<div dir="ltr"><div dir="ltr"><div dir="ltr"><div>In my case I have the domains, for example from webex, which I get from their official support page. It seems that I am doing something wrong or I am not understanding well.</div><div>I base on this documentation <a href="https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass">https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass</a></div><div><br></div><div>The error I get is 407. I understand I should not request authentication to those domains with the configuration I have, but apparently it does.</div><div><br></div><div><div>Below I have a bandwidth control configuration with acl note, I don't know if that will be triggering the webex client authentication request.</div><div>Maybe someone with more experience can tell me.</div><div><br></div><div>Thank you very much.</div></div><div>Gabriel</div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">El sáb., 26 de sep. de 2020 a la(s) 13:12, Ajb B (<a href="mailto:ajb23@ymail.com">ajb23@ymail.com</a>) escribió:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:13px">
<div dir="ltr">I looked this up an it looks like the reason Google does not work with Kerberos authentication (I think) is that Google makes requests to other domains:</div><div dir="ltr"><br></div><div dir="ltr"><a href="https://serverfault.com/a/307605" rel="nofollow" target="_blank">https://serverfault.com/a/307605</a></div><div dir="ltr">(Please look at the second comment of the first answer.)<br></div><div><br></div><div dir="ltr">The solution would be to create an ACL to allow the Google and Cisco domains, but I don't think it will work because they make requests to other domains. It would be something like:<br></div><div dir="ltr"><br></div><div dir="ltr">acl <span><span>allowed_domains</span> </span>dstdomain <a href="http://google.com" target="_blank">google.com</a></div><div dir="ltr">http_access allow <span>allowed_domains</span></div><div dir="ltr"><br></div><div dir="ltr">Please note you would have to place it before your ACL in your lines where you have:</div><div dir="ltr"><br></div><div dir="ltr"><div>http_access allow authenticated<br><div>http_access deny all</div></div><div><br></div></div><div>I don't really have a solution except to look at your access.log file (in /var/log/squid), see the other domains Google is making a request to, and then add to your ACLs also.</div><div><br></div><div><br></div><div dir="ltr">Thanks,</div><div dir="ltr">Adrian<br></div>
</div><div id="gmail-m_2284595591594542063yahoo_quoted_1510418645">
<div style="font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:13px;color:rgb(38,40,42)">
<div>
On Friday, September 25, 2020, 5:28:36 PM CDT, Service MV <<a href="mailto:service.mv@gmail.com" target="_blank">service.mv@gmail.com</a>> wrote:
</div>
<div><br></div>
<div><br></div>
<div><div id="gmail-m_2284595591594542063yiv4344909646"><div dir="ltr">Hello everyone, I am trying to deal unsuccessfully with proxy authentication bypass.<br>Even looking at the documentation I can't get it right. The point is that certain programs such as being a cisco webex client or the google earth pro client do not know how to speak well with SQUID's kerberos authentication, so I want them not to authenticate for the domains they use.<br>For everything else I have no problems in the authentication. <br>I attach the logs I get and my configuration to see if they can help me.<br><br>Thank you very much in advance.<br><div>Best regards</div><div>Gabriel</div><div><br></div><div>squid.conf</div><div>visible_hostname <a rel="nofollow" href="http://s-px4.mydomain.com" target="_blank">s-px4.mydomain.com</a><br>#http_port 3128 require-proxy-header<br>http_port 3128<br>error_directory /opt/squid-503/share/errors/es-ar<br>forwarded_for transparent<br>shutdown_lifetime 0 seconds<br>quick_abort_min 0 KB<br>quick_abort_max 0 KB<br>quick_abort_pct 100<br>read_timeout 5 minutes<br>request_timeout 3 minutes<br>cache_mem 1024 MB<br>maximum_object_size_in_memory 4 MB<br>memory_cache_mode always<br>ipcache_size 2048<br>fqdncache_size 4096<br>#cache_mgr <br>httpd_suppress_version_string on<br>coredump_dir /opt/squid-503/var/cache/squid<br><br>auth_param negotiate program /opt/squid-503/libexec/negotiate_kerberos_auth -i -r -s GSS_C_NO_NAME<br>auth_param negotiate children 300 startup=150 idle=10<br>auth_param negotiate keep_alive on<br><br>auth_param basic program /opt/squid-503/libexec/basic_ldap_auth -P -R -b "dc=mydomain,dc=com" -D "cn=ldap,cn=Users,dc=mydomain,dc=com" -W /opt/squid-503/etc/ldappass.txt -f sAMAccountName=%s -h <a rel="nofollow" href="http://s-dc00.mydomain.com" target="_blank">s-dc00.mydomain.com</a><br>auth_param basic children 30<br>auth_param basic realm Proxy Authentication<br>auth_param