[squid-users] How te deal with proxy authentication bypass

Ajb B ajb23 at ymail.com
Sat Sep 26 16:12:47 UTC 2020

 I looked this up an it looks like the reason Google does not work with Kerberos authentication (I think) is that Google makes requests to other domains:
https://serverfault.com/a/307605(Please look at the second comment of the first answer.)

The solution would be to create an ACL to allow the Google and Cisco domains, but I don't think it will work because they make requests to other domains. It would be something like:

acl allowed_domains dstdomain google.comhttp_access allow allowed_domains
Please note you would have to place it before your ACL in your lines where you have:
http_access allow authenticated
http_access deny all
I don't really have a solution except to look at your access.log file (in /var/log/squid), see the other domains Google is making a request to, and then add to your ACLs also.

    On Friday, September 25, 2020, 5:28:36 PM CDT, Service MV <service.mv at gmail.com> wrote:  
 Hello everyone, I am trying to deal unsuccessfully with proxy authentication bypass.
Even looking at the documentation I can't get it right. The point is that certain programs such as being a cisco webex client or the google earth pro client do not know how to speak well with SQUID's kerberos authentication, so I want them not to authenticate for the domains they use.
For everything else I have no problems in the authentication. 
I attach the logs I get and my configuration to see if they can help me.

Thank you very much in advance.
Best regardsGabriel
squid.confvisible_hostname s-px4.mydomain.com
#http_port 3128 require-proxy-header
http_port 3128
error_directory /opt/squid-503/share/errors/es-ar
forwarded_for transparent
shutdown_lifetime 0 seconds
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
read_timeout 5 minutes
request_timeout 3 minutes
cache_mem 1024 MB
maximum_object_size_in_memory 4 MB
memory_cache_mode always
ipcache_size 2048
fqdncache_size 4096
httpd_suppress_version_string on
coredump_dir /opt/squid-503/var/cache/squid

auth_param negotiate program /opt/squid-503/libexec/negotiate_kerberos_auth -i -r -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=150 idle=10
auth_param negotiate keep_alive on

auth_param basic program /opt/squid-503/libexec/basic_ldap_auth -P -R -b "dc=mydomain,dc=com" -D "cn=ldap,cn=Users,dc=mydomain,dc=com" -W /opt/squid-503/etc/ldappass.txt -f sAMAccountName=%s -h s-dc00.mydomain.com
auth_param basic children 30
auth_param basic realm Proxy Authentication
auth_param basic credentialsttl 4 hour

#acl vip_haproxy src
#proxy_protocol_access allow vip_haproxy

external_acl_type NO_INTERNET_USERS ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-503/libexec/ext_kerberos_ldap_group_acl -g INTERNET_OFF -i -D NUEVENET.MEDIOS

acl SSL_ports port 443
acl SSL_ports port 8543         # LiveU Central
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 81          # coto "yo te conozco" donkey ports
acl Safe_ports port 623         # coto "yo te conozco" donkey ports
acl Safe_ports port 8543        # LiveU Central management
acl Safe_ports port 18255       # LiveU Central files download
acl Safe_ports port 33080       # ddjj
acl Safe_ports port 9090        # asociart
acl Safe_ports port 8713        # handball results
acl Safe_ports port 8080        # cponline.org.ar

# Lists of domains and IPs
acl LS_winupddom dstdomain "/opt/squid-503/acl/winupddom.txt"
acl LS_whitedomains dstdomain "/opt/squid-503/acl/whitedomains.txt"
acl LS_blackdomains dstdomain "/opt/squid-503/acl/blackdomains.txt"
acl LS_porn dstdomain "/opt/squid-503/acl/porn.txt"
acl DOM_Malware dstdomain "/opt/squid-503/acl/DOM_Malware.txt"
acl IP_Malware dst -n "/opt/squid-503/acl/IP_Malware.txt"
acl LS_webex dstdomain "/opt/squid-503/acl/webex.txt"

# Access lists
acl http proto http
acl port_80 port 80
acl port_443 port 443
acl port_9000 port 9000
acl port_5061 port 5061
acl port_5065 port 5065

#acl authenticated proxy_auth REQUIRED
# Denied internet to member users of INTERNET_OFF group
http_access deny NO_INTERNET all

# Allow webex without authentication
http_access allow http port_80 LS_webex
http_access allow CONNECT port_443 LS_webex
http_access allow port_9000 LS_webex
http_access allow port_5061 LS_webex
http_access allow port_5065 LS_webex

http_access deny LS_blackdomains
http_access deny LS_porn
http_access deny DOM_Malware
http_access deny IP_Malware

# default SQUID rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localhost

# Apply 20Mbit/s QoS to members of Active Directory Authenticated Users group
acl Domain_Users note group AQUAAAAAAAUVAAAA7TIfbORUj8PLQv4YAQIAAA==
delay_pools 1
delay_class 1 1
delay_parameters 1 2500000/2500000
delay_access 1 allow Domain_Users

# Allow authenticated users to use internet and deny to all others
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

cat /opt/squid-503/acl/webex.txt.wbx2.com.ciscospark.com
access.log1601071522.675      0 TCP_DENIED/407 4106 CONNECT join-test.webex.com:443 - HIER_NONE/- text/html
1601071522.684      0 TCP_DENIED/407 4029 CONNECT msj1mcccl01.webex.com:443 - HIER_NONE/- text/html
1601071524.717      0 TCP_DENIED/407 4086 CONNECT tsa3.webex.com:443 - HIER_NONE/- text/html

squid-users mailing list
squid-users at lists.squid-cache.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20200926/ae61e978/attachment.htm>

More information about the squid-users mailing list