[squid-users] Problem with squid proxy authentication configuration

Amos Jeffries squid3 at treenet.co.nz
Thu Jun 11 16:55:02 UTC 2020


On 12/06/20 12:29 am, Amiq Nahas wrote:
> On Wed, Jun 10, 2020 at 8:07 PM Amos Jeffries wrote:
>>
>> On 10/06/20 9:26 pm, Amiq Nahas wrote:
>>> Hi Guys,
>>>
>>> I am trying to configure squid so as to have user proxy
>>> authentication, below is how my squid.conf file looks:
>>>
>>> -----
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80        # http
>>> acl Safe_ports port 21        # ftp
>>> acl Safe_ports port 443        # https
>>> acl Safe_ports port 70        # gopher
>>> acl Safe_ports port 210        # wais
>>> acl Safe_ports port 1025-65535    # unregistered ports
>>> acl Safe_ports port 280        # http-mgmt
>>> acl Safe_ports port 488        # gss-http
>>> acl Safe_ports port 591        # filemaker
>>> acl Safe_ports port 777        # multiling http
>>> acl CONNECT method CONNECT
>>>
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localhost manager
>>> http_access deny manager
>>> http_access allow localhost
>>> http_access deny all
>>> http_port 3128
>>> coredump_dir /var/spool/squid
>>>
>>> refresh_pattern ^ftp:        1440    20%    10080
>>> refresh_pattern ^gopher:    1440    0%    1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
>>> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
>>> refresh_pattern .        0    20%    4320
>>> -----
>>>
>>> The above lines were default in squid.conf file.
>>>
>>> I have added below lines:
>>>
>>
>> *Where* did you add them? order is important.
> 
> I have added the below lines exactly in this order at the end of the
> file squid.conf.
> 

That is the wrong place to be adding the http_access part of your custom
config.


>>> -----
>>> icap_enable on
>>> icap_send_client_ip on
>>> icap_send_client_username on
>>> icap_client_username_header X-Authenticated-User
>>> icap_preview_enable on
>>> icap_preview_size 1024
>>>
>>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/echo
>>> adaptation_access service_req allow all
>>>
>>> icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/echo
>>> adaptation_access service_resp allow all
>>>
>>> acl ncsa src 0.0.0.0/0.0.0.0
>>
>> Don't do that. Use "all" to match any IP address.
>>
>> If you want to match IPv4-only clients there is a special value "ipv4"
>> which is used like so:
>>   acl ipv4_only src ipv4
>>
>> Be careful with this type of control. Different access behaviours for
>> IPv4 and IPv6 are how security bypass issues are created.
>>
>>
>>
>>> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
>>> auth_param basic realm proxy
>>> acl ncsa proxy_auth REQUIRED
>>
>> "ncsa" was already defined as an IP address matching ACL.
>>
>>
>>> http_access allow ncsa
>>
>>
>> This will only allow clients who are already trying to send credentials.
>> It will not inform clients that they need to and no sane client will
>> broadcast its credential secrets unless it has to.
>>
>> To have HTTP auth work in the usual way it is best to *deny*
>> non-authenticated traffic and allow based on any other criteria you
>> have. Like so:
>>
>>   http_access deny !ncsa
>>   http_access allow localnet
>>
>> or
>>
>>   http_access deny !ncsa
>>   http_access allow ncsa
> 
> So I changed the configuration according to what you suggested and now
> I can access the internet.
> Below is how the configuration now looks:
> 
> acl ncsa src all

That is the same as the built-in "all" ACL ...


> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
> auth_param basic realm proxy
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated ncsa

... which makes the above line the same as:

  http_access allow authenticated all

Which actively *prevents* Squid from requesting credentials from clients.

> 
> I am able to access the internet now, does this mean that everything
> worked fine?

No. There are many ways to configure Squid to allow traffic through.
Most of them do not in any way match your policy.


> I am asking because I will be using this proxy
> authentication setup in c-icap for setting up the url_check service.
> Also I am not prompted for any password, I am able to access the
> internet just like that. Is that how it is supposed to work?

It is what you currently configured to be happening.
I wrote earlier that you needed something like this:

  http_access deny !ncsa
  http_access allow localnet


That needs to be in sequence with the other http_access rules in your
config:


  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localhost manager
  http_access deny manager

  acl authenticated proxy_auth REQUIRED
  http_access deny !authenticated

  http_access allow localhost
  http_access deny all


> because if
> I don't need to enter the password before browsing the web what would
> be the point of it all. Right? Or am I missing something here?

You are missing the order http_access rules are applied.


> I have been using this article for reference
> http://hevi.info/do-it-yourself/install-and-setup-squid3-on-ubuntu-14-04-with-authentication/
> 

Please notice that while the individual steps of the tutorial itself are
correct they omit very important details like where to place the config
settings. Like I said at the beginning, order is important.
And the follow-up comments are from people with non-working setups or
wrong answers.

The Squid wiki contains the authoritative information on how to use HTTP
authentication in Squid
<https://wiki.squid-cache.org/Features/Authentication>


Amos

