[squid-users] Protecting squid
ben.goz87 at gmail.com
Sun Mar 14 13:26:28 UTC 2021
On 12/03/2021 7:13, Amos Jeffries wrote:
> On 12/03/21 3:56 am, Ben Goz wrote:
>> On 11/03/2021 16:44, Amos Jeffries wrote:
>>> On 12/03/21 3:37 am, Ben Goz wrote:
>>>> On 11/03/2021 15:50, Antony Stone wrote:
>>>>> On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:
>>>>> Tell about your network setup and what you are trying to achieve -
>>>>> we might be
>>>>> able to suggest solutions.
>>>> End users' machines use some client application while their system
>>>> proxy points to the above squid proxy server.
>>> Please also provide your squid.conf settings so we can check they
>>> achieve your described need(s) properly. At least any lines starting
>>> with the http_access, auth_param, acl, or external_acl_type
>>> directives would be most useful.
>>> Do not forget to anonymize sensitive details before posting. PLEASE
>>> do so in a way that we can tell whether a hidden value was correct
>>> for its usage, and whether any two hidden values are the same or
>> It's a fork of the default configuration with some changes.
>> # Recommended minimum Access Permission configuration:
>> # Deny requests to certain unsafe ports
>> #http_access deny !Safe_ports
> Please restore this security protection. It prevents malware abusing
> HTTP's similarity to certain other protocols to perform attacks
> *through* your proxy.
> The default Safe_ports list allows all ports not known to be
> dangerous, and all ports above 1024. So it should not have any
> noticeable effect on any legitimate HTTP proxy clients - unless
> there is something really dodgy happening on your network. If you
> actually want something like that happening, then add the appropriate
> port for that activity to the Safe_ports list. Do not drop the
> protection completely.
>> # Deny CONNECT to other than secure SSL ports
>> #http_access deny CONNECT !SSL_ports
> The same can be said about this. Except this line is arguably even
> more important. CONNECT tunnels can literally contain anything. Let
> clients do things by adding ports to SSL_Ports list as-needed.
> Please do some due-diligence checks before that to verify you are okay
> with all the uses of that port. Even ones you think the client
> themselves is unlikely to be doing. Once you open a port here *anyone*
> with access to the proxy can do whatever they like on that port.
>> # Only allow cachemgr access from localhost
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow localnet
>> http_access allow localhost
>> auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth
>> auth_param basic realm proxy
> I notice you are missing a line setting the login TTL value.
> There is currently a potential problem in the default which means
> Squid encounters situations where the credentials are seen as still
> going to be valid for hours so do not get refreshed. But garbage
> collection decides to throw them away.
> This may not be related to the complaints you reported getting. But
> should be fixed to ensure the side effect of having to re-authenticate
> users does not complicate your actual problem.
> "auth_param basic credentialsttl ..." sets how often Squid will
> re-check your auth system to confirm the user is still allowed.
> Default: 2 hr.
> "authenticate_ttl ..." sets how often Squid will try to throw away all
> info about old clients being logged in. Default: 1 hr.
>> acl authenticated proxy_auth REQUIRED
>> http_access allow authenticated
> I recommend a slightly different form of check for logins. It prevents
> the situation where a user trying the wrong credentials gets a loop of
> Like so:
> http_access deny !authenticated
> That guarantees they are not asked to login again if their software
> agent (aka browser, or such) provided or can locate the proper
> After that you can add other rules about what the logged in users can
> do. eg allow them to do whatever they want. Like so:
> http_access allow all
Can I configure squid authentication TTL per source IP only, ignoring
other parameters, so that authentication is requested only once per TTL
for all sessions?
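To make the ordering advice in this thread concrete, here is an added toy model (not Squid's own code) of Squid's first-match http_access evaluation, run over the poster's rules as quoted above and over the same rules with the two restored deny lines and the `deny !authenticated` / `allow all` form. It models only the port, method, src, manager and proxy_auth ACL types, treats proxy_auth as a plain pass/fail flag (no 407 challenge), and assumes the stock Safe_ports/SSL_ports definitions; the request values are constructed.

```python
from ipaddress import ip_address, ip_network
# ACL definitions as in the stock squid.conf (assumed unmodified by the
# poster); localnet is narrowed to one RFC 1918 range for brevity.
ACLS = {
    "Safe_ports": ("port", {80, 21, 443, 70, 210, 280, 488, 591, 777}
                   | set(range(1025, 65536))),
    "SSL_ports": ("port", {443}),
    "CONNECT": ("method", {"CONNECT"}),
    "localhost": ("src", [ip_network("127.0.0.0/8")]),
    "localnet": ("src", [ip_network("192.168.0.0/16")]),
    "manager": ("manager", None),
    "authenticated": ("proxy_auth", None),  # acl authenticated proxy_auth REQUIRED
    "all": ("all", None),
}

def acl_matches(name, req):
    kind, val = ACLS[name]
    if kind == "port": return req["port"] in val
    if kind == "method": return req["method"] in val
    if kind == "src": return any(ip_address(req["src"]) in n for n in val)
    if kind == "manager": return req.get("manager", False)
    if kind == "proxy_auth": return req["auth_ok"]  # no 407 challenge modelled
    return True  # "all"

def http_access(rules, req):
    """First-match evaluation: a line fires when every term matches
    (a leading '!' negates a term). With no match at all, Squid applies
    the opposite of the last line's action."""
    for line in rules:
        action, *terms = line.split()
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1].startswith("allow") else "allow"

# The poster's http_access lines, the two protections left commented out.
AS_POSTED = ["allow localhost manager", "deny manager", "allow localnet",
             "allow localhost", "allow authenticated"]

# Same lines with the advice in the thread applied.
HARDENED = ["deny !Safe_ports", "deny CONNECT !SSL_ports",
            "allow localhost manager", "deny manager", "allow localnet",
            "allow localhost", "deny !authenticated", "allow all"]

def compare(req):
    """Return (as-posted verdict, hardened verdict) for one request."""
    return http_access(AS_POSTED, req), http_access(HARDENED, req)

# Constructed request: an authenticated client opens a CONNECT tunnel to a
# port outside Safe_ports; only the hardened rules refuse it.
print(compare({"method": "CONNECT", "port": 25, "src": "203.0.113.5", "auth_ok": True}))
```

The model reproduces the thread's point: requests to a non-Safe port or a CONNECT to a non-SSL port sail through the as-posted rules once a client has credentials, while normal port-80/443 traffic is treated identically by both rule sets.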