ports port 9090        # asociart
acl Safe_ports port 8713        # handball results
acl Safe_ports port 8080        # cponline.org.ar

# Lists of domains and IPs
acl LS_winupddom dstdomain "/opt/squid-503/acl/winupddom.txt"
acl LS_whitedomains dstdomain "/opt/squid-503/acl/whitedomains.txt"
acl LS_blackdomains dstdomain "/opt/squid-503/acl/blackdomains.txt"
acl LS_porn dstdomain "/opt/squid-503/acl/porn.txt"
acl DOM_Malware dstdomain "/opt/squid-503/acl/DOM_Malware.txt"
acl IP_Malware dst -n "/opt/squid-503/acl/IP_Malware.txt"
acl LS_webex dstdomain "/opt/squid-503/acl/webex.txt"

# Access lists
acl http proto http
acl port_80 port 80
acl port_443 port 443
acl port_9000 port 9000
acl port_5061 port 5061
acl port_5065 port 5065
acl CONNECT method CONNECT

#acl authenticated proxy_auth REQUIRED
# Denied internet to member users of INTERNET_OFF group
http_access deny NO_INTERNET all

# Allow webex without authentication
http_access allow http port_80 LS_webex
http_access allow CONNECT port_443 LS_webex
http_access allow port_9000 LS_webex
http_access allow port_5061 LS_webex
http_access allow port_5065 LS_webex


http_access deny LS_blackdomains
http_access deny LS_porn
http_access deny DOM_Malware
http_access deny IP_Malware

# default SQUID rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localhost

# Apply 20Mbit/s QoS to members of Active Directory Authenticated Users
group
acl Domain_Users note group AQUAAAAAAAUVAAAA7TIfbORUj8PLQv4YAQIAAA==
delay_pools 1
delay_class 1 1
delay_parameters 1 2500000/2500000
delay_access 1 allow Domain_Users

# Allow authenticated users to use internet and deny to all others
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all


cat /opt/squid-503/acl/webex.txt
.wbx2.com
.ciscospark.com
.webex.com
.quovadisglobal.com
.digicert.com
.accompany.com
.walkme.com
.cisco.com

access.log
1601071522.675      0 10.10.9.250 TCP_DENIED/407 4106 CONNECT
join-test.webex.com:443 - HIER_NONE/- text/html
1601071522.684      0 10.10.9.250 TCP_DENIED/407 4029 CONNECT
msj1mcccl01.webex.com:443 - HIER_NONE/- text/html
1601071524.717      0 10.10.9.250 TCP_DENIED/407 4086 CONNECT
tsa3.webex.com:443 - HIER_NONE/- text/html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20200925/087d9bb6/attachment.htm>


More information about the squid-users mailing list