[squid-users] How to deal with proxy authentication bypass

Service MV service.mv at gmail.com
Tue Sep 29 20:53:47 UTC 2020


Thank you Amos as always.
My current configuration has not changed much; it is as follows:

visible_hostname s-px4.mydomain.local
http_port 3128
error_directory /opt/squid-503/share/errors/es-ar
forwarded_for transparent
shutdown_lifetime 0 seconds
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
read_timeout 5 minutes
request_timeout 3 minutes
cache_mem 1024 MB
maximum_object_size_in_memory 4 MB
memory_cache_mode always
ipcache_size 2048
fqdncache_size 4096
cache_mgr support at mydomain.local
httpd_suppress_version_string on
coredump_dir /opt/squid-503/var/cache/squid

auth_param negotiate program /opt/squid-503/libexec/negotiate_kerberos_auth -i -r -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=150 idle=10
auth_param negotiate keep_alive on

auth_param basic program /opt/squid-503/libexec/basic_ldap_auth -P -R -b "dc=mydomain,dc=local" -D "cn=ldap,cn=Users,dc=mydomain,dc=local" -W /opt/squid-503/etc/ldappass.txt -f sAMAccountName=%s -h s-dc00.mydomain.local
auth_param basic children 30
auth_param basic realm Proxy Authentication
auth_param basic credentialsttl 4 hour

external_acl_type NO_INTERNET_USERS ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-503/libexec/ext_kerberos_ldap_group_acl -g INTERNET_OFF -i -D MYDOMAIN.LOCAL
acl NO_INTERNET external NO_INTERNET_USERS

acl SSL_ports port 443
acl SSL_ports port 8543         # LiveU Central
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 81          # Coto "I know you" donkey ports
acl Safe_ports port 623         # Coto "I know you" donkey ports
acl Safe_ports port 8543        # LiveU Central management
acl Safe_ports port 18255       # LiveU Central files download
acl Safe_ports port 33080       # ddjj
acl Safe_ports port 9090        # asociart
acl Safe_ports port 8713        # handball results
acl Safe_ports port 8080        # cponline.org.ar


# Lists of domains and IPs
acl LS_winupddom dstdomain "/opt/squid-503/acl/winupddom.txt"
acl LS_whitedomains dstdomain "/opt/squid-503/acl/whitedomains.txt"
acl LS_blackdomains dstdomain "/opt/squid-503/acl/blackdomains.txt"
acl LS_porn dstdomain "/opt/squid-503/acl/porn.txt"
acl DOM_Malware dstdomain "/opt/squid-503/acl/DOM_Malware.txt"
acl IP_Malware dst -n "/opt/squid-503/acl/IP_Malware.txt"
acl LS_webex dstdomain "/opt/squid-503/acl/webex.txt"

# Access lists
acl http proto http
acl port_80 port 80
acl port_443 port 443
acl port_9000 port 9000
acl port_5061 port 5061
acl port_5065 port 5065
acl CONNECT method CONNECT

# Deny internet access to members of the INTERNET_OFF group
http_access deny NO_INTERNET all

# Allow webex without authentication
http_access allow http port_80 LS_webex
http_access allow CONNECT port_443 LS_webex
http_access allow port_9000 LS_webex
http_access allow port_5061 LS_webex
http_access allow port_5065 LS_webex

http_access deny LS_blackdomains
http_access deny LS_porn
http_access deny DOM_Malware
http_access deny IP_Malware

# default SQUID rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localhost

# Apply 20Mbit/s QoS to members of the Active Directory Authenticated Users group
acl Domain_Users note group AQUAAAAAAAUVAAAA7TIfbORUj8PLQv4YAQIAAA==
delay_pools 1
delay_class 1 1
delay_parameters 1 2500000/2500000
delay_access 1 allow Domain_Users

# Allow authenticated users to use internet and deny to all others
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all


Thank you very much in advance for your valuable help.
Best regards
Gabriel


On Tue, 29 Sep 2020 at 07:46, Amos Jeffries (squid3 at treenet.co.nz) wrote:

> On 29/09/20 3:55 am, Service MV wrote:
> > In my case I have the domains, for example from webex, which I get from
> > their official support page. It seems that I am doing something wrong or
> > I am not understanding well.
> > I base on this documentation
> > https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass
> >
> > The error I get is 407. I understand I should not request authentication
> > to those domains with the configuration I have, but apparently it does.
> >
>
> In the (possibly outdated now) config you showed earlier the
> "NO_INTERNET" ACL might produce a 407 if credentials are completely
> missing, but not re-auth if they are invalid.
>  If you wish to have a free audit please post your current squid.conf
> rules and I will comment on useful changes.
>
>
> > Below I have a bandwidth control configuration with acl note, I don't
> > know if that will be triggering the webex client authentication request.
> > Maybe someone with more experience can tell me.
>
> "note" ACL will match if the data is available but not trigger
> authentication sequences. That is what makes it so useful for fast-group
> access checking logins.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
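Amos's remark about the NO_INTERNET ACL is the likely cause of the 407 on the webex domains: http_access lines are evaluated top-down, NO_INTERNET is an external ACL whose format carries %LOGIN, so Squid needs a login before it can evaluate `http_access deny NO_INTERNET all`, and a request that arrives without credentials is challenged on that very first line, before the unauthenticated webex allows are ever reached. The fragment below is an added example written for this thread, not a configuration from the poster, from Amos, or from the Squid project; it keeps the ACL names and rule lines from the configuration above unchanged and only reorders the `http_access` block so that every rule needing a login comes after the login-free bypass rules.

```conf
# Added example: same ACL names as the posted squid.conf, http_access lines reordered.
#
# Posted order (problem): the very first http_access line needs a login.
#   http_access deny NO_INTERNET all           <- %LOGIN external ACL: no credentials => 407
#   http_access allow http port_80 LS_webex    <- never reached by an unauthenticated client
#
# Corrected order: login-free rules first, login-requiring rules last.

# 1. Bypass: webex endpoints are allowed with no credentials at all.
#    These lines stay ahead of "deny !Safe_ports" on purpose: ports 9000,
#    5061 and 5065 are not in the posted Safe_ports list, so the port
#    check would otherwise block them.
http_access allow http port_80 LS_webex
http_access allow CONNECT port_443 LS_webex
http_access allow port_9000 LS_webex
http_access allow port_5061 LS_webex
http_access allow port_5065 LS_webex

# 2. Blocklists: destination-based ACLs need no login, so they never challenge.
http_access deny LS_blackdomains
http_access deny LS_porn
http_access deny DOM_Malware
http_access deny IP_Malware

# 3. Standard Squid safety rules (also login-free).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localhost

# 4. Only now the rules that need a login. The first of these is where an
#    unauthenticated client receives its 407 challenge, and by this point
#    every destination meant to bypass authentication has already been decided.
http_access deny NO_INTERNET all
http_access allow authenticated
http_access deny all
```

The auth_param, external_acl_type, dstdomain list and delay_pools definitions stay exactly as posted; only the http_access block moves. The `note`-based delay_access rule is unaffected, as Amos says, because a note ACL does not start an authentication sequence. After a reconfigure, a request without credentials to a domain in webex.txt should be served directly, and a 407 should appear only for destinations outside the bypass lists.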