[squid-users] Squid ACL, SSL-BUMP and authentication questions

squid at icshk.com squid at icshk.com
Fri Nov 7 03:25:36 UTC 2014 

Hello all,

 

As our company policy only allow some machines to access to some SSL website
URL(eg. https://www.google.com/maps). However, they do not have access to
https://www.google.com/ Before, we tried to implement authentication,
everything works fine. We try to allow https access to
https://www.google.com/maps and "CONNECT" request to www.google.com
<http://www.google.com>  using SSL bump. Now, I want to preserve this
config, and let user to authenicate to access to any website. Access to
google maps(https://www.google.com/maps) should prevent any authentication
need. However, I am not success to figure this out. I have tried different
kinds of configuration, some will prompt for authentication. Some will not
allow the authenticated users to access to https://www.google.com. From the
access log, after I authenticate and try to access to
https://www.google.com, the authentication information is not displayed.
Seems squid do not use the authentication information when matching the this
rule: "http_access     allow   CONNECT                 google".

The "CONNECT" method is success. Then, the squid will continue use no
authentication information to process the "GET" command, causing the
authenticated user to denied access to https://www.google.com.

Can I make squid always use the authentication information if already
authenticate ? Or any suggestion to implement this policy.

Thanks.

 

Here is an extracted version of config which should state the related
configuration:

 

auth_param basic children 5

auth_param basic realm Welcome to Our Website!

auth_param basic program /usr/lib64/squid/basic_ncsa_auth
/etc/squid/squid_user

auth_param basic credentialsttl 2 hours

auth_param basic casesensitive off

 

acl my_auth proxy_auth REQUIRED

 

acl SSL_ports port 443

acl Safe_ports port 443         # https

acl CONNECT method CONNECT

 

acl     GoogleMaps           url_regex -i    ^https://www.google.com/maps*.

acl     test_net                 src             192.168.1.253/32

acl     google                    dstdomain    www.google.com
<http://www.google.com> 

http_access deny CONNECT !SSL_ports

 

http_access     allow                           GoogleMaps

 

http_access     allow   CONNECT                 google

http_access     deny    CONNECT                 google
my_auth

#http_access    allow   CONNECT                 test_net
google

 

http_access     allow   my_auth                all

 

http_access     deny                            all

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20141107/767b6b1c/attachment-0001.html>

More information about the squid-users mailing list