[squid-users] Protecting squid

Ben Goz ben.goz87 at gmail.com
Sun Mar 14 13:26:28 UTC 2021

On 12/03/2021 7:13, Amos Jeffries wrote:
> On 12/03/21 3:56 am, Ben Goz wrote:
>> On 11/03/2021 16:44, Amos Jeffries wrote:
>>> On 12/03/21 3:37 am, Ben Goz wrote:
>>>> On 11/03/2021 15:50, Antony Stone wrote:
>>>>> On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:
>>>>> Tell about your network setup and what you are trying to achieve - 
>>>>> we might be
>>>>> able to suggest solutions.
>>>> End users machine using some client application while their system 
>>>> proxy points to the above squid proxy server.
>>> Please also provide your squid.conf settings so we can check they 
>>> achieve your described need(s) properly. At least any lines starting 
>>> with the http_access, auth_param, acl, or external_acl_type 
>>> directives would be most useful.
>>> Do not forget to anonymize sensitive details before posting. PLEASE 
>>> do so in a way that we can tell whether a hidden value was correct 
>>> for its usage, and whether any two hidden values are the same or 
>>> different.
>> It's fork of default configuration with some changes.
>> # Recommended minimum Access Permission configuration:
>> #
>> # Deny requests to certain unsafe ports
>> #http_access deny !Safe_ports
> Please restore this security protection. It prevents malware abusing 
> HTTP's similarity to certain other protocols to perform attacks 
> *through* your proxy.
> The default Safe_ports list allows all ports not known to be 
> dangerous, and all ports above 1024. So it should not have any 
> noticeable effect on to any legitimate HTTP proxy clients - unless 
> there is something really dodgy happening on your network. If you 
> actually want something like that happening, then add the appropriate 
> port for that activity to the Safe_ports list. Do not drop the 
> protection completely.
>> # Deny CONNECT to other than secure SSL ports
>> #http_access deny CONNECT !SSL_ports
> The same can be said about this. Except this line is arguably even 
> more important. CONNECT tunnels can literally contain anything. Let 
> clients do things by adding ports to SSL_Ports list as-needed.
> Please do some due-diligence checks before that to verify you are okay 
> with all the uses of that port. Even ones you think the client 
> themselves is unlikely to be doing. Once you open a port here *anyone* 
> with access to the proxy can do whatever they like on that port.
>> # Only allow cachemgr access from localhost
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow localnet
>> http_access allow localhost
>> auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth 
>> /usr/local/squid/etc/passwd
>> auth_param basic realm proxy
> I notice you are missing a line setting the login TTL value.
> There is currently a potential problem in the default which means 
> Squid encounters situations where the credentials are seen as still 
> going to be valid for hours so do not get refreshed. But garbage 
> collection decides to throw them away.
> This may not be related to the complaints you reported getting. But 
> should be fixed to ensure the side effect of having to re-authenticate 
> users does not complicate your actual problem.
> "auth_param basic credentialsttl ..." sets how often Squid will 
> re-check your auth system to confirm the users is still allowed. 
> Default: 2 hr.
> "authenticate_ttl ..." sets how often Squid will try to throw away all 
> info about old clients being logged in. Default: 1 hr.
>> acl authenticated proxy_auth REQUIRED
>> http_access allow authenticated
> I recommend a slightly different form of check for logins. It prevents 
> the situation where a user trying the wrong credentials gets a loop of 
> popups.
> Like so:
>  http_access deny !authenticated
> That guarantees they are not asked to login again if their software 
> agent (aka browser, or such) provided or can locate the proper 
> credentials.
> After that you can add other rules about what the logged in users can 
> do. eg allow them to do whatever they want. Like so:
>  http_access allow all

Can I configure squid authentication TTL per only source IP and ignores 
other parameters so authentication will be requested only once in TTL 
for all the sessions?

> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list