[squid-users] Access based on auth and referer

Dott. Matteo Savatteri matteo.savatteri at unimi.it
Mon Mar 13 07:55:57 UTC 2023


Hi Amos, list,

Please, can you help me solve the issue described below?

Or, if not possible at all, to find an alternative solution.

Thank you for your patience and your help.

Cheers,

Matteo

On 3/6/23 09:25, Dott. Matteo Savatteri wrote:
> Hi Amos,
>
> thank you for your answer.
>
> Unfortunately, the config you suggested does not seem to work: using 
> that, the proxy asks for a password for every site.
>
> I think this is because CONNECT requests naturally do not present 
> the referer header. The special referer header is only present in 
> subsequent requests, those that get ssl-bumped.
>
> This is an example CONNECT request found in logs:
>
>
> CONNECT pixel.sitescout.com:443 HTTP/1.1
> Host: pixel.sitescout.com:443
> Proxy-Connection: keep-alive
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.76
>
>
> How can I solve this? Is it even possible to mix auth-based and 
> referer-based access?
>
> Thank you for your patience and your kind help,
>
> Matteo
>
> On 3/6/23 07:34, Amos Jeffries wrote:
>> On 5/03/2023 10:44 pm, Dott. Matteo Savatteri wrote:
>>>
>>> Hello fellow Squid users,
>>>
>>> we use Squid 3.5 at my company and we want to give access to all 
>>> sites to authenticated users. If a user is not authenticated we need 
>>> to allow only HTTP/S requests that present a referer header matching 
>>> a regex. Is this even possible?
>>>
>>> I have tried a combination of proxy_auth and referer_regex ACLs with 
>>> no results. sslbump is working.
>>
>> Try these rules:
>>
>>   # initial security protection
>>   http_access deny !Safe_ports
>>   http_access deny CONNECT !SSL_ports
>>
>>   # forbid access to cache manager from non-localhost
>>   http_access deny manager !localhost
>>   # leave the below commented to require a login for cache manager access
>>   # http_access allow manager
>>
>>   # forbid unauthenticated, except when providing the special Referer header
>>   http_access deny !myreferer !password
>>
>>   # users not denied are allowed
>>   http_access allow all
>>
>>
>> Cheers
>> Amos
>>
>
-- 
Dott. Matteo Savatteri

Head of the Technology Platforms Office
University Library Service Directorate
Università degli Studi di Milano

Address: Via Santa Sofia, 9 20122 MILANO (MI)
Office tel.: 02503 12227
Email: Matteo.Savatteri at unimi.it
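
The behaviour reported in this message can be reproduced with a small model of how `http_access` lines are evaluated. This is an added example, not part of the thread and not Squid code. The `myreferer` pattern and the sample requests are constructed, and the presence of a `Proxy-Authorization` header stands in for a successful `proxy_auth` login.

```python
import re

# Hypothetical pattern: the thread never shows the real "myreferer" regex.
MYREFERER = re.compile(r"^https://portal\.example\.org/")
SSL_PORTS = {443}

# The access rules from the quoted reply that matter here, in order.
RULES = [
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["!myreferer", "!password"]),
    ("allow", ["all"]),
]

def acl(name, req):
    """Evaluate one ACL. 'password' returns None when no credentials were sent."""
    headers = req["headers"]
    if name == "CONNECT":
        return req["method"] == "CONNECT"
    if name == "SSL_ports":
        return req["port"] in SSL_PORTS
    if name == "myreferer":
        return bool(MYREFERER.search(headers.get("Referer", "")))
    if name == "password":
        # Simplification: presence of the header stands in for a valid login.
        return True if "Proxy-Authorization" in headers else None
    return name == "all"

def http_access(req):
    """First matching rule wins; ACLs on one line are ANDed left to right."""
    for action, terms in RULES:
        for term in terms:
            result = acl(term.lstrip("!"), req)
            if result is None:
                return "407"  # proxy_auth reached without credentials
            if result == term.startswith("!"):
                break  # this ACL did not match, so the rule is skipped
        else:
            return action
    return "deny"

# Constructed requests; the first mirrors the CONNECT quoted in the thread.
CONNECT_ANON = {"method": "CONNECT", "port": 443, "headers": {}}
CONNECT_AUTH = {"method": "CONNECT", "port": 443,
                "headers": {"Proxy-Authorization": "Basic <constructed>"}}
BUMPED_GET = {"method": "GET", "port": 443,
              "headers": {"Referer": "https://portal.example.org/start"}}

if __name__ == "__main__":
    for label, req in [("anonymous CONNECT", CONNECT_ANON),
                       ("authenticated CONNECT", CONNECT_AUTH),
                       ("bumped GET with Referer", BUMPED_GET)]:
        print(f"{label}: {http_access(req)}")
```

In this model the anonymous CONNECT is challenged before any bumped request carrying the Referer can be seen, while the same Referer on a request that does reach the rules skips the auth check entirely.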


