[squid-users] Protecting squid

[Amos Jeffries]

On 12/03/21 3:56 am, Ben Goz wrote:
> 
> On 11/03/2021 16:44, Amos Jeffries wrote:
>> On 12/03/21 3:37 am, Ben Goz wrote:
>>>
>>> On 11/03/2021 15:50, Antony Stone wrote:
>>>> On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:
>>>>
>>>> Tell about your network setup and what you are trying to achieve - 
>>>> we might be
>>>> able to suggest solutions.
>>>
>>> End users machine using some client application while their system 
>>> proxy points to the above squid proxy server.
>>>
>>
>> Please also provide your squid.conf settings so we can check they 
>> achieve your described need(s) properly. At least any lines starting 
>> with the http_access, auth_param, acl, or external_acl_type directives 
>> would be most useful.
>>
>> Do not forget to anonymize sensitive details before posting. PLEASE do 
>> so in a way that we can tell whether a hidden value was correct for 
>> its usage, and whether any two hidden values are the same or different.
> 
> 
> It's fork of default configuration with some changes.
> 
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> #http_access deny !Safe_ports
> 


Please restore this security protection. It prevents malware abusing 
HTTP's similarity to certain other protocols to perform attacks 
*through* your proxy.

The default Safe_ports list allows all ports not known to be dangerous, 
and all ports above 1024. So it should not have any noticeable effect on 
to any legitimate HTTP proxy clients - unless there is something really 
dodgy happening on your network. If you actually want something like 
that happening, then add the appropriate port for that activity to the 
Safe_ports list. Do not drop the protection completely.


> # Deny CONNECT to other than secure SSL ports
> #http_access deny CONNECT !SSL_ports
> 

The same can be said about this. Except this line is arguably even more 
important. CONNECT tunnels can literally contain anything. Let clients 
do things by adding ports to SSL_Ports list as-needed.

Please do some due-diligence checks before that to verify you are okay 
with all the uses of that port. Even ones you think the client 
themselves is unlikely to be doing. Once you open a port here *anyone* 
with access to the proxy can do whatever they like on that port.



> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> 
> http_access allow localnet
> http_access allow localhost
> 
> auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth 
> /usr/local/squid/etc/passwd
> auth_param basic realm proxy

I notice you are missing a line setting the login TTL value.

There is currently a potential problem in the default which means Squid 
encounters situations where the credentials are seen as still going to 
be valid for hours so do not get refreshed. But garbage collection 
decides to throw them away.

This may not be related to the complaints you reported getting. But 
should be fixed to ensure the side effect of having to re-authenticate 
users does not complicate your actual problem.

"auth_param basic credentialsttl ..." sets how often Squid will re-check 
your auth system to confirm the users is still allowed. Default: 2 hr.

"authenticate_ttl ..." sets how often Squid will try to throw away all 
info about old clients being logged in. Default: 1 hr.


> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
> 

I recommend a slightly different form of check for logins. It prevents 
the situation where a user trying the wrong credentials gets a loop of 
popups.

Like so:
  http_access deny !authenticated

That guarantees they are not asked to login again if their software 
agent (aka browser, or such) provided or can locate the proper credentials.

After that you can add other rules about what the logged in users can 
do. eg allow them to do whatever they want. Like so:
  http_access allow all


Amos