[squid-users] acl problem

Amos Jeffries squid3 at treenet.co.nz
Tue Aug 29 19:37:55 UTC 2017


On 30/08/17 03:12, Alex Gutiérrez Martínez wrote:
> Hello community, I just installed squid 3.3.8 on ubuntu 14.04. The use 
> of this software is only providing the Internet to my users. But 
> something is wrong with my setup. I must clarify that I use as an 
> authentication system the Ldap plug-in that comes with squid.
> The problem is that some acl, although apparently well written, are not 
> working the way I expect. Specifically those blocking social sites and 
> prohibited sites.

Ah, there are no rules blocking social and advertising sites.
You have some rules *allowing* access to various groups, then some 
blanket denial of everything else.

The problem is actually your allow rules not doing what you seem to 
expect of them. Specifically the first one.

...
> acl basic_ldap_auth proxy_auth REQUIRED
> http_access allow basic_ldap_auth

Anyone who can login is allowed to use this proxy. End of story for 
authenticated users.

Note that the "REQUIRED" value in the ACL does not mean proxy access 
requires credentials. It means that the ACL will non-match unless a 
valid login is given. The "allow" action in turn then means a non-match 
simply skips that line.

Anyone who sends invalid credentials to the proxy _will_ fly straight 
past this first access control without being challenged; anyone lacking 
credentials entirely *might* be challenged to supply some, depending on 
what ACL types your later rules use.


Overall "allow" is a very unreliable way to do authentication security.
Instead you should start with denying clients who cannot supply valid 
logins. Like so:

   http_access deny !basic_ldap_auth

... then do the group checks etc which rely on those credentials.


> #http_access deny all
> ########################################################
> #selective restrictions#
> ########################################################
> acl dmz src 172.16.4.0/27
> acl navegacion src 192.168.9.0/24
> acl full external Group InternetFull
> acl limitado external Group InternetLimitado
> acl sociales dstdomain -n "/etc/squid3/bloqueo/sociales"
> acl extensiones urlpath_regex -i "/etc/squid3/bloqueo/listaextensiones"

... but no valid credentials means no group. These cannot match right 
now and so get skipped.

While it may have appeared that these allow lines were working, it was 
in fact the earlier "allow basic_ldap_auth" line letting users in the 
group "full" (and any other group) through.


> http_access allow full sociales
> http_access allow full limitado navegacion
> http_access allow full dmz
> ########################################################
> #mandatory restrictions#
> ########################################################
> #acl blacklist url_regex -i "/etc/squid3/listanegra"
> #http_access deny blacklist
> acl bl7 dstdomain -n "/etc/squid3/bloqueo/correos"
> http_access allow full !limitado bl7


Here you have a bunch of stuff being denied based on group. BUT, the 
last thing is "deny all" with no possibility of allow from here on down. 
So all these slow-checking group and regex ACLs are pretty pointless, 
even if the group checks could work with invalid logins.

If any request reaches this spot of the access list it is going to be 
denied. So "deny all" is sufficient, no need to do all the following 
complex stuff first.


> acl bl1 url_regex -i "/etc/squid3/bloqueo/porno"
> http_access deny bl1
> acl bl2 url_regex -i "/etc/squid3/bloqueo/android"
> http_access deny bl2
> acl bl3 url_regex -i "/etc/squid3/bloqueo/prox1"
> http_access deny bl3
> acl bl4 url_regex -i "/etc/squid3/bloqueo/prox2"
> http_access deny bl4
> acl bl5 url_regex -i "/etc/squid3/bloqueo/prox3"
> http_access deny bl5
> acl bl6 url_regex -i "/etc/squid3/bloqueo/prox4"
> http_access deny bl6
> #acl ladmin src "/etc/squid3/ladmin"
> http_access deny all


HTH
Amos
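An added illustration, not part of the thread: a small first-match evaluator for Squid `http_access` lists, used to compare the poster's ordering (blanket `allow basic_ldap_auth` first) with the `deny !basic_ldap_auth` ordering suggested above. ACL results are modelled as plain booleans per request; the rule lists are simplified to the lines that matter and the request dictionaries are constructed.

```python
# Minimal model of Squid http_access evaluation (added example, not the
# poster's or Squid's own code). A line matches only when every ACL term
# on it matches; the first matching line decides; if no line matches,
# Squid applies the opposite of the last line's action.

def term_matches(term, acl_results):
    """A term like 'full' matches when its ACL is true; '!full' when false."""
    if term.startswith("!"):
        return not acl_results.get(term[1:], False)
    return acl_results.get(term, False)

def evaluate(rules, acl_results):
    """Return 'allow' or 'deny' for one request against an ordered list
    of (action, [acl_terms]) pairs in squid.conf order."""
    for action, terms in rules:
        if all(term_matches(t, acl_results) for t in terms):
            return action
    last_action = rules[-1][0]
    return "deny" if last_action == "allow" else "allow"

# The poster's ordering, reduced to the lines discussed in the reply.
POSTER = [
    ("allow", ["basic_ldap_auth"]),          # lets every valid login through
    ("allow", ["full", "sociales"]),
    ("allow", ["full", "limitado", "navegacion"]),
    ("deny", ["bl1"]),
    ("deny", ["all"]),
]

# The suggested ordering: reject anyone without valid credentials first,
# then do the group checks, then the catch-all deny.
FIXED = [
    ("deny", ["!basic_ldap_auth"]),
    ("allow", ["full", "sociales"]),
    ("allow", ["full", "limitado", "navegacion"]),
    ("deny", ["bl1"]),
    ("deny", ["all"]),
]

# Constructed requests. 'all' always matches. proxy_auth REQUIRED only
# matches with a valid login, so the external group ACLs ('full',
# 'limitado') can only be true when basic_ldap_auth is true as well.
LIMITED_USER_TO_BL1_SITE = {"all": True, "basic_ldap_auth": True,
                            "limitado": True, "bl1": True}
FULL_USER_TO_SOCIAL = {"all": True, "basic_ldap_auth": True,
                       "full": True, "sociales": True}
NO_CREDENTIALS = {"all": True}
```

With the poster's list the limited user reaches the bl1 site because line one already allowed them; with the fixed list the same request falls through to `deny bl1`.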