basic credentialsttl 4 hour<br><br>#acl vip_haproxy src 10.10.8.92<br>#proxy_protocol_access allow vip_haproxy<br><br>external_acl_type NO_INTERNET_USERS ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-503/libexec/ext_kerberos_ldap_group_acl -g INTERNET_OFF -i -D NUEVENET.MEDIOS<br>acl NO_INTERNET external NO_INTERNET_USERS<br></div><div><br></div><div>acl SSL_ports port 443<br>acl SSL_ports port 8543 # LiveU Central<br>acl Safe_ports port 80 # http<br>acl Safe_ports port 21 # ftp<br>acl Safe_ports port 443 # https<br>acl Safe_ports port 70 # gopher<br>acl Safe_ports port 210 # wais<br>acl Safe_ports port 280 # http-mgmt<br>acl Safe_ports port 488 # gss-http<br>acl Safe_ports port 591 # filemaker<br>acl Safe_ports port 777 # multiling http<br>acl Safe_ports port 81 # coto "yo te conozco" donkey ports<br>acl Safe_ports port 623 # coto "yo te conozco" donkey ports<br>acl Safe_ports port 8543 # LiveU Central management<br>acl Safe_ports port 18255 # LiveU Central files download<br>acl Safe_ports port 33080 # ddjj<br>acl Safe_ports port 9090 # asociart<br>acl Safe_ports port 8713 # handball results<br>acl Safe_ports port 8080 # <a rel="nofollow" href="http://cponline.org.ar" target="_blank">cponline.org.ar</a><br><br># Lists of domains and IPs<br>acl LS_winupddom dstdomain "/opt/squid-503/acl/winupddom.txt"<br>acl LS_whitedomains dstdomain "/opt/squid-503/acl/whitedomains.txt"<br>acl LS_blackdomains dstdomain "/opt/squid-503/acl/blackdomains.txt"<br>acl LS_porn dstdomain "/opt/squid-503/acl/porn.txt"<br>acl DOM_Malware dstdomain "/opt/squid-503/acl/DOM_Malware.txt"<br>acl IP_Malware dst -n "/opt/squid-503/acl/IP_Malware.txt"<br>acl LS_webex dstdomain "/opt/squid-503/acl/webex.txt"<br><br># Access lists<br>acl http proto http<br>acl port_80 port 80<br>acl port_443 port 443<br>acl port_9000 port 9000<br>acl port_5061 port 5061<br>acl port_5065 port 5065<br>acl CONNECT method CONNECT<br><br>#acl authenticated proxy_auth REQUIRED<br></div><div># Denied internet to member users of INTERNET_OFF group<br>http_access deny NO_INTERNET all<br><br># Allow webex without authentication<br>http_access allow http port_80 LS_webex<br>http_access allow CONNECT port_443 LS_webex<br>http_access allow port_9000 LS_webex<br>http_access allow port_5061 LS_webex<br>http_access allow port_5065 LS_webex<br><br><br>http_access deny LS_blackdomains<br>http_access deny LS_porn<br>http_access deny DOM_Malware<br>http_access deny IP_Malware<br><br># default SQUID rules<br>http_access deny !Safe_ports<br>http_access deny CONNECT !SSL_ports<br>http_access allow localhost manager<br>http_access deny manager<br>http_access deny to_localhost<br>http_access allow localhost<br><br># Apply 20Mbit/s QoS to members of Active Directory Authenticated Users group<br>acl Domain_Users note group AQUAAAAAAAUVAAAA7TIfbORUj8PLQv4YAQIAAA==<br>delay_pools 1<br>delay_class 1 1<br>delay_parameters 1 2500000/2500000<br>delay_access 1 allow Domain_Users<br><br># Allow authenticated users to use internet and deny to all others<br>acl authenticated proxy_auth REQUIRED<br>http_access allow authenticated<br>http_access deny all<br></div><div><br></div><div><br></div><div>cat /opt/squid-503/acl/webex.txt</div><div>.<a rel="nofollow" href="http://wbx2.com" target="_blank">wbx2.com</a></div>.<a rel="nofollow" href="http://ciscospark.com" target="_blank">ciscospark.com</a><br>.<a rel="nofollow" href="http://webex.com" target="_blank">webex.com</a><br>.<a rel="nofollow" href="http://quovadisglobal.com" target="_blank">quovadisglobal.com</a><br>.<a rel="nofollow" href="http://digicert.com" target="_blank">digicert.com</a><br>.<a rel="nofollow" href="http://accompany.com" target="_blank">accompany.com</a><br>.<a rel="nofollow" href="http://walkme.com" target="_blank">walkme.com</a><br>.<a rel="nofollow" href="http://cisco.com" target="_blank">cisco.com</a><div><br></div><div>access.log</div><div>1601071522.675 0 10.10.9.250 TCP_DENIED/407 4106 CONNECT <a rel="nofollow" href="http://join-test.webex.com:443" target="_blank">join-test.webex.com:443</a> - HIER_NONE/- text/html<br>1601071522.684 0 10.10.9.250 TCP_DENIED/407 4029 CONNECT <a rel="nofollow" href="http://msj1mcccl01.webex.com:443" target="_blank">msj1mcccl01.webex.com:443</a> - HIER_NONE/- text/html<br>1601071524.717 0 10.10.9.250 TCP_DENIED/407 4086 CONNECT <a rel="nofollow" href="http://tsa3.webex.com:443" target="_blank">tsa3.webex.com:443</a> - HIER_NONE/- text/html<br></div><div><br></div><div><br></div><div><br></div><div><br></div></div></div>_______________________________________________<br>squid-users mailing list<br><a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br><a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br></div>
</div>
</div></div></blockquote></div>