[squid-users] Issues with authentication

Amos Jeffries squid3 at treenet.co.nz
Tue Oct 11 06:46:30 UTC 2016


On 11/10/2016 6:18 p.m., Joe O wrote:
> Thanks for the reply Amos! I started following another thread in which you were helping someone else with showing pages to / redirecting unauthenticated users
> but still haven’t been able to get that to work either. The thread was this one http://squid-web-proxy-cache.1019090.n4.nabble.com/redirecting-unauthenticated-users-td1038146.html
> I think this approach would work well for what I am doing if I could get it working :)

That thread is about having one specific URL being visited cause proxy
authentication to happen, with any unauthenticated visitors redirected
to that URL.

You are dealing with CONNECT requests, which do not have a URL, just an
authority-URI, and cannot be redirected.

> 
> error_directory /usr/share/squid/errors/en
> cache deny all
> debug_options ALL,1 11,3 20,3
> acl whitelist dstdomain .whitelist.com 127.0.0.1
> 
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

These ACLs should be defined by default and Squid should complain about
these adding duplicate entries on startup or reconfigure. If it does not
you should upgrade to a more recent Squid.


> 
> acl localnet src 127.0.0.1      # RFC1918 possible internal network


127.0.0.1 is not a possible internal network. It is localhost.

> acl localnet src 10.0.0.0/8
> acl localhost src 127.0.0.1/32 ::1

You already defined localhost. Your Squid should be complaining about
this on startup or reconfigure. If it does not you should upgrade to a
more recent Squid.

> 
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> 
> http_access allow manager localhost
> http_access deny manager
> 

The manager rules are more efficient security when performed after the
"CONNECT !SSL_ports" rule.


> http_access deny !Safe_ports
> 
> http_access deny CONNECT !SSL_ports
> 
> http_access allow localnet
> http_access allow localhost
> 

Amos

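The http_access ordering Amos recommends, written out as an added squid.conf fragment that is not part of the thread. It keeps Joe's ACL names (localnet, SSL_ports, Safe_ports, CONNECT), relies on the built-in localhost and manager ACLs of a current Squid, and assumes the standard default-deny tail:

```conf
# Added example (not from the thread): http_access rules in the order
# suggested above. Squid evaluates http_access lines top to bottom and
# stops at the first match, so cheap, broad denials come first.

# localnet defined once; localhost / to_localhost are built in on a
# recent Squid and are deliberately not redefined here.
acl localnet src 10.0.0.0/8

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT

# 1. Reject requests to ports this proxy never serves.
http_access deny !Safe_ports

# 2. Reject CONNECT tunnels to anything but the SSL port(s). This is
#    checked before any "allow" rule, including the manager ones, so a
#    tunnel to an unexpected port is dropped regardless of source.
http_access deny CONNECT !SSL_ports

# 3. Only now grant the cache manager to localhost and refuse it to
#    everyone else. Requests already rejected by the port checks above
#    never reach these lines.
http_access allow manager localhost
http_access deny manager

# 4. Ordinary client access.
http_access allow localnet
http_access allow localhost

# 5. Default-deny tail (standard Squid default, assumed here).
http_access deny all
```

Run `squid -k parse` after editing; on a current Squid it also reports the duplicate ACL definitions Amos mentions.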