[squid-users] How to deal with proxy authentication bypass
Service MV
service.mv at gmail.com
Mon Sep 28 14:55:58 UTC 2020
In my case I have the domains, for example from webex, which I get from
their official support page. It seems that I am doing something wrong or I
am not understanding well.
I base this on this documentation
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass
The error I get is 407. I understand I should not request authentication to
those domains with the configuration I have, but apparently it does.
Below I have a bandwidth control configuration with acl note, I don't know
if that will be triggering the webex client authentication request.
Maybe someone with more experience can tell me.
Thank you very much.
Gabriel
On Sat., Sep 26, 2020 at 13:12, Ajb B (ajb23 at ymail.com) wrote:
> I looked this up and it looks like the reason Google does not work with
> Kerberos authentication (I think) is that Google makes requests to other
> domains:
>
> https://serverfault.com/a/307605
> (Please look at the second comment of the first answer.)
>
> The solution would be to create an ACL to allow the Google and Cisco
> domains, but I don't think it will work because they make requests to other
> domains. It would be something like:
>
> acl allowed_domains dstdomain google.com
> http_access allow allowed_domains
>
> Please note you would have to place it before your ACL in your lines where
> you have:
>
> http_access allow authenticated
> http_access deny all
>
> I don't really have a solution except to look at your access.log file (in
> /var/log/squid), see the other domains Google is making a request to, and
> then add to your ACLs also.
>
>
> Thanks,
> Adrian
> On Friday, September 25, 2020, 5:28:36 PM CDT, Service MV <
> service.mv at gmail.com> wrote:
>
>
> Hello everyone, I am trying to deal unsuccessfully with proxy
> authentication bypass.
> Even looking at the documentation I can't get it right. The point is that
> certain programs such as the cisco webex client or the google earth pro
> client do not know how to speak well with SQUID's kerberos authentication,
> so I want them not to authenticate for the domains they use.
> For everything else I have no problems in the authentication.
> I attach the logs I get and my configuration to see if they can help me.
>
> Thank you very much in advance.
> Best regards
> Gabriel
>
> squid.conf
> visible_hostname s-px4.mydomain.com
> #http_port 3128 require-proxy-header
> http_port 3128
> error_directory /opt/squid-503/share/errors/es-ar
> forwarded_for transparent
> shutdown_lifetime 0 seconds
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> quick_abort_pct 100
> read_timeout 5 minutes
> request_timeout 3 minutes
> cache_mem 1024 MB
> maximum_object_size_in_memory 4 MB
> memory_cache_mode always
> ipcache_size 2048
> fqdncache_size 4096
> #cache_mgr
> httpd_suppress_version_string on
> coredump_dir /opt/squid-503/var/cache/squid
>
> auth_param negotiate program /opt/squid-503/libexec/negotiate_kerberos_auth -i -r -s GSS_C_NO_NAME
> auth_param negotiate children 300 startup=150 idle=10
> auth_param negotiate keep_alive on
>
> auth_param basic program /opt/squid-503/libexec/basic_ldap_auth -P -R -b "dc=mydomain,dc=com" -D "cn=ldap,cn=Users,dc=mydomain,dc=com" -W /opt/squid-503/etc/ldappass.txt -f sAMAccountName=%s -h s-dc00.mydomain.com
> auth_param basic children 30
> auth_param basic realm Proxy Authentication
> auth_param basic credentialsttl 4 hour
>
> #acl vip_haproxy src 10.10.8.92
> #proxy_protocol_access allow vip_haproxy
>
> external_acl_type NO_INTERNET_USERS ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-503/libexec/ext_kerberos_ldap_group_acl -g INTERNET_OFF -i -D NUEVENET.MEDIOS
> acl NO_INTERNET external NO_INTERNET_USERS
>
> acl SSL_ports port 443
> acl SSL_ports port 8543 # LiveU Central
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 81 # coto "yo te conozco" donkey ports
> acl Safe_ports port 623 # coto "yo te conozco" donkey ports
> acl Safe_ports port 8543 # LiveU Central management
> acl Safe_ports port 18255 # LiveU Central files download
> acl Safe_ports port 33080 # ddjj
> acl Safe_ports port 9090 # asociart
> acl Safe_ports port 8713 # handball results
> acl Safe_ports port 8080 # cponline.org.ar
>
> # Lists of domains and IPs
> acl LS_winupddom dstdomain "/opt/squid-503/acl/winupddom.txt"
> acl LS_whitedomains dstdomain "/opt/squid-503/acl/whitedomains.txt"
> acl LS_blackdomains dstdomain "/opt/squid-503/acl/blackdomains.txt"
> acl LS_porn dstdomain "/opt/squid-503/acl/porn.txt"
> acl DOM_Malware dstdomain "/opt/squid-503/acl/DOM_Malware.txt"
> acl IP_Malware dst -n "/opt/squid-503/acl/IP_Malware.txt"
> acl LS_webex dstdomain "/opt/squid-503/acl/webex.txt"
>
> # Access lists
> acl http proto http
> acl port_80 port 80
> acl port_443 port 443
> acl port_9000 port 9000
> acl port_5061 port 5061
> acl port_5065 port 5065
> acl CONNECT method CONNECT
>
> #acl authenticated proxy_auth REQUIRED
> # Denied internet to member users of INTERNET_OFF group
> http_access deny NO_INTERNET all
>
> # Allow webex without authentication
> http_access allow http port_80 LS_webex
> http_access allow CONNECT port_443 LS_webex
> http_access allow port_9000 LS_webex
> http_access allow port_5061 LS_webex
> http_access allow port_5065 LS_webex
>
>
> http_access deny LS_blackdomains
> http_access deny LS_porn
> http_access deny DOM_Malware
> http_access deny IP_Malware
>
> # default SQUID rules
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
> http_access allow localhost
>
> # Apply 20Mbit/s QoS to members of Active Directory Authenticated Users group
> acl Domain_Users note group AQUAAAAAAAUVAAAA7TIfbORUj8PLQv4YAQIAAA==
> delay_pools 1
> delay_class 1 1
> delay_parameters 1 2500000/2500000
> delay_access 1 allow Domain_Users
>
> # Allow authenticated users to use internet and deny to all others
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
> http_access deny all
>
>
> cat /opt/squid-503/acl/webex.txt
> .wbx2.com
> .ciscospark.com
> .webex.com
> .quovadisglobal.com
> .digicert.com
> .accompany.com
> .walkme.com
> .cisco.com
>
> access.log
> 1601071522.675 0 10.10.9.250 TCP_DENIED/407 4106 CONNECT join-test.webex.com:443 - HIER_NONE/- text/html
> 1601071522.684 0 10.10.9.250 TCP_DENIED/407 4029 CONNECT msj1mcccl01.webex.com:443 - HIER_NONE/- text/html
> 1601071524.717 0 10.10.9.250 TCP_DENIED/407 4086 CONNECT tsa3.webex.com:443 - HIER_NONE/- text/html
>
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
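The following is an added example of the rule ordering the Bypass wiki page describes, written for this thread and not taken from Gabriel's configuration or from the Squid project. It assumes that the `%LOGIN` format code in `external_acl_type` (used by the NO_INTERNET group lookup) makes Squid demand credentials as soon as that rule is evaluated, so every allow rule meant to skip authentication has to be placed above it; the ACL names and the `webex.txt` path are reused from the quoted config.

```conf
# Added example (not the thread's config): keep the unauthenticated Webex
# allow rules ahead of anything that can trigger a 407 challenge.
# Assumption: an ACL that needs %LOGIN (external group lookup) or
# proxy_auth forces Squid to challenge before the rule can match.

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl port_80 port 80
acl port_443 port 443
acl LS_webex dstdomain "/opt/squid-503/acl/webex.txt"

external_acl_type NO_INTERNET_USERS ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-503/libexec/ext_kerberos_ldap_group_acl -g INTERNET_OFF -i -D NUEVENET.MEDIOS
acl NO_INTERNET external NO_INTERNET_USERS
acl authenticated proxy_auth REQUIRED

# 1. Safety rules that need no user identity.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# 2. Authentication bypass: must run BEFORE the NO_INTERNET deny,
#    because that rule's %LOGIN lookup already forces a challenge.
http_access allow port_80 LS_webex
http_access allow CONNECT port_443 LS_webex

# 3. Only now reference ACLs that trigger authentication.
http_access deny NO_INTERNET
http_access allow authenticated
http_access deny all
```

Hosts the client contacts that are not in webex.txt still appear as TCP_DENIED/407 in access.log, which is the list to extend the file from.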