[squid-users] Problem with squid proxy authentication configuration
Amiq Nahas
m992493 at gmail.com
Thu Jun 11 12:29:18 UTC 2020
On Wed, Jun 10, 2020 at 8:07 PM Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
> On 10/06/20 9:26 pm, Amiq Nahas wrote:
> > Hi Guys,
> >
> > I am trying to configure squid so as to have user proxy
> > authentication, below is how my squid.conf file looks like:
> >
> > -----
> > acl SSL_ports port 443
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> >
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost manager
> > http_access deny manager
> > http_access allow localhost
> > http_access deny all
> > http_port 3128
> > coredump_dir /var/spool/squid
> >
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> > refresh_pattern . 0 20% 4320
> > -----
> >
> > The above lines were default in squid.conf file.
> >
> > I have added below lines:
> >
>
> *Where* did you add them? Order is important.
I added the lines below, exactly in this order, at the end of the
squid.conf file.
> > -----
> > icap_enable on
> > icap_send_client_ip on
> > icap_send_client_username on
> > icap_client_username_header X-Authenticated-User
> > icap_preview_enable on
> > icap_preview_size 1024
> >
> > icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/echo
> > adaptation_access service_req allow all
> >
> > icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/echo
> > adaptation_access service_resp allow all
> >
> > acl ncsa src 0.0.0.0/0.0.0.0
>
> Don't do that. Use "all" to match any IP address.
>
> If you want to match IPv4-only clients there is a special value "ipv4"
> which is used like so:
> acl ipv4_only src ipv4
>
> Be careful with this type of control. Different access behaviours for
> IPv4 and IPv6 are how security bypass issues are created.
>
>
>
> > auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
> > auth_param basic realm proxy
> > acl ncsa proxy_auth REQUIRED
>
> "ncsa" was already defined as an IP address matching ACL.
>
>
> > http access allow ncsa
>
>
> This will only allow clients who are already trying to send credentials.
> It will not inform clients that they need to and no sane client will
> broadcast its credential secrets unless it has to.
>
> To have HTTP auth work in the usual way it is best to *deny*
> non-authenticated traffic and allow based on any other criteria you
> have. Like so:
>
> http_access deny !ncsa
> http_access allow localnet
>
> or
>
> http_access deny !ncsa
> http_access allow ncsa
So I changed the configuration according to what you suggested, and now
I can access the internet.
Below is how the configuration now looks:
acl ncsa src all
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated ncsa
I am able to access the internet now. Does this mean that everything
worked fine? I am asking because I will be using this proxy
authentication setup in c-icap for setting up the url_check service.
Also, I am not prompted for any password; I am able to access the
internet just like that. Is that how it is supposed to work? Because if
I don't need to enter the password before browsing the web, what would
be the point of it all, right? Or am I missing something here?
I have been using this article for reference
http://hevi.info/do-it-yourself/install-and-setup-squid3-on-ubuntu-14-04-with-authentication/
Thanks
Amiq
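Added illustration, not part of the thread and not Squid's own code: a small Python model of Squid's http_access first-match evaluation, run over the posted ordering (new lines appended after the default "http_access deny all", as described above, with the test client on the proxy host itself) and over the deny-first ordering suggested in the reply. It simplifies Squid's real ACL engine and assumes a localnet of 192.168.0.0/16, which the posted config does not define.

```python
# Simplified model of Squid's http_access evaluation (constructed example, not Squid code):
# the first line whose ACLs all match decides; a deny whose last ACL is a proxy_auth ACL,
# reached by a request without credentials, is answered with a 407 challenge.
import ipaddress

LOCALNET = "192.168.0.0/16"  # assumption: the LAN; no localnet ACL appears in the posted config
AUTH_ACLS = {"authenticated"}

def make_acls():
    # ACL name -> predicate over a request {"src": ip string, "user": name or None}
    return {
        "all": lambda r: True,
        "localhost": lambda r: ipaddress.ip_address(r["src"]).is_loopback,
        "localnet": lambda r: ipaddress.ip_address(r["src"]) in ipaddress.ip_network(LOCALNET),
        "ncsa": lambda r: True,                            # acl ncsa src all
        "authenticated": lambda r: r["user"] is not None,  # acl authenticated proxy_auth REQUIRED
    }

def parse_rules(conf):
    """Turn http_access lines into (action, [(acl_name, negated), ...]) tuples."""
    rules = []
    for line in conf.strip().splitlines():
        parts = line.split()
        if parts and parts[0] == "http_access":
            rules.append((parts[1], [(a.lstrip("!"), a.startswith("!")) for a in parts[2:]]))
    return rules

def http_access(rules, req, acls):
    """Return 'allow', '403' (denied) or '407' (denied with a credential challenge)."""
    for action, terms in rules:
        last = None
        for name, negated in terms:
            last = name
            if acls[name](req) == negated:  # term fails: plain ACL misses or negated ACL hits
                break
        else:                               # every term matched, so this line decides
            if action == "allow":
                return "allow"
            return "407" if last in AUTH_ACLS and req["user"] is None else "403"
    return "403" if rules[-1][0] == "allow" else "allow"  # no line matched: opposite of the last

# Posted ordering: the new allow line sits after the default "deny all", so it is unreachable,
# and a client on the proxy host itself is admitted by "allow localhost" without any challenge.
AS_POSTED = "http_access allow localhost\nhttp_access deny all\nhttp_access allow authenticated ncsa"
# Deny-first ordering suggested in the thread: unauthenticated clients are challenged first.
CORRECTED = "http_access deny !authenticated\nhttp_access allow localnet\nhttp_access deny all"

def evaluate(conf, src, user=None):
    return http_access(parse_rules(conf), {"src": src, "user": user}, make_acls())
```

Running evaluate over both orderings shows why no password prompt appeared: the loopback client is allowed before any proxy_auth line is reached, and the appended allow line is never evaluated even with valid credentials.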